Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 23 Jan 2018, 23:15

Oh, funny! :D

Reminds me of the Boot1 1.1.9999 patch which could be flashed on TI-Nspire ClickPad DVT1.2, DVT2.0, HW-A, and maybe HW-B:

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 23 Jan 2018, 23:23

@parrotgeek1
Couldn't rebuild nanoloader on Cygwin, it complains about find commands, which don't appear in the Makefile...

But I've tested on nspire_emu with your prebuilt images.
No problem with both Boot1 3.0.0.99 and 4.0.1.43.

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 23 Jan 2018, 23:41

Also works on the splash screen, great! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 23 Jan 2018, 23:59

parrotgeek1 wrote:
critor wrote: Could you check how to add a correct size to your 0x8000 HHackers!, so that BtMg is going to flash your image correctly?

If I do that, the exploit doesn't work


Doesn't seem to be the case.

Fixed the CAS image manually in the hex editor.

Not complicated, you already specify a size for the HHackers! 0x8070 subfield. Just add 0x20 to it for the HHackers! 0x8000 root field.

Can now be flashed correctly with BtMg:

And moreover, it works! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 24 Jan 2018, 00:12

.
Last edited by parrotgeek1 on 08 Jan 2021, 01:21, edited 1 time.

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 24 Jan 2018, 00:35

Sorry, and indeed :(

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 24 Jan 2018, 00:46

Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code: Select all
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0��.p��.���.���.
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $��.���.���.0��.
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |�n[��G\97�n).��
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   �@@Q.N..�[��#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   �t=XH�U;�A��7.H�


In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing - don't know, but it's clearly wrong:
Code: Select all
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ..�.�.�.�.�.�.�.
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   �.�.�.�.�.�.�.�.
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.���.P�.���D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ��">.�"2..��....
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   �`.�...0��#...0�
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   �...............
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|�n[��G\97�n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ���@@Q.N..�[��#8


I suppose Boot1.5 is behaving differently for some obscure reason...
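The two dumps above can be told apart mechanically rather than by eye: a valid Boot2 image loaded at 0x11800000 starts with an ARM exception vector table, and in the non-CR4 dump every one of the first eight words is 0xE59FF018, i.e. `LDR PC, [PC, #0x18]`, which points each vector at the handler address table that follows at offset 0x20. The CR4 dump starts with 0x008F0001, which is no vector entry at all. The following script is an added example, not code from the thread or from the exploit; it parses nspire_emu-style `d` output (the dump text below is the first four lines of each dump quoted above, with the unprintable ASCII column replaced by dots) and reports whether the loaded image begins with a plausible vector table and where each vector resolves to.

```python
import re
import struct

# Constructed sample input: first four lines of each "d 11800000" dump quoted in
# the post above, ASCII column replaced by dots (it is ignored by the parser).
NON_CR4_DUMP = """\
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   ................
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   ................
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0...p...........
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $...........0...
"""

CR4_DUMP = """\
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ................
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ................
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.....P.....D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ..">.."2........
"""

# One dump line: 8 hex digit address, then up to 16 byte pairs separated by ' ' or '-'.
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}[ -]?){1,16})")


def parse_dump(text):
    """Return (base_address, bytes) from nspire_emu-style 'd' output; prompt and
    banner lines are skipped, non-contiguous address runs are rejected."""
    base = None
    buf = bytearray()
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f"non-contiguous dump at {addr:08X}")
        buf += bytes.fromhex(m.group(2).replace("-", "").replace(" ", ""))
    return base, bytes(buf)


def check_vector_table(base, data, nvec=8):
    """Decode the first nvec little-endian words as an ARM exception vector table.
    Returns (offset, word, kind, target) per entry; kind is 'ldr_pc' for
    LDR PC,[PC,#imm12], 'branch' for an unconditional B, else 'invalid'."""
    entries = []
    for i in range(nvec):
        off = 4 * i
        (word,) = struct.unpack_from("<I", data, off)
        pc = base + off + 8                      # ARM reads PC as instruction + 8
        if word & 0xFFFFF000 == 0xE59FF000:      # LDR PC, [PC, #imm12], U bit set
            rel = pc + (word & 0xFFF) - base     # literal pool slot inside the dump
            target = struct.unpack_from("<I", data, rel)[0] if rel + 4 <= len(data) else None
            entries.append((off, word, "ldr_pc", target))
        elif word & 0xFF000000 == 0xEA000000:    # B imm24 (sign-extended, word units)
            imm = word & 0x00FFFFFF
            if imm & 0x800000:
                imm -= 0x1000000
            entries.append((off, word, "branch", pc + 4 * imm))
        else:
            entries.append((off, word, "invalid", None))
    return entries


def looks_like_boot2(text):
    """True plus the decoded entries when every vector slot holds a real vector."""
    base, data = parse_dump(text)
    entries = check_vector_table(base, data)
    return all(kind != "invalid" for _, _, kind, _ in entries), entries


if __name__ == "__main__":
    for name, dump in (("non-CR4", NON_CR4_DUMP), ("CR4", CR4_DUMP)):
        ok, entries = looks_like_boot2(dump)
        print(f"{name}: vector table {'valid' if ok else 'INVALID'}")
        for off, word, kind, target in entries:
            where = f" -> {target:#010x}" if target is not None else ""
            print(f"  +{off:02X}: {word:08X} {kind}{where}")
```

Running it prints a valid table with handlers 0x1189be30 through 0x1189c930 for the non-CR4 dump and eight invalid slots for the CR4 one, which is the same conclusion as the post but reproducible on any future dump.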

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by parrotgeek1 » 24 Jan 2018, 01:02

critor wrote: Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code: Select all
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0��.p��.���.���.
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $��.���.���.0��.
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |�n[��G\97�n).��
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   �@@Q.N..�[��#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   �t=XH�U;�A��7.H�


In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing - don't know, but it's clearly wrong:
Code: Select all
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ..�.�.�.�.�.�.�.
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   �.�.�.�.�.�.�.�.
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.���.P�.���D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ��">.�"2..��....
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   �`.�...0��#...0�
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   �...............
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|�n[��G\97�n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ���@@Q.N..�[��#8


I suppose Boot1.5 is behaving differently for some obscure reason...

If you "k 111e0000" the compressed boot2 is in the right place, but it fails to decompress it...why?!

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 24 Jan 2018, 23:54

Added some debug in the Boot2 decompression, with the fields encountered.

Here is the normal behaviour:
Code: Select all
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.


And now, here is the totally abnormal CR4 behaviour:
Code: Select all
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
Wrong boot2 version

So it appears decompressFiles() is launched a first time, but then we don't reach patch_Boot2().
Instead, your exploit is launched a second time...

Something's clearly bad, so a corrupted decompressed Boot2 image doesn't surprise me at all.

Re: I found an exploit in boot1.5 4.4.0.8!

Unread post by critor » 25 Jan 2018, 00:05

Also seems to be random.

Just worked after a reset, but with the exploit still being launched twice:
Code: Select all
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.





Boot Loader Stage 2 (4.0.3.49)
Build: 2015/11/6, 12:44:23
Copyright (c) 2006-2015 Texas Instruments Incorporated
Using production keys

Clocks:  CPU = 132MHz   AHB = 66MHz   APB = 33MHz
Checking for NAND: NAND Flash ID: Generic 1 GBit (0xA1)
This device is a CXCR.
TI_PM_SetShipMode:  FALSE
Unknown LCD(0x00 0x00 0x00).


Initializing graphics subsystem.
Unknown LCD(0x00 0x00 0x00).
Boot option: Normal


Initializing filesystem.
  Skipping NAND workaround.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
FB NAND Flash Controller
FFX: BBM Format found 0 bad blocks (IOError=0 Factory=0 Marked=0 Legacy=0)
FlashFX: Formatting... One moment please
100%
FlashFX: Format complete, Status=0x00000000
relFs_Format v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Writing file system...100
Block size: 2048
Total blocks: 59008
Used blocks: 21
Free blocks: 58987
Filesystem ready.
deleteTree(): path /tmp
TI_OS_deleteTree: deleteAllFiles Done!

Loading Operating System...

Error loading OS image. Removing OS remnants.

Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
USB Download is enabled.
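The three debug logs in the two posts above (normal run, failing CR4 run, and the CR4 run that happened to work after a reset) share one structure: an `EXPLOIT: Created by` banner, the list of field IDs that decompressFiles() walked, and an outcome line. The discriminating signal is not the outcome but the fact that the banner and the identical field walk appear twice before it. The script below is an added example, not code from the thread; it groups the field IDs under the banner that preceded them and flags a re-entered run, so the "randomly worked" case is reported as suspicious as well as the failing one. The three log constants are constructed from the posts above, the third trimmed to the exploit's own lines.

```python
import re

# Marker lines exactly as they appear in the quoted logs.
BANNER_PREFIX = "EXPLOIT: Created by"
LAUNCH_LINE = "EXPLOIT: Loading complete, launching image."
FAIL_LINE = "Wrong boot2 version"
# The debug build prints each field ID it meets as a bare hex word (8000 ... 320).
FIELD_RE = re.compile(r"^[0-9A-Fa-f]{3,4}$")
# Field walk of the healthy run, taken from the "normal behaviour" log.
EXPECTED_WALK = ["8000", "8040", "8010", "8010", "8020", "8020", "8080", "320", "8070"]

_WALK = "\n".join(EXPECTED_WALK)
_BANNER = "EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01"

# Constructed sample logs, rebuilt from the three posts above.
NORMAL_LOG = f"Loading from Boot 2 partition...\n\n19%\n{_BANNER}\n{_WALK}\nCAS OS mode\n{LAUNCH_LINE}\n"
CR4_FAIL_LOG = f"Loading from Boot 2 partition...\n\n19%\n{_BANNER}\n{_WALK}\n\n{_BANNER}\n{_WALK}\nCAS OS mode\n{FAIL_LINE}\n"
CR4_RANDOM_OK_LOG = f"Loading from Boot 2 partition...\n\n19%\n{_BANNER}\n{_WALK}\n\n{_BANNER}\n{_WALK}\nCAS OS mode\n{LAUNCH_LINE}\n"


def analyse_boot_log(text):
    """Group field IDs under the banner that preceded them and classify the outcome."""
    walks = []            # one list of field IDs per banner seen
    outcome = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(BANNER_PREFIX):
            walks.append([])
        elif walks and FIELD_RE.match(line):
            walks[-1].append(line)
        elif line == LAUNCH_LINE:
            outcome = "launched"
        elif line == FAIL_LINE:
            outcome = "wrong_boot2_version"
    return {
        "runs": len(walks),
        "reentered": len(walks) > 1,
        "walks_ok": bool(walks) and all(w == EXPECTED_WALK for w in walks),
        "outcome": outcome,
    }


def is_suspicious(report):
    """A run is suspicious if the exploit re-entered, walked unexpected fields,
    or did not end in a launch, regardless of whether Boot2 happened to start."""
    return report["reentered"] or not report["walks_ok"] or report["outcome"] != "launched"


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("CR4 fail", CR4_FAIL_LOG), ("CR4 random ok", CR4_RANDOM_OK_LOG)):
        rep = analyse_boot_log(log)
        print(f"{name:14s} runs={rep['runs']} walk_ok={rep['walks_ok']} "
              f"outcome={rep['outcome']} suspicious={is_suspicious(rep)}")
```

The point of `is_suspicious` keying on re-entry rather than on the final line is that the reset case would otherwise look healthy, while the identical field walk on both passes supports the observation above that the fault sits after decompression, between decompressFiles() and patch_Boot2().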
