Patching 4.4.0.532 CAS to run on Non-CAS

Unread post by parrotgeek1 » 01 Feb 2017, 08:15

I would like to announce that I have made several breakthroughs on patching 4.4.0.532 CAS to run on Non-CAS.
The environment I am testing them in is Nlaunchy with my own modified version of Firebird.

Components used:

1) Modified version of firebird which does a warning every time 900A0028/2C are read [ASIC user flags], so the address is printed out and you can look there in IDA.

(edit: removed)

2) Nlaunchy, latest version

The trick to installing it in firebird is:

Use 3.2 instead of 3.1 OS because file transfer doesn't work right on 3.1
To hold multiple keys to get to the maintenance menu, right click them.

3) OS 4.4.0.532 CX CAS

---------------------------------------------

To dump the OS: in emulator debugger

k 10000000
<wait, skip warnings by typing c>
wm ../../../../../../../../../../../Users/ethan/Desktop/4.4.bin 10000000 2000000

Yes, you need those ../ on Mac; you don't on Windows.

To nop out an instruction

pw <address> 0

You should enable "enter debugger on warning" in firebird preferences. It will have some warnings in boot2 but just type c to continue.

(the rest of this post is now irrelevant)
Last edited by parrotgeek1 on 22 Sep 2018, 00:55, edited 3 times.

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by critor » 01 Feb 2017, 12:20

Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

I'm not sure I can help, but here are the 5-bit ASIC user flags values ( https://hackspire.org/index.php/Memory- ... cellaneous )
  • 0b11111 TI-XXXXXXXXXXX DVT1.2, TI-XXXXXXXXXXX CAS DVT1.2, TI-Nspire DVT 2.0, TI-Nspire CAS DVT 2.0
  • 0b00000 TI-Nspire, TI-Nspire TouchPad, TI-Nspire CX, TI-Nspire Lab Cradle
  • 0b00001 TI-Nspire CAS, TI-Nspire CAS TouchPad, TI-Nspire CX CAS
  • 0b00010 TI-Nspire CM
  • 0b00011 TI-Nspire CM CAS

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by parrotgeek1 » 02 Feb 2017, 05:26

newest patch attempt

in cxcas emulator

900A0028 is 00010105
900A002C is 04000001

so I tried to fake those values

I have successfully redirected 900a002x to 11f0002x but it does not work
---------------------------------

boot2 has
118b7cf8: e59f3478 ldr r3,[118b8178] = 900a0000
so

k 11800000
c

pw 11F00028 00010105
pw 11F0002C 04000001
pw 118B8178 11F00000
k 10000000
c

-----------
os has
100e44f4: e59f1190 ldr r1,[100e468c] = 900a0000

so

pw 11F00028 00010105
pw 11F0002C 04000001
pw 100CB3FC 11F00000
pw 100E468C 11F00000
c

------------------------

still freezes at clock BUT DOES NOT READ 900A00XX anymore so the patch works

Last edited by parrotgeek1 on 02 Feb 2017, 06:54, edited 1 time.

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by parrotgeek1 » 02 Feb 2017, 06:28

critor wrote: Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

I'm not sure I can help, but here are the 5-bit ASIC user flags values ( https://hackspire.org/index.php/Memory- ... cellaneous )
  • 0b11111 TI-XXXXXXXXXXX DVT1.2, TI-XXXXXXXXXXX CAS DVT1.2, TI-Nspire DVT 2.0, TI-Nspire CAS DVT 2.0
  • 0b00000 TI-Nspire, TI-Nspire TouchPad, TI-Nspire CX, TI-Nspire Lab Cradle
  • 0b00001 TI-Nspire CAS, TI-Nspire CAS TouchPad, TI-Nspire CX CAS
  • 0b00010 TI-Nspire CM
  • 0b00011 TI-Nspire CM CAS
In another thread, you said that someone had tried to modify the value in Manuf, and that didn't work either. How would you do that?

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by critor » 02 Feb 2017, 13:07

The ASIC user flags are in the ASIC, not in the Manuf.

The Manuf includes the model ID, which is not exactly the same thing.

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by Lionel Debroux » 02 Feb 2017, 14:34

parrotgeek1 wrote: Mac version [...]
Sorry I don't have a PC.

As you know, modern x86-based Macs are technically PCs, equipped with several Apple-specific components, in an enclosure whose design negatively impacts reliability, and a high price tag :)
I have worked with such a machine in a past day job, and seen others' experiences with their Macs.

critor wrote: Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

That one's trivial and has been known, publicly documented since 2009, in a matter of hours or days after the boot2 was first decompressed :)
Unlike another offline method developed later, it requires an emulator in working state, and on the CX/CM, a copy of the boot1. But that method is less user-friendly nevertheless.

Amusingly, four suitably aligned zero bytes make one quasi-NOP on an ARM processor running in ARM mode, one quasi-NOP on a 68k processor, and four NOPs on a Z80/eZ80. Both the ARM and the 68000 have explicit, nonzero NOPs.

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by parrotgeek1 » 02 Feb 2017, 16:36

Lionel Debroux wrote:
parrotgeek1 wrote: Mac version [...]
Sorry I don't have a PC.

As you know, modern x86-based Macs are technically PCs, equipped with several Apple-specific components, in an enclosure whose design negatively impacts reliability, and a high price tag :)
I have worked with such a machine in a past day job, and seen others' experiences with their Macs.

critor wrote: Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

That one's trivial and has been known, publicly documented since 2009, in a matter of hours or days after the boot2 was first decompressed :)
Unlike another offline method developed later, it requires an emulator in working state, and on the CX/CM, a copy of the boot1. But that method is less user-friendly nevertheless.

Amusingly, four suitably aligned zero bytes make one quasi-NOP on an ARM processor running in ARM mode, one quasi-NOP on a 68k processor, and four NOPs on a Z80/eZ80. Both the ARM and the 68000 have explicit, nonzero NOPs.

The point of those dumping instructions was to help other people who might know about reverse engineering, but not necessarily about calculators, continue this project.

I'm not really sure why you needed to be so critical of Macs. Yes, they're a little underpowered, but my MacBook Pro has been the most reliable computer I've ever owned.

Of course I know that I could install a Windows virtual machine and compile Firebird, I just don't feel like it. It took me 2 hours to get Qt Creator to work right.

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by parrotgeek1 » 02 Feb 2017, 20:58

4.4.0.532 CAS

PATCH_SETW(0x100CAF70,0xE59F5484);
PATCH_SETW(0x100CB3FC,0x00010105);
PATCH_SETW(0x100CAF88,0xE3A04341);
PATCH_SETW(0x100CAF8C,NOP);
PATCH_SETW(0x100E44F4,0xE59F3190);
PATCH_SETW(0x100E44FC,NOP);
PATCH_SETW(0x100e468c,0x04000001);

;)

-----------

OS patch

r5 is where 900A0028 value goes
r4 is where 900A002C value goes

pw 100CAF70 E59F5484
# was: LDR R3, [PC, #0x484]
# is:  LDR R5, [PC, #0x484]

pw 100CB3FC 00010105
# [PC, #0x484] was 900A0000, repurposing as fake 900A0028 value

pw 100CAF88 E3A04341
# was: LDR R5, [R3, #0x28]
# is:  MOV R4, #0x4000001

pw 100CAF8C 0
# was: LDR R4, [R3, #0x2C]
# is:  alternate nop

pw 100E44F4 E59F3190
# was: LDR R1, [PC, #0x190]
# is:  LDR R3, [PC, #0x190]

pw 100E44FC 0
# was: LDR R3, [R1, #0x2C]
# is:  alternate nop

pw 100E468C 04000001
# [PC, #0x190] was 900A0000, repurposing as fake 900A002C value
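As an added example (not code from the thread, nor from Firebird or nLaunchy), here is a small Python decoder for the ARM instruction forms the patch list above uses; it applies the ARM-mode rule that PC reads as the instruction address + 8 and resolves each PC-relative load to its literal-pool slot, so every new word can be checked against its "was:/is:" comment before anything is written to an image. The addresses and words are the ones given in the post; the `explain` helper and the register naming are my own.

```python
# Added example, not code from the thread: a decoder for the A32 instruction forms
# the OS patch above uses (LDR/STR with immediate offset, MOV/MVN with a rotated
# immediate, and the all-zero "alternate nop"), so each PATCH_SETW word can be
# checked against its "was:/is:" comment and the literal-pool slot it reads.
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", "nv"]
REG = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]
NOP = 0x00000000  # encodes andeq r0, r0, r0: executes (if Z set) without changing state

def ror32(value: int, n: int) -> int:
    n %= 32
    return ((value >> n) | (value << (32 - n))) & 0xFFFFFFFF

def decode(word: int, addr: int) -> dict:
    """Decode one ARM-mode word located at `addr`. Returns the mnemonic text and,
    for a PC-relative load/store, the absolute literal address it accesses."""
    if word == NOP:
        return {"text": "andeq r0, r0, r0", "literal": None}
    cond, kind = COND[word >> 28], (word >> 25) & 0x7
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    p, u, b, w, l = ((word >> s) & 1 for s in (24, 23, 22, 21, 20))
    if kind == 0b010 and p and not w:                 # LDR/STR Rd, [Rn, #+/-imm12]
        imm = word & 0xFFF
        op = ("ldr" if l else "str") + ("b" if b else "") + cond
        text = f"{op} {REG[rd]}, [{REG[rn]}, #{'' if u else '-'}0x{imm:x}]"
        # In ARM mode the PC reads as the current instruction's address + 8
        lit = addr + 8 + (imm if u else -imm) if rn == 15 else None
        return {"text": text, "literal": lit}
    opc = (word >> 21) & 0xF
    if kind == 0b001 and opc in (0b1101, 0b1111):     # MOV/MVN Rd, #imm8 ror (2*rot)
        op = ("mov" if opc == 0b1101 else "mvn") + cond
        imm = ror32(word & 0xFF, 2 * ((word >> 8) & 0xF))
        return {"text": f"{op} {REG[rd]}, #0x{imm:x}", "literal": None}
    return {"text": f".word 0x{word:08x}", "literal": None}   # treated as data

# The 4.4.0.532 CAS patch list from the post, as (address, new word) pairs
PATCHES = [(0x100CAF70, 0xE59F5484), (0x100CB3FC, 0x00010105),
           (0x100CAF88, 0xE3A04341), (0x100CAF8C, NOP),
           (0x100E44F4, 0xE59F3190), (0x100E44FC, NOP),
           (0x100E468C, 0x04000001)]

def explain(patches):
    """Decode each patch; 'loads' is the value a PC-relative load fetches when its literal slot is patched too."""
    table, out = dict(patches), {}
    for addr, word in patches:
        d = decode(word, addr)
        d["loads"] = table.get(d["literal"]) if d["literal"] is not None else None
        out[addr] = d
    return out
```

Running `explain(PATCHES)` shows the two rewritten loads at 100CAF70 and 100E44F4 resolving to 100CB3FC and 100E468C, the slots that now hold the fake 900A0028 and 900A002C values.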

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by critor » 02 Feb 2017, 21:49

Ah, interesting.

Could you check if your patches can be adapted for OSes 3.6-4.3 ?

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread post by Lionel Debroux » 02 Feb 2017, 21:52

Patching the memory read instructions is one of the ways to achieve the aim, indeed :)
