Author Topic: First patch of the HP-Prime firmware  (Read 4130 times)


critor

First patch of the HP-Prime firmware
« on: November 02, 2013, 05:01:22 pm »
In a video, Deloge gave props to the fast boot speed of the HP Prime, only several seconds whereas the Nspire’s boot procedure takes dozens of seconds (especially on the CX series).
Indeed, Texas Instruments gives priority to “security”, possibly a consequence of the company’s military past, nowadays a will to protect the lucrative business model. The Nspire CX CAS uses two layers of security during its boot process:
• the boot1 decompresses the boot2 and validates the authenticity of a signature using a 2048-bit RSA key, before launching the boot2 if it passes validation;
• the boot2 decrypts and decompresses the OS, before validating its authenticity with another 2048-bit RSA key… and launching it, at last.
Therefore, it felt logical that the HP Prime didn’t use such a “security” scheme, like Casio calculators where the installed OS can be modified at will, provided a simple checksum is updated.
The use of quotes around “security” in the previous sentence is meant to refer to the fact that signatures and encryption do not prevent reverse-engineering, exploits and various manipulations which we already described at length in many other news items and various tutorials, and aren’t directly related to the current news item. From a user’s perspective, decryption (especially) is a pure waste of time.

HP Prime firmwares are made of multiple files.
• BXCBOOT0.BIN
• BESTAARM.ROM
• MASTER.DAT
• APPSDISK.DAT

In August, Lionel and I had made a quick experiment described by Lionel.

The experiment was made of a modification, in the Prime’s firmware ( \programs\misc\armfir.elf part of the FAT16 filesystem embedded into APPSDISK.DAT), of some user-visible items, namely the help strings of WHILE and REPEAT.
The modification was performed under Linux, after mounting the image:
Code:
mkdir appsdisk; mount -o loop,offset=8192 APPSDISK.DAT appsdisk/

It was done thanks to the hte hex editor, after finding the strings with strings and a sprinkling of od. No fancy tools.

Of course, such a modification has no chance of working (well, at least, we think so, but we’ll perform more tests) without updating the MD5 sum in the \APPSLIST.MD5 file of the FAT16 filesystem, after computing the MD5 sum of the modified armfir.elf.

So far, so good? Nope, our experiment from August had failed. The help strings for WHILE and REPEAT didn’t change on the calculator, so we supposed that the checking procedure was more complicated. Trying out the simple, quick things first was the appropriate thing to do.

However, this week-end, we understood why our experiment had failed: the firmware hadn’t been fully re-transferred to the calculator!
In order to trigger a full firmware transfer, a seemingly reliable method is to downgrade the firmware before upgrading it back. Maybe there are simpler ways (e.g. modifying MASTER.DAT), but on the Prime, firmware upgrades are fast enough, thanks to an USB controller better than that of the Nspire, and a better protocol.

During the upgrade + downgrade, the calculator displays a “verifying firmware” message for several seconds. Therefore, there may be a signature, but it could be applied only to a subset of files considered highly critical?
Anyhow, the modified APPSDISK.DAT file is correctly transferred to the calculator, and the modifications are visible, as shown by the following snapshots as well as the screenshot made with the libhpcalcs (“libticalcs for the Prime”, and more) being developed by Lionel, which I’m testing:
(notice the inverted colors, caused by the current lack of implementation of necessary post-processing on the images produced by the calculator)

It is obvious that if modifying the OS’s strings is so easy, then many other things can be modified.
Let’s hope the best for the Prime platform, starting with:
• unleashing the full power of the calculator through native code (at the time of this writing, the highest raw power on a calculator in the entire marketplace, even if it’s low compared to modern smartphones);
• porting Linux and emulating the calculator, clearly doable before the end of the year if someone can spend enough time on it, all the more so since the calculator is based on well-known components, most of them already supported by Linux and old QEMU forks, see http://tiplanet.org/hpwiki/index.php?title=HP_Prime/Emulation;
• bugfixes, such as making it possible for sequence indices to start at 0 (the current impossibility to do so is very annoying for French high school teaching).
Co-written by Critor and Lionel Debroux

Source: http://tiplanet.org/forum/viewtopic.php?t=13329&p=151670&lang=en
« Last Edit: November 02, 2013, 05:12:23 pm by critor »
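As an added example (not code from the original post, nor from libhpcalcs), a Python check of the kind of MD5 listing the post describes. The sample files and the md5sum-style manifest layout are assumptions, since the post does not show \APPSLIST.MD5 itself; the point it demonstrates is that an unkeyed digest list detects accidental corruption but cannot distinguish an intentional edit whose manifest was regenerated.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for files inside the FAT16 image (not real firmware
# content); the manifest layout, one "<md5>  <path>" line per file as md5sum
# writes it, is an assumption since the post does not show \APPSLIST.MD5.
SAMPLE_FILES: Dict[str, bytes] = {
    "programs/misc/armfir.elf": b"\x7fELF" + b"WHILE: repeat a block while a condition holds",
    "programs/misc/keymap.bin": bytes(range(16)),
}

def build_manifest(files: Dict[str, bytes]) -> str:
    """Write an md5sum-style manifest covering every file in the image."""
    return "".join(
        f"{hashlib.md5(data).hexdigest()}  {path}\n"
        for path, data in sorted(files.items())
    )

def parse_manifest(text: str) -> Dict[str, str]:
    """Map each listed path to its expected MD5 hex digest."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected[path.strip()] = digest.lower()
    return expected

def verify_manifest(text: str, files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, problem) for each file failing the unkeyed MD5 check."""
    expected = parse_manifest(text)
    problems = []
    for path, digest in expected.items():
        if path not in files:
            problems.append((path, "missing"))
        elif hashlib.md5(files[path]).hexdigest() != digest:
            problems.append((path, "md5 mismatch"))
    problems += [(p, "not listed") for p in files if p not in expected]
    return problems

def tamper_then_recompute() -> Tuple[List, List]:
    """An edited help string is flagged against the old manifest, but a
    regenerated manifest accepts it: nothing ties the list to a key."""
    manifest = build_manifest(SAMPLE_FILES)
    patched = dict(SAMPLE_FILES)
    patched["programs/misc/armfir.elf"] = patched["programs/misc/armfir.elf"].replace(b"WHILE", b"LOOP!")
    against_old = verify_manifest(manifest, patched)
    against_new = verify_manifest(build_manifest(patched), patched)
    return against_old, against_new
```

Only a signature over the manifest (as the Nspire's RSA-checked boot stages do) would let the "verifying firmware" step reject a regenerated list.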

Keoni29

Re: First patch of the HP-Prime firmware
« Reply #1 on: November 02, 2013, 05:10:12 pm »
Awesome! I really hope we are able to write some of our own code soon! I am definitely getting a prime once that happens!

DJ Omnimaga

Re: First patch of the HP-Prime firmware
« Reply #2 on: November 02, 2013, 05:14:07 pm »
This is great news!

This means that there could definitively be some patches being done to fix some of the bugs, should the next official firmware not fix all of them despite having been reported long ago. One thing to be careful with would be to ensure that we don't tamper with the exam/test mode, since this is the exact reason why TI and HP have not officially supported ASM on their respective calcs in the first place, and it could lead to more protections and lockdowns if we try to allow students to cheat. Another thing is to ensure that unofficial patches won't conflict with future updates and that unofficial patches can be applied to newer official ones as well. I mean, for example, if you decided to add translucency to BLIT commands through an extra, optional argument, then HP released a patch that changes BLIT syntax to the point where translucency no longer works. There would be people wanting the unofficial patch for extra features, but others wanting the official one, resulting in each group of users not being able to run each other's programs.

Btw, does the transfer of unofficial patches only work in "HPLP" or will it work with the official connectivity kit too?

Lionel Debroux

Re: First patch of the HP-Prime firmware
« Reply #3 on: November 02, 2013, 05:16:15 pm »
Quote
Btw, does the transfer of unofficial patches only work in "HPLP" or will it work with the official connectivity kit too?
"HPLP" does not implement the Mass Storage Device-based protocol used for reflashing the calculator (only the HID-based protocol for transferring regular files), so for now, it won't transfer either official or unofficial firmware at all.

Don't worry, fixing bugs or adding a translucency to BLIT commands requires a depth of reverse-engineering that we're very far from having on the Prime yet.
« Last Edit: November 02, 2013, 05:17:37 pm by Lionel Debroux »

Sorunome

Re: First patch of the HP-Prime firmware
« Reply #4 on: November 02, 2013, 05:23:50 pm »
This is pretty awesome, great to hear that it is so easy to modify the firmware, compared to the nspire

Juju

Re: First patch of the HP-Prime firmware
« Reply #5 on: November 02, 2013, 08:54:06 pm »
Seriously, I should totally buy that calculator.


DJ Omnimaga

Re: First patch of the HP-Prime firmware
« Reply #6 on: November 02, 2013, 09:35:26 pm »
Quote
Btw, does the transfer of unofficial patches only work in "HPLP" or will it work with the official connectivity kit too?
"HPLP" does not implement the Mass Storage Device-based protocol used for reflashing the calculator (only the HID-based protocol for transferring regular files), so for now, it won't transfer either official or unofficial firmware at all.

Don't worry, fixing bugs or adding a translucency to BLIT commands requires a depth of reverse-engineering that we're very far from having on the Prime yet.
IMHO, for the time being, the best thing that could happen in the short term would be the ability to patch a firmware file using a third-party patch using no copyrighted material, which would install a hack that lets you run ASM language files. Users would just install the patch via whatever means possible if they want to run such a program.

That said, we never know, maybe we'll eventually find an existing exploit in the OS anyway.

Streetwalrus

Re: First patch of the HP-Prime firmware
« Reply #7 on: November 03, 2013, 04:59:30 am »
Cool to hear.

Also since we seemingly have full control over low level stuff, we might as well avoid using userland exploits. These are often less reliable than patching the OS directly, plus they would be fixed quickly by HP for security reasons.

Jim Bauwens

Re: First patch of the HP-Prime firmware
« Reply #8 on: November 03, 2013, 05:36:11 am »
Quote
Also since we seemingly have full control over low level stuff, we might as well avoid using userland exploits. These are often less reliable than patching the OS directly, plus they would be fixed quickly by HP for security reasons.

What do you think is easier to fix? Protecting a binary, or fixing a bug somewhere in your code that can be/is exploited? I think the first. So if HP is serious about the security, that's what they would do first.

Ryleh

Re: First patch of the HP-Prime firmware
« Reply #9 on: November 03, 2013, 03:16:13 pm »
Oh man is this exciting.

Re: First patch of the HP-Prime firmware
« Reply #10 on: November 03, 2013, 07:44:32 pm »
Exciting indeed

So much protection on the Nspire and almost none on the Prime... it's quite a gap between the two.
« Last Edit: November 04, 2013, 04:05:11 am by adriweb »

DJ Omnimaga

Re: First patch of the HP-Prime firmware
« Reply #11 on: November 03, 2013, 09:26:56 pm »
Yup. This is why I think we need to play nice, though. The first step is to never include copyrighted material in our patches (IPS files or Linux port?), the second step is to not destroy the teacher mode and the third step is to make sure that compatibility remains and that patches won't be risky for the user (such as permanently preventing the connectivity kit from detecting the calc and/or bricking the calc).

Streetwalrus

Re: First patch of the HP-Prime firmware
« Reply #12 on: November 06, 2013, 01:45:31 pm »
Quote
Also since we seemingly have full control over low level stuff, we might as well avoid using userland exploits. These are often less reliable than patching the OS directly, plus they would be fixed quickly by HP for security reasons.

What do you think is easier to fix? To protect a binary or fixing a bug somewhere in your code that can be/is exploited? I think the first. So if HP is serious about the security that's what they would do first.
Well, the Prime has no hardware protection against arbitrary flashes even to the boot code so they couldn't lock it down so easily without rolling out a new revision and stuff. Like TI did with the 84+ boot code and the Nspire J+ and also Apple with the iPhone 3GS which has been locked down more with a new HW revision.

DJ Omnimaga

Re: First patch of the HP-Prime firmware
« Reply #13 on: November 06, 2013, 02:07:52 pm »
It doesn't guarantee that HP won't ever change the hardware to add extra protections in the future, though.

Jim Bauwens

Re: First patch of the HP-Prime firmware
« Reply #14 on: November 06, 2013, 02:31:21 pm »
Quote
Well, the Prime has no hardware protection against arbitrary flashes even to the boot code so they couldn't lock it down so easily without rolling out a new revision and stuff. Like TI did with the 84+ boot code and the Nspire J+ and also Apple with the iPhone 3GS which has been locked down more with a new HW revision.

Where do you get this information from? There is still code from HP handling the flashing AFAIK and they are probably able to update this using software updates to add additional protection (I'm not saying that they will though).