This is an archived, read-only copy of the United-TI subforum, including posts and topics from May 2003 to April 2012. If you would like to discuss any of the topics in this forum, you can visit Cemetech's Technology & Calculator Open Topic subforum. Some of these topics may also be directly linked to active Cemetech topics. If you are a Cemetech member with a linked United-TI account, you can link United-TI topics here with your current Cemetech topics.

yifanlu (Newbie, Joined: 21 Mar 2010, Posts: 15)
Posted: 18 Sep 2010 09:06:44 am

ExtendeD wrote:

Yifan wrote:

1/5 of the time, it freezes at the clock.

We probably won't be able to do much for this one.

Quote:
2/5 of the time it freezes in a black screen after reboot.

Try to install Ndless while the calculator is connected to a computer.

Hmm, I just noticed that when I install while plugged in, I get a frozen clock. When I install unplugged, I get a black screen. Maybe I screwed up compiling?

Oh WOW, here's how I got it working (at least twice in a row): Unplug the cable. Click on "ndless_installer". While the clock is moving, immediately plug in the cable.


Last edited by Guest on 18 Sep 2010 04:31:58 pm; edited 1 time in total
bsl (Advanced Newbie, Joined: 09 Jan 2010, Posts: 94)
Posted: 19 Sep 2010 10:39:18 am

Try modifying the installer a little.

The installer is in part a very long buffer overflow, which is overwriting some OS code.
The overflow repeats a 1024 byte block of installer code for several megabytes.
Borrowing a hack from the x86 world, you could alternate code with a NOP sled,
which on an ARM is a block of mov r0,r0 instructions.
If an OS calling/returning address falls on the NOP sled, the installer should work every time.
Write 2 modifications of MakeLoader.c:
1) The first 1024 block is the NOP sled, then installer code - repeat
2) The first 1024 block is the installer code, then NOP sled - repeat

Here is the scenario:

Code:

------------------------------------
origin  mod1  mod2
______ ____________
|     |     |     |
|code |NOPS |code |
|_____|_____|_____|
|     |     |     |
|code |code |NOPS |
|_____|_____|_____|
|     |     |     |
|code |NOPS |code |
|_____|_____|_____|
|     |     |     |
|code |code |NOPS | <----- calling or returning address
|_____|_____|_____|
|     |     |     |
|code |NOPS |code |
|_____|_____|_____|
|     |     |     |
|code |code |NOPS |
|_____|_____|_____|
|     |     |     |
|code |NOPS |code |
|_____|_____|_____|
|     |     |     |
|code |code |NOPS |
|_____|_____|_____|
..
..
..
..

I have a CAS, so I can't test this since this beta version is only for a NONCAS.
Theoretically, from the diagram above the second modification should work,
because the point of execution falls safely on the NOP sled, which the installer code follows.
critor (Member, Joined: 04 Feb 2009, Posts: 132)
Posted: 21 Sep 2010 07:24:44 am

crossposting, for information...


We're going to have a "big" problem with Ndless 1.7 and the CAS TI-Nspire TouchPad.

It was perfectly possible to install and use Ndless 1.0/1.1 on both CAS and basic TI-Nspire TouchPad.


With the basic 1.7 OS, you should still be able to install and use Ndless 1.7 on the basic TI-Nspire TouchPad.
You'll just have to learn the new key-equivalents, or replace your TouchPad keypad with a ClickPad keypad.


On the CAS TI-Nspire TouchPad, the "big" problem we'll have to deal with is that the CAS 1.7 OS won't boot correctly with any of the 4 available keypads:
- with the CAS TouchPad keypad, you're getting a dialog box when the progress bar reaches 100%, saying something like "unrecognized keypad! install an official keypad! contact TI Education [ . . . ]", and the system doesn't seem to react to any key press
- with the basic TouchPad keypad, same thing
- with the 84+ keypad, same thing
- with the ClickPad keypad, the calculator just reboots when the progress bar reaches 100%

Those tests were done during the Nleash beta-testing, and published on TI-Bank:
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=844


Although I can boot all OSes 1.1-2.1 on my basic TI-Nspire TouchPad, I cannot with my CAS TI-Nspire TouchPad.

I can only boot the 1.1-1.4 and 2.0-2.1 OSes on my CAS TI-Nspire TouchPad.
OSes 1.6 and 1.7 share the same problem, and so are unusable for now.
Something has been changed on those OSes...


I hope we can find a way to trick those OSes... or we get Ndless 2.0 ;)
Whichever...
Levak (Advanced Newbie, Joined: 11 Nov 2009, Posts: 94)
Posted: 21 Sep 2010 02:33:40 pm

Has anyone tried to compile with Linux GNU ARM?
I have a curious translation of the IDC files (in syscall***.c)

Like this:

Code:

/* Each entry matches a symbol in syscalls.h. This file is generated by mksyscalls.sh. */
unsigned syscalls_ncas_1_7[] = {
-en     
0x0
-en    ,
0x0
-en    ,

[...]

0x0
-en    ,
0x0
-en    ,
0x0
};
ExtendeD (Advanced Newbie, Joined: 30 Aug 2009, Posts: 91)
Posted: 21 Sep 2010 03:10:16 pm

bsl wrote:

Try modifying the installer a little.

Thank you for your suggestion.

But the exploit requires the installer not to exceed 1024 bytes, and its entry point is at a fixed address (I'd prefer talking about this in private if needed), so the current implementation should be good.

This USB-related instability is just weird.

Quote:
I have a CAS, so I can't test this since this beta version is only for a NONCAS.

The CAS symbols are not difficult to find out but it is currently not my own top priority.
You may also try your ideas on nspire_emu before sharing them with non-CAS owners.
ExtendeD (Advanced Newbie, Joined: 30 Aug 2009, Posts: 91)
Posted: 21 Sep 2010 03:19:42 pm

Levak wrote:

Has anyone tried to compile with Linux GNU ARM?
I have a curious translation of the IDC files (in syscall***.c)

Running MakeSyscalls is not required unless you want to define new syscalls the standard way instead of using SYSCALL_CUSTOM().
It seems your 'echo' implementation doesn't like the "-ne" option, maybe you could try to adapt mksyscalls.sh to make it more portable.
You also need to make sure the idcfile is found by the script.
yifanlu (Newbie, Joined: 21 Mar 2010, Posts: 15)
Posted: 21 Sep 2010 04:25:32 pm

Ok, ignore my complete non-understanding of how the exploit works, but out of curiosity, I copied the Ndless installer on my friend's 2.1 Nspire, and running it crashes the calculator. Does this mean the hole you're exploiting for Ndless isn't patched in 2.1? How could they patch it, if it wasn't released before 2.0? And if it isn't patched, what prevents us from using this exploit on 2.0-2.1?
codeslicer (Newbie, Joined: 21 Sep 2010, Posts: 4)
Posted: 21 Sep 2010 04:53:11 pm

Yifan wrote:

Ok, ignore my complete non-understanding of how the exploit works, but out of curiosity, I copied the Ndless installer on my friend's 2.1 Nspire, and running it crashes the calculator. Does this mean the hole you're exploiting for Ndless isn't patched in 2.1? How could they patch it, if it wasn't released before 2.0? And if it isn't patched, what prevents us from using this exploit on 2.0-2.1?


Ndless 1.7 uses the same exploit used by Nleash... which works for all OSs up to 2.1. The dilemma, from what I understand, is that each OS is different and has to have a separate Ndless version developed for it.
Levak (Advanced Newbie, Joined: 11 Nov 2009, Posts: 94)
Posted: 21 Sep 2010 05:53:27 pm

ExtendeD wrote:

Levak wrote:

Has anyone tried to compile with Linux GNU ARM?
I have a curious translation of the IDC files (in syscall***.c)

Running MakeSyscalls is not required unless you want to define new syscalls the standard way instead of using SYSCALL_CUSTOM().
It seems your 'echo' implementation doesn't like the "-ne" option, maybe you could try to adapt mksyscalls.sh to make it more portable.
You also need to make sure the idcfile is found by the script.


Ok!
I managed to compile and use Ndless 1.7 on the Goplat Emulator with Nspire ROM 1.7.

Thus, I managed to run Mandelbrot.tns (a C program that I made for Ndless 1.0 THAT I DIDN'T RECOMPILE), nCaster & floorCaster from Bwang, but not gb4nspire, not even with the oldest versions.
In the same way, I couldn't run nspire_ressource.tns (it crashes the emulator).

On the other hand, I didn't manage to make the installer available for Nspire CAS. I know that I don't have the IDC files for CAS 1.7, but you said that it shouldn't disturb the Ndless 1.7 installation (is that what you mean?).

The error when installing Ndless 1.7 on a Nspire CAS is:

Code:
Wrote to translated code at a4000018. Deleting translations.
Error at PC=0000006E: Unaligned read_word: 1ad
   Backtrace:
Frame     PrvFrame Self     Return   Start
1800DA08: 1800DA78 1800DA0C 101996B4 101A0FF4
1800DA78: 1800DAB8 1800DA7C 101990A4 10199610
1800DAB8: 1800E1D8 1800DABC 100399C8 1019902C
1800E1D8: 1800E260 1800E1DC 10027854 10039980
1800E260: 1800EA98 1800E264 10008FBC 1002780C
1800EA98: 1800ECE8 1800EA9C 10009784 10008F48
1800ECE8: 1800ED50 1800ECEC 10011E44 10009348
1800ED50: 1800FA50 1800ED54 1000C17C 10011CF0
1800FA50: 1800FAA0 1800FA54 1000C8B8 1000C108
1800FAA0: 1800FAB8 1800FAA4 101F3E94 1000C754
1800FAB8: 1800FB08 1800FABC 1016E834 101F3DC8
1800FB08: 1800FCB0 1800FB0C 1016EB20 1016E6FC
1800FCB0: 1800FCD0 1800FCB4 1016EBA8 1016E9F4
1800FCD0: 1800FD38 1800FCD4 1000D280 1016EB74
1800FD38: 1800FDA0 1800FD3C 10001024 1000D0AC
1800FDA0: 1800FDD8 1800FDA4 102A16A0 10000DD4
1800FDD8: 1800FDF8 1800FDDC 10212BA8 102A1650
1800FDF8: 1800FDFC 1800FDFC 00000000 10212B8C
debug> c


And I just remembered that at the end of the compilation I get these errors, even though it creates the *.tns:

Code:

../../bin/nspire-gcc -Os -Wall -W -c tests.c
../../bin/nspire-ld -nostdlib tests.o -o ndless_tests.elf
tests.o:(.ARM.exidx+0x0): undefined reference to `__aeabi_unwind_cpp_pr0'
collect2: ld returned 1 exit status
make[2]: *** [ndless_tests.tns] Erreur 1
make[2]: quittant le répertoire « /media/JA/TI-Nspire/Ndless-v1.7/arm/tests »
make[1]: *** [subdirs] Erreur 1
make[1]: quittant le répertoire « /media/JA/TI-Nspire/Ndless-v1.7/arm »
make: *** [subdirs] Erreur 1
yifanlu (Newbie, Joined: 21 Mar 2010, Posts: 15)
Posted: 21 Sep 2010 08:29:01 pm

Is anyone else having troubles with frozen clock with USB connected & black/bar screen without USB connected? Or is it just me?

I don't know if it's a timing thing or not, but if I click on the installer, and immediately plug in the cable (with nspire connect software running), I can get in. If too late, it will freeze.


Last edited by Guest on 21 Sep 2010 08:30:54 pm; edited 1 time in total
apcalc (Newbie, Joined: 28 Jun 2010, Posts: 22)
Posted: 21 Sep 2010 09:09:02 pm

Sometimes it takes several tries to get Ndless to install. I accidentally reset my Nspire today, so I will have to try to install Ndless again. The first time it took just under 10 tries.

It seems like the most common errors are the "frozen clock", the "random pixels at the top of the screen", and the "black screen with white vertical lines."

EDIT: I just reinstalled Ndless again, and it only took 4 tries this time :)


Last edited by Guest on 21 Sep 2010 09:14:50 pm; edited 1 time in total
Lionel Debroux (Member, Joined: 01 Aug 2009, Posts: 170)
Posted: 22 Sep 2010 12:48:58 am

Quote:
It seems your 'echo' implementation doesn't like the "-ne" option, maybe you could try to adapt mksyscalls.sh to make it more portable.

Indeed, some implementations of echo do not support "-n". The top-level GCC4TI installer script avoids using "-n" for asking several questions to the user if that switch is not supported.

Quote:
Ndless 1.7 uses the same exploit used by Nleash... which works for all OSs up to 2.1. The dilemma, from what I understand, is that each OS is different and has to have a separate Ndless version developed for it.

For Ndless "1.7" to work on 2.0, 2.0.1 and 2.1, one of the required steps is finding the addresses of a number of useful syscalls on those versions. For most functions, the code shouldn't have changed much across versions, so even a simple binary search could yield good results.
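The portability problem ExtendeD and Lionel describe (a /bin/sh whose builtin echo prints "-en" literally into the generated syscalls_*.c) is avoided by generating the table with printf. The script below is an added example, not Ndless's own mksyscalls.sh; the array name and the addresses fed to it are constructed sample values, not real 1.7 syscall addresses.

```shell
#!/bin/sh
# Added example (not Ndless's mksyscalls.sh): emit a syscalls_*.c table
# without "echo -ne". dash's builtin echo has no -n/-e options and prints
# them literally, which is what produced the "-en" lines in Levak's output.
# The array name and address list used at the bottom are constructed.

# echo_supports_n: succeeds when this shell's echo treats -n as an option
# (bash builtin) and fails when it prints "-n" literally (dash builtin).
# This is the kind of probe the GCC4TI installer runs before relying on
# "echo -n"; here it is only informational, because printf is used anyway.
echo_supports_n() {
    [ "$(echo -n x)" = "x" ]
}

# emit_syscalls_table NAME ADDR...: print a C array named NAME holding the
# given addresses. Only printf is used, which POSIX specifies, so the output
# is byte-identical under bash, dash, ksh and busybox sh and the generated
# file compiles no matter which /bin/sh ran the build script.
emit_syscalls_table() {
    name=$1
    shift
    printf '/* Each entry matches a symbol in syscalls.h. Generated by this script. */\n'
    printf 'unsigned %s[] = {\n' "$name"
    first=1
    for addr in "$@"; do
        if [ "$first" = 1 ]; then
            first=0
        else
            printf ',\n'
        fi
        printf '    %s' "$addr"
    done
    printf '\n};\n'
}

# Usage with constructed sample addresses (not real OS 1.7 values).
if echo_supports_n; then
    printf 'note: this echo honours -n, but printf is still the portable choice\n' >&2
fi
emit_syscalls_table syscalls_ncas_1_7 0x10000000 0x1000A3F4 0x100B2C10
```

Redirect the function's output to the syscalls_*.c file in place of the echo calls; a file produced this way contains no stray "-en" tokens, so the compiler error at that point disappears whichever shell ran the script.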
Levak (Advanced Newbie, Joined: 11 Nov 2009, Posts: 94)
Posted: 22 Sep 2010 05:46:49 am

Lionel Debroux wrote:

For Ndless "1.7" to work on 2.0, 2.0.1 and 2.1, one of the required steps is finding the addresses of a number of useful syscalls on those versions. For most functions, the code shouldn't have changed much across versions, so even a simple binary search could yield good results.



I think it would be helpful to specify how we have to do this "binary search", wouldn't it?
For example, I'm sure it is as simple as compiling Ndless 1.7, but I don't know how to do it. Where to search? In which binary? Using which software?

Thanks !
ExtendeD (Advanced Newbie, Joined: 30 Aug 2009, Posts: 91)
Posted: 26 Sep 2010 12:04:30 pm

Note that publishing content describing how to reverse-engineer the OS may not be a good idea, since it is forbidden by its license.

Levak wrote:

On the other hand, I didn't manage to make the installer available for Nspire CAS.

The CAS is currently not supported.

All the open issues are listed here: http://www.omnimaga.org/index.php?topic=4509.0
bsl (Advanced Newbie, Joined: 09 Jan 2010, Posts: 94)
Posted: 01 Oct 2010 12:37:57 pm

Here is a very simple patch to Goplat's 16 byte program to enter the shell, with source.
The CAS1.7 is untested, but has a 99.9999% chance of being correct.

[attachment=3283:dcs1.7.zip]
Levak (Advanced Newbie, Joined: 11 Nov 2009, Posts: 94)
Posted: 01 Oct 2010 04:27:06 pm

I found that in utils.c (Ndless sources: ./arm/) some calling addresses for CAS 1.7 were missing.

Here they are:


Code:
static unsigned const ut_os_reboot_reset_addrs[][3] = {
   {0x106DAFC4, 0x106F2A0C, 0x106F2AF0},  // 1.7 non-CAS
   {0x1070D28C, 0x10725314, 0x107253F8} // 1.7 CAS
};


Last edited by Guest on 01 Oct 2010 05:39:03 pm; edited 1 time in total
bsl (Advanced Newbie, Joined: 09 Jan 2010, Posts: 94)
Posted: 01 Oct 2010 05:56:31 pm

First one looks good to me as a spot check:

Code:

OS1.7 noncas (106DAFC4)
106DAFC0:0075AFC0   ----------> 00 00 00 00-07 00 00 00 E8 03 00 00    ................
106DAFD0:0075AFD0   01 00 00 00 1C 1D 10 1F-20 61 26 27 32 34 40 41    ........ a&'24@A
106DAFE0:0075AFE0   48 49 4A 4B 4C 4D 4E 4F-50 51 52 53 54 84 FB FC    HIJKLMNOPQRST...
106DAFF0:0075AFF0   08 00 00 00 5A 00 00 00-5A 00 00 00 5A 00 00 00    ....Z...Z...Z...

OS1.7 cas (1070D28C)
1070D280:0078D280   ----------------------------------> 01 00 00 00    ....@...........
1070D290:0078D290   07 00 00 00 E8 03 00 00-01 00 00 00 1C 1D 10 1F    ................
1070D2A0:0078D2A0   20 61 26 27 32 34 40 41-48 49 4A 4B 4C 4D 4E 4F     a&'24@AHIJKLMNO
1070D2B0:0078D2B0   50 51 52 53 54 84 FB FC-08 00 00 00 5A 00 00 00    PQRST.......Z...
1070D2C0:0078D2C0   5A 00 00 00 5A 00 00 00-60 00 00 00 5A 00 00 00    Z...Z...`...Z...

There are minor differences
Levak (Advanced Newbie, Joined: 11 Nov 2009, Posts: 94)
Posted: 01 Oct 2010 06:19:32 pm

bsl wrote:

First one looks good to me as a spot check:

There are minor differences



I can't see them in the disassembled code:
[attachment=3284:compare.JPG]

By the way, here are my modifications:
./arm/utils.c line 52


Code:
// addresses of OS global variables which must be reinitialized for proper OS reboot
static unsigned const ut_os_reboot_reset_addrs[][3] = {
   {0x106DAFC4, 0x106F2A0C, 0x106F2AF0},  // 1.7 non-CAS
   {0x1070D28C, 0x10725314, 0x107253F8} // 1.7 CAS
};


./arm/loader.c line 30


Code:
static unsigned const ld_hook_alloc_patch_addrs[][3] = {
   {0x107957B0, 0x100002C0, 0x10000088}, // 1.7 non-CAS
   {0x100002C0, 0x10000088} // 1.7 CAS (only two values given; C zero-fills the third element of this row)
};



/arm/install.c line 30


Code:
static unsigned const ins_ploader_hook_addrs[] = {0x1000921C, 0x1000091E8}; // second value has 9 hex digits as posted, which does not fit in a 32-bit unsigned


Those are just clues; I can't manage to install ndless, but I no longer freeze when launching ndless_installer.
I just get a black screen when it reboots.


Last edited by Guest on 01 Oct 2010 06:22:58 pm; edited 1 time in total
bsl (Advanced Newbie, Joined: 09 Jan 2010, Posts: 94)
Posted: 01 Oct 2010 06:41:06 pm

I am getting close to patching 1024 bytes of NONCAS installer code to CAS[or both] installer code,
and repacking the installer with 7za. I have to look at the resources file too.
Maybe I will try with what you have, and try it on a CAS flash


Last edited by Guest on 01 Oct 2010 06:50:25 pm; edited 1 time in total
yifanlu (Newbie, Joined: 21 Mar 2010, Posts: 15)
Posted: 01 Oct 2010 11:15:13 pm

Ok, just an FYI: if you accidentally restarted the calculator (for the 84 keypad or something) and want to use ndless 1.7 again, but don't have access to a computer, and a friend has a nspire, you can use the link cable and install ndless. Same as with a PC. Click on the Ndless installer, and quickly plug in the cable (other end in your friend's nspire). It works.
Page 2 of 4