Omnimaga

Omnimaga => News => Topic started by: Munchor on June 27, 2011, 06:34:13 am

Title: 84+/SE Boot Pages Modified
Post by: Munchor on June 27, 2011, 06:34:13 am
Yesterday, Brandon Wilson tweeted that he had managed to modify both boot pages in the 84+/SE, through software only, as you can see in the following picture:

(http://dl.dropbox.com/u/763272/Screenshot-5.png)

Another tweet from Brandon Wilson tells us about some of the possibilities that this will bring:

Quote from: Brandon Wilson
It means we can modify the boot code & completely strip out all TI copyrighted code from the device. No more exploits or hacks.

From now on, if TI tries any more "tricks" to block features or downgrades, they can be easily fixed thanks to this.

Some may say this is a fail from TI and others might say it is the end of all the problems caused by TI blocking downgrades and other features. I question, though, can't TI change the boot pages in a newer OS? Either way, I think this is wonderful news.

Finally I have to add that thepenguin77 also discovered this, but separately from Brandon Wilson.

Below is the most recent tweet by Brandon Wilson concerning this program:

Quote from: Brandon Wilson
Boot code one is a simple program. Pocket exploit...probably best not to say yet. But very simple & easy to use.
Title: Re: 84+/SE Boot Pages Modified
Post by: JosJuice on June 27, 2011, 06:37:45 am
Quote from: Munchor
I question, though, can't TI change the boot pages in a newer OS?
At first, we all thought that the boot pages couldn't be written to, so I think it's safe to assume that TI doesn't know how to do it. And even if they do change them, we can probably just change them back...
Title: Re: 84+/SE Boot Pages Modified
Post by: TIfanx1999 on June 27, 2011, 08:28:18 am
Oh my! :O Does this mean that the new TI-84 pocket can be modded to accept OS downgrades/custom OSes? If so, that would be great news indeed!
Title: Re: 84+/SE Boot Pages Modified
Post by: fb39ca4 on June 27, 2011, 09:25:16 am
Great news!
Does the 84 pocket have different signing keys than the original? Is that why we can't use custom OSes ATM?
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 09:28:31 am
Well, I've talked to brandonW about this. We really don't want to use this to make the pocket able to accept other OSes. The problem comes from how dangerous this is. In the end, it really is just like any flash mod, but the thing is, if something goes wrong while the boot code is all FF's, instant, permanent brick. Unless you can wire up the flash chip and reprogram it, your calculator is done. It will execute one instruction and end.

If we did make a boot code modder, of course it would be extremely safe. It would check batteries all over the place and probably would be stepped through instruction by instruction several times. But, boot code 1.03 will probably be coming to America soon which means it will become more widespread. And if we release this as the only way to install other OSes, over time, there will probably be about 5 people using it every day. If just 1 person is an idiot and tricks their calculator into running it with low batteries, they will brick their calculator and we will be in a huge mess online.

Besides, we don't even need to do this. BrandonW and I have come up with different ways to beat the boot code, and my program to do it is already done. With two exploits, we should be covered for a long time unless TI looks through their boot code for errors, which they won't.

Edit:
    Now that I think about it, NOPing out some checks in the boot code wouldn't really be that dangerous. (I've already NOPed stuff in my boot code.) So I guess a mod like this could be a possibility, but only if we need to do it.
Title: Re: 84+/SE Boot Pages Modified
Post by: Lionel Debroux on June 27, 2011, 09:34:43 am
Quote from: fb39ca4
Does the 84 pocket have different signing keys than the original?
Maybe they have _additional_ keys (I don't know), but the 84+ Pocket does support the old signing key: an unmodified OS 2.55MP for regular 84+(SE) can be successfully sent to a 84+ Pocket :)
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 09:50:00 am
It's been a while, so I'll give you a hint: The 258 bytes at the start of page 73h are a new signature that the boot code expects to be present.
Title: Re: 84+/SE Boot Pages Modified
Post by: TIfanx1999 on June 27, 2011, 09:55:28 am
Quote from: thepenguin77
Well, I've talked to brandonW about this. We really don't want to use this to make the pocket able to accept other OSes. The problem comes from how dangerous this is. In the end, it really is just like any flash mod, but the thing is, if something goes wrong while the boot code is all FF's, instant, permanent brick. Unless you can wire up the flash chip and reprogram it, your calculator is done. It will execute one instruction and end.

If we did make a boot code modder, of course it would be extremely safe. It would check batteries all over the place and probably would be stepped through instruction by instruction several times. But, boot code 1.03 will probably be coming to America soon which means it will become more widespread. And if we release this as the only way to install other OSes, over time, there will probably be about 5 people using it every day. If just 1 person is an idiot and tricks their calculator into running it with low batteries, they will brick their calculator and we will be in a huge mess online.

Besides, we don't even need to do this. BrandonW and I have come up with different ways to beat the boot code, and my program to do it is already done. With two exploits, we should be covered for a long time unless TI looks through their boot code for errors, which they won't.

Edit:
    Now that I think about it, NOPing out some checks in the boot code wouldn't really be that dangerous. (I've already NOPed stuff in my boot code.) So I guess a mod like this could be a possibility, but only if we need to do it.

This is great news! I'm glad that there is a safer way instead. Regardless of what OS it was running, I was planning to get a TI-84 pocket when it is released. It makes me even happier that I will be able to run whatever OS I choose though. ;D Awesome work thepenguin and Brandon W.! You guys kick so much ass!
Title: Re: 84+/SE Boot Pages Modified
Post by: aeTIos on June 27, 2011, 10:01:10 am
hooray! BrandonW's CalcGod factor: >9000! :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup: :thumbsup:
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 10:52:18 am
The only word I can think of to describe this is wow. I love how we now have complete control over the 84. Hopefully we will also be able to do this to other calcs eventually
Title: Re: 84+/SE Boot Pages Modified
Post by: Deep Toaster on June 27, 2011, 12:52:26 pm
Thank you TI for all those weird holes you seem to leave everywhere :thumbsup:
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 12:57:55 pm
Quote from: Deep Toaster
Thank you TI for all those weird holes you seem to leave everywhere ;D
Thank god for TI's bad programming
Title: Re: 84+/SE Boot Pages Modified
Post by: Juju on June 27, 2011, 01:03:38 pm
Well that's nice. Can't wait to see this on the other 83+ calcs. And that would allow for custom boot code?
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 01:08:18 pm
I think from what they said that this allows anything you could possibly do. The hardware is completely open now
Title: Re: 84+/SE Boot Pages Modified
Post by: Deep Toaster on June 27, 2011, 01:09:58 pm
So we can boot Windows Vista now! :D/me runs
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 01:10:41 pm
Quote from: Deep Toaster
So we can boot Windows Vista now! :D
why would you want to do that. Let's go with Damn Small Linux (smallest current OS I know)
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 01:35:24 pm
Quote from: Juju
Well that's nice. Can't wait to see this on the other 83+ calcs. And that would allow for custom boot code?

This won't work on 83+'s because on those, TI most likely locked the boot code the proper way with the flash chip itself. Here is the only reason that it actually works on an 84+: (new paragraph so people can quote me :))

On the 84+, for whatever reason, TI decided not to hardware write protect the boot code sectors. The flash chip supports this feature, but TI didn't do it. So TI just programs the boot sectors and puts the flash chip in the calculator. That was mistake number one, but here comes mistake number two. Next, probably in order to save money, TI decided to make the circuit boards of the 84+ and 84+SE exactly the same, the only difference of course is the flash chip. So, to make sure that the boot sectors can't be overwritten, TI had to come up with a way to block different sectors on the flash chip for each model even though the hardware was exactly the same. Their solution was to make a port on the calculator that protects different flash pages based on its value. And finally, since the boot codes were programmed differently on the flash chips, TI put in code to set this port to different values based on the size of the flash chip. This way, as long as no one touches that port, the calculator will look like the boot code is write protected. However, we discovered what this port was and removed their boot code protection.

After writing this, I feel like this would work on the 83+SE also.

(Now, after all of that, if you know a bit of assembly, I'm sure you can figure out how to do it.)
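The post above describes two ways of keeping the boot pages from being rewritten: a lock inside the flash chip itself, which the CPU cannot undo, versus a port in the ASIC that blocks a page range which the boot code picks at run time from the chip size. The following is an added model of that difference, not TI's hardware, port number or code, and not thepenguin77's or BrandonW's program: the page counts (64 and 128 pages), the port encoding (bit 7 enables, low bits give the first protected page), the placement of the boot pages at the top of the chip, and every function name are assumptions made for the illustration.

```c
/* Hypothetical model of two boot-page write-protection designs (added example,
 * not the real calculator hardware): a factory-set sector lock in the flash
 * chip versus a CPU-writable protection port in the ASIC. Sizes, the port
 * encoding and the page layout are assumptions for the model. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAGES   128u   /* assumed: 2 MB chip with 16 KB pages */
#define BOOT_PAGES  2u     /* the thread talks about "both boot pages" */
#define PORT_ENABLE 0x80u  /* assumed encoding: bit 7 = enable, bits 0-6 = first protected page */

typedef enum { PROT_SOFT_PORT, PROT_HW_SECTOR_LOCK } prot_mode_t;

typedef struct {
    unsigned    npages;               /* 64 (1 MB) or 128 (2 MB), assumed sizes */
    prot_mode_t mode;
    uint8_t     prot_port;            /* the CPU-writable protection port */
    bool        hw_locked[MAX_PAGES]; /* sector-protect bits set when the chip is programmed */
    uint8_t     page[MAX_PAGES];      /* one representative byte per page; 0xFF = erased */
} flash_t;

static unsigned boot_page_first(const flash_t *f) { return f->npages - BOOT_PAGES; }

/* Factory programming: boot code goes in the top pages. In the hardware-lock
 * design the programmer also sets the chip's own protect bits for those pages. */
static void flash_program_at_factory(flash_t *f, unsigned npages, prot_mode_t mode) {
    memset(f, 0, sizeof *f);
    memset(f->page, 0xFF, sizeof f->page);
    f->npages = npages;
    f->mode = mode;
    for (unsigned p = boot_page_first(f); p < npages; p++) {
        f->page[p] = 0xC3;            /* stands in for real boot code (a JP opcode) */
        if (mode == PROT_HW_SECTOR_LOCK)
            f->hw_locked[p] = true;
    }
}

/* Port-based design: on every reset the boot code derives the protected range
 * from the chip size (same board, different chip) and writes it to the port. */
static void boot_code_arm_protection(flash_t *f) {
    if (f->mode == PROT_SOFT_PORT)
        f->prot_port = (uint8_t)(PORT_ENABLE | boot_page_first(f));
}

static bool page_is_protected(const flash_t *f, unsigned page) {
    if (page >= f->npages || f->hw_locked[page])
        return true;
    if (f->mode == PROT_SOFT_PORT && (f->prot_port & PORT_ENABLE))
        return page >= (f->prot_port & 0x7Fu);
    return false;
}

/* Flash write as seen by code running on the CPU: 0 on success, -1 if blocked. */
static int flash_write(flash_t *f, unsigned page, uint8_t value) {
    if (page_is_protected(f, page))
        return -1;
    f->page[page] = value;
    return 0;
}

/* The move described in the post: code that can reach the port changes its
 * value. The chip's own lock bits are not reachable this way. */
static void attacker_clear_port(flash_t *f) { f->prot_port = 0; }

/* Scenario: try to overwrite the first boot page with protection as the boot
 * code left it, then again after clearing the port. Returns true if the second
 * write went through, i.e. the boot page could be rewritten from software. */
bool boot_page_rewritable(prot_mode_t mode, unsigned npages) {
    flash_t f;
    flash_program_at_factory(&f, npages, mode);
    boot_code_arm_protection(&f);
    unsigned target = boot_page_first(&f);

    if (flash_write(&f, target, 0x00) == 0)   /* must be blocked in both designs */
        return true;
    attacker_clear_port(&f);
    return flash_write(&f, target, 0x00) == 0 && f.page[target] == 0x00;
}

/* Control: an ordinary OS page stays writable in both designs. */
bool os_page_writable(prot_mode_t mode, unsigned npages) {
    flash_t f;
    flash_program_at_factory(&f, npages, mode);
    boot_code_arm_protection(&f);
    return flash_write(&f, 0, 0x12) == 0;
}

int main(void) {
    assert(boot_page_rewritable(PROT_SOFT_PORT, 64));        /* port design: bypassed */
    assert(boot_page_rewritable(PROT_SOFT_PORT, 128));
    assert(!boot_page_rewritable(PROT_HW_SECTOR_LOCK, 128)); /* chip lock: holds */
    assert(os_page_writable(PROT_SOFT_PORT, 128));
    return 0;
}
```

The point the model makes is the one the post makes: a protection that the same CPU can reconfigure is only as strong as the code path that guards the port, while a lock enforced inside the flash chip does not depend on any software staying honest.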

Title: Re: 84+/SE Boot Pages Modified
Post by: calc84maniac on June 27, 2011, 01:37:39 pm
Quote from: thepenguin77
(Now, after all of that, if you know a bit of assembly, I'm sure you can figure out how to do it.)
It's not that simple to do -- it is a protected port, after all.
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 01:39:56 pm
I didn't say you could do it, I just said you know how to do it. :P Or you at least have some ballpark idea.
Title: Re: 84+/SE Boot Pages Modified
Post by: the_mad_joob on June 27, 2011, 02:02:53 pm
Quote from: Deep Toaster
So we can boot Windows Vista now! :D/me runs

You better run fast =]

Anyway, that's amazing news.
Just hope no one will be legally hurt after this discovery...
Title: Re: 84+/SE Boot Pages Modified
Post by: Netham45 on June 27, 2011, 02:04:20 pm
Quote from: the_mad_joob
Quote from: Deep Toaster
So we can boot Windows Vista now! :D/me runs

You better run fast =]

Anyway, that's amazing news.
Just hope no one will be legally hurt after this discovery...

I believe any threats they sent would be totally unfounded, and probably just ignored. It's fully legal to replace code on your own device, as long as you're not replacing it with unlicensed copyrighted code.
Title: Re: 84+/SE Boot Pages Modified
Post by: the_mad_joob on June 27, 2011, 02:20:00 pm
Quote from: Netham45
I believe any threats they sent would be totally unfounded, and probably just ignored. It's fully legal to replace code on your own device, as long as you're not replacing it with unlicensed copyrighted code.

You never know what a company which has just been raped can do =]
Title: Re: 84+/SE Boot Pages Modified
Post by: AngelFish on June 27, 2011, 02:31:25 pm
TI has essentially no legal case in this situation. Even if they wanted to go after BrandonW or thePenguin (which I doubt they do), they can't make a case against this. For once, the law is actually in our favor here because this hack allows us to actually remove all copyrighted code from the device. Previously, TI could have made a [tenuous] case against all 3rd party OSes because the boot code was still present.

Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 02:32:28 pm
Quote from: AngelFish
TI has essentially no legal case in this situation. Even if they wanted to go after BrandonW or thePenguin (which I doubt they do), they can't make a case against this. For once, the law is actually in our favor here because this hack allows us to actually remove all copyrighted code from the device. Previously, TI could have made a [tenuous] case against all 3rd party OSes because the boot code was still present.


so this code has effectively taken out TI's ability to bring lawsuits against us for 84+/84+SE programs/OS's
Title: Re: 84+/SE Boot Pages Modified
Post by: AngelFish on June 27, 2011, 02:36:48 pm
If and only if new OSes also overwrite the boot code. Needless to say, that's not exactly a desirable thing, for reasons previously mentioned by thepenguin77. However, I think the danger of the process could be somewhat mitigated if someone wrote a good alternative boot code and open sourced it.
Title: Re: 84+/SE Boot Pages Modified
Post by: Darl181 on June 27, 2011, 02:37:57 pm
Call me a n00b, but what's the function of the existing boot code?
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 02:39:33 pm
Quote from: Darl181
Call me a n00b, but what's the function of the existing boot code?
I believe it is the code for loading the OS(guess)
Title: Re: 84+/SE Boot Pages Modified
Post by: Deep Toaster on June 27, 2011, 02:39:59 pm
Quote from: Darl181
Call me a n00b, but what's the function of the existing boot code?
To boot the calculator. It's run when the calculator turns on for the first time, after a battery change, or after a crash/clear of any sort. I guess it checks if the OS is valid.
Title: Re: 84+/SE Boot Pages Modified
Post by: calc84maniac on June 27, 2011, 02:42:03 pm
It's also able to receive new OSes over I/O and USB. Kind of important.
Title: Re: 84+/SE Boot Pages Modified
Post by: Darl181 on June 27, 2011, 02:43:50 pm
Ok, so it's just code that's not part of TIOS, but still interacts with some of the dirtier aspects?
Title: Re: 84+/SE Boot Pages Modified
Post by: Deep Toaster on June 27, 2011, 02:44:32 pm
It's lower than that. You could think of the TI-OS itself as one big program that's being run by the boot code.
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 02:45:54 pm
It appears it is a program that actually runs the calculator. The OS has to go through it I think. It runs pretty much everything I think
Title: Re: 84+/SE Boot Pages Modified
Post by: Darl181 on June 27, 2011, 02:46:08 pm
So the boot code also checks that it's actually TIOS it's running instead of a third-party OS.  (hence signing keys?)  Also it limits TIOS.
Now that it's editable.. ;D
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 02:46:51 pm
Quote from: Darl181
So the boot code also checks that it's actually TIOS it's running instead of a third-party OS.  (hence signing keys?)  Also it limits TIOS.
Now that it's editable.. ;D
Yep no control by TI over the calculator >:)
Title: Re: 84+/SE Boot Pages Modified
Post by: Deep Toaster on June 27, 2011, 02:48:32 pm
Quote from: Darl181
So the boot code also checks that it's actually TIOS it's running instead of a third-party OS.  (hence signing keys?)  Also it limits TIOS.
Now that it's editable.. ;D

It doesn't check if the TI-OS is running -- it runs the TI-OS. Think of the TI-OS as one big program that gets run from the boot code. Even when your calculator "turns off," the TI-OS is still running (that's why it still uses power, and that's why you can't remove all five batteries without resetting RAM). When your calc crashes, it goes back to the boot code to check if there's an OS and start it up.
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 02:51:38 pm
Quote from: Deep Toaster
Quote from: Darl181
So the boot code also checks that it's actually TIOS it's running instead of a third-party OS.  (hence signing keys?)  Also it limits TIOS.
Now that it's editable.. ;D

It doesn't check if the TI-OS is running -- it runs the TI-OS. Think of the TI-OS as one big program that gets run from the boot code. Even when your calculator "turns off," the TI-OS is still running (that's why it still uses power, and that's why you can't remove all five batteries without resetting RAM). When your calc crashes, it goes back to the boot code to check if there's an OS and start it up.
So turning the calc off is more like putting it into standby mode right?
Title: Re: 84+/SE Boot Pages Modified
Post by: Deep Toaster on June 27, 2011, 02:53:48 pm
Pretty much.
Title: Re: 84+/SE Boot Pages Modified
Post by: Lionel Debroux on June 27, 2011, 03:06:47 pm
It's very good news, and renewed proof of TI's extensive and long-lasting fail at controlling their devices... Two different flaws found independently in parallel, congratulations :D
Once again, the search for flaws was a consequence of a negative move by TI, towards further locking of their calculators. Let's keep going on, together, with that pattern :)
Title: Re: 84+/SE Boot Pages Modified
Post by: alberthrocks on June 27, 2011, 03:10:33 pm
There is a free boot code out there called BootFree, developed by Benjamin Moody (FloppusMaximus). It's quite hard to find... but you might be able to extract it from the Wabbitemu source code. ;)

EDIT: Found a topic that mentions and gives a link... which is broken. :P http://www.revsoft.org/phpBB3/viewtopic.php?f=32&t=608&start=45
Title: Re: 84+/SE Boot Pages Modified
Post by: calc84maniac on June 27, 2011, 03:12:09 pm
Quote from: alberthrocks
There is a free boot code out there called BootFree, developed by Benjamin Moody (FloppusMaximus). It's quite hard to find... but you might be able to extract it from the Wabbitemu source code. ;)

EDIT: Found a topic that mentions and gives a link... which is broken. :P http://www.revsoft.org/phpBB3/viewtopic.php?f=32&t=608&start=45
Since it was designed exclusively for emulators, I don't think it has any code to receive an OS over link cable.
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 03:14:06 pm
The boot code has two purposes. 1) To receive OSes, 2) To prepare the calculator hardware to run the operating system.

Receiving OSes is one of the boot code's two purposes. Whenever you see the OS percentage screen, that is the boot code. The boot code also makes its appearance in "Waiting... Please send operating system now." However, even if the boot code couldn't receive OSes for whatever reason, this really isn't too bad as there are ways to glitch it.


But the primary purpose of the boot code is to prepare the calculator hardware for an OS and then jump to the OS to let it start executing. Whenever power is cut from the calculator, all of the hardware stuff dies. Then, when power returns, execution starts at the boot code. The boot code sets up all of the calculator hardware, checks to make sure that an OS is installed, and then jumps to the OS. But the key thing here is that the boot code is run first no matter what. If you pull a battery, the next thing that is going to run is the boot code. (Unless the calculator is turned off, then you have like 5 secs to put it back in.) So if the boot code is missing, the calculator will crash as soon as a battery is inserted. And when it crashes, guess where it goes. The boot code. This would be an endless loop, and the end of your calculator.
Title: Re: 84+/SE Boot Pages Modified
Post by: alberthrocks on June 27, 2011, 03:18:34 pm
Quote from: calc84maniac
Quote from: alberthrocks
There is a free boot code out there called BootFree, developed by Benjamin Moody (FloppusMaximus). It's quite hard to find... but you might be able to extract it from the Wabbitemu source code. ;)

EDIT: Found a topic that mentions and gives a link... which is broken. :P http://www.revsoft.org/phpBB3/viewtopic.php?f=32&t=608&start=45
Since it was designed exclusively for emulators, I don't think it has any code to receive an OS over link cable.
Well, you still have half the functionality! ;) Now it just needs to be improved to get receiving and sending support, this time with a pretty progress bar? :P

Quote from: thepenguin77
This would be an endless loop, and the end of your calculator.
... unless you take the time to attempt to reprogram your flash chip. :P I've heard some convo about it a while ago, not sure if any breakthrough was found.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 27, 2011, 03:27:44 pm
This is great news. I read about the boot code exploit for a few days now and I must say those exploits will really need to be bug-free when coming out, since it could be dangerous otherwise (calc bricking), but when they're perfect this will give us even more control on our calcs.
Quote from: ruler501
Quote from: Deep Toaster
Quote from: Darl181
So the boot code also checks that it's actually TIOS it's running instead of a third-party OS.  (hence signing keys?)  Also it limits TIOS.
Now that it's editable.. ;D

It doesn't check if the TI-OS is running -- it runs the TI-OS. Think of the TI-OS as one big program that gets run from the boot code. Even when your calculator "turns off," the TI-OS is still running (that's why it still uses power, and that's why you can't remove all five batteries without resetting RAM). When your calc crashes, it goes back to the boot code to check if there's an OS and start it up.
So turning the calc off is more like putting it into standby mode right?
Indeed. In fact in ASM in 28 days, they say to really turn the calc OFF, you must remove all five batteries (including the lithium one)
Title: Re: 84+/SE Boot Pages Modified
Post by: alberthrocks on June 27, 2011, 03:41:10 pm
That's correct. :) If you ran, say, KOS or RougeOS, and you took the batteries out, the screen would fade away gradually.
However... if you took the batteries out when running TI-OS, it detects the occurrence and shuts the calc off into a "RAM safe mode", waiting for you to put batteries back in.

Above info not known nor discovered by me, but by the magnificent BrandonW! Great job! :D
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 04:24:23 pm
Quote from: DJ Omnimaga
Indeed. In fact in ASM in 28 days, they say to really turn the calc OFF, you must remove all five batteries (including the lithium one)

We actually now know better than that. The calculator is off a few hundredths of a second after you pull out a AAA. The reason it appears that it didn't shut off is because the lithium battery kept the RAM intact. Execution still starts at the boot code. But, I guess if you call RAM intact powered, then yes, it takes all 5 batteries.

Quote from: alberthrocks
That's correct. :) If you ran, say, KOS or RougeOS, and you took the batteries out, the screen would fade away gradually.
However... if you took the batteries out when running TI-OS, it detects the occurrence and shuts the calc off into a "RAM safe mode", waiting for you to put batteries back in.

If you pull the batteries while the calculator is ON, the screen will blank, it won't fade. You can see this happen if you pull the batteries during an assembly program.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 27, 2011, 04:34:49 pm
I see. Also I noticed that when removing all 5 batteries, if they're put back in immediately the RAM remains intact. (I tried)
Title: Re: 84+/SE Boot Pages Modified
Post by: willrandship on June 27, 2011, 04:36:58 pm
That would, I think be because the capacitors had not had time to fully drain. It might corrupt some memory, though, so be careful. Of course, my thought is worthless if I'm wrong on how that particular RAM functions  :P
Title: Re: 84+/SE Boot Pages Modified
Post by: ralphdspam on June 27, 2011, 05:42:01 pm
Yes!  This is great news!  Think of all of the possibilities for the un-TI'd calculator! :D
Title: Re: 84+/SE Boot Pages Modified
Post by: Eeems on June 27, 2011, 06:10:49 pm
Somebody needs to start working on this open source Boot code for us :P

And hey, that's my picture in the first post :D
Title: Re: 84+/SE Boot Pages Modified
Post by: yunhua98 on June 27, 2011, 09:09:18 pm
SWEET!  no more worrying about 2.71MP!
also, does this mean the TI-84 Pocket can be now?
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on June 27, 2011, 10:03:05 pm
I just got a Walmart calculator today. It came with 1.03. So, TI is definitely shipping 1.03 for the new school year.

Also, TI is trying to get a Z80 to do 2048 encryption? That . . . is ridiculous. Just . . . as ridiculous as possible. Let's one-up them and make a boot code that verifies the OS with a 4096-bit key. That'll probably take 2 hours to validate.
Title: Re: 84+/SE Boot Pages Modified
Post by: Netham45 on June 27, 2011, 10:15:09 pm
Quote from: Eeems
Somebody needs to start working on this open source Boot code for us :P

And hey, that's my picture in the first post :D

According to Brandon, we have one for emulators already.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 27, 2011, 10:26:55 pm
Wow, so TI was really determined to get people stuck with 2.55MP.

But 2048 bit encryption? O.O Did they really do it? O.O
Title: Re: 84+/SE Boot Pages Modified
Post by: Netham45 on June 27, 2011, 10:27:43 pm
Nothing like wasting half our batteries invalidating the OS.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 27, 2011, 10:38:20 pm
So that's why the new boot code takes so long to validate the OS now? Personally I already found the OS taking long enough to send on a calc. Now imagine with that new calc boot code...

I hope they do not update the 83+ with it. It takes 15-20 minutes to send an OS to it with a serial cable. Now imagine with the new boot code: 30-40 minutes?
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 10:43:08 pm
Why TI why? you give us Lua then do something evil like this :(
Title: Re: 84+/SE Boot Pages Modified
Post by: Camdenmil on June 27, 2011, 10:52:51 pm
Nice. Never thought this would be possible, although the pictures on datamath made me wonder why the pages were different. But 2048 bit on a little 8/16 bit CPU, TI is getting desperate if it's true. Unless TI decided to make yet another hardware variation, boot code 1.03 is useless  :evillaugh:

EDIT:
Did TI properly protect flash on the 83+SE?
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on June 27, 2011, 10:53:54 pm
Somebody should lock this thread before TI notices and actually does change things again.
Title: Re: 84+/SE Boot Pages Modified
Post by: Darl181 on June 27, 2011, 10:54:28 pm
inb4 ticalc.org front page :P
Title: Re: 84+/SE Boot Pages Modified
Post by: ruler501 on June 27, 2011, 10:56:40 pm
TI will find out soon enough anyways
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 27, 2011, 11:24:31 pm
Quote from: DrDnar
Somebody should lock this thread before TI notices and actually does change things again.

Lol, for TI to fix this, they would have to make some assembly line changes. Most notably, locking the flash chip, which I don't think they could accomplish very easily.
Title: Re: 84+/SE Boot Pages Modified
Post by: mrmprog on June 27, 2011, 11:35:13 pm
I am not very knowledgeable about z80 stuff, but from what I have read here, am I correct in thinking that the boot code is a "master program" of sorts that runs everything including the OS?
Title: Re: 84+/SE Boot Pages Modified
Post by: BrandonW on June 27, 2011, 11:37:02 pm
The boot code is the first sector of code that's executed when you power on the calculator. It's responsible for checking to make sure there's a valid OS installed, and if so, booting it. If not, it waits for one to be received over a link cable, and then boots it.

It also provides common routines that the OS uses, for Flash reading/writing, certificate manipulation, cryptographic functions, etc.

It must always be there.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 28, 2011, 12:43:34 am
Quote from: thepenguin77
Quote from: DrDnar
Somebody should lock this thread before TI notices and actually does change things again.

Lol, for TI to fix this, they would have to make some assembly line changes. Most notably, locking the flash chip, which I don't think they could accomplish very easily.
Wouldn't they also need to change some hardware too?
Title: Re: 84+/SE Boot Pages Modified
Post by: BrandonW on June 28, 2011, 12:46:21 am
They certainly have to change things in the ASIC so that the port we're modifying no longer has any effect. How difficult that would be is unknown. Based on the fact that they put such bone-headed functionality in there, it's possible it's not that easy.

Even if they did fix it, there are still numerous boot code exploits to get an OS on there, and it appears they made some pretty crappy attempts to block some other hacks.

I hope you're reading this, TI: you have truly failed. The harder you try, the worse you make it on yourself.
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on June 28, 2011, 01:00:10 am
Quote from: DrDnar
I just got a Walmart calculator today. It came with 1.03. So, TI is definitely shipping 1.03 for the new school year.

Could you report the serial datestamp with the manufacturing date and hardware revision?

It might be useful to have a good guess before buying a calculator. ;)
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on June 28, 2011, 01:00:47 am
P-0211Q
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on June 28, 2011, 01:08:02 am
Quote from: DrDnar
P-0211Q

Thanks. I don't know if the new 1.03 Boot Code on TI-84+/84+SE is strongly related to the manufacturing date or hardware revision, but I have a P-1209M with Boot Code 1.02.

Anybody with hardware revisions N, O, or P?
Title: Re: 84+/SE Boot Pages Modified
Post by: Darl181 on June 28, 2011, 01:09:00 am
/me wonders what happens when they reach Z...
[/offtopic]
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on June 28, 2011, 01:09:13 am
I have a P-0510O. With boot code 1.02.
Title: Re: 84+/SE Boot Pages Modified
Post by: ralphdspam on June 28, 2011, 01:16:12 am
What is the point of TI doing this anyway?  We are the minority that actually is willing to buy multiple calculators.  They also know that we will find an exploit to their "protections."

They should really give up with this strapping down; it is pointless.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 28, 2011, 03:10:49 am
My calc is N with 1.02.
Title: Re: 84+/SE Boot Pages Modified
Post by: JosJuice on June 28, 2011, 03:15:48 am
So they've started releasing 1.03 on normal calcs now? I'm really starting to hate TI...
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on June 28, 2011, 06:13:47 am
DrDnar, could we have a photo of your 84+SE showing the 1.03 Boot Code version?

It would be useful to inform/news about it.


Let's sum up things for the TI-84+ and TI-84+SE:
- initial hardware: Boot Code 1.00
- hardware revision A-O: Boot Code 1.02
- hardware revision Q or above: Boot Code 1.03

Anybody with the missing hardware revision P ?
Title: Re: 84+/SE Boot Pages Modified
Post by: JosJuice on June 28, 2011, 08:44:16 am
Quote from: critor
- initial hardware: Boot Code 1.00
- hardware revision A-O: Boot Code 1.02
My S-1204A 84+SE has 1.00.
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on June 28, 2011, 08:45:16 am
Thank you and sorry for the mistake.
Title: Re: 84+/SE Boot Pages Modified
Post by: TIfanx1999 on June 28, 2011, 09:40:22 am
Well, I'm not surprised that Boot code 1.03 is being distributed with the newer calculators, I just didn't expect it so soon. It's not like it *really* matters since we have workarounds though. :)
Title: Re: 84+/SE Boot Pages Modified
Post by: JosJuice on June 28, 2011, 09:48:51 am
Quote from: TIfanx1999
Well, I'm not surprised that Boot code 1.03 is being distributed with the newer calculators, I just didn't expect it so soon. It's not like it *really* matters since we have workarounds though. :)
It's going to cause a lot of problems for those who have 1.03 and want to downgrade to 2.43 and don't know about any exploits... The average calculator user doesn't visit any calculator sites. So TI hinders those who didn't want to do anything bad at all, but we can still install third-party OSes if we want to...
Title: Re: 84+/SE Boot Pages Modified
Post by: Lionel Debroux on June 28, 2011, 10:06:10 am
Yeah, that's the problem with a number of vendor protections developed over the years: they create artificial inconveniences for normal usage, while they don't prevent usages unwanted by the vendor (because said vendor often fails at designing or coding the protection).
Title: Re: 84+/SE Boot Pages Modified
Post by: TIfanx1999 on June 28, 2011, 10:16:04 am
Well, I'm not surprised that Boot code 1.03 is being distributed with the newer calculators, I just didn't expect it so soon. It's not like it *really* matters since we have workarounds though. :)
It's going to cause a lot of problems for those who have 1.03 and want to downgrade to 2.43 and don't know about any exploits... The average calculator user doesn't visit any calculator sites. So TI hinders those who didn't want to do anything bad at all, but we can still install third-party OSes if we want to...
Well, true, but that is how many users wind up here or similar sites. They google for solutions to such problems. I don't think many average users will take issue with MP 2.55 (or whatever the current version is) anyway. I mean, for maths it's (more or less) fine right?
Title: Re: 84+/SE Boot Pages Modified
Post by: Twerty on June 28, 2011, 11:16:20 am
Well, I'm not surprised that Boot code 1.03 is being distributed with the newer calculators, I just didn't expect it so soon. It's not like it *really* matters since we have workarounds though. :)
It's going to cause a lot of problems for those who have 1.03 and want to downgrade to 2.43 and don't know about any exploits... The average calculator user doesn't visit any calculator sites. So TI hinders those who didn't want to do anything bad at all, but we can still install third-party OSes if we want to...
Well, true, but that is how many users wind up here or similar sites. They google for solutions to such problems. I don't think many average users will take issue with MP 2.55 (or whatever the current version is) anyway. I mean, for maths it's (more or less) fine right?
He's right. The average calculator user, in my experience, doesn't even think to update their calc's operating system, let alone downgrade. I most commonly find 2.21 and 2.22 on other people's 84s.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on June 28, 2011, 05:02:28 pm
I guess in general it would probably come in handy if a new OS upgrade ever breaks compatibility with the majority of the ASM programs or if somebody releases a popular third-party OS that makes news on popular non-calc sites. Otherwise, when I was in high school, I still saw people running 83+ OS 1.03 or something like that and it was in 2001-03.

On the other hand it's still cool for those who want to install OS 2.71MP on their calc, for example.
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on June 29, 2011, 06:27:00 pm
Bad news: the flash chip supports a full chip erase command. It works. Even the boot sector. You don't need to unlock the boot sector to erase it.

So watch out, TI. If you block the software boot sector unlock without using the flash chip's own write protect feature, calculators can still be bricked.
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on September 07, 2013, 05:02:34 pm
I've finally had a TI-84 Plus Hardware Revision P reported to me (thank you Adriweb), and it came with Boot Code 1.02.

So more accurate rules should be:
- TI-84+ initial hardware revision & hardware revision A: Boot Code 1.00
- TI-84+ hardware revision A-P: Boot Code 1.02
- TI-84+ hardware revision Q or above: Boot Code 1.03
Title: Re: 84+/SE Boot Pages Modified
Post by: Sorunome on September 07, 2013, 05:03:56 pm
necro-update, but yay!
What does this actually give us? I mean, we already have ASM and we also have custom OSes......
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on September 07, 2013, 05:05:21 pm
And do you remember how to install custom OSes on Boot Code 1.03? ;)

Boot Code 1.03 is using new 2048-bit RSA keys which haven't been factored yet. So we can't sign custom OSes with those keys.
Title: Re: 84+/SE Boot Pages Modified
Post by: Sorunome on September 07, 2013, 05:06:12 pm
And do you remember how to install custom OSes on Boot Code 1.03? ;)
Wasn't there thepenguin's program Unsigned to fix such things? (or did I mess stuff up this time...)
Title: Re: 84+/SE Boot Pages Modified
Post by: Hooloovoo on September 07, 2013, 05:09:01 pm
You could use that, or you could use Flashy and the 1.2 bootcode from another calculator, or you could use EpicFail to patch the 2048 bit signature out of the bootcode.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on September 07, 2013, 06:49:13 pm
I think the only way for TI to prevent any such hacking would be to remove the Asm command and Flash APP support on new models, but since they're popular due to all the programs for them, I doubt that TI would be able to afford to do that, not to mention they might have left ASM support intact on those calcs just so that the TI-Nspire lockdown pills are easier to swallow for us.
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on September 07, 2013, 07:15:13 pm
I think the only way for TI to prevent any such hacking would be to remove the Asm command and Flash APP support on new models, but since they're popular due to all the programs for them, I doubt that TI would be able to afford to do that, not to mention they might have left ASM support intact on those calcs just so that the TI-Nspire lockdown pills are easier to swallow for us.

I honestly don't think TI could ever lock us out of the 84 line. We just know too much. No one has ever actually looked for vulnerabilities in the 84+, but I'm sure they exist. We have full OS disassemblies that include every system call and we know the hardware better than they probably do.

You know, now I kind of want to do this. Run asm code in a non-standard way.
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on September 07, 2013, 10:01:23 pm
I think the only way for TI to prevent any such hacking would be to remove the Asm command and Flash APP support on new models, but since they're popular due to all the programs for them, I doubt that TI would be able to afford to do that, not to mention they might have left ASM support intact on those calcs just so that the TI-Nspire lockdown pills are easier to swallow for us.
The reason that we can defeat the 2048-bit key on the TI-84+/SE line is that the boot sector is not properly protected. TI fixed that with the TI-84+CSE, and there's no reason they can't apply that fix to the TI-84+/SE, other than that it would require them to make a few minor changes to the manufacturing process.

(Specifically, the TI-83+ originally protected the boot sector by having the factory lock the boot sector using a locking feature the flash chip itself has, which can only be overridden by applying +12 V to the right pin. Later, they decided that they wanted to save a few pennies per unit by rolling their protection circuit into the ASIC, instead of using the protection capabilities that the flash chip itself has. This system works fine on the TI-83+, but the TI-84+ ASIC system is easily circumvented once flash is unlocked. (We simply tell the ASIC that it has a 4 MB or 8 MB flash chip, instead of 1 or 2 MB. Thus, it stops protecting the boot sector because it doesn't know it's a boot sector anymore.) After we discovered this, TI decided to return to the flash chip's locking system for the TI-84+CSE.)

I'm not saying they could stop us from running custom code. But I am saying that they can stop us from patching the boot sector(s).
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on September 07, 2013, 11:04:47 pm
Oh I didn't know they fixed it on the CSE. Does it mean that the CSE might never ever be downgradeable?
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on September 07, 2013, 11:06:54 pm
Oh I didn't know they fixed it on the CSE. Does it mean that the CSE might never ever be downgradeable?
Downgradeable? There's nothing to downgrade to. Besides, there are other methods of uploading a custom OS.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on September 07, 2013, 11:08:32 pm
Oh I mean when they release a new OS.
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on September 07, 2013, 11:50:55 pm
As far as I know, there's no downgrade prevention code in the new boot code. If there is, it would have to be certificate-based, which we can modify at will once flash is unlocked. Brandon has a library of flash unlock exploits ready and waiting, so it should never be an issue.
Title: Re: 84+/SE Boot Pages Modified
Post by: Sorunome on September 08, 2013, 01:13:51 am
So.....why does TI do that if they know that we can still get through?
Title: Re: 84+/SE Boot Pages Modified
Post by: Streetwalrus on September 08, 2013, 03:15:53 am
So.....why does TI do that if they know that we can still get through?
They're just pissed off in silence. :P
Title: Re: 84+/SE Boot Pages Modified
Post by: Eiyeron on September 08, 2013, 05:07:25 am
I don't think they are really concerned with the monochrome z80 anymore. Don't get mad, I just think, seeing the profusion of color calcs, that they just want us to buy/use them. It's for these kinds of reasons, I suppose, that they won't act up on the 8x(+) anymore. They certainly prefer blocking the nSpire to conserve the exams monopoly, I'd guess.

Technically speaking, the last RSA record was 768 bits in 2009. GLHF cracking a 2k one...
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on September 30, 2013, 02:55:17 pm
Anybody with a TI-84+ or TI-84+SE hardware revision R or above?

It seems that the new TI-83 Plus.fr USB in France (which use the TI-84+SE hardware) have their Boot Code write protected: EpicFail and Flashy don't work anymore.
(source: http://tiplanet.org/forum/viewtopic.php?f=41&t=13116 )

I suppose it's the same for the new TI-84+ in shops.

We need to determine at which hardware revision they did change this.
My TI-83 Plus.fr USB won't help, as the hardware revision code on the back was reset.
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on September 30, 2013, 02:59:08 pm
Nope I got N, but I bought my calc a few years ago, which probably means that there are R models in stores by now.

Also this sucks. Btw do those revisions still have the Asm()/AsmComp()/AsmPrgm commands anymore and do they support third-party Flash APPs? Also, how much extra RAM do they have?
Title: Re: 84+/SE Boot Pages Modified
Post by: Streetwalrus on September 30, 2013, 03:03:43 pm
Well, I hope that Unsigned still works at least. :/
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on September 30, 2013, 03:53:04 pm
Yes, I can confirm that Unsigned.8xp still works. Probably USORECV.8xp still works too.
So we can still install unsigned or mis-signed OSes.

But we still need to understand what TI did (again) and when.

So Boot Code 1.03 was introduced in TI-84+ hardware revision Q.
Anybody who bought a TI-84+ those last weeks/months? Which hardware revision did it come with?
Title: Re: 84+/SE Boot Pages Modified
Post by: Dapianokid on September 30, 2013, 04:43:54 pm
critor, you'd be better off posting that question on the front page.
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on September 30, 2013, 05:06:24 pm
Thank you.

The TI-Planet news about this is in my list of news which need to be translated and crossposted.
I'm just very busy those last days. ;)
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on September 30, 2013, 11:37:11 pm
How big is the RSA key now btw? O.O

Also glad that some custom OS tools still work. It will be hard for TI to lock down such an outdated platform, unless they ever decide to remove ASM support completely in future OSes, but still, it sucks that they try so hard. >.<
Title: Re: 84+/SE Boot Pages Modified
Post by: XiiDraco on September 30, 2013, 11:51:56 pm
Why do they try that hard? Would being able to program and do these things with them actually ATTRACT customers?
Title: Re: 84+/SE Boot Pages Modified
Post by: Streetwalrus on October 01, 2013, 01:02:55 am
/me pokes 65536-bit RSA key :P
Title: Re: 84+/SE Boot Pages Modified
Post by: TIfanx1999 on October 01, 2013, 06:14:01 am
This is a bit odd. Not really a big deal to us though.
Title: Re: 84+/SE Boot Pages Modified
Post by: Sorunome on October 01, 2013, 06:32:37 am
/me pokes 65536-bit RSA key :P
let's get decoding >:D
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on October 01, 2013, 09:32:24 am
Well, I hope that Unsigned still works at least. :/

Good luck stopping unsigned lol. I made that program possibly the most annoying program for TI to debug. Not only is the entire program encrypted, but it has like 8 different hardware checks that it performs to make sure it's not running on an emulator. My favorite part is that a few of the checks crash it, a few of the checks freeze, and finally, the last few checks make it look like it worked when in reality nothing happened.

Basically, TI is going to have to write some code in order to figure out how that program works.
Title: Re: 84+/SE Boot Pages Modified
Post by: Sorunome on October 01, 2013, 11:49:49 am
That sounds pretty fun, as if you should film them trying to debug unsigned :P
Title: Re: 84+/SE Boot Pages Modified
Post by: Streetwalrus on October 01, 2013, 12:15:46 pm
LOL ;D
Though if they lock the certificate we're screwed. :/
Also I have a rev G calc with boot code 1.02 but I use Unsigned anyway for the name on the about screen. :P Also set my cert rev to 42. :P
Title: Re: 84+/SE Boot Pages Modified
Post by: TIfanx1999 on October 01, 2013, 09:45:58 pm
@thepenguin77: And that my friend, is why you are so awesome. :D
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on October 01, 2013, 11:08:44 pm
Well, I hope that Unsigned still works at least. :/

Good luck stopping unsigned lol. I made that program possibly the most annoying program for TI to debug. Not only is the entire program encrypted, but it has like 8 different hardware checks that it performs to make sure it's not running on an emulator. My favorite part is that a few of the checks crash it, a few of the checks freeze, and finally, the last few checks make it look like it worked when in reality nothing happened.

Basically, TI is going to have to write some code in order to figure out how that program works.
If they ever manage to block it, I hope OS validation (when sending an OS to the calc) won't take an extra 10 minutes O.O
Title: Re: 84+/SE Boot Pages Modified
Post by: JosJuice on October 02, 2013, 05:59:19 am
Anybody who bought a TI-84+ those last weeks/months? Which hardware revision did it come with?
People in my class recently bought calcs, so I checked a few of them.
Calc 1: P-0113P, 1.03, TI-84+
Calc 2: This one seems weird to me. K_0411S, 1.03, TI-84+ (EDIT: I mistyped this as an SE. It's actually a regular one.)
Calc 3: This is a TI-84+SE that's so old that it doesn't have a letter at the end of its serial.
Title: Re: 84+/SE Boot Pages Modified
Post by: thepenguin77 on October 02, 2013, 09:53:17 am
Calc 2: This one seems weird to me. K_0411S, 1.03, TI-84+SE

Back around the time that the missing RAM pages were discovered, we figured out not to trust anything written on the back of a K calculator. If I remember correctly, we thought they might be refurbished or something.
Title: Re: 84+/SE Boot Pages Modified
Post by: Lionel Debroux on October 02, 2013, 12:25:09 pm
Thanks, JosJuice :)

Any other contributors to the quest ?
Title: Re: 84+/SE Boot Pages Modified
Post by: DJ Omnimaga on October 02, 2013, 12:34:50 pm
Calc 2: This one seems weird to me. K_0411S, 1.03, TI-84+SE

Back around the time that the missing RAM pages were discovered, we figured out not to trust anything written on the back of a K calculator. If I remember correctly, we thought they might be refurbished or something.
Is there still a list of various calc models with tests run on them showing if tools work or if they have the extra RAM pages? I remember it was floating around somewhere when TI-Boy SE started, but I don't remember if it was updated.
Title: Re: 84+/SE Boot Pages Modified
Post by: FloppusMaximus on October 02, 2013, 08:21:44 pm
Good luck stopping unsigned lol. I made that program possibly the most annoying program for TI to debug. Not only is the entire program encrypted, but it has like 8 different hardware checks that it performs to make sure it's not running on an emulator. My favorite part is that a few of the checks crash it, a few of the checks freeze, and finally, the last few checks make it look like it worked when in reality nothing happened.
As an emulator author I know I ought to be offended at the idea of emulators being imperfect; as a realist I know that of course they inevitably are; and as a fan of third-party OSes I'm just amused.  Well done, though I may need to have a go at cracking your program myself. ;)

It seems that the new TI-83 Plus.fr USB in France (which use the TI-84+SE hardware) have their Boot Code write protected: EpicFail and Flashy don't work anymore.
This, to be honest, is probably a good thing.  Is the boot code the same as the older 1.03?
Title: Re: 84+/SE Boot Pages Modified
Post by: DrDnar on October 02, 2013, 09:55:16 pm
It seems that the new TI-83 Plus.fr USB in France (which use the TI-84+SE hardware) have their Boot Code write protected: EpicFail and Flashy don't work anymore.

I can write a program to test this directly.

It's hardly surprising, considering they did the same thing on the TI-84+CSE.
Title: Re: 84+/SE Boot Pages Modified
Post by: critor on October 03, 2013, 11:50:07 am
Yes, this would be very useful DrDnar.