I found a vulnerability in boot1.5 4.4.0.8!
Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:15

Oh, funny! :D

Reminds me of the Boot1 1.1.9999 patch which could be flashed on TI-Nspire ClickPad DVT1.2, DVT2.0, HW-A, and maybe HW-B:
critor (Admin.)
Niveau 18: DC (Deus ex Calculatorum), Level up: 99.7%
Posts: 34074
Images: 8827
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Class: Lycée
YouTube: critor3000
Twitter: critor2000
Facebook: critor.ti

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:23

@parrotgeek1
Couldn't rebuild nanoloader on Cygwin; it complains about find commands, which don't appear in the Makefile...

But I've tested on nspire_emu with your prebuilt images.
No problem with both Boot1 3.0.0.99 and 4.0.1.43.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:41

Also works on the splash screen, great! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:59

parrotgeek1 wrote:
critor wrote: Could you check how to add a correct size to your 0x8000 HHackers!, so that BtMg is going to flash your image correctly?

If I do that, the exploit doesn't work

That doesn't seem to be the case.

Fixed the CAS image manually in the hex editor.

Not complicated: you already specify a size for the HHackers! 0x8070 subfield. Just add 0x20 to it for the HHackers! 0x8000 root field.

It can now be flashed correctly with BtMg.

And moreover, it works! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 24 Jan 2018, 00:12

critor wrote: Oh, funny! :D
Reminds me of the Boot1 1.1.9999 patch which could be flashed on TI-Nspire ClickPad DVT1.2, DVT2.0, HW-A, and maybe HW-B:

That's an intentional reference, yes. It's also partly to prevent hiding it, but in a way that doesn't look terrible.

To build nanoloader, remove "./todo.sh" from mknanoloader.sh. I'm going to change that; it was a stupid idea anyway.

Read carefully: the problem is not that it doesn't work on boot1 4.0.1. The problem is that it doesn't work on boot1 4.0.1 *when the emulator is emulating a CR4*.
My Projects:
nLoader • CAS Patcher for ControlX • nLaunchy CXM fork (3.9 CAS on B&W) - News Article
Prototypes:
Upgrade EVT Nspire CAS+ • Fix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vuln (used in nLoader) • Nspire dev boards • Pink CX
I can understand French but I can't speak it well.

parrotgeek1 (Prog.)
Niveau 11: LV (Légende Vivante), Level up: 68.6%
Posts: 739
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Class: university student
GitHub: parrotgeek1

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 24 Jan 2018, 00:35

Sorry, and indeed :(

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 24 Jan 2018, 00:46

Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   ................
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   ................
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0...p...........
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $...........0...
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |.n[..G\97.n)...
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   .@@Q.N...[..#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   .t=XH.U;.A..7.H.

In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing (I don't know which), but it's clearly wrong:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ................
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ................
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.....P.....D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ..">.."2........
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   .`.....0..#...0.
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|.n[..G\97.n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ...@@Q.N...[..#8

I suppose Boot1.5 is behaving differently for some obscure reason...
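
An added example for the "corrupted, shifted or just missing" question in the post above. It is not code from the thread, from nLoader or from nspire_emu: it parses the two `d 11800000` dumps exactly as posted (ASCII column dropped), slides one over the other and reports the offset at which the most bytes coincide. The dump line layout is taken from the posted output; the non-zero-byte voting heuristic and the 64-byte search window are this example's own assumptions. Run on the posted dumps, it reports that from 0x1180004E onward the CR4 dump is the non-CR4 dump displaced by 0x12 bytes, with unrelated data in front of it.

```python
"""Align two nspire_emu memory dumps to test whether one is a shifted copy of
the other. Added example for this thread; not nLoader or nspire_emu code."""
import re

# 'd 11800000' with Boot1 4.0.1.43, emulator NOT in CR4 mode (copied from the post).
GOOD_DUMP = """
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0
"""

# Same command with the emulator in CR4 mode, the "Wrong boot2 version" case.
BAD_DUMP = """
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38
"""

# One dump line: 8 hex digit address, then up to 16 hex byte pairs separated by
# ' ' or '-' (nspire_emu puts a '-' between the two 8-byte halves).
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}[ -]?){1,16})")


def parse_dump(text):
    """Return (base_address, bytes) for a dump; reject non-contiguous lines."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, the '>d' prompt, blank lines
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError("dump is not contiguous at %08X" % addr)
        data += bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
    return base, bytes(data)


def find_shift(ref, sample, max_shift=64):
    """Slide `sample` over `ref` and return (shift, matches) for the alignment
    where sample[i] == ref[i - shift] holds for the most bytes. Zero bytes do
    not vote, so zero-filled memory cannot produce a spurious alignment."""
    best_shift, best_matches = 0, -1
    for shift in range(-max_shift, max_shift + 1):
        matches = sum(
            1
            for i, b in enumerate(sample)
            if b and 0 <= i - shift < len(ref) and ref[i - shift] == b
        )
        if matches > best_matches:
            best_shift, best_matches = shift, matches
    return best_shift, best_matches


def matching_runs(ref, sample, shift):
    """Runs (sample_offset, length) where sample equals ref at that shift.
    Zeros do count here, so a run spans zero-filled gaps between matches."""
    runs, start = [], None
    for i, b in enumerate(sample):
        j = i - shift
        same = 0 <= j < len(ref) and ref[j] == b
        if same and start is None:
            start = i
        elif not same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(sample) - start))
    return runs


def compare_dumps(good_text, bad_text):
    """Base address, best shift, vote count and the longest aligned run."""
    base, good = parse_dump(good_text)
    _, bad = parse_dump(bad_text)
    shift, matches = find_shift(good, bad)
    longest = max(matching_runs(good, bad, shift), key=lambda r: r[1])
    return {"base": base, "shift": shift, "matches": matches, "longest_run": longest}


if __name__ == "__main__":
    r = compare_dumps(GOOD_DUMP, BAD_DUMP)
    off, n = r["longest_run"]
    print("bad dump = good dump shifted by 0x%X bytes (%d voting bytes)" % (r["shift"], r["matches"]))
    print("longest aligned run: %d bytes at %08X (good image offset +%02X)"
          % (n, r["base"] + off, off - r["shift"]))
```

Excluding zero bytes from the vote matters for this pair of dumps: the 16 zero bytes at +0x40 in the good image would otherwise line up with any zero region of the bad one. They are counted again when measuring run length, which is why the reported run covers the zero gap and continues into the vector-table pointers before it.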

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 24 Jan 2018, 01:02

critor wrote: Indeed, very strange.
[...]
I suppose Boot1.5 is behaving differently for some obscure reason...

If you "k 111e0000" the compressed boot2 is in the right place, but it fails to decompress it... why?!

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 24 Jan 2018, 23:54

Added some debug output in the Boot2 decompression, with the fields encountered.

Here is the normal behaviour:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.

And now, here is the totally abnormal CR4 behaviour:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
Wrong boot2 version

So it appears decompressFiles() is launched a first time, but then we don't reach patch_Boot2().
Instead your exploit is launched a second time...

Something's clearly bad, so a corrupted decompressed Boot2 image doesn't surprise me at all.
Image
User avatar
critorAdmin.
Niveau 18: DC (Deus ex Calculatorum)
Niveau 18: DC (Deus ex Calculatorum)
Level up: 99.7%
 
Posts: 34074
Images: 8827
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Calculator(s):
Class: Lycée
YouTube: critor3000
Twitter: critor2000
Facebook: critor.ti

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 25 Jan 2018, 00:05

It also seems to be random.

It just worked after a reset, but with the exploit still being launched twice:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.

Boot Loader Stage 2 (4.0.3.49)
Build: 2015/11/6, 12:44:23
Copyright (c) 2006-2015 Texas Instruments Incorporated
Using production keys

Clocks:  CPU = 132MHz   AHB = 66MHz   APB = 33MHz
Checking for NAND: NAND Flash ID: Generic 1 GBit (0xA1)
This device is a CXCR.
TI_PM_SetShipMode:  FALSE
Unknown LCD(0x00 0x00 0x00).

Initializing graphics subsystem.
Unknown LCD(0x00 0x00 0x00).
Boot option: Normal

Initializing filesystem.
  Skipping NAND workaround.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
FB NAND Flash Controller
FFX: BBM Format found 0 bad blocks (IOError=0 Factory=0 Marked=0 Legacy=0)
FlashFX: Formatting... One moment please
100%
FlashFX: Format complete, Status=0x00000000
relFs_Format v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Writing file system...100
Block size: 2048
Total blocks: 59008
Used blocks: 21
Free blocks: 58987
Filesystem ready.
deleteTree(): path /tmp
TI_OS_deleteTree: deleteAllFiles Done!

Loading Operating System...

Error loading OS image. Removing OS remnants.

Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
USB Download is enabled.