Omnimaga
Omnimaga => News => Topic started by: critor on October 25, 2011, 02:28:52 pm
-
We did it again!!! :love:
After his diagnostic flasher in the previous news (http://ourl.ca/13616), Bsl sent me a Boot2 flasher today.
I had prepared my RS232 interface in case of bricking problems, but Bsl is so great that it worked on the 1st try on both ClickPad and TouchPad models!
No need for an RS232 inteface anymore! You can freely upgrade/downgrade your Boot2.
Beyond upgrading/downgrading the Boot2, try to think about everything that could be achieved with this new Ndless program...
Another great day you shouldn't forget in the Nspire history! :D
For more informations and photos:
http://tiplanet.org/forum/viewtopic.php?f=43&t=8363
-
so boot1 next? :D
-
Good question.
-
I know how the boot2 is important, but what's the boot1 good for for us?
-
That is awesome. This definitively deserves a spot in the news section.
-
I know how the boot2 is important, but what's the boot1 good for for us?
It's not protected by a RSA key. So we could write our own so that we can also run an unsigned boot2 and through that also a custom OS.
-
Once again, amazing achievement! Great work! :)
-
Awesome stuff guys! :D
-
With this, I'm guessing you can semi-brick your calc if you have an invalid boot2, right? (You would just need to reflash using RS232, but until then it is unusable)
-
Yes, if ones flashes a wrong boot2 and reboots the calculator, RS232 access will be necessary.
-
Take a TI-Nspire ClickPad prototype with its 1.1 development diagnostic software.
Compared to production diagnostic softwares, the development ones have an additional option in the memory menu which seems to test a flash of the Boot1.
And guess what... it does pass!!!
Have a look:
http://vimeo.com/31331496
If what we are assuming is true, then it would perfectly be possible to convert TI-Nspire ClickPad prototypes into production TI-Nspire ClickPad, by flashing the 1.1 production Boot1 over the 1.1 development Boot1. Then, OSes 1.3 and above could be installed on those prototypes! :)
Of course, we would expect the Boot1 to be read-only on production TI-Nspire ClickPad, and on TI-Nspire TouchPad where it was moved from the NOR ROM chip to the Zevio ASIC chip. But you never know... The TI-84 Boot Code should not have been writeable either :P
-
Interesting :)
Would it be possible to dump the diag of the prototype and put it on a regular clickpad?
Or are the signing keys different? If you could put it would work, you can try if the test works on it :)
-
All the prototype diags have allready been dumped.
But they use the developper keys and cannot be installed on production models.
They should be runnable with DiagsLauncher, though.
-
The Nspire diagnostic softwares signed with the developer keys have a menu for flashing the Boot1 located in NOR ROM. The matching code still does exist on diagnostic softwares signed with the production keys, but isn't accessible through the menu any more.
The Boot1 flashing code is looking for a "nor.raw" file on the mysterious SD card nobody has ever seen.
So the flashing does fail... That option had never been proved to be usable.
But by using the emulator, it is possible to intercept the SD card accesses and make the Nor flashing option go to the next step:
(http://i43.servimg.com/u/f43/13/23/13/53/norupd10.gif)
(all credit for this experience goes to Bsl)
So the TI-Nspire Diagnostic software does include code usable to flash the Boot1, which should at least be usable on developer TI-Nspire ClickPad (prototypes), maybe on production TI-Nspire ClickPad, but probably not on TI-Nspire TouchPad & CX as the NOR chip seems to have been moved into the proprietary ASIC on those modes...
-
That is very interesting! Thanks for the information :)
-
So we have assumed in the above posts that the Boot1 on prototype Nspire ClickPad was rewriteable (which is a very good news if right, and a wonderfull hope for those owning such models currently limited to OSes 1.1/1.2 because of different RSA signing keys).
The only remaining question was if it was also possible on production Nspire ClickPad.
Here's the same Ndless program running simultaneously on a prototype (on the left) and on a production model, trying to get the NOR chip ID:
(http://i43.servimg.com/u/f43/13/23/13/53/th/img_7410.jpg) (http://www.servimg.com/image_preview.php?i=1636&u=13231353)
On the left it does pass. :)
On the right it does fail. :(
Which would mean if the test is correct, that TI added some software/hardware protection on production Nspire ClickPad models, preventing direct access to the NOR chip.
Wouldn't that mean that prototypes prices should raise on eBay soon? :P
-
Interesting.
But could it not be that the non-prototype used a different type of nor, differently accessible than the prototype? It might be that its not protected, but that it works just different?
(But I don't know so much about this topic, so don't listen to me :p)
-
But could it not be that the non-prototype used a different type of nor, differently accessible than the prototype? It might be that its not protected, but that it works just different?
According to Datamath.org, the prototype and non-prototype basic ClickPad models are using the same NOR chip:
http://www.datamath.org/Graphing/JPEG_NSpire_P.htm#memory
http://www.datamath.org/Graphing/JPEG_NSpire.htm#memory
-
Can't be sure if this is related or not, but Excale spotted me the disappearance of R02D near the NOR chip between the prototype and production model:
http://www.datamath.org/Graphing/JPEG_NSpire_P.htm#memory
http://www.datamath.org/Graphing/JPEG_NSpire.htm#memory
If this is the reason, I don't think we can fix that :(
-
R02D is a resistor - should be able to solder that .......
Dont know the size of the resistance.
-
Same for R09D in the middle upper part
-
R02D is a resistor - should be able to solder that .......
Dont know the size of the resistance.
Yes we should be able to solder a resistor, but we have to solder it on *something*.
Just check: the circuit connected to the NOR chip pin is gone :(
-
At any rate , if someone supplied the schematic diagram for that chip with all connecting components
it would not be worth the effort for most people to modify.
-
Hmm, thats kinda sad :(
Edit:
That (removed) circuit line goes directly to a pic named NC (not connected). The closest other pin is WE# (write enable), so maybe its connected with this.
Another option is that that line isn't connected at all with the NOR chip, but just goes under it (there is another line coming out the other side that is perfectly aligned with it).
Anyway, there isn't really a way to any pins on the bottom of the NOR, as the SoC is just under it.