Omnimaga
Omnimaga => News => Topic started by: critor on April 30, 2012, 08:33:15 pm
-
OS 1.0.334T for the TI-Phoenix / TI-Nspire CAS+ was built on 2006 May 1st.
This OS is included in my P1-EVT2 prototype:
(http://i23.servimg.com/u/f23/13/23/13/53/caspev11.jpg)
By hooking it up to an RS232 interface, we can totally control it through the DataLight shell to copy the system files to user folders:
/phoenix/phoenix.raw
/phoenix/install/manifest
/phoenix/install/devfiletree.zip
Then, by telnetting it on port 10001, we can transfer those files to the computer through USB.
(http://i63.servimg.com/u/f63/13/23/13/53/caspda11.jpg)
And this evening, on 2012 May 1st, exactly 6 years later, this has finally been done! ;D
The 1st TI-Phoenix / TI-Nspire CAS+ OS has just been dumped! ;D
Things are finally changing for CAS+ owners who can now hope for:
- some Ndless-like tool
- dumps of other OS versions
- dumps of Boot1/Boot2/diags
- reinstallation of the CAS+ OS on calculators which were bricked by trying to access the non-existent maintenance menu through Menu+Enter+P
- upgrade to the latest CAS+ OS (1.0.554)
- upgrade to a 3rd-party OS (production Nspire OSes probably won't work without because of the much different hardware) by reflashing Boot1 and Boot2 (yes, Boot1 seems to have the write-enable pin connected on the CAS+)
- ...
Have a little look at what has been kept secret for far too long: ;)
(http://i43.servimg.com/u/f43/13/23/13/53/capdum10.gif)
More information available in the TI-Planet news:
http://tiplanet.org/forum/viewtopic.php?f=43&t=9195
-
Awesome!
-
Would it be logical to buy a few bricked calcs for cheap, or would there be only a slight chance of it being able to help?
-
That is awesome to see this old model dumped :D
The best thing will be when it will be upgradeable to a commercial OS. Is the hardware the same?
-
Sadly I don't think that will ever happen, the CPU is too different from the production models.
-
Yeah, the OMAP hardware is too different from the ZEVIO hardware...
Very nice work, as usual, even if there are pretty few people using a CAS+, and consequently, there will be pretty little developer time spent on the CAS+ :)
-
Critor, you'll never cease to astound me :O
-
TI-nspire computer Link 1.0 is using port 10001 to transfer tns files to and from the CAS+ documents folder.
But we've just discovered a 2nd shell on port 10002, which seems to be able to access the whole filesystem.
And this time, it's working on all CAS+. Here is an example with a CAS+ running OS 1.0.529:
size("C:\phoenix/install/phoenix.img")
-> 5067229
But as you can see, the syntax is strange.
Could someone help us figure out the command list and their syntax?
-
It took u 6 years to download 1 game on your calculator
-
Man, how much time did u put into it a day?
-
Please do not double post so much, rather edit your post using the edit button ;)
Also, he did not put any game on his calculator yet, and he wasn't busy on it for 6 years :P
The calculator itself is 6 years old, and he finally managed to extract the ROM, allowing him to reverse engineer it more :)
-
Congrats! I am sure this will be useful! :)
-
This looks great! The number of Nspire versions that are now exploited/can be exploited has increased significantly. Also, this may be of some help and hope to people who accidentally bought a CAS+. (And also to people who intentionally obtained one :P)
-
The TI-Nspire CAS+ P1-EVT2 has a different boot screen than later Nspire:
(http://tiplanet.org/forum/gallery/image.php?mode=medium&album_id=1&image_id=792)
So it probably has different Boot2 and Diags flashing screens too.
Let's discover them:
(http://tiplanet.org/forum/gallery/image.php?mode=medium&album_id=1&image_id=790)
(http://tiplanet.org/forum/gallery/image.php?mode=medium&album_id=1&image_id=788)
Bigger photos available from the TI-Planet news together with the CAS+ key combos:
http://tiplanet.org/forum/viewtopic.php?p=123705#p123705
-
TI-nspire computer Link 1.0 is using port 10001 to transfer tns files to and from the CAS+ documents folder.
But we've just discovered a 2nd shell on port 10002, which seems to be able to access the whole filesystem.
And this time, it's working on all CAS+. Here is an example with a CAS+ running OS 1.0.529:
size("C:\phoenix/install/phoenix.img")
-> 5067229
But as you can see, the syntax is strange.
Could someone help us figure out the command list and their syntax?
From what I can tell looking at the EVT2 OS, I think the fm_xfer command (syntax: fm_xfer(IP address, operation, destination filename, source filename, callback frequency, callback enabled, options)) initiates a file transfer (connecting to the IP address on port 10001 and requesting or sending a file). Maybe it could be possible to make it connect to the calc's own link handler with something like
fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0)
Or alternatively, maybe it would be possible to run a program on the PC to listen on that port for link commands and have it send the file to that.
The TI-Nspire CAS+ P1-EVT2 has a different boot screen than later Nspire: So it probably has different Boot2 and Diags flashing screens too.
I hope you're making sure there is no diags present before testing the diags reflashing combination, as it immediately erases diags before receiving any data (unlike the boot2 reflashing combination, which doesn't erase until the transfer is completed)
-
Interesting Goplat!
However, pn_fm_fput is not an existing command (but maybe it is an int containing an address, need to check).
Also, the IP should just be a decimal number.
But it is great that you could find more info about the function, I'll soon do some tests with it (or Adrien will, as my CAS+ just lost its mind) :)
-
Interesting indeed, I will try that soon, thanks GoPlat.
Also, I wiresharked the device transactions, I can send you some logs of basic actions.
Basically:
port 10001 tcp: how the software communicates.
port 10002 tcp: "TI-PN" shell via telnet. You know about that one. Not used by the software.
port 10003 udp: discovery port where the unit always (whatever you send) replies with its version ("pn-srv5.c phoenix 2006" or something like that)
-
The TI-Nspire CAS+ P1-EVT2 has a different boot screen than later Nspire: So it probably has different Boot2 and Diags flashing screens too.
I hope you're making sure there is no diags present before testing the diags reflashing combination, as it immediately erases diags before receiving any data (unlike the boot2 reflashing combination, which doesn't erase until the transfer is completed)
Yes, I had checked before. When using the diags combo on the P1-EVT2, we get an error in the bootlog:
Keypad request - launching DIAGS software...
Error reading/validating DIAGS image
Error loading DIAGS. reverting to BOOT2.
Up to now, I've never found a CAS+ including a Diags image :(
-
fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0)
BTW, the first arg is supposed to be a long (ip2long), so 127.0.0.1 became 2130706433.
So, I just tested that, and I still get the "-100" (error/return code). I tested with some variants within the function call, but nothing... :(
Any other idea? This looked kinda good :D
-
BTW, the first arg is supposed to be a long (ip2long), so 127.0.0.1 became 2130706433.
The function that parses that argument (10339db0) reads a token, compares it to the string "addr", returns some variable if equal (probably the IP address of the other side), and tries to parse the token as an IP address otherwise (using the 10345488 function), dots and all. Don't be misled by the C-ish syntax.
-
Hmm ok, thanks...
However, I found multiple occurrences of code calling stuff with the IP directly in the long format, and not the "normal" format, so I guess that's again decompilation "mistakes"?
Also, Jim and I made a Google Doc with what we found/documented so far:
https://docs.google.com/document/d/1cP5BIeV8B66VXXv1LqOUl_SNO8voF2s1CxR_Ofuy9UM/edit
You're welcome to put there what you found too :)
-
Ah, thanks for the info.
It's just weird since multiple functions contain the decimal equivalent of 127.0.0.1. But maybe that's because we are looking at the wrong file.
-
However, I found multiple occurrences of code calling stuff with the IP directly in the long format, and not the "normal" format, so I guess that's again decompilation "mistakes"?
Not a mistake - the actual TI_PN_fm_xfer function (10342018) is called with an integer representing the IP address as its first argument. The port-10002 shell just does not use exact C syntax in all cases - in this case it wants the IP address in dotted quad notation instead of a plain number.
-
Ok, let me try this, then :)
-
Wow, sorry for the double post, but it's worth it:
It looks like it works (for a part, at least):
Here's what I get:
TI_PN_fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0)
fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndless/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0) = -unknown functio
n ``ti_pn_fm_xfer''
102
TI_PN_ [-1022]
TI_PN_fn_cbfn: transferred 6144 of 5065885
fn_cbfn: transferred 6144 of 5065885
fm_xfer(127.0.0.1, pn_fm_fput, "/phx/documents/ndles
s/phoenix.tns", "/phoenix/install/phoenix.img", 5000, 1, 0) = -1022 [-1022] = -1013 [-1013]
TI_PN_
Weirdly, there is still nothing in the destination folder though...
GOPLAT++ !
OK, with the options at 0,0,0 it worked !!
Let me host the OS file :D
-
Very nice!
Great :)
-
Just for you guys... Thanks to GoPlat:
(http://tiplanet.org/forum/gallery/image.php?mode=thumbnail&album_id=1&image_id=794) (http://tiplanet.org/forum/gallery/image_page.php?album_id=1&image_id=794)
The Boot2 still remains to be dumped :) But Jim is doing that...
-
Sorry if this seems rude or noobish, but why wasn't this done instead of connecting the NAND (I think? Correct me if I'm wrong) to an xD card reader?
-
Both methods were tried simultaneously actually.
We only started to work on that a few days ago... idk why :D
The NAND reader still needs to be done to get the Boot2.
-
Because I only found the 10002 port a couple of days ago AND we needed to reverse engineer some parts of an older CAS+ that we just dumped a few days ago to be able to find how it operated.
-
Aah, I see now. That makes more sense. Thanks.
-
How many calc prototypes need to be dumped now (among the ones that were found)? Too bad the CPU might be different on them, although I guess it wouldn't hurt if Ndless was made possible on them anyway if there are a lot of prototypes around :)
Also lol, at first I thought the pics at http://ourl.ca/16005/299477 showed the LCDs had color support O.O
-
We just finished dumping all major CAS+ OSes. We will now try to start unbricking CAS+'s.
There are still some other Nspire prototypes, but basically nobody has them.
-
Oh right, you broke half of them <_< jk
Hopefully most prototypes get found. I'm hoping not every single prototype is different either. It would suck if you guys wanted to port Ndless to them and you had to write like 800 versions of Ndless for 800 calcs. X.x