I found a vulnerability in boot1.5 4.4.0.8!


Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 19:51

critor wrote: I know. :(
I perfectly understand that it's going to be hard (and hazardous) to develop a boot loader without an emulator.

To begin with, are you using nspire_emu or firebird?

nspire_emu, because read breakpoints STILL don't work in 64-bit firebird.
I suppose since the exploit works well I could switch to firebird.
My Projects:
nLoader • CAS Patcher for ControlX • nLaunchy CXM fork (3.9 CAS on B&W) - News Article
Prototypes:
Upgrade EVT Nspire CAS+ • Fix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vuln (used in nLoader) • Nspire dev boards • Pink CX
I can understand French but I can't speak it well.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 21:40

critor wrote: I don't think it'll work on nspire_emu anyway - something is not implemented if I remember well. Boot1 dumpers don't work on nspire_emu for example.

Maybe it'll work on firebird, but I'm not sure.
It should work on a real calculator.

It works on firebird.

But, when you try to use the read_nand function, boot1 (3.0.0.99) crashes.
@Lionel Debroux

Also I just realized something really dumb I never thought of:

All of the boot1 functions are at different addresses on boot1 4.0 lol

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 21:56

Yes. If we want a new boot loader working on both HW-W+ and HW<W, we'll have to make it check the Boot1 version.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 22:00

critor wrote: Yes. If we want a new boot loader working on both HW-W+ and HW<W, we'll have to make it check the Boot1 version.

And write 2 different screen.c files, one that displays everything sideways. Ugh.

I wonder if Excale or Vogtinator would help with the nand stuff?

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 19 Jan 2018, 22:34

Let's just make everything use set_pixel(), with 2 cases in set_pixel(). :)
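One way to build the "single set_pixel() with 2 cases" that critor proposes above, as an added example that is not code from this thread, from nLoader or from any TI firmware. It assumes a constructed 320x240, 16 bpp screen, an assumed 90-degree rotation direction for the sideways panel, and a hardware family selected once after the boot loader's Boot1 version check; every coordinate is bounds-checked so a bad caller can never turn set_pixel() into a write outside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry: a 320x240 logical screen, 16 bpp (assumption, not from the thread). */
#define LCD_W 320
#define LCD_H 240

/* Constructed stand-in for panel memory; on hardware this would be the LCD controller's buffer. */
static uint16_t framebuffer[LCD_W * LCD_H];

/* Which panel wiring the boot loader found when it checked the Boot1 version at start-up. */
enum hw_family { HW_UPRIGHT = 0, HW_SIDEWAYS = 1 };
static enum hw_family g_hw = HW_UPRIGHT;

void lcd_select(enum hw_family hw) { g_hw = hw; }

/* Translate logical (x, y) into an index in the panel's native scan order.
 * Returns SIZE_MAX when the coordinate is off-screen, so the caller never
 * converts a bad coordinate into an out-of-bounds write.
 * HW_UPRIGHT:  native rows are LCD_W pixels wide, same orientation as logical.
 * HW_SIDEWAYS: native rows are LCD_H pixels wide (panel rotated 90 degrees,
 *              assumed direction): native_x = y, native_y = LCD_W - 1 - x. */
size_t pixel_offset(enum hw_family hw, int x, int y)
{
    if (x < 0 || x >= LCD_W || y < 0 || y >= LCD_H)
        return SIZE_MAX;
    if (hw == HW_UPRIGHT)
        return (size_t)y * LCD_W + (size_t)x;
    return (size_t)(LCD_W - 1 - x) * LCD_H + (size_t)y;
}

/* The one drawing primitive that text, boxes and progress bars are built on. */
int set_pixel(int x, int y, uint16_t color)
{
    size_t off = pixel_offset(g_hw, x, y);
    if (off == SIZE_MAX)
        return -1;                    /* rejected, not silently clipped into memory */
    framebuffer[off] = color;
    return 0;
}

uint16_t get_pixel(int x, int y)
{
    size_t off = pixel_offset(g_hw, x, y);
    return off == SIZE_MAX ? 0 : framebuffer[off];
}

int main(void)
{
    lcd_select(HW_SIDEWAYS);
    set_pixel(10, 20, 0xF800);        /* red in RGB565 */
    printf("native index %zu\n", pixel_offset(HW_SIDEWAYS, 10, 20));   /* 74180 */
    return 0;
}
```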

Re: I found an exploit in boot1.5 4.4.0.8!

Post by Lionel Debroux » 19 Jan 2018, 22:37

Lack of testing on real calculators is a bit worrisome ;)
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TIEmu and TILP.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 19 Jan 2018, 22:41

Lionel Debroux wrote: Lack of testing on real calculators is a bit worrisome ;)

Are you saying the exploit doesn't work on real hardware? The ;) makes me think you're hinting at that.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by Lionel Debroux » 19 Jan 2018, 22:51

The fact that exploits work on emulators - especially older ones, as you're running mainly nspire_emu for the reason you described above - does in no way warrant that said exploits work on real hardware (let alone that they don't cause issues), indeed...
Heck, even the fact that an exploit doesn't work on an emulator doesn't imply that it doesn't work on real hardware (though clearly, such a situation is unlikely, provided the emulator is accurate enough).

It's been about 16 years since I became aware of emulator glitches (in addition to missing features) on the TI-68k series. Non-existent bits in SR, garbage in - garbage out on the nbcd instruction, and even a simple instruction sequence which produces a different result when run on an emulator which doesn't emulate the 68000's embryonic pipeline - the trio was used as anti-VTI measures (and thereby a weak protection against reverse-engineering by script kiddies) in HW3Patch. TIEmu has none of these three bugs, so HW3Patch works properly, and in the abandoned JS TI-68k emulator, I worked around the third check.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 20 Jan 2018, 00:01

I would use firebird more if it let me launch it from the command line with a boot1/boot2 instead of having to create a new flash image in the GUI every single time. It's really tedious.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 20 Jan 2018, 15:04

Same thing here.
I rarely use firebird, because I'm always dealing with different flash images.