The TI-Nspire CAS+ dumped at last !

[Jim Bauwens]

Interesting Goplat!
However pn_fm_fput is no existing command (but maybe it an int containing an address, need to check).
Also, the IP should just be a decimal number.
But it is great that you could find more info about the function, I'll soon do some tests with it (or Adrien, as my CAS+ just lost it's mind)



1337 posts

[adriweb]

Interesting indeed, I will try that soon, thanks GoPlat.

Also, I wiresharked the device transactions, I can send you some logs of basic actions.

Basically :
port 10001 tcp : how the software communicates.
port 10002 tcp : "TI-PN" shell via telnet. You know about that one. Not used by the software.
port 10003 udp : discovery port where the unit always (whatever you send) replies by its version ("pn-srv5.c phoenix 2006" or something like that)

[critor]

The TI-Nspire CAS+ P1-EVT2 has a different boot screen than later Nspire: So it probably has different Boot2 and Diags flashing screens too.

I hope you're making sure there is no diags present before testing the diags reflashing combination, as it immediately erases diags before receiving any data (unlike the boot2 reflashing combination, which doesn't erase until the transfer is completed)

Yes,I had checked before. When using the diags combo on the P1-EVT2, we get an error in the bootlog:

Code: Select All | Copy To Clipboard

1 2 3 4

Keypad request - launching DIAGS software... Error reading/validating DIAGS image Error loading DIAGS. reverting to BOOT2.

Up to now, I've never found a CAS+ including a Diags image

[adriweb]

fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0)

BTW, first arg is supposed to be a long (ip2long), so, 127.0.0.1 became 2130706433.
So, I just tested that, and I still get the "-100" (error/return code). I tested with some variants within the function call, but nothing ...

Any other idea, this looked kinda good

[Goplat]

BTW, first arg is supposed to be a long (ip2long), so, 127.0.0.1 became 2130706433.

The function that parses that argument (10339db0) reads a token, compares it to the string "addr", returns some variable if equal (probably the IP address of the other side), and tries to parse the token as an IP address otherwise (using the 10345488 function), dots and all. Don't be misled by the C-ish syntax.

[adriweb]

Hmm ok, thanks...

However, I found multiple occurences of code calling stuff with ip directly in the long format, and not the "normal" format, so I guess that's again de-compilation "mistakes" ?

Also, jim and I made a google doc with what we found/documented so far :
https://docs.google.com/document/d/1cP5BIeV8B66VXXv1LqOUl_SNO8voF2s1CxR_Ofuy9UM/edit

You're welcome to put there what you found too

[Jim Bauwens]

Ah, thanks for the info.
It's just weird since multiple functions contains the decimal equivalent of 127.0.0.1. But maybe that's because we are looking at the wrong file.

[Goplat]

However, I found multiple occurences of code calling stuff with ip directly in the long format, and not the "normal" format, so I guess that's again de-compilation "mistakes" ?

Not a mistake - the actual TI_PN_fm_xfer function (10342018) is called with an integer representing the IP address as its first argument. The port-10002 shell just does not use exact C syntax in all cases - in this case it wants the IP address in dotted quad notation instead of a plain number.

[adriweb]

Ok, let me try this, then

[adriweb]

Wow, sorry for the double post, but it's worth it :
it looks like it works (for a part, at least ) :

Here's what I get :

Code: Select All | Copy To Clipboard

1 2 3 4 5 6 7 8 9 10 11 12

TI_PN_fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0) fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0) = -unknown functio n ``ti_pn_fm_xfer'' 102    TI_PN_  [-1022] TI_PN_fn_cbfn: transferred 6144 of 5065885                                           fn_cbfn: transferred 6144 of 5065885                                                                               fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndles s/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0) = -1022 [-1022] = -1013 [-1013] TI_PN_

Weirdly, there is still nothing in the destination folder tho...

GOPLAT++ !


OK, with the options at 0,0,0 it worked !!
Let me host the OS file

[Jim Bauwens]

Very nice!
Great

[adriweb]

Just for you guys .... Thanks to GoPlat :



The Boot2 still remains to be dumped But Jim is doing that ...

[TheNlightenedOne]

Sorry if this seems rude or noobish, but why wasn't this done instead of connecting the NAND (I think? Correct me if I'm wrong) to an xD card reader?

[adriweb]

Both methods were tried simultaneously actually.
We only started to work on that a few days ago ... idk why

The nand reader is still needed to be done to get the boot2.

[Jim Bauwens]

Because I only found the 10002 port a couple of days ago AND we needed to reverse engineer some parts of an older CAS+ that we just dumped a few days ago to be able to find how it operated.