Omnimaga
Omnimaga => News => Topic started by: critor on June 15, 2011, 06:20:27 pm
-
Good news! :)
If you have installed the 3.0.2 OS without the 3.0.1 Boot2 (so if you're still on the 1.4 Boot2), a new software way of downgrading the OS has just been released.
It just does the same thing as Nleash, but in a different way.
Check here:
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1184
Note that unless they really want to, I don't credit new Nspire hacks developers anymore.
So the author of the tool is unknown in the TI-Bank database.
If you have installed the 3.0.1 Boot2, you'll still need to downgrade it with an RS232 interface, before being able to remove the 3.0.2 OS downgrade protection with this new software tool.
Have fun.
-
You guys rock :w00t:
-
Split topic and moving to news. This is awesome!
-
This means we have code execution on 3.0.{1,2}?
-
From what I gather on TI-BANK, when you installed OS 3.0.2 you must have ran it through TNOC first to remove Boot2 3.0, removing the other downgrade protection that was present in it. Now what you do to remove the 2nd anti-downgrade protection that is present in OS 3.0.2 itself, is that you delete the OS via maintenance menu, then send a fake OS called DowngradeFix that will launch ASM code, thanks to an exploit found in Boot2 1.4, removing the anti-downgrade protection.
One concern I have, though, is if it's compatible with the regular TI-Nspire? Because I only see a CAS file present in the download ???
-
Damn, that was fast! O.O Great work guys! :thumbsup:
-
Damn, that was fast! O.O Great work guys! ;D
^ It's amazing what you guys do over there.
[21:10:36] <DJ_O> OS 3.0.3 just got released and DowngradeFix doesn't work in it :(
<_<
-
just curious, are you using the same buffer overflow on zips as in the other ndless/nleash?
-
Well, that's awesome, good job guys :)
-
Damn, that was fast! O.O Great work guys! ;D
^ It's amazing what you guys do over there.
[21:10:36] <DJ_O> OS 3.0.3 just got released and DowngradeFix doesn't work in it :(
<_<
That said, they responded quite fast to the TNOC downgrade breaking on OS 3.0.1 D:
-
Yay. great work, whoever did it.
-
Wow, this is great news! Congratulations to all the people who made this possible :)
-
The Boot2 1.4 is the same on CAS and non-CAS.
So just rename the tnc extension into tno and you can send the file on a non-CAS.
But as said in the end of my news, DowngradeFix is not a "good" solution.
You need the old 1.4 Boot2.
Most people with the 3.0.2 OS will also have the 3.0.1 Boot2 (which came preloaded into their Nspire, or which they didn't remove before updating as they weren't aware of the problem).
And in that configuration, there is currently no way to downgrade through software... :(
You cannot execute ASM code at the 3.0.1 Boot2 "Install OS" screen, and you need an RS232 interface to downgrade the Boot2... Although it's quite cheap, in my opinion very few people are going to deal with that... :(
-
Good to see this file released - I wondered if, and when, it would be released :)
just curious, are you using the same buffer overflow on zips as in the other ndless/nleash?
Nope, this is something completely different :)
boot2 1.4.1571 has a stack-based buffer overflow in its OS parsing code.
-
I already bought the RS232, just in case :P
And now I'll upgrade to 3.0.2 after «TNOCing» it :D
What differences will I find between 3.0.1 and 3.0.2 other than the bugs fixed?
-
A question: Does 3.0.2 allow downgrading to 3.0.1, or are all downgrades blocked?
-
You cannot downgrade from 3.0.2 to 3.0.1 without using the previous tricks.
-
A little bug has been reported with DowngradeFix.
Check here:
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1188
Strangely, that bug was also present on the first Nleash versions.
Note that Nleash only worked on OSes 1.7 and 2.1.0.
With Downgradefix you don't need to have a specific OS installed - you only need the 1.4 Boot2.
-
Hmm, weird. Hopefully it doesn't cause too many problems for downgrading.
-
Hmm, somehow I missed this.
Anyways, this is awesome! Great job by whoever made this. Excellent work. :D
-
The french "OS 3.0.2 downgrade" tutorial is out.
If you're running OS 3.0.2 with Boot2 1.4, you just need to use DowngradeFix.
If not, you'll have to downgrade your Boot2 first in order to be able to use DowngradeFix, and this won't be as easy...
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1245
-
Wow, this is wonderful, works perfectly.
If you can create a fake OS able to handle ASM code, then it won't be long before you can create a full OS fully equipped with Ndless; besides, it shouldn't be long before Ndless 3.0 launches. Very good job.
-
Wow, this is wonderful, works perfectly.
If you can create a fake OS able to handle ASM code, then it won't be long before you can create a full OS fully equipped with Ndless; besides, it shouldn't be long before Ndless 3.0 launches. Very good job.
Creating a full OS is pretty much impossible for now, as we don't know the RSA Algorithm yet :S
-
Creating a full OS is pretty much impossible for now, as we don't know the RSA Algorithm yet :S
We know the algorithm that the OS is signed with - it's the key that we don't know. (Or did you mean the algorithm to find the keys? It's mostly a matter of computing power.) Anyway, wouldn't OSLauncher work for custom OSes?
-
OSLauncher does work for custom OS indeed, I released the (useless) DummyOS proof of concept alongside OSLauncher :)
-
What would be required for an OS to be compatible with existing Ndless programs? Do we have to provide an environment that's similar to Phoenix, or will the programs accept anything?
-
What would be required for an OS to be compatible with existing Ndless programs? Do we have to provide an environment that's similar to Phoenix, or will the programs accept anything?
For full Ndless compatibility, lots of things are required: Ndless exports dozens of standard and less standard functions to user programs, and said functions have dependencies themselves.
-
OSLauncher does work for custom OS indeed, I released the (useless) DummyOS proof of concept alongside OSLauncher :)
Can you please link? I never saw it O.O
-
I can post a link, but the "OS" is completely useless, as I mentioned, so you're not missing much if you haven't seen it :D
DummyOS draws garbage on screen indefinitely, and polls the ESC key: if it's pressed, it reboots the calculator.
OSLauncher: http://www.ticalc.org/archives/files/fileinfo/437/43701.html
DummyOS: http://www.ticalc.org/archives/files/fileinfo/437/43702.html
-
Thanks Lionel, is it possible to emulate it?
-
Yes, it was somewhat tested on emulator before being thrown to a real Nspire.
-
Yes, it was somewhat tested on emulator before being thrown to a real Nspire.
Is there a screenshot? My Nspire is 50KM away :S
-
But that's being launched from OS 1.7. A true OS should be launched on boot, I think.
-
But that's being launched from OS 1.7. A true OS should be launched on boot, I think.
We need the RSA keys to do that.
-
But that's being launched from OS 1.7. A true OS should be launched on boot, I think.
We need the RSA keys to do that.
Which was my point :)
-
Agreed, and notice that I used a pair of quotes in one of my above posts ;)
But for now, this kind of things doesn't exist, for obvious reasons: we don't have TI's private key (and basically can't obtain it through indirect means, as you know), so we cannot produce an OS that the Nspire would accept ;)
Making our own OS is a fully legal purpose. But TI doesn't want to let us do that. And even if we were able to trick the Nspire into accepting the installation of an unsigned OS, we'd also have to trick the boot2 into launching the unsigned OS, which adds a level of difficulty.
I did not write that it's possible or impossible - I don't know. But it's hard, and highly dependent on the boot2 version, too.
-
To downgrade OS 3.0.1 we need special hardware if TNOC wasn't used.
Has somebody tested sending a TI-Nspire.img file over the RS232 communication to have a CAS OS installed on a non-CAS handheld?
Or is it impossible?
-
On non-CX calculators, you can send a TNC/TNO file through RS232, but it is checked the same way.