Page 8 of 15

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 23 Jan 2018, 23:15
by critor
Oh, funny! :D

Reminds me of the Boot1 1.1.9999 patch which could be flashed on TI-Nspire ClickPad DVT1.2, DVT2.0, HW-A, and maybe HW-B:

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 23 Jan 2018, 23:23
by critor
@parrotgeek1
Couldn't rebuild nanoloader on cygwin, it complains about find commands, which don't appear in the Makefile...

But I've tested on nspire_emu with your prebuilt images.
No problem with both Boot1 3.0.0.99 and 4.0.1.43.

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 23 Jan 2018, 23:41
by critor
Also works on the splash screen, great! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 23 Jan 2018, 23:59
by critor
parrotgeek1 wrote:
critor wrote: Could you check how to add a correct size to your 0x8000 HHackers!, so that BtMg is going to flash your image correctly?

If I do that, the exploit doesn't work


Doesn't seem to be the case.

Fixed the CAS image manually in the hex editor.

Not complicated: you already specify a size for the HHackers! 0x8070 subfield. Just add 0x20 to it for the HHackers! 0x8000 root field.

Can now be flashed correctly with BtMg:

And moreover, it works! :bj:
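The size fix critor describes above (the root field's declared length has to cover the subfield it contains, header included, or the flashing tool refuses the image) is the kind of check worth automating before any image is handed to a flasher. The following is an added example, not code from this thread, from parrotgeek1 or from any TI tool. It assumes an illustrative nested field layout (2-byte big-endian ID, 4-byte big-endian payload length, then the payload; only the 0x8000 root nests other fields); the real image format and the 0x20 delta critor cites are not reproduced here, so under this assumed layout the missing amount is one child header, `HDR_LEN` bytes.

```python
import struct

# Assumed layout (illustrative, not the documented image format): every field is a
# 2-byte big-endian ID, a 4-byte big-endian payload length, then the payload.
HDR_LEN = struct.calcsize(">HI")   # 6 bytes
ROOT_ID = 0x8000                   # field name taken from the thread; nesting is assumed
DATA_ID = 0x8070                   # subfield name taken from the thread
CONTAINER_IDS = {ROOT_ID}          # assumed: only the root field contains other fields


def encode_field(field_id, payload):
    """Encode a leaf field under the assumed layout."""
    return struct.pack(">HI", field_id, len(payload)) + payload


def encode_container(field_id, children):
    """Correct container: the declared length covers every child's header and payload."""
    body = b"".join(encode_field(i, p) for i, p in children)
    return struct.pack(">HI", field_id, len(body)) + body


def encode_container_payload_only(field_id, children):
    """The defect discussed in the thread, reproduced under the assumed layout: the
    declared length counts only the children's payloads and leaves their headers out."""
    body = b"".join(encode_field(i, p) for i, p in children)
    declared = sum(len(p) for _, p in children)
    return struct.pack(">HI", field_id, declared) + body


def declared_length(buf, off=0):
    """Read the declared payload length of the field starting at off."""
    return struct.unpack_from(">I", buf, off + 2)[0]


def walk(buf, start, end, depth=0):
    """Recursively parse the fields in buf[start:end]; returns [(depth, id, length)].
    Raises ValueError on the first declared length that does not fit its container."""
    out = []
    off = start
    while off < end:
        if off + HDR_LEN > end:
            raise ValueError(f"truncated header at offset {off:#x}")
        fid, length = struct.unpack_from(">HI", buf, off)
        body_start = off + HDR_LEN
        body_end = body_start + length
        if body_end > end:
            raise ValueError(f"field {fid:#06x} at {off:#x} declares {length:#x} bytes "
                             f"but only {end - body_start:#x} remain in its container")
        out.append((depth, fid, length))
        if fid in CONTAINER_IDS:
            out.extend(walk(buf, body_start, body_end, depth + 1))
        off = body_end
    return out


def check_image(buf):
    """Return (ok, message). Reject an image whose nested lengths do not fit or whose
    root does not account for the whole buffer, before it reaches a flashing tool."""
    try:
        fields = walk(buf, 0, len(buf))
    except ValueError as e:
        return False, str(e)
    _, root_id, root_len = fields[0]
    if root_id != ROOT_ID:
        return False, f"first field is {root_id:#06x}, expected root {ROOT_ID:#06x}"
    if HDR_LEN + root_len != len(buf):
        return False, (f"root declares {root_len:#x} bytes, image holds "
                       f"{len(buf) - HDR_LEN:#x} bytes after the root header")
    return True, f"ok: {len(fields)} fields"


def fix_root_length(buf):
    """The hex-editor fix from the thread, automated under the assumed layout: set the
    root's declared length to everything that follows its header. Re-run check_image()
    afterwards, since a wrong child length is not repaired by this."""
    if len(buf) < HDR_LEN or struct.unpack_from(">H", buf, 0)[0] != ROOT_ID:
        raise ValueError("buffer does not start with a root field")
    return struct.pack(">HI", ROOT_ID, len(buf) - HDR_LEN) + buf[HDR_LEN:]


if __name__ == "__main__":
    # Constructed sample: one 16-byte data subfield under the root.
    children = [(DATA_ID, b"\xAA" * 16)]
    bad = encode_container_payload_only(ROOT_ID, children)
    good = encode_container(ROOT_ID, children)
    print("bad  :", check_image(bad))
    print("good :", check_image(good))
    print("fixed:", check_image(fix_root_length(bad)))
    print("delta:", declared_length(good) - declared_length(bad), "bytes (one child header)")
```

The checker deliberately parses each container only within its declared length, which is how a strict loader behaves; that is why the short root length surfaces as the child "not fitting" rather than as a silent truncation of the data field.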

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 24 Jan 2018, 00:12
by parrotgeek1
.

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 24 Jan 2018, 00:35
by critor
Sorry, and indeed :(

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 24 Jan 2018, 00:46
by critor
Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0��.p��.���.���.
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $��.���.���.0��.
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |�n[��G\97�n).��
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   �@@Q.N..�[��#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   �t=XH�U;�A��7.H�


In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing - don't know, but it's clearly wrong:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ..�.�.�.�.�.�.�.
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   �.�.�.�.�.�.�.�.
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.���.P�.���D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ��">.�"2..��....
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   �`.�...0��#...0�
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   �...............
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|�n[��G\97�n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ���@@Q.N..�[��#8


I suppose Boot1.5 is behaving differently for some obscure reason...

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 24 Jan 2018, 01:02
by parrotgeek1
critor wrote: Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0��.p��.���.���.
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $��.���.���.0��.
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |�n[��G\97�n).��
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   �@@Q.N..�[��#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   �t=XH�U;�A��7.H�


In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing - don't know, but it's clearly wrong:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ..�.�.�.�.�.�.�.
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   �.�.�.�.�.�.�.�.
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.���.P�.���D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ��">.�"2..��....
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   �`.�...0��#...0�
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   �...............
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|�n[��G\97�n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ���@@Q.N..�[��#8


I suppose Boot1.5 is behaving differently for some obscure reason...

If you "k 111e0000", the compressed boot2 is in the right place, but it fails to decompress it... why?!

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 24 Jan 2018, 23:54
by critor
Added some debug in the Boot2 decompression, with the fields encountered.

Here is the normal behaviour:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.


And now, here is the totally abnormal CR4 behaviour:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
Wrong boot2 version

So it appears decompressFiles() is launched a 1st time, but then we don't reach patch_Boot2().
Instead, your exploit is launched a 2nd time...

Something's clearly bad, so a corrupted decompressed Boot2 image doesn't surprise me at all.

Re: I found an exploit in boot1.5 4.4.0.8!

Posted: 25 Jan 2018, 00:05
by critor
Also seems to be random.

Just worked after a reset, but with the exploit still being launched twice:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.
Boot Loader Stage 2 (4.0.3.49)
Build: 2015/11/6, 12:44:23
Copyright (c) 2006-2015 Texas Instruments Incorporated
Using production keys

Clocks:  CPU = 132MHz   AHB = 66MHz   APB = 33MHz
Checking for NAND: NAND Flash ID: Generic 1 GBit (0xA1)
This device is a CXCR.
TI_PM_SetShipMode:  FALSE
Unknown LCD(0x00 0x00 0x00).


Initializing graphics subsystem.
Unknown LCD(0x00 0x00 0x00).
Boot option: Normal


Initializing filesystem.
  Skipping NAND workaround.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
FB NAND Flash Controller
FFX: BBM Format found 0 bad blocks (IOError=0 Factory=0 Marked=0 Legacy=0)
FlashFX: Formatting... One moment please
100%
FlashFX: Format complete, Status=0x00000000
relFs_Format v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Writing file system...100
Block size: 2048
Total blocks: 59008
Used blocks: 21
Free blocks: 58987
Filesystem ready.
deleteTree(): path /tmp
TI_OS_deleteTree: deleteAllFiles Done!

Loading Operating System...

Error loading OS image. Removing OS remnants.

Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
USB Download is enabled.