Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 19 Jan 2018, 18:42

Lionel Debroux wrote: With reliable code execution, you can change the contents of the virtual memory translation table to map the boot1, if it's not mapped at the suitable place (0 or A4000000, back in the day) when the boot1.5 executes.

That is the problem. Nothing is mapped there.

How do I map it? I looked at some code in ControlX to map the second 32MB of RAM, but I don't understand how it works.
parrotgeek1 (Programmer)
Level 11: LV (Living Legend)
Next level: 88%
Posts: 745
Joined: 29 Mar 2016, 01:22
Location: This account is no longer used.
Gender: Not specified
Calculator(s):
MyCalcs profile

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 19 Jan 2018, 18:44

Polydumper includes some asm code to map Boot1 at 0x00100000:
archives_voir.php?id=3829

Code: Select all
asm("ldr r1,=0x00000C12");   // first-level section descriptor: physical base 0x00000000, AP=11 (full access), domain 0, uncached
asm("mrc p15,0,r0,c2,c0,0"); // r0 = translation table base (CP15 c2, TTBR)
asm("str r1,[r0,#4]");       // entry 1 of the table (offset 4) covers virtual 0x00100000-0x001FFFFF
asm("ldr r0,=0x00100000");
asm("mcr p15,0,r0,c8,c7,1"); // invalidate the unified TLB entry for MVA 0x00100000 so the new mapping takes effect
critor (Admin)
Level 19: CU (Universal Creator)
Next level: 41.8%
Posts: 41470
Images: 14480
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Calculator(s):
MyCalcs profile
YouTube: critor3000
Twitter/X: critor2000
GitHub: critor

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 19 Jan 2018, 18:58

critor wrote: Polydumper includes some asm code to map Boot1 at 0x00100000:
archives_voir.php?id=3829

Code: Select all
asm("ldr r1,=0x00000C12");
asm("mrc p15,0,r0,c2,c0,0");
asm("str r1,[r0,#4]");
asm("ldr r0,=0x00100000");
asm("mcr p15,0,r0,c8,c7,1");

Warning at PC=111E43A0: Unknown coprocessor instruction MCR EE080F37

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 19 Jan 2018, 19:12

The real hardware won't bother. ;)

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 19 Jan 2018, 19:24

critor wrote: The real hardware won't bother. ;)

Something else is wrong:

Code: Select all
Warning at PC=111E43A0: Unknown coprocessor instruction MCR EE080F37
Error at PC=00020000: Bad PC: 00020000

   Backtrace:
Frame     PrvFrame Self     Return   Start
11229444: 00000000 00000000 1132CCC0 00008800
debug> c
Reset



Boot Loader Stage 1 (3.00.99)

etc
It didn't actually map the boot1 to 0x00000000 anyway ("d 100" just shows zeros)

I changed it to ldr r0,=0x00000000, which should work...right?
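The two raw words in this exchange, the descriptor 0x00000C12 written by the Polydumper snippet and the MCR word EE080F37 that nspire_emu rejects, can be checked by decoding their bit fields. The following is an added example (not code from the thread, Polydumper or nspire_emu) that decodes an ARMv5/ARM926 first-level section descriptor and an MCR/MRC coprocessor word, and computes which virtual megabyte a given table offset maps; it shows that the `+4` in the `str` selects the virtual address, while the register passed to the `c8,c7,1` invalidate only names the TLB entry to flush.

```c
#include <stdint.h>
#include <stdio.h>
/* ARMv5 (ARM926EJ-S) first-level "section" descriptor fields. */
typedef struct {
    int is_section;       /* bits [1:0] == 0b10 */
    uint32_t phys_base;   /* bits [31:20]: physical base of the 1 MB section */
    unsigned ap;          /* bits [11:10]: access permissions (3 = full access) */
    unsigned domain;      /* bits [8:5] */
    unsigned c, b;        /* cacheable / bufferable bits */
} section_desc_t;
section_desc_t decode_section(uint32_t d) {
    section_desc_t s;
    s.is_section = (d & 3u) == 2u;
    s.phys_base = d & 0xFFF00000u;
    s.ap = (d >> 10) & 3u;
    s.domain = (d >> 5) & 0xFu;
    s.c = (d >> 3) & 1u;
    s.b = (d >> 2) & 1u;
    return s;
}
/* Byte offset from TTBR of the first-level entry covering va (one word per MB). */
uint32_t section_entry_offset(uint32_t va) { return (va >> 20) * 4u; }
/* Virtual address mapped by the entry at byte offset off. */
uint32_t section_entry_va(uint32_t off) { return (off / 4u) << 20; }
/* MCR/MRC coprocessor instruction fields. */
typedef struct { unsigned is_mrc, opc1, crn, rt, cp, opc2, crm; } cp_insn_t;
cp_insn_t decode_cp_insn(uint32_t w) {
    cp_insn_t i;
    i.is_mrc = (w >> 20) & 1u;   /* L bit: 1 = MRC (read), 0 = MCR (write) */
    i.opc1   = (w >> 21) & 7u;
    i.crn    = (w >> 16) & 0xFu;
    i.rt     = (w >> 12) & 0xFu;
    i.cp     = (w >> 8)  & 0xFu;
    i.opc2   = (w >> 5)  & 7u;
    i.crm    = w & 0xFu;
    return i;
}
int main(void) {
    section_desc_t s = decode_section(0x00000C12u);  /* r1 in the snippet */
    cp_insn_t m = decode_cp_insn(0xEE080F37u);       /* the rejected MCR */
    printf("descriptor: section=%d phys=%08X AP=%u dom=%u C=%u B=%u\n",
           s.is_section, (unsigned)s.phys_base, s.ap, s.domain, s.c, s.b);
    printf("str at TTBR+4 maps VA %08X; VA 0 is at TTBR+%u\n",
           (unsigned)section_entry_va(4), (unsigned)section_entry_offset(0));
    printf("%s p15,%u,r%u,c%u,c%u,%u\n", m.is_mrc ? "mrc" : "mcr",
           m.opc1, m.rt, m.crn, m.crm, m.opc2);
    return 0;
}
```

Decoded, EE080F37 is exactly `mcr p15,0,r0,c8,c7,1` (invalidate unified TLB entry by MVA), a valid ARM926 operation, so the warning is an emulator gap rather than a fault in the snippet; and the descriptor lands at offset 4 regardless of what r0 is later set to, so it always maps virtual 0x00100000, never 0x00000000.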

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 19 Jan 2018, 19:28

Yes, the code was mapping to 0x00100000.

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 19 Jan 2018, 19:30

critor wrote: Yes, the code was mapping to 0x00100000.

"I changed it to ldr r0,=0x00000000, which should work...right?"

It didn't work when it was 0x00100000 either, though.

Can you just PM me?

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 19 Jan 2018, 19:39

I don't think it'll work on nspire_emu anyway; something is not implemented, if I remember well. Boot1 dumpers don't work on nspire_emu, for example.

Maybe it'll work on firebird, but I'm not sure.
It should work on a real calculator.

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 19 Jan 2018, 19:44

critor wrote: I don't think it'll work on nspire_emu anyway; something is not implemented, if I remember well. Boot1 dumpers don't work on nspire_emu, for example.

Maybe it'll work on firebird, but I'm not sure.
It should work on a real calculator.

I need a method that works on nspire_emu or firebird because my CX was stolen last year (remember?).

Boot1.5 successfully *unmaps* the boot1 from 0x00000000, so there has to be a way to put it back again.

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 19 Jan 2018, 19:49

I know. :(
I perfectly understand that it's going to be hard (and hazardous) to develop a boot loader without an emulator.

To begin with, are you using nspire_emu or firebird?