I found a vulnerability in boot1.5 4.4.0.8!


Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 18:42

Lionel Debroux wrote: With reliable code execution, you can change the contents of the virtual memory translation table to map the boot1, if it's not mapped at the suitable place (0 or A4000000, back in the day) when the boot1.5 executes.

That is the problem. Nothing is mapped there.

How do I map it? I looked at some code in ControlX to map the second 32MB of RAM, but I don't understand how it works.
My Projects:
nLoader • CAS Patcher for ControlX • nLaunchy CXM fork (3.9 CAS on B&W) - News Article
Prototypes:
Upgrade EVT Nspire CAS+ • Fix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vuln (used in nLoader) • Nspire dev boards • Pink CX
I can understand French but I can't speak it well.

parrotgeek1 (Prog.)
Niveau 11: LV (Légende Vivante)
Posts: 739
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Class: university student
GitHub: parrotgeek1

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 18:44

Polydumper includes some asm code to map Boot1 at 0x00100000:
archives_voir.php?id=3829

Code:
asm("ldr r1,=0x00000C12");    /* section descriptor: physical base 0x00000000, AP=3 (full access), section type */
asm("mrc p15,0,r0,c2,c0,0");  /* read the translation table base register (TTBR) into r0 */
asm("str r1,[r0,#4]");        /* write L1 entry 1, i.e. the 1 MB section at virtual 0x00100000 */
asm("ldr r0,=0x00100000");    /* virtual address of the section just mapped */
asm("mcr p15,0,r0,c8,c7,1");  /* invalidate the unified TLB entry for that virtual address */
critor (Admin.)
Niveau 18: DC (Deus ex Calculatorum)
Posts: 34111
Images: 8836
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Class: Lycée
YouTube: critor3000
Twitter: critor2000
Facebook: critor.ti

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 18:58

critor wrote: Polydumper includes some asm code to map Boot1 at 0x00100000:
archives_voir.php?id=3829

Code:
asm("ldr r1,=0x00000C12");
asm("mrc p15,0,r0,c2,c0,0");
asm("str r1,[r0,#4]");
asm("ldr r0,=0x00100000");
asm("mcr p15,0,r0,c8,c7,1");

Warning at PC=111E43A0: Unknown coprocessor instruction MCR EE080F37

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 19:12

The real hardware won't bother. ;)

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 19:24

critor wrote: The real hardware won't bother. ;)

Something else is wrong:

Code:
Warning at PC=111E43A0: Unknown coprocessor instruction MCR EE080F37
Error at PC=00020000: Bad PC: 00020000

   Backtrace:
Frame     PrvFrame Self     Return   Start
11229444: 00000000 00000000 1132CCC0 00008800
debug> c
Reset



Boot Loader Stage 1 (3.00.99)

etc
It didn't actually map the boot1 to 0x00000000 anyway ("d 100" just shows zeros)

I changed it to ldr r0,=0x00000000, which should work...right?

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 19:28

Yes, the code was mapping to 0x00100000.
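To make the five asm lines above and the 0x00100000-versus-0 confusion concrete, here is an added example (not Polydumper's code and not from anyone in this thread) that builds the same section descriptor in a simulated ARMv5-style first-level table held in RAM and walks it: it shows why 0xC12 at byte offset 4 maps physical address 0 at virtual 0x00100000, and why looking at virtual 0x100 afterwards does not show the boot1 unless entry 0 is written instead. The table layout, the function names and the "everything unmapped" starting state are assumptions; the TLB invalidate (mcr p15,0,r0,c8,c7,1) has no counterpart here because there is no TLB to flush.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy ARMv5-style first-level (L1) translation table: 4096 32-bit entries,
 * one per 1 MB of virtual address space. It lives in RAM here; on the
 * calculator its base comes from the TTBR read ("mrc p15,0,r0,c2,c0,0"). */
#define L1_ENTRIES 4096u
static uint32_t l1_table[L1_ENTRIES];

/* Section descriptor: physical base in bits[31:20], AP in bits[11:10],
 * bit 4 always set, bits[1:0] = 0b10 marks a section (domain, C, B = 0). */
uint32_t section_descriptor(uint32_t phys_base, unsigned ap)
{
    return (phys_base & 0xFFF00000u) | ((ap & 3u) << 10) | (1u << 4) | 0x2u;
}

/* Install a 1 MB section mapping. The L1 index is virt >> 20, so entry 1
 * (byte offset 4, the "str r1,[r0,#4]" of the snippet) covers virtual
 * 0x00100000..0x001FFFFF. Returns the byte offset written into the table. */
uint32_t map_section(uint32_t virt, uint32_t phys)
{
    uint32_t idx = virt >> 20;
    l1_table[idx] = section_descriptor(phys, 3u);  /* AP=3: read/write */
    return idx * 4u;
}

/* Walk the table for one virtual address. Returns 1 with *phys filled in if
 * a section mapping exists, 0 if the entry is a fault entry (bits[1:0]=00). */
int translate(uint32_t virt, uint32_t *phys)
{
    uint32_t d = l1_table[virt >> 20];
    if ((d & 3u) != 2u)
        return 0;
    *phys = (d & 0xFFF00000u) | (virt & 0x000FFFFFu);
    return 1;
}

int main(void)
{
    uint32_t pa;
    memset(l1_table, 0, sizeof l1_table);        /* assumed: nothing mapped */
    uint32_t off = map_section(0x00100000u, 0u); /* same effect as the snippet */
    printf("entry at TTB+%u = 0x%03X\n", off, l1_table[1]);
    printf("VA 0x00000100: %s\n", translate(0x100u, &pa) ? "mapped" : "fault");
    if (translate(0x00100100u, &pa))
        printf("VA 0x00100100 -> PA 0x%08X\n", pa);
    return 0;
}
```

Writing the same descriptor at offset 0 instead (parrotgeek1's "ldr r0,=0x00000000" variant) makes virtual 0x100 resolve to physical 0x100, which is what the debugger's "d 100" would then display.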

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 19:30

critor wrote: Yes, the code was mapping to 0x00100000.

"I changed it to ldr r0,=0x00000000, which should work...right?"

It didn't work when it was 0x00100000 either, though.

Can you just PM me?

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 19:39

I don't think it'll work on nspire_emu anyway - something is not implemented if I remember well. Boot1 dumpers don't work on nspire_emu for example.

Maybe it'll work on firebird, but I'm not sure.
It should work on a real calculator.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 19:44

critor wrote: I don't think it'll work on nspire_emu anyway - something is not implemented if I remember well. Boot1 dumpers don't work on nspire_emu for example.

Maybe it'll work on firebird, but I'm not sure.
It should work on a real calculator.

I need a method that works on nspire_emu or firebird because my CX was stolen last year (remember?)

Boot1.5 successfully *unmaps* the boot1 from 0x00000000, so there has to be a way to put it back again.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 19:49

I know. :(
I perfectly understand that it's going to be hard
(and hazardous)
to develop a boot loader without an emulator.

To begin with, are you using nspire_emu or firebird?
