Omnimaga

Calculator Community => TI Calculators => General Calculator Help => Topic started by: davetheant on January 16, 2013, 09:27:16 pm

Title: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 16, 2013, 09:27:16 pm
Hello everyone. I have a TI Nspire CX Cas and I've been wondering for some time whether it's possible to hack the native OS and add custom menus/key combinations, etc. If not, could this be achieved by installing a custom OS that I create from modifying the stock?

Thanks!
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Rhombicuboctahedron on January 16, 2013, 09:37:48 pm
I haven’t researched much, but there was something called dummyos made, but it doesn’t do anything, and I read that to make your own you will have to crack the 2048-bit encryption key, which is impossible to do.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Spacetime4.0 on January 16, 2013, 10:38:55 pm
nlaunch, which was released recently, makes it possible to load a non-signed or custom OS and bypass the encryption key. So I guess it would be possible to mod the OS and add extra features now. The only problem is that you wouldn't be able to distribute modified OSes, as that would directly be against the copyright.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 16, 2013, 10:45:18 pm
Thank you for your replies! I'll check out dummyos mode and nLaunch. I don't plan on distributing the modified OS, it's for personal convenience only. Do you know anything about modding the original OS? What language(s) would I need to be familiar with?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Rhombicuboctahedron on January 16, 2013, 11:16:22 pm
I can't imagine it would be too easy, as someone else would have already done it, but a fun place to "start" is by unzipping the OS and several folders in it, even though I didn't learn much from it
This might be able to help
http://hackspire.unsads.com/wiki/index.php/Main_Page#OS_information
And this section
http://hackspire.unsads.com/wiki/index.php/OS_upgrade_files
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: ruler501 on January 16, 2013, 11:17:43 pm
My guess is that the only thing you could get would be the assembly code for the OS, and I believe the Nspire is an ARM, so you'd need a knowledge of ARM assembly.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: DJ Omnimaga on January 16, 2013, 11:27:28 pm
I think the only way to re-distribute modified TI-OSes would be via IPS patches, like SNES/NES/GB/N64 ROMs.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: ruler501 on January 16, 2013, 11:46:39 pm
Also, Nlaunch does not work on the CX since it exploits a bug in boot2 (or is it boot1) code from before the CX's
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: ElementCoder on January 17, 2013, 03:30:14 am
Don't we have nsNandMgr for this now? Or is that not capable of loading custom OSes?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Adriweb on January 17, 2013, 05:33:46 am
Without nLaunch or anything, just OS 3.1 and Ndless 3.1, one can create hooks (or anything similar) to redirect some OS calls to his own functions, that either extend or change completely the behaviour of the original function. But it's a matter of time to code all this.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: excale on January 17, 2013, 08:16:36 am
Quote
Also, Nlaunch does not work on the CX since it exploits a bug in boot2 (or is it boot1) code from before the CX's
It is an exploit in boot2 (if it was an exploit in boot1, it would mean you'd have to reinstall the boot2 if anything goes wrong, and you cannot reinstall the boot2 via USB).

Quote
Don't we have nsNandMgr for this now? Or is that not capable of loading custom OSes?
OSes 3.x hang on the clock screen when hot-launched. That is the problem.

Edit: ThemeEditor v2 ( http://tiplanet.org/forum/viewtopic.php?p=134618#p134618 ) is a good example of a program using the OS routines, and it also adds a submenu in "settings".
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 17, 2013, 05:56:03 pm
So from my understanding I can't really achieve this on the CX because there's no way to install my own OS?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Rhombicuboctahedron on January 17, 2013, 07:14:05 pm
Get cracking on that encryption key!
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Hayleia on January 18, 2013, 12:47:51 am
Well, your first question was "is it possible to hack the native OS and add custom menus/key combinations, etc" and it is definitely possible since ThemeEditor added an option in the settings menu :)
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: critor on January 18, 2013, 03:06:43 am
With ThemeEditor, OS is just temporarily hacked in RAM.
If you reboot and don't run ThemeEditor again, you'll be back with the original OS.

Quote
Don't we have nsNandMgr for this now? Or is that not capable of loading custom OSes?
nsNandMgr doesn't deal with OSes at all, and so is unable to run them.
But as nsNandMgr does deal with Boot2/Diags, you could run a custom Boot2 which would then load an OS the way you want.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Juju on January 18, 2013, 03:24:09 am
Quote
Don't we have nsNandMgr for this now? Or is that not capable of loading custom OSes?
nsNandMgr doesn't deal with OSes at all, and so is unable to run them.
But as nsNandMgr does deal with Boot2/Diags, you could run a custom Boot2 which would then load an OS the way you want.

IIRC you can boot Linux this way.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: willrandship on January 18, 2013, 03:39:05 am
Well, the current method for running Linux doesn't do this, but it's certainly a possible route to do so. The current program loads itself into RAM then shuts off the nspire, all post-boot, so it bypasses the whole protection system.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Jim Bauwens on January 18, 2013, 03:56:08 am
The best way is to hot patch the OS, add hooks and stuff such as Adriweb mentioned. This is probably easier too.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 18, 2013, 09:05:57 am
How difficult is it to create a custom Boot2? Could this brick my calculator if I messed up?

and are there any simple tutorials for adding hooks?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Lionel Debroux on January 18, 2013, 09:48:20 am
Quote
How difficult is it to create a custom Boot2?
Impossible: the boot2 is validated by the boot1. If the boot2 is not valid, it's erased by the boot1, and then, the calculator requires reflashing through the RS232 port, which requires additional hardware.

Quote
Could this brick my calculator if I messed up?
The calculator is not bricked as long as the boot1 is not.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 18, 2013, 07:07:50 pm
Alright thank you for the clarification. I'll attempt to add hooks to the OS but I'm not sure where I would put them or how to get my custom OS onto my calculator.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: willrandship on January 18, 2013, 07:09:04 pm
You don't get the OS onto the calculator. You run an ndless program that changes the OS state in RAM. By putting such a patch in the ndless startup folder, you can have it run on boot, so it feels like you've put in a new OS even though you haven't.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 18, 2013, 07:29:50 pm
Thanks. Now where would I begin modifying the OS to change some menus around? I see a bunch of asm files
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Lionel Debroux on January 19, 2013, 01:43:15 am
Quote
Now where would I begin modifying the OS to change some menus around? I see a bunch of asm files
Without any official documentation, that's indeed what the OS is - a large pack of ASM.
The Ndless SVN repository contains some information about symbols.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 19, 2013, 10:18:49 am
I can't seem to find Ndless on SVN at all, just an Unofficial Ndless clone with nothing in it

EDIT: I think I found a clone of Ndless, but where do I go from here? Say, to add some entries to the menu when the "menu" key is pressed?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: excale on January 19, 2013, 10:29:34 am
Quote
But where do I go from here? Say, to add some entries to the menu when the "menu" key is pressed?

I'm pretty sure there is no documentation about this. The easiest way for now would probably be to have a look at the source code of ThemeEditor v2 and understand how it works.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 19, 2013, 04:15:52 pm
Alright thanks, so I played around with theme editor and examined the source for a while, and the only part that seems useful is as follows (in C):

Code:
void hook_menu_handler(Button button, CallbackData button_data, EventCode eventCode)
{
    // Only react to activation events
    if (eventCode == ENTER || eventCode == MOUSECLIC)
    {
        Config *conf = new_config();
        char *filename = "/ThemeEditor.tns";
        char *argv[] = {filename};
        if (read_config(conf, 1, argv))
        {
            free_config(conf);
            return;
        }

        if (conf->mode == 2)
            conf->current_index = themeEditor(conf->current_index);
        else
            theme_editor_gui(conf);

        write_config(conf);
        free_config(conf);
    }
}

static int32_t* new_menu = NULL;

void hook_menu ()
{
    // Patch only if the word at HOOK_ADDR still holds the expected value
    if (*((int*)HOOK_ADDR) == HOOK_VALUE)
    {
        int32_t new_menu_[] = {
            1, 0xE5,  0xFFFFFFFF, 1, SYST,
            2, 0xE7,  0,          0, SYST,
            3, 0xEB,  0xFFFFFFFF, 2, SYST,
            3, 0x16D, 0xFFFFFFFF, 3, SYST,
            1, 0x176, 0xFFFFFFFF, 4, SYST,
            1, 0x192, 0xFFFFFFFF, 5, SYST,
            1, 0x5E,  0xFFFFFFFF, 6, SYST,
            // sentinel 0x42133769 because we can't get absolute addressing in the declaration of a table
            1, 0x34,  0x42133769, 0, SYST,
            0, 0,     0,          0, 0
        };

        // Heap copy of the table, with the placeholders replaced by real addresses
        new_menu = malloc (sizeof (new_menu_));
        if (new_menu == NULL)
            return;
        unsigned i = 0;
        unsigned n = sizeof (new_menu_) / sizeof (new_menu_[0]);
        for (; i < n; ++i)
            if (new_menu_[i] == (int32_t)0xFFFFFFFF)
                new_menu[i] = (int32_t)MENU_CALLBACK;
            else if (new_menu_[i] == 0x42133769)
                new_menu[i] = (int32_t)hook_menu_handler;
            else
                new_menu[i] = (int32_t)new_menu_[i];

        // Redirect the pointer at HOOK_ADDR to the new table and keep the program in memory
        *((int32_t**)HOOK_ADDR) = new_menu;
        puts("patched");
        nl_set_resident();
    }
}

I understand C fairly well, but I don't see where the code adds the "6: Theme Editor" to the Settings menu.. Any ideas?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Levak on January 19, 2013, 07:55:39 pm

Quote
I understand C fairly well, but I don't see where the code adds the "6: Theme Editor" to the Settings menu.. Any ideas?

In Gui.c, last lines.

Edit1: okay, I'm naughty ..

Basically, menus in the TI-Nspire OS are static and encoded like this:

Quote
Deep, Resource ID, callback, callbackdata, Resource Lib,
...
0,    0,           0,        0,            0

Deep defines how deep the menu entry is, basically, whether it is in a submenu.
When you have a submenu, its callback and callbackdata are null.
The submenu is right after this entry.

Resource ID defines the offset in the Resource Lib. You'll have to extract all the resource strings to have an idea of what is behind it.
The function called is get_res_string(lib, id); this returns a UTF-16 char array.

Callback is the function that is run when you hit the entry.
Callbackdata is the data passed to this function as the 2nd argument (the first is the Button, the third is the event code - keep in mind to have a condition code to filter only active events like Enter or MouseClic).

Resource Lib is the lib to use for the string (SYST, DCOL, CTLG, etc.) - those are defines in nFrame, sorry.

Edit2: By the way, I do not really add '6 - Theme Editor', because I do not have room for one more entry in the OS.
I simply copied the existing table (I could have made a simple copy table also) in the source code and put in one more entry.
This is not the extensible way to do it, I know, but it was worth it for testing :p.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 20, 2013, 06:22:52 pm
Wow, I never thought that Levak himself would reply to my post! You cleared up a lot of my questions, so thanks a lot!

I think one last question will set me on the way to adding my own entries to the menus:
How do I extract the resource strings using "get_res_string(lib, id)" ? Say I added that in the C file somewhere, how would I be able to see the array that is returned?
Thanks again everyone
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Levak on January 20, 2013, 08:06:30 pm
Quote
How do I extract the resource strings using "get_res_string(lib, id)" ? Say I added that in the C file somewhere, how would I be able to see the array that is returned?

Code:
#include <os.h>
#include <libndls.h>

// Addresses of get_res_string in the OS, passed to SYSCALL_CUSTOM
static unsigned get_res_string_addrs[] = {0x100E9B20, 0x100E9E10, 0x100E9634, 0x100E994C};
#define get_res_string SYSCALL_CUSTOM(get_res_string_addrs, char *, int, int)

// Resource Lib identifiers
enum {
    CLNK = 0x636C6E6B,
    CTLG = 0x63746C67,
    DCOL = 0x64636F6C,
    DLOG = 0x646C6F67,
    DTST = 0x64747374,
    GEOG = 0x67656F67,
    MATH = 0x6D617468,
    MWIZ = 0x6D77697A,
    NTPD = 0x6E747064,
    PGED = 0x70676564,
    QCKP = 0x71636B70,
    QUES = 0x71756573,
    SCPD = 0x73637064,
    SYST = 0x73797374,
    TBLT = 0x74626C74,
};

int main()
{
    // "Undefined" in UTF-16, 20 bytes including the terminator
    char *undef = "U\0n\0d\0e\0f\0i\0n\0e\0d\0\0";
    int i = 0;
    String s = string_new();
    // Print every SYST string, stopping at the first ID that reads "Undefined"
    do
    {
        string_set_utf16(s, get_res_string(SYST, i));
        if (memcmp(undef, s->str, 20) == 0)
            break;
        printf("0x%X : %s\n", i, string_to_ascii(s));
        ++i;
    } while (1);
    string_free(s);
    puts("");
    return 0;
}

Or simply : https://www.dropbox.com/sh/orpup682k3f7nkd/fQRyPHoVvv
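
The menu table layout and the Resource Lib constants described in the posts above, as an added example that is not part of the thread or of ThemeEditor: a host-side C walker that reads five-word records up to the all-zero terminator, flags submenu headers, decodes the Resource Lib value as its four ASCII bytes, and refuses to read past a table that has no terminator. The names lib_tag, menu_walk and FAKE_CB are hypothetical, and the callback addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum { DEPTH, RES_ID, CALLBACK, CB_DATA, RES_LIB, FIELDS };
#define SYST    0x73797374u  /* from the enum posted in the thread */
#define FAKE_CB 0x10001000u  /* constructed stand-in for a callback address */

/* Rows taken from the table quoted in the thread; callbacks are constructed. */
static const uint32_t sample_menu[] = {
    1, 0xE5,  FAKE_CB, 1, SYST,
    2, 0xE7,  0,       0, SYST,  /* null callback and data: submenu header */
    3, 0xEB,  FAKE_CB, 2, SYST,
    3, 0x16D, FAKE_CB, 3, SYST,
    1, 0x34,  FAKE_CB, 0, SYST,
    0, 0,     0,       0, 0      /* all-zero terminator */
};

/* A Resource Lib value is four ASCII bytes packed most significant first. */
static void lib_tag(uint32_t lib, char out[5]) {
    for (int i = 0; i < 4; i++)
        out[i] = (char)(lib >> (24 - 8 * i));
    out[4] = '\0';
}

/* Returns the entry count, or -1 when no terminator lies within max_words words. */
static int menu_walk(const uint32_t *t, size_t max_words, int *submenus, int verbose) {
    int n = 0;
    *submenus = 0;
    for (size_t off = 0; off + FIELDS <= max_words; off += FIELDS, n++) {
        const uint32_t *e = t + off;
        if (!(e[DEPTH] | e[RES_ID] | e[CALLBACK] | e[CB_DATA] | e[RES_LIB]))
            return n;
        int sub = (e[CALLBACK] == 0 && e[CB_DATA] == 0);
        char tag[5];
        lib_tag(e[RES_LIB], tag);
        *submenus += sub;
        if (verbose)
            printf("%*sres 0x%X (%s) %s\n", 2 * (int)e[DEPTH], "",
                   (unsigned)e[RES_ID], tag, sub ? "[submenu]" : "[entry]");
    }
    return -1;
}

int main(void) {
    int subs, n = menu_walk(sample_menu, sizeof sample_menu / sizeof *sample_menu, &subs, 1);
    printf("%d entries, %d submenu header(s)\n", n, subs);
    return 0;
}
```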
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 20, 2013, 10:01:55 pm
How did you tell the calculator that 0x34 corresponds to "Theme Editor"?
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: Levak on January 20, 2013, 10:19:56 pm
Quote
How did you tell the calculator that 0x34 corresponds to "Theme Editor"?
It is the case.
Remember that a Theme Editor was introduced in development builds, but sadly (or luckily for us) the string remained in the resources.
Title: Re: Hacking the TI Nspire CX Native OS?
Post by: davetheant on January 20, 2013, 10:27:13 pm
Oh that makes total sense now. Thank you for all your help