Omnimaga


Title: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on December 18, 2012, 05:25:43 pm
In a previous news item (https://tiplanet.org/forum/viewtopic.php?t=8890&p=121649), we saw that a small broaching difference around the NOR Flash chip in TI-Nspire ClickPad prototypes was making the chip writeable.
(http://tiplanet.org/forum/gallery/image.php?album_id=10&image_id=596)

This ability to reprogram the Boot1 had then helped us transform TI-Nspire ClickPad prototypes into fully functional production TI-Nspire (http://tiplanet.org/forum/viewtopic.php?t=8954).



In a previous news item (http://tiplanet.org/forum/viewtopic.php?t=10446), an anonymous source had published information about a hardware mod for production TI-Nspire ClickPad, which would make the Flash NOR chip writeable like on prototypes.
(http://tiplanet.org/forum/gallery/image.php?album_id=77&image_id=1394)

We were unable to obtain any further information, so it was best to try ourselves to check:
(http://tiplanet.org/forum/gallery/image.php?album_id=77&image_id=1699)

The installation does require a switch to toggle between the original and modified states of the calculator. Indeed, in the modified state the calculator does not boot, which suggests that there are other hardware differences with the prototypes since those are able to boot in this state.


Once the OS has started, you just have to flip the switch before launching the NOR flasher.

Let's try to reprogram a 1.1.8916 Boot1, with its version string modified to 1.1.9999...
(http://tiplanet.org/forum/gallery/image.php?album_id=13&image_id=1698)


Success! ;D



Since you can now modify the Boot1 exactly as you want, it becomes possible to program anything as Boot2 and diagnostics software, or even as OS.

The possibilities are simply huge! ;)
Note that the Boot1 launches either the Boot2 or the diagnostic software. Both use the same format in memory and are fully interchangeable, the only constraint being the size (the diags area is limited to 640KB, but the code can be compressed).

We could have our own diagnostics / troubleshooting / maintenance software, with more and greater options than the official one...

Or permanently install Linux by programming a loader as a Boot2 or Diags...

Or even have a true dual-boot, to run two different OS ... for example to switch between the Nspire OS and Linux... or to switch between OS 3.1 (for Ndless) and OS 3.2 (for new Lua apps)... No need for a computer or another calculator anymore to constantly install the currently needed OS every 2 days!

And much more... ;)



But don't be too excited: we are talking about TI-Nspire ClickPad sold until 2009-2010, which had an external Flash-NOR chip.

From 2010-2011, TI-Nspire TouchPad, CX and CM had their Flash-NOR chip moved inside the ASIC.

This internal Flash-NOR is unknown and probably write-protected. A similar change would require uncapping the ASIC chip without destroying it and then modifying it under a microscope... Let's say it more simply: it's impossible.




Source:
http://tiplanet.org/forum/viewtopic.php?p=133688&lang=en
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: Sorunome on December 18, 2012, 07:28:27 pm
but, i thought nothing was impossible! D:
And epic news btw! :D
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: DJ Omnimaga on December 18, 2012, 08:33:28 pm
A similar change would require to uncap the ASIC chip without destroying it and then modify it under a microscope... Let's say it more simply: it's impossible.

But Calc84maniac made a GBA emulator for the Nspire, so that must be possible! O.O

But joking aside, good job critor :)
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: DrDnar on December 19, 2012, 04:01:08 am
Well this might well piss them off. They'd have to rehire a team of expensive electrical engineers to fix this.
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: Adriweb on December 19, 2012, 06:05:59 am
 Well it's useless, the clickpad are out there already and not produced anymore, so....
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: DJ Omnimaga on December 19, 2012, 01:41:42 pm
Also, considering it requires the user to modify his calculator hardware (add the small switch on the side), I doubt that even a few people will bother trying this anyway.
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: _Nicco_ on December 19, 2012, 07:03:03 pm
This is revolutionary!  We must figure out a way to flash boot1 on the CX even if it is "impossible". :)
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on December 22, 2012, 10:16:12 am
It seems that not all TI-Nspire ClickPad will be reflashable.

Hardware revisions 'A' and earlier (2007) are.

We thought that the Boot1 Flash-NOR was moved into the ASIC when TI-Nspire TouchPad were released (back to school 2010).

But cncalc.org (http://cncalc.org) has opened a TI-Nspire CAS ClickPad hardware revision 'I' (2009) and discovered that the external Boot1 Flash-NOR was already missing.
(http://i11.servimg.com/u/f11/13/23/13/53/12230810.jpg)
(http://i11.servimg.com/u/f11/13/23/13/53/09064210.jpg)

So hardware revisions 'I' and later (2009) aren't.


Could you help us determine exactly the set of TI-Nspire ClickPad hardware revisions whose Boot1 can be reflashed?

If you own a TI-Nspire ClickPad revision B-H, you would just have to open it and tell us or take a photo.

Thanks.


Source: http://tiplanet.org/forum/viewtopic.php?f=43&t=10971
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on December 22, 2012, 11:35:07 am
Answering to myself.

Here is Adriweb's TI-Nspire CAS ClickPad hardware revision E:
(http://i.imgur.com/giwm2.jpg)

Only 2 chips - we won't be able to reflash the Boot1 which is inside the ASIC.


Seems like TI fixed that exploit very early, and we should have released many things years ago.

TI-Nspire ClickPad hardware revisions E and later won't be flashable.


So, we now need to check TI-Nspire ClickPad hardware revisions B, C, D.
Thanks.




Edit: now from Excale, a TI-Nspire CAS ClickPad hardware revision C (P-0308C).

It uses the new hardware: new ASIC reference and no Flash-NOR chip :(

We now need someone with a TI-Nspire ClickPad hardware revision B.

But apparently it seems that only prototypes and first production models manufactured in 2007 will be reflashable.
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on December 22, 2012, 08:06:33 pm
A Boot1 flasher for Ndless 3.1 has just been released:
http://tiplanet.org/forum/archives_voir.php?id=10069

Beware: flashing a bad/wrong Boot1 image will permanently brick your TI-Nspire.



The flasher will only work if your TI-Nspire is using an external SST 39WF400A Flash-NOR chip:
- TI-XXXXXXXXXXX DVT 1.2 prototypes
- TI-Nspire DVT 2.0 prototypes
- TI-Nspire (1st hardware version)
- TI-Nspire hardware revision A (2nd hardware version)
* maybe TI-Nspire hardware revision B ? *

On production TI-Nspire using that chip, you'll have to perform the hardware mod described in 1st post in order to make your chip writeable.



In theory, nothing bad should happen on models or hardware revisions which don't use that chip.
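Because a wrong Boot1 image bricks the calculator, a pre-flash sanity check is worth having. This added example (not critor's flasher, nor any TI-Planet code) is a hypothetical checker for the exact modification described in the first post, a 1.1.8916 image with only its version string changed: it requires the candidate to have the same size as the original and to differ only inside the version string bytes, and it also applies the 640KB diags-area limit mentioned earlier in the thread. The image bytes are constructed here and carry no real Boot1 format knowledge.

```python
import re

DIAGS_AREA_LIMIT = 640 * 1024  # diags area size stated in the thread, in bytes
VERSION_RE = re.compile(rb"\d+\.\d+\.\d+")  # dotted version such as 1.1.8916


def find_version_string(image: bytes):
    """Return (offset, text) of the first dotted version string, or None."""
    m = VERSION_RE.search(image)
    return (m.start(), m.group().decode()) if m else None


def fits_diags_area(image: bytes) -> bool:
    """True when the (possibly compressed) image fits the 640KB diags area."""
    return len(image) <= DIAGS_AREA_LIMIT


def check_modified_image(original: bytes, candidate: bytes):
    """Pre-flash check: same size, and all differences confined to the version string.

    Returns (ok, detail); detail is the new version string on success,
    otherwise a short reason for the rejection.
    """
    if len(candidate) != len(original):
        return (False, "size mismatch: %d vs %d bytes" % (len(candidate), len(original)))
    ver = find_version_string(original)
    if ver is None:
        return (False, "no version string found in original image")
    start, text = ver
    end = start + len(text)
    # Offsets where the two images differ, excluding the version string window
    stray = [i for i, (a, b) in enumerate(zip(original, candidate))
             if a != b and not (start <= i < end)]
    if stray:
        return (False, "unexpected changes at offsets %s" % stray[:8])
    return (True, candidate[start:end].decode(errors="replace"))


# Constructed sample images (not real Boot1 data): a fake original with version 1.1.8916,
# a good candidate with only the version string changed, and a bad one touching padding.
ORIGINAL = b"TI-Nspire Boot1 constructed sample\x00Version 1.1.8916\x00" + b"\xff" * 32
GOOD = ORIGINAL.replace(b"1.1.8916", b"1.1.9999")
BAD = bytearray(GOOD)
BAD[-1] = 0x00
BAD = bytes(BAD)

if __name__ == "__main__":
    for name, cand in (("good", GOOD), ("bad", BAD), ("truncated", ORIGINAL[:-1])):
        print(name, check_modified_image(ORIGINAL, cand))
```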
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: Sorunome on December 22, 2012, 10:21:34 pm
But would you still need to hardware-mod?
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: Adriweb on December 23, 2012, 03:48:57 am
Yes, indeed (so that's reducing the range of HW revisions of ClickPad to pre-A (nothing shown after the date), and possibly A and B)
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on December 23, 2012, 05:20:14 am
Yes, indeed (so that's reducing the range of HW revisions of ClickPad to pre-A (nothing shown after the date), and possibly A and B)

A is confirmed to be flashable after the hardware mod.
I've got a Nspire hardware revision A, sent to me by Lionel.

pre-A models need the hardware mod too.

The only unknown remains hardware revision B.
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on January 12, 2013, 07:24:29 pm
If you think the image below is real, then try to guess "freely Boot1 1.1.9999" features before I news about it! ;)

(http://tiplanet.org/forum/gallery/image.php?album_id=13&image_id=1889) (http://tiplanet.org/forum/gallery/image_page.php?album_id=13&image_id=1889)

Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: Sorunome on January 12, 2013, 07:29:22 pm
You can load a CAS os?
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on January 12, 2013, 07:31:50 pm
The Boot1 doesn't deal with the OS, only with the Diags and Boot2.

But "freely Boot1 1.1.9999" could be used to 'help' loading a CAS OS, yes.
(although you can already perform this by using nLaunch)
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: Nick on January 12, 2013, 07:42:40 pm
I guess it's some kind of boot manager which makes it possible to select whichever OS you want to load?

seeing the loader, it's at about 50%, so that's where the OS gets loaded, right?
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on January 12, 2013, 07:49:47 pm
Below 50%, we're in the Boot1 which is loading the Boot2.
So again, nothing to do with the OS 'directly'.

A little video for those who were thinking the photo was fake:
Title: Re: 1st reflashing of a production TI-Nspire Boot1 !
Post by: critor on January 13, 2013, 06:20:54 am
For those who can't wait, I've newsed about this in French for now:
http://tiplanet.org/forum/viewtopic.php?f=43&t=11102&p=134459#p134458