π
<-
Chat plein-écran
[^]

Patching 4.4.0.532 CAS to run on Non-CAS

C, C++, ASM...

Patching 4.4.0.532 CAS to run on Non-CAS

Unread postby parrotgeek1 » 01 Feb 2017, 08:15

I would like to announce that I have made several breakthroughs on patching 4.4.0.532 CAS to run on Non-CAS.
The environment I am testing them in is Nlaunchy with my own modified version of Firebird.

Components used:

1) Modified version of firebird which does a warning every time 900A0028/2C are read [ASIC user flags], so the address is printed out and you can look there in IDA.

(edit: removed)

2) Nlaunchy, latest version

The trick to installing it in firebird is:

Use 3.2 instead of 3.1 OS because file transfer doesn't work right on 3.1
To hold multiple keys to get to the maintenance menu, right click them.

3) OS 4.4.0.532 CX CAS

---------------------------------------------

To dump the OS: in emulator debugger

k 10000000
<wait, skip warnings by typing c>
wm ../../../../../../../../../../../Users/ethan/Desktop/4.4.bin 10000000 2000000

Yes you need those ../ on mac, you don't on windows

To nop out an instruction

pw <address> 0

You should enable "enter debugger on warning" in firebird preferences. It will have some warnings in boot2 but just type c to continue.

(the rest of this post is now irrelevant)
Last edited by parrotgeek1 on 22 Sep 2018, 00:55, edited 3 times in total.
My Projects:
nLoaderCAS Patcher for ControlXnLaunchy CXM fork (3.9 CAS on B&W) - News ArticleTI-82 Advanced App Installer
Prototypes:
Upgrade EVT Nspire CAS+ - News ArticleFix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vulnerability (used in nLoader) • Nspire dev boardsPink CX
Je peux comprendre le français mais je ne peux pas le parler bien.
User avatar
parrotgeek1Programmeur
Niveau 11: LV (Légende Vivante)
Niveau 11: LV (Légende Vivante)
Level up: 78.6%
 
Posts: 758
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Calculator(s):
GitHub: parrotgeek1

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby critor » 01 Feb 2017, 12:20

Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

I'm not sure I can help, but here are the 5-bits ASIC user flags values ( https://hackspire.org/index.php/Memory- ... cellaneous )
  • 0b11111 TI-XXXXXXXXXXX DVT1.2, TI-XXXXXXXXXXX CAS DVT1.2, TI-Nspire DVT 2.0, TI-Nspire CAS DVT 2.0
  • 0b00000 TI-Nspire, TI-Nspire TouchPad, TI-Nspire CX, TI-Nspire Lab Cradle
  • 0b00001 TI-Nspire CAS, TI-Nspire CAS TouchPad, TI-Nspire CX CAS
  • 0b00010 TI-Nspire CM
  • 0b00011 TI-Nspire CM CAS
Image
User avatar
critorAdmin
Niveau 19: CU (Créateur Universel)
Niveau 19: CU (Créateur Universel)
Level up: 8.4%
 
Posts: 35907
Images: 9787
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Calculator(s):
Class: Lycée
YouTube: critor3000
Twitter: critor2000
Facebook: critor.ti
GitHub: critor

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby parrotgeek1 » 02 Feb 2017, 05:26

newest patch attempt

in cxcas emulator

900A0028 is 00010105
900A002C is 04000001

so I tried to fake those values

I have successfully redirected 900a002x to 11f0002x but it does not work
---------------------------------

boot2 has
118b7cf8: e59f3478 ldr r3,[118b8178] = 900a0000
so

k 11800000
c

pw 11F00028 00010105
pw 11F0002C 04000001
pw 118B8178 11F00000
k 10000000
c

-----------
os has
100e44f4: e59f1190 ldr r1,[100e468c] = 900a0000

so

pw 11F00028 00010105
pw 11F0002C 04000001
pw 100CB3FC 11F00000
pw 100E468C 11F00000
c

------------------------

still freezes at clock BUT DOES NOT READ 900A00XX anymore so the patch works

Lionel Debroux
Last edited by parrotgeek1 on 02 Feb 2017, 06:54, edited 1 time in total.
My Projects:
nLoaderCAS Patcher for ControlXnLaunchy CXM fork (3.9 CAS on B&W) - News ArticleTI-82 Advanced App Installer
Prototypes:
Upgrade EVT Nspire CAS+ - News ArticleFix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vulnerability (used in nLoader) • Nspire dev boardsPink CX
Je peux comprendre le français mais je ne peux pas le parler bien.
User avatar
parrotgeek1Programmeur
Niveau 11: LV (Légende Vivante)
Niveau 11: LV (Légende Vivante)
Level up: 78.6%
 
Posts: 758
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Calculator(s):
GitHub: parrotgeek1

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby parrotgeek1 » 02 Feb 2017, 06:28

critor wrote:Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

I'm not sure I can help, but here are the 5-bits ASIC user flags values ( https://hackspire.org/index.php/Memory- ... cellaneous )
  • 0b11111 TI-XXXXXXXXXXX DVT1.2, TI-XXXXXXXXXXX CAS DVT1.2, TI-Nspire DVT 2.0, TI-Nspire CAS DVT 2.0
  • 0b00000 TI-Nspire, TI-Nspire TouchPad, TI-Nspire CX, TI-Nspire Lab Cradle
  • 0b00001 TI-Nspire CAS, TI-Nspire CAS TouchPad, TI-Nspire CX CAS
  • 0b00010 TI-Nspire CM
  • 0b00011 TI-Nspire CM CAS


In another thread, you said that someone had tried to modify the value in Manuf, and that didn't work either. How would you do that?
My Projects:
nLoaderCAS Patcher for ControlXnLaunchy CXM fork (3.9 CAS on B&W) - News ArticleTI-82 Advanced App Installer
Prototypes:
Upgrade EVT Nspire CAS+ - News ArticleFix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vulnerability (used in nLoader) • Nspire dev boardsPink CX
Je peux comprendre le français mais je ne peux pas le parler bien.
User avatar
parrotgeek1Programmeur
Niveau 11: LV (Légende Vivante)
Niveau 11: LV (Légende Vivante)
Level up: 78.6%
 
Posts: 758
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Calculator(s):
GitHub: parrotgeek1

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby critor » 02 Feb 2017, 13:07

The ASIC user flags are in the ASIC, not in the Manuf.

The Manuf includes the model ID, which is not exactly the same thing.
Image
User avatar
critorAdmin
Niveau 19: CU (Créateur Universel)
Niveau 19: CU (Créateur Universel)
Level up: 8.4%
 
Posts: 35907
Images: 9787
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Calculator(s):
Class: Lycée
YouTube: critor3000
Twitter: critor2000
Facebook: critor.ti
GitHub: critor

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby Lionel Debroux » 02 Feb 2017, 14:34

parrotgeek1 wrote:Mac version [...]
Sorry I don't have a PC.

As you know, modern x86-based Macs are technically PCs, equipped with several Apple-specific components, in an enclosure whose design negatively impacts reliability, and a high price tag :)
I have worked with such a machine in a past day job, and seen others' experiences with their Macs.

critor wrote:Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

That one's trivial and has been known, publicly documented since 2009, in a matter of hours or days after the boot2 was first decompressed :)
Unlike another offline method developed later, it requires a emulator in working state, and on the CX/CM, a copy of the boot1. But that method is less user-friendly nevertheless.

Amusingly, four suitably aligned zero bytes make one quasi-NOP on an ARM processor running in ARM mode, one quasi-NOP on a 68k processor, and four NOPs on a Z80/eZ80. Both the ARM and the 68000 have explicit, nonzero NOPs.
Membre de la TI-Chess Team.
Co-mainteneur de GCC4TI (documentation en ligne de GCC4TI), TIEmu et TILP.
User avatar
Lionel DebrouxSuper Modo
Niveau 14: CI (Calculateur de l'Infini)
Niveau 14: CI (Calculateur de l'Infini)
Level up: 7.6%
 
Posts: 6573
Joined: 23 Dec 2009, 00:00
Location: France
Gender: Male
Calculator(s):
Class: -
GitHub: debrouxl

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby parrotgeek1 » 02 Feb 2017, 16:36

Lionel Debroux wrote:
parrotgeek1 wrote:Mac version [...]
Sorry I don't have a PC.

As you know, modern x86-based Macs are technically PCs, equipped with several Apple-specific components, in an enclosure whose design negatively impacts reliability, and a high price tag :)
I have worked with such a machine in a past day job, and seen others' experiences with their Macs.

critor wrote:Thank you very much for your comprehensive explanations, and especially for the decrypted OS image dumping method.

That one's trivial and has been known, publicly documented since 2009, in a matter of hours or days after the boot2 was first decompressed :)
Unlike another offline method developed later, it requires a emulator in working state, and on the CX/CM, a copy of the boot1. But that method is less user-friendly nevertheless.

Amusingly, four suitably aligned zero bytes make one quasi-NOP on an ARM processor running in ARM mode, one quasi-NOP on a 68k processor, and four NOPs on a Z80/eZ80. Both the ARM and the 68000 have explicit, nonzero NOPs.

The point of those dumping instructions was to help other people who might know about reverse engineering, but not necessarily about calculators, continue this project.

I'm not really sure why you needed to be so critical of Macs. Yes, they're a little underpowered, but my MacBook pro has been the most reliable computer I've ever owned.

Of course I know that I could install a windows virtual machine and compile firebird, I just don't feel like it. It took me 2 hours to get Qt Creator to work right.
My Projects:
nLoaderCAS Patcher for ControlXnLaunchy CXM fork (3.9 CAS on B&W) - News ArticleTI-82 Advanced App Installer
Prototypes:
Upgrade EVT Nspire CAS+ - News ArticleFix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vulnerability (used in nLoader) • Nspire dev boardsPink CX
Je peux comprendre le français mais je ne peux pas le parler bien.
User avatar
parrotgeek1Programmeur
Niveau 11: LV (Légende Vivante)
Niveau 11: LV (Légende Vivante)
Level up: 78.6%
 
Posts: 758
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Calculator(s):
GitHub: parrotgeek1

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby parrotgeek1 » 02 Feb 2017, 20:58

4.4.0.532 CAS

PATCH_SETW(0x100CAF70,0xE59F5484);
PATCH_SETW(0x100CB3FC,0x00010105);
PATCH_SETW(0x100CAF88,0xE3A04341);
PATCH_SETW(0x100CAF8C,NOP);
PATCH_SETW(0x100E44F4,0xE59F3190);
PATCH_SETW(0x100E44FC,NOP);
PATCH_SETW(0x100e468c,0x04000001);

;)

-----------

OS patch

r5 is where 900A0028 value goes
r4 is where 900A002C value goes

pw 100CAF70 E59F5484
# was:LDR R3, [PC, #0x484]
# is: LDR R5, [PC, #0x484]

pw 100CB3FC 00010105
# [PC,#0x484] was 900A0000, repurposing as fake 900a0028 value
pw 100CAF88 E3A04341
# was: ldr r5,[r3,#0x28]
# is: MOV R4, #0x4000001
pw 100CAF8C 0
# was: ldr r4,[r3,#0x2C]
# is: alternate nop

pw 100E44F4 E59F3190
# was:LDR R1, [PC, #0x190]
# is: LDR R3, [PC, #0x190]

pw 100E44FC 0
# was:ldr r3,[r1 + 02c]
# is: alternate nop

pw 100e468c 04000001
# [PC, #0x190] was 900a0000, repurposing as fake 900a002c value
My Projects:
nLoaderCAS Patcher for ControlXnLaunchy CXM fork (3.9 CAS on B&W) - News ArticleTI-82 Advanced App Installer
Prototypes:
Upgrade EVT Nspire CAS+ - News ArticleFix keyboard on prototype TI-Nspire CAS Touchpad
- Highlights: Nspire CX Non-CAS OS 3.3, CX & CX CAS OS 4.4 & 4.5 special reformatting installers (both found by me on TI's site)
Discoveries:
Boot1.5 vulnerability (used in nLoader) • Nspire dev boardsPink CX
Je peux comprendre le français mais je ne peux pas le parler bien.
User avatar
parrotgeek1Programmeur
Niveau 11: LV (Légende Vivante)
Niveau 11: LV (Légende Vivante)
Level up: 78.6%
 
Posts: 758
Joined: 29 Mar 2016, 01:22
Location: USA
Gender: Male
Calculator(s):
GitHub: parrotgeek1

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby critor » 02 Feb 2017, 21:49

Ah, interesting.

Could you check if your patches can be adapted for OSes 3.6-4.3 ?
Image
User avatar
critorAdmin
Niveau 19: CU (Créateur Universel)
Niveau 19: CU (Créateur Universel)
Level up: 8.4%
 
Posts: 35907
Images: 9787
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Calculator(s):
Class: Lycée
YouTube: critor3000
Twitter: critor2000
Facebook: critor.ti
GitHub: critor

Re: [ARM GURU NEEDED] Patching 4.4.0.532 CAS to run on Non-C

Unread postby Lionel Debroux » 02 Feb 2017, 21:52

Patching the memory read instructions is one of the ways to achieve the aim, indeed :)
Membre de la TI-Chess Team.
Co-mainteneur de GCC4TI (documentation en ligne de GCC4TI), TIEmu et TILP.
User avatar
Lionel DebrouxSuper Modo
Niveau 14: CI (Calculateur de l'Infini)
Niveau 14: CI (Calculateur de l'Infini)
Level up: 7.6%
 
Posts: 6573
Joined: 23 Dec 2009, 00:00
Location: France
Gender: Male
Calculator(s):
Class: -
GitHub: debrouxl

Next

Return to Native: Ndless, Linux, ...

Who is online

Users browsing this forum: No registered users and 5 guests

-
Search
-
Featured topics
Comparaisons des meilleurs prix pour acheter sa calculatrice !
Découvre les nouvelles fonctionnalités en Python de l'OS 5.2 pour les Nspire CX II
Découvre les nouvelles fonctionnalités en Python de l'OS 5.5 pour la 83PCE/84+C-T Python Edition
Omega, le fork étendant les capacités de ta NumWorks, même en mode examen !
1234
-
Donations / Premium
For more contests, prizes, reviews, helping us pay the server and domains...

Discover the the advantages of a donor account !
JoinRejoignez the donors and/or premium!les donateurs et/ou premium !


Partner and ad
Notre partenaire Jarrety Calculatrices à acheter chez Calcuso
-
Stats.
660 utilisateurs:
>650 invités
>3 membres
>7 robots
Record simultané (sur 6 mois):
6892 utilisateurs (le 07/06/2017)

-
Other interesting websites
Texas Instruments Education
Global | France
 (English / Français)
Banque de programmes TI
ticalc.org
 (English)
La communauté TI-82
tout82.free.fr
 (Français)