Re: I found an exploit in boot1.5 4.4.0.8!
Oh, funny!
Reminds me of the Boot1 1.1.9999 patch which could be flashed on TI-Nspire ClickPad DVT1.2, DVT2.0, HW-A, and maybe HW-B:
-
critor (Admin)
Level 19: CU (Universal Creator) - Messages: 41470
- Images: 14480
- Registered: 25 Oct 2008, 00:00
- Location: Montpellier
- Gender:
- Calculator(s): → MyCalcs profile
- YouTube: critor3000
- Twitter/X: critor2000
- GitHub: critor
Re: I found an exploit in boot1.5 4.4.0.8!
@parrotgeek1
Couldn't rebuild nanoloader on Cygwin, it complains about find commands, which don't appear in the Makefile...
But I've tested on nspire_emu with your prebuilt images.
No problem with both Boot1 3.0.0.99 and 4.0.1.43.
-
critor (Admin)
Re: I found an exploit in boot1.5 4.4.0.8!
parrotgeek1 wrote:
critor wrote: Could you check how to add a correct size to your 0x8000 HHackers!, so that BtMg is going to flash your image correctly?
If I do that, the exploit doesn't work.
Doesn't seem to be the case.
Fixed the CAS image manually in the hex editor.
Not complicated, you already specify a size for the HHackers! 0x8070 subfield. Just add 0x20 to it for the HHackers! 0x8000 root field.
Can now be flashed correctly with BtMg:
And moreover, it works!
-
critor (Admin)
Re: I found an exploit in boot1.5 4.4.0.8!
.
Last edited by parrotgeek1 on 08 Jan 2021, 01:21, edited 1 time.
-
parrotgeek1 (Programmer)
Level 11: LV (Living Legend) - Messages: 745
- Registered: 29 Mar 2016, 01:22
- Location: This account is no longer used.
- Gender:
- Calculator(s): → MyCalcs profile
Re: I found an exploit in boot1.5 4.4.0.8!
Indeed, very strange.
In non-CR4 mode, Boot2 is there:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000 18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5 .���.���.���.���
11800010 18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5 .���.���.���.���
11800020 30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11 0��.p��.���.���.
11800030 24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11 $��.���.���.0��.
11800040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
11800050 7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2 |�n[��G\97�n).��
11800060 DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03 �@@Q.N..�[��#8u.
11800070 BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0 �t=XH�U;�A��7.H�
In CR4 mode, Boot2 version is wrong because Boot2 is corrupted, shifted or just missing - don't know but it's clearly wrong:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000 01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00 ..�.�.�.�.�.�.�.
11800010 8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00 �.�.�.�.�.�.�.�.
11800020 01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00 .0.���.P�.���D .
11800030 97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00 ��">.�"2..��....
11800040 FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9 �`.�...0��#...0�
11800050 89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00 �...............
11800060 00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D ..|�n[��G\97�n).
11800070 F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38 ���@@Q.N..�[��#8
I suppose Boot1.5 is behaving differently for some obscure reason...
-
critor (Admin)
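To tell a loaded Boot2 from the garbage in the CR4 dump without eyeballing hex, here is an added example (my code, not critor's or parrotgeek1's): it parses nspire_emu-style `d` dump lines and checks that the 8 exception vectors at 0x11800000 are `ldr pc, [pc, #0x18]` and that the 8 handler addresses that follow point back into the image. The two dumps are the first 0x40 bytes of those quoted above with the ASCII column dropped; the 1 MiB image-size bound is an assumption.

```python
import re

# 0xE59FF018 is ARM "ldr pc,[pc,#0x18]": Boot2 at 0x11800000 starts with 8 of them, then 8 handler addresses.
LDR_PC_PC_18 = 0xE59FF018
BOOT2_BASE = 0x11800000
# Constructed from the two "d 11800000" dumps quoted above: first 0x40 bytes, ASCII column dropped.
NORMAL_DUMP = """\
11800000 18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5
11800010 18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5
11800020 30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11
11800030 24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11"""
CR4_DUMP = """\
11800000 01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00
11800010 8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00
11800020 01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00
11800030 97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00"""
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}) ((?:[0-9A-Fa-f]{2}[ -]){15}[0-9A-Fa-f]{2})")

def parse_dump(text):
    """Return (base address, bytes) from nspire_emu 'd' dump lines; gaps are an error."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"non-contiguous dump line at {addr:08X}")
        data += bytes.fromhex(m.group(2).replace("-", " "))
    return base, bytes(data)

def vector_table_problems(base, data, image_size=0x100000):
    """List what is wrong with the vector table; image_size (1 MiB) is an assumed bound."""
    if len(data) < 0x40:
        return [f"only {len(data)} bytes dumped, need 0x40"]
    words = [int.from_bytes(data[i:i + 4], "little") for i in range(0, 0x40, 4)]
    problems = []
    for i, insn in enumerate(words[:8]):
        if insn != LDR_PC_PC_18:
            problems.append(f"vector {i}: {insn:08X} is not ldr pc,[pc,#0x18]")
    for i, target in enumerate(words[8:]):
        if target & 3 or not base <= target < base + image_size:
            problems.append(f"handler {i}: {target:08X} unaligned or outside image")
    return problems

def boot2_looks_loaded(dump_text):
    base, data = parse_dump(dump_text)
    return base == BOOT2_BASE and not vector_table_problems(base, data)
```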
Re: I found an exploit in boot1.5 4.4.0.8!
critor wrote:
Indeed, very strange.
[...]
I suppose Boot1.5 is behaving differently for some obscure reason...
If you "k 111e0000" the compressed boot2 is in the right place, but it fails to decompress it...why?!
-
parrotgeek1 (Programmer)
Re: I found an exploit in boot1.5 4.4.0.8!
Added some debug in the Boot2 decompression, with the fields encountered.
Here is the normal behaviour:
Code:
Loading from Boot 2 partition...
19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.
And now, here is the totally abnormal CR4 behaviour:
Code:
Loading from Boot 2 partition...
19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
Wrong boot2 version
So it appears decompressFiles() is launched a 1st time, but then we don't reach patch_Boot2().
Instead your exploit is launched a 2nd time...
Something's clearly bad, so a corrupted decompressed Boot2 image doesn't surprise me at all.
-
critor (Admin)
Re: I found an exploit in boot1.5 4.4.0.8!
Also seems to be random.
Just worked after a reset, but with the exploit still being launched twice:
Code:
Loading from Boot 2 partition...
19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.
Boot Loader Stage 2 (4.0.3.49)
Build: 2015/11/6, 12:44:23
Copyright (c) 2006-2015 Texas Instruments Incorporated
Using production keys
Clocks: CPU = 132MHz AHB = 66MHz APB = 33MHz
Checking for NAND: NAND Flash ID: Generic 1 GBit (0xA1)
This device is a CXCR.
TI_PM_SetShipMode: FALSE
Unknown LCD(0x00 0x00 0x00).
Initializing graphics subsystem.
Unknown LCD(0x00 0x00 0x00).
Boot option: Normal
Initializing filesystem.
Skipping NAND workaround.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
FB NAND Flash Controller
FFX: BBM Format found 0 bad blocks (IOError=0 Factory=0 Marked=0 Legacy=0)
FlashFX: Formatting... One moment please
100%
FlashFX: Format complete, Status=0x00000000
relFs_Format v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Writing file system...100
Block size: 2048
Total blocks: 59008
Used blocks: 21
Free blocks: 58987
Filesystem ready.
deleteTree(): path /tmp
TI_OS_deleteTree: deleteAllFiles Done!
Loading Operating System...
Error loading OS image. Removing OS remnants.
Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
USB Download is enabled.
-
critor (Admin)
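The doubled banner in the two previous posts is easy to miss in a long log, so here is an added example (my code, not anything from the thread) that splits a boot log of the shape quoted above into decompression passes, checks each pass against the field order critor's debug build prints (0x8000 ... 0x8070), and classifies the outcome. make_log builds constructed logs in that shape rather than reusing real captures.

```python
import re

# Field tags printed by the debug build of the Boot2 decompressor, in the order quoted above.
EXPECTED_FIELDS = ["8000", "8040", "8010", "8010", "8020", "8020", "8080", "320", "8070"]
PASS_BANNER = "EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01"
LAUNCHED = "EXPLOIT: Loading complete, launching image."
WRONG_VERSION = "Wrong boot2 version"

def make_log(passes, outcome):
    """Constructed log in the shape quoted in the thread (not a real capture)."""
    lines = ["Loading from Boot 2 partition...", "19%"]
    for _ in range(passes):
        lines += [PASS_BANNER, *EXPECTED_FIELDS]
    return "\n".join(lines + ["CAS OS mode", outcome])

def analyse(log):
    """Split a boot log into decompression passes and record what happened after them."""
    passes, current = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("EXPLOIT: Created by"):
            current = []              # each banner is one entry into decompressFiles()
            passes.append(current)
        elif current is not None and re.fullmatch(r"[0-9A-Fa-f]{1,4}", line):
            current.append(line.upper())   # a bare hex line is a field tag
    return {
        "passes": len(passes),
        "fields_ok": all(p == EXPECTED_FIELDS for p in passes),
        "relaunched": len(passes) > 1,     # the exploit ran a second time
        "launched": LAUNCHED in log,
        "wrong_version": WRONG_VERSION in log,
    }

def verdict(log):
    r = analyse(log)
    if r["wrong_version"]:
        return "boot2 corrupted"
    if r["launched"] and r["relaunched"]:
        return "booted but exploit ran twice"
    if r["launched"] and r["fields_ok"]:
        return "normal"
    return "unknown"
```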