Author Topic: Bypassing TI-Nspire RSA signatures now possible? (Read 30464 times)

willrandship · « **Reply #75 on:** April 05, 2011, 07:55:57 pm »

Except for that tiny soldering, even on the CAS+ I'd call that hard

Lionel Debroux · « **Reply #76 on:** April 07, 2011, 01:56:34 am »

Wild ideas, probably unworkable (though nobody has yet explained why to me):
* fiddling with the boot2's load_os_image and subroutines, in such a way as to make the boot2 load a TNS file containing the raw TNO/TNC for the same or the other calculator model. For example, proceeding forward no matter what the result of checks performed by some subroutines is. However, judging by the RunOS video, that's not what it did - but it looks like that in order to replicate RunOS perfectly, the tricks would have to be independently rediscovered...
* using launch_os_image after loading the OS image at 10000000 (in such a way as not to trigger the errors mentioned by critor - perhaps by using the boot2 stdio/POSIX file functions ?).

mikehill2003 · « **Reply #77 on:** April 07, 2011, 12:23:47 pm »

Quote

Wild ideas, probably unworkable (though nobody has yet explained why to me):
* fiddling with the boot2's load_os_image and subroutines, in such a way as to make the boot2 load a TNS file containing the raw TNO/TNC for the same or the other calculator model. For example, proceeding forward no matter what the result of checks performed by some subroutines is. However, judging by the RunOS video, that's not what it did - but it looks like that in order to replicate RunOS perfectly, the tricks would have to be independently rediscovered...

Does this subroutine load a TNO/C into RAM without installing it?

Quote

* using launch_os_image after loading the OS image at 10000000 (in such a way as not to trigger the errors mentioned by critor

I haven't gotten this far yet.

Quote

- perhaps by using the boot2 stdio/POSIX file functions ?).

I was also thinking about this, I'm not sure if you could call the function in C though.

Lionel Debroux · « **Reply #78 on:** April 07, 2011, 01:41:10 pm »

Calling the boot2 functions is merely a matter of making the appropriate cast to a function pointer type: ((returntype(*)(type1, type2, ..., typen))function_address)(arg1, arg2, ..., argn);

Or so it should be.

Lionel Debroux · « **Reply #79 on:** April 09, 2011, 09:10:40 am »

Several notes:
* since direct fread to the destination area is impossible, it's necessary to fread to somewhere else, and somehow copy later;
* during the copy to the destination area, no access to the destination other than the ones performed by the copy code, shall occur;
* during the early bootup of the new OS, one source of perturbation (which reads from memory) shall be disabled.

critor · « **Reply #80 on:** April 09, 2011, 09:24:30 am »

Lionel Debroux · « **Reply #81 on:** April 09, 2011, 09:26:47 am »

critor · « **Reply #82 on:** April 09, 2011, 09:34:05 am »

bsl · « **Reply #83 on:** April 09, 2011, 11:35:04 am »

Quote from: critor on April 09, 2011, 09:34:05 am

Now add another intermediate step - patch Ndless hooks into it before launching

May be able to port Ndless2.0 to Ndless3.0 this way ?

critor · « **Reply #84 on:** April 09, 2011, 12:23:02 pm »

Except that launching the 3.0 OS on a 2.x installation will probably result in many display bugs.
System strings for example have different indexes and will be all messed up...

We can only launch and use a "similar" OS this way.

DJ Omnimaga · « **Reply #85 on:** April 12, 2011, 12:16:14 am »

Will OS 3.0 and 2.x even fit on one calc at once, anyway (or at least give enough memory to the user to be functional enough and allow him to install some games)?

Lionel Debroux · « **Reply #86 on:** April 12, 2011, 12:19:02 am »

Compression is required for not hampering the usability of the calculator for large games, as you guessed, but it can be done

OS 3.0 is more optimized than OS 2.1 is, as shown by critor's measurements. And that's a pretty good thing - at least (and at last), TI seems to optimize their code.

DJ Omnimaga · « **Reply #87 on:** April 12, 2011, 01:10:56 am »

Ok. Yeah I saw the smaller size for OS 3.0. At least on that point TI was good, finally. It got smaller even if it still includes a 84+ emu and adds 3D graphing. I wish they didn't lock Ndless out, though...

Munchor · « **Reply #88 on:** April 13, 2011, 07:49:06 am »

The RSA Algorithm is now *impossible* to discover, 2048 bits!!!!!!!!!!!!!!!

Lionel Debroux · « **Reply #89 on:** April 13, 2011, 07:54:53 am »

Indeed, it's so far beyond the state of the art. TF could yield something, but with hopelessly remote chances of success.
However, don't forget that we do have arbitrary code execution on OS 1.1 to 2.1, which enables launching other OS without installing them ("RunOS")

Author Topic: Bypassing TI-Nspire RSA signatures now possible? (Read 30464 times)

willrandship

Re: Bypassing TI-Nspire RSA signatures now possible?

Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?

mikehill2003

Re: Bypassing TI-Nspire RSA signatures now possible?

Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?

Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?

critor

Re: Bypassing TI-Nspire RSA signatures now possible?

Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?

critor

Re: Bypassing TI-Nspire RSA signatures now possible?

bsl

Re: Bypassing TI-Nspire RSA signatures now possible?

critor

Re: Bypassing TI-Nspire RSA signatures now possible?

DJ Omnimaga

Re: Bypassing TI-Nspire RSA signatures now possible?

Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?

DJ Omnimaga

Re: Bypassing TI-Nspire RSA signatures now possible?

Munchor

Re: Bypassing TI-Nspire RSA signatures now possible?

Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?