Patching 4.4.0.532 CAS to run on Non-CAS

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by critor » 17 Feb 2017, 22:31

parrotgeek1 wrote:Should I remove this thread?

I don't think so.

It's still very interesting. :)

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by Lionel Debroux » 17 Feb 2017, 22:40

Yup, no need to remove this thread, stop working, or delete content on Github :)
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (online GCC4TI documentation), TIEmu and TILP.

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by parrotgeek1 » 18 Feb 2017, 03:24

critor wrote:
parrotgeek1 wrote:Should I remove this thread?

I don't think so.

It's still very interesting. :)

Can you help me find the nboot patch for boot1?

08 C0 85 E2 44 58 94 E5 03 00 9C E8 14 20 87 E2 01 00 55 E3 03 00 82 E8 10 50 8D E5 01 10 05 E2 01 20 A0 E3 08 30 87 E2 E7 FF FF 3A 00 00 51 E3 07 00 00 0A 08 20 8C E2 03 00 92 E8 02 20 A0 E3 1C E0 87 E2 02 00 55 E1 03 00 8E E8 08 30 83 E2 DD FF FF 3A 82 41 8C E0 03 00 94 E8 01 20 82 E2 82 E1 8C E0 14 40 83 E2 03 00 84 E8 03 00 9E E8 01 20 82 E2 1C E0 83 E2 02 00 55 E1 03 00 8E E8 10 30 83 E2 F2 FF FF 2A CF FF FF EA

does not exist
My Projects:
nLoaderCAS Patcher for ControlXnLaunchy CXM fork (3.9 CAS on B&W) - News ArticleTI-82 Advanced App Installer
Prototypes:
Upgrade EVT Nspire CAS+Fix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vulnerability (used in nLoader) • Nspire dev boardsPink CX
I can understand French but I can't speak it well.

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by parrotgeek1 » 18 Feb 2017, 04:30

Lionel Debroux wrote:Yup, no need to remove this thread, stop working, or delete content on Github :)

the signature patches worked in firebird

Boot Loader Stage 1 (3.00.99)
Build: 2010/9/9, 17:29:13
Copyright (c) 2006-2010 Texas Instruments Incorporated
Using production keys

Last boot progress: 65

Available system memory: 33196
Checking for NAND: NAND Flash ID: Generic 1 GBit (0xA1)
SDRAM size: 64 MB
Wakeup Event: ON.
SDRAM memory test: Pass
Clearing SDRAM...Done.
Clocks: CPU = 132MHz AHB = 66MHz APB = 33MHz
Clearing SDRAM...Done.
Boot option: Normal

Loading BOOT2 software...

99%
BOOT1: loading complete (135 ticks), launching image.



Boot Loader Stage 2 (3.00.DEVBUILD)
Build: 2010/9/24, 16:33:1
Copyright (c) 2006, 2007, 2008 Texas Instruments Incorporated
Using developer keys



btw boot1 is exactly 0x20200 bytes

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by critor » 18 Feb 2017, 10:39

Correct me if I'm wrong, your signature patch let us run DVT Boot2 on production Boot1 ?

I'm not sure this has any application on real hardware, but it's still great : we'll be able to test DVT Boot2/OS much more easily on Firebird ! :bj:

Could you share the patch then ?


parrotgeek1 wrote:
critor wrote:
parrotgeek1 wrote:Should I remove this thread?

I don't think so.

It's still very interesting. :)

Can you help me find the nboot patch for boot1?

08 C0 85 E2 44 58 94 E5 03 00 9C E8 14 20 87 E2 01 00 55 E3 03 00 82 E8 10 50 8D E5 01 10 05 E2 01 20 A0 E3 08 30 87 E2 E7 FF FF 3A 00 00 51 E3 07 00 00 0A 08 20 8C E2 03 00 92 E8 02 20 A0 E3 1C E0 87 E2 02 00 55 E1 03 00 8E E8 08 30 83 E2 DD FF FF 3A 82 41 8C E0 03 00 94 E8 01 20 82 E2 82 E1 8C E0 14 40 83 E2 03 00 84 E8 03 00 9E E8 01 20 82 E2 1C E0 83 E2 02 00 55 E1 03 00 8E E8 10 30 83 E2 F2 FF FF 2A CF FF FF EA

does not exist


Which nBoot patch ?
Are you trying to port nBoot for DVT Boot1 3.0.0.0 ?

I suppose it's the code in the nBoot manuf.img file which will have to be fixed...

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by parrotgeek1 » 18 Feb 2017, 20:59

critor wrote:Correct me if I'm wrong, your signature patch let us run DVT Boot2 on production Boot1 ?

I'm not sure this has any application on real hardware, but it's still great : we'll be able to test DVT Boot2/OS much more easily on Firebird ! :bj:

Could you share the patch then ?


parrotgeek1 wrote:
critor wrote:
parrotgeek1 wrote:Should I remove this thread?

I don't think so.

It's still very interesting. :)

Can you help me find the nboot patch for boot1?

08 C0 85 E2 44 58 94 E5 03 00 9C E8 14 20 87 E2 01 00 55 E3 03 00 82 E8 10 50 8D E5 01 10 05 E2 01 20 A0 E3 08 30 87 E2 E7 FF FF 3A 00 00 51 E3 07 00 00 0A 08 20 8C E2 03 00 92 E8 02 20 A0 E3 1C E0 87 E2 02 00 55 E1 03 00 8E E8 08 30 83 E2 DD FF FF 3A 82 41 8C E0 03 00 94 E8 01 20 82 E2 82 E1 8C E0 14 40 83 E2 03 00 84 E8 03 00 9E E8 01 20 82 E2 1C E0 83 E2 02 00 55 E1 03 00 8E E8 10 30 83 E2 F2 FF FF 2A CF FF FF EA

does not exist


Which nBoot patch ?
Are you trying to port nBoot for DVT Boot1 3.0.0.0 ?

I suppose it's the code in the nBoot manuf.img file which will have to be fixed...

I'll send the patch later. I am trying to fix the nboot vulnerability in boot1 3.0. The patch I posted was how you fixed it in old boot2. I need it because I have figured out how to launch a copy of boot1 from RAM. However, without fixing the vulnerability, it has an infinite loop of unlocked, then loading the boot one from diags into ram, etc.

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by critor » 20 Feb 2017, 11:49

Where are the signature keys in Boot2 4.0.3.49 and 3.0.0.0DVT ?
I suppose ControlX could just patch them when you'd like to install+run a DVT OS. :)

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by parrotgeek1 » 21 Feb 2017, 00:35

critor wrote:Where are the signature keys in Boot2 4.0.3.49 and 3.0.0.0DVT ?
I suppose ControlX could just patch them when you'd like to install+run a DVT OS. :)

can't find them, sorry

boot1 patches
194e4 write 00 00 00 00 - nop out find matching prod field check
193f4 write 00 00 00 00 - skip signature validation splash data
195b8 write 0d 00 00 ea - skip signature validation boot2

have you found nboot vulnerability fix for boot1 yet? I need it, see above

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by critor » 22 Feb 2017, 12:20

parrotgeek1 wrote:
critor wrote:Where are the signature keys in Boot2 4.0.3.49 and 3.0.0.0DVT ?
I suppose ControlX could just patch them when you'd like to install+run a DVT OS. :)

can't find them, sorry

Ok, found several of them.

For 1024-bits RSA keys, search for :
30 81 89 02 81 81 00 [128 bytes: the key] 02 03 01 00 01

There is one in the CX 3.0.0.0 DVT Boot2 image.

For 2048-bits RSA keys, search for :
30 82 01 0A 02 82 01 01 00 [256 bytes: the key] 02 03 01 00 01

There are 7-8 of them in all tested CX/CM Boot2 images.
I don't know which one is used for the OS.

parrotgeek1 wrote:have you found nboot vulnerability fix for boot1 yet? I need it, see above

For Boot1 3.0.0.0 DVT ?
Sorry, I don't know how to patch it. :(

Re: Patching 4.4.0.532 CAS to run on Non-CAS

by critor » 22 Feb 2017, 14:15

Ok, CX Boot2 DVT and production have both following 2048-bits keys :
- BA EA ...
- A5 4F ...

CX DVT Boot2 3.0.0.0 is using the BA EA... key to validate TI-Nspire.cer.

CX production Boot2 are using the A5 EF... key to validate TI-Nspire.cer.

CM Boot2 don't have the A5 EF... key, but a D3 C1... key used to validate TI-Nspire.cer.

That's why CX Boot2 4.0.3 with ControlX currently cannot launch CX DVT or CM OSes.
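Added example, not part of any post in this thread: a scanner for the two DER search patterns critor gives above, which also compares the key sets of two images the way his follow-up post does by hand. The function names and both sample "images" are constructed for illustration; the moduli are hash output, not real TI keys.

```python
import hashlib

# DER prefixes of an RSAPublicKey SEQUENCE, as quoted in the thread; each is
# followed by the modulus and then INTEGER 65537 (02 03 01 00 01).
PREFIXES = {1024: bytes.fromhex("30818902818100"),
            2048: bytes.fromhex("3082010a0282010100")}
EXPONENT = bytes.fromhex("0203010001")

def find_rsa_keys(image: bytes):
    """Return sorted [(offset, bits, modulus)] for each embedded public key."""
    hits = []
    for bits, prefix in PREFIXES.items():
        n = bits // 8
        pos = image.find(prefix)
        while pos != -1:
            start = pos + len(prefix)
            modulus = image[start:start + n]
            tail = image[start + n:start + n + len(EXPONENT)]
            # Demand the whole structure: a bare prefix can match by chance,
            # a dump can end mid-key, and the 00 pad implies a set top bit.
            if len(modulus) == n and tail == EXPONENT and modulus[0] & 0x80:
                hits.append((pos, bits, modulus))
            pos = image.find(prefix, pos + 1)
    return sorted(hits)

def label(modulus: bytes) -> str:
    """Name a key the way the thread does (leading bytes), plus a hash."""
    head = " ".join(f"{b:02X}" for b in modulus[:2])
    return f"{head}... sha256:{hashlib.sha256(modulus).hexdigest()[:16]}"

def compare(image_a: bytes, image_b: bytes):
    """Return (shared, only_a, only_b) as sets of moduli."""
    a = {m for _, _, m in find_rsa_keys(image_a)}
    b = {m for _, _, m in find_rsa_keys(image_b)}
    return a & b, a - b, b - a

def _fake_key(bits: int, first: int, seed: bytes) -> bytes:
    # Constructed modulus (hash output, not a real key) in the DER framing.
    body = hashlib.sha256(seed).digest() * (bits // 256)
    return PREFIXES[bits] + bytes([first]) + body[1:] + EXPONENT

# Constructed sample "images": padding, keys, and one truncated prefix.
SAMPLE_A = (b"\xff" * 64 + _fake_key(2048, 0xBA, b"a") + b"\x00" * 16
            + _fake_key(2048, 0xA5, b"b") + _fake_key(1024, 0xC3, b"c"))
SAMPLE_B = (_fake_key(2048, 0xBA, b"a") + b"\x00" * 8
            + _fake_key(2048, 0xD3, b"d") + PREFIXES[2048] + b"\x00" * 10)

if __name__ == "__main__":
    for off, bits, mod in find_rsa_keys(SAMPLE_A):
        print(f"0x{off:05x}  {bits}-bit  {label(mod)}")
```

Labelling keys by a hash of the full modulus avoids mix-ups between keys that share their first bytes.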
