Omnimaga
Omnimaga => News => Topic started by: DJ Omnimaga on April 11, 2011, 03:55:25 pm
-
A few days ago, TNOC was updated again on TI-BANK. Not only can it be used to reduce the size of your OS file, increasing your calc user memory in the process, but more importantly TNOC allows you to break the anti-downgrade protection in OS 3.0. To remove that protection, you have to use the software to remove Boot2 3.0 from the OS file before installation on the calculator.
The current version of TNOC can be downloaded here (http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=1922).
However, if you already installed OS 3.0 without removing the included Boot2 from it, then you're stuck with no way to downgrade, as Nleash will not work on OS 3.0, since the exploit used to run Ndless-type files was fixed in OS 3.0. Basically, the only way to downgrade then is using 3 wires connected to the TI-Nspire dock connector (at the bottom of the calculator) and connected to an RS232/TTL converter. In other words, you need extra hardware.
Critor has published a tutorial (http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1038) on how to achieve this, including pictures, on TI-BANK. For those who don't speak French there is a post by him in English (http://ourl.ca/10147/195168) and some pictures (http://ourl.ca/10147/196556) on Omnimaga forums too.
TI's anti-downgrade protection was broken in 6 hours, compared to 2 weeks with OS 2.1. Unfortunately it depends on whether you removed Boot2 3.0 from the OS prior to installing it, though, and a solution to downgrade from an unmodified OS file without acquiring extra hardware or sending your calculator to somebody who has it might take longer, now that TI fixed the exploit Nleash used to remove the previous anti-downgrade protection...
-
TI's anti-downgrade protection was broken in 6 hours, compared to 2 weeks with OS 2.1.
/me wins
I'm really happy, this is a great achievement!
This works both for the CX and non-CX, right?
-
TI's anti-downgrade protection was broken in 6 hours, compared to 2 weeks with OS 2.1.
/me wins
I'm really happy, this is a great achievement!
This works both for the CX and non-CX, right?
We don't know.
We need a CX to check if the modified TCC/TCO file is accepted.
-
We don't know.
We need a CX to check if the modified TCC/TCO file is accepted.
Isn't the new boot2 pre-installed on the CX?
-
I'm really happy, this is a great achievement!
This works both for the CX and non-CX, right?
For the CX, there are no older OSes to go back to.
Note that the reason boot2 3.0 doesn't load older OSes isn't exactly "anti-downgrade protection". boot2 3.0 requires that the OS have 2048-bit RSA signatures. Older OSes had only 1024-bit RSA signatures, OS 3.0 for the non-CX has both 1024-bit and 2048-bit, and OS 3.0 for the CX has only 2048-bit.
-
What. The.
FFFFFFFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-
2048 bit RSA keys? ;_;
-
WHAT? 2048 BIT RSA KEYS????
They really don't want us to create third-party OSes, do they? O.O
-
Yes, cracking RSA has gone from impossible to impossible.
-
Looks like it's time to try all the harder.
Maybe not crack the key, but it might be possible to modify the OS for programming ability.
-
What. The.
FFFFFFFFFFFFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-
2048 bit RSA keys? ;_;
DAMN, they doubled the size, damn it damn it!
-
Which made the NFS factorization maybe ten orders of magnitude beyond the state of the art.
-
And we thought 1024 bit was already near impossible to factor...
-
This isn't quantum computing now, this requires quantum servers! :P
-
It is impossible with any modern algorithm (isn't 2^2048 more than the number of atoms in the universe?). We need a new way or extremely good luck now (maybe it's an even number key). Maybe the Lua in the calc will help us get around this.
-
It is impossible with any modern algorithm (isn't 2^2048 more than the number of atoms in the universe?). We need a new way or extremely good luck now (maybe it's an even number key). Maybe the Lua in the calc will help us get around this.
Actually, we need to stop thinking about factoring the RSA keys. As Goplat said, it's gone from impossible to impossible. As in, it will rain pink flying unicorns before we can factor it. Hoping to get lucky finding it is statistically foolish.
We should just enjoy the new scripting and use RunOS/OSLauncher for what it can't do if we really need OS3 (right now, we don't), though that would require some modifications to the OS which could not be distributed.
-
It's theoretically not impossible is what I meant. Unless there is a breakthrough in factoring -stares at Xeda- this is effectively impossible. Who knows, maybe we will find another way to find the answers we want.
-
Not sure RunOS/OSLauncher requires modifying the OS :)
-
Pretty darn sure all it takes is decompressing it to get a raw file. The .img isn't enough, I believe, since RunOS doesn't do extraction.
-
it will rain pink flying unicorns before we can factor it.
or nethams
And I agree, I think at this point it isn't even worth it to try factoring even the 1024 bit one anymore either, since it's gonna be replaced with a 2048 one. I wouldn't be surprised if TI did that on purpose.
I guess for now we have to rely on what Lionel mentioned, which means much less free space...
-
Yes, less free space, though the OS in ZIPped form is only 3-4 MB (7-9 MB for phoenix.raw, obtained from decompressing the ZIP resulting from the Blowfish decryption of the 8070 field) :)
-
Ah that's good then. I was worried about only having like 3 MB of free space, which means not even enough room to play nDoom. O.O
I wonder if it takes a long while to decompress?
-
Several seconds, AFAICS.
-
It's theoretically not impossible is what I meant. Unless there is a breakthrough in factoring -stares at Xeda- this is effectively impossible. Who knows, maybe we will find another way to find the answers we want.
Do you think Zeda could look at the hex and get the key using his special hex powers and maths spells? :P
-
We do already have the public keys - but they're too hard to factor in order to deduce the private keys.
-
Hi, I'm trying to remove boot2 from my nspire. Not being very experienced with programming, I'm having much trouble compiling TNOC. :banghead: Could someone please help me?
-
It's theoretically not impossible is what I meant. Unless there is a breakthrough in factoring -stares at Xeda- this is effectively impossible. Who knows, maybe we will find another way to find the answers we want.
Do you think Zeda could look at the hex and get the key using his special hex powers and maths spells? :P
If it helps, I have been attacking primes and some prime theory. I haven't gotten anywhere that nobody else has, but I am giving it a whirl :D
EDIT: It might help if I actually understand the concept of these public and private keys... I've only been guessing in that area and I still don't understand how the method works to prevent access to stuff.
-
Hi, I'm trying to remove boot2 from my nspire. Not being very experienced with programming, I'm having much trouble compiling TNOC. :banghead: Could someone please help me?
I guess your problem is compiling the Linux binaries? :p
What are the errors?
Be sure you read the HOWTOCOMPILE text file before.
-
It's theoretically not impossible is what I meant. Unless there is a breakthrough in factoring -stares at Xeda- this is effectively impossible. Who knows, maybe we will find another way to find the answers we want.
Do you think Zeda could look at the hex and get the key using his special hex powers and maths spells? :P
If it helps, I have been attacking primes and some prime theory. I haven't gotten anywhere that nobody else has, but I am giving it a whirl :D
EDIT: It might help if I actually understand the concept of these public and private keys... I've only been guessing in that area and I still don't understand how the method works to prevent access to stuff.
Don't bother -- It's impossible. (No, seriously. Not impossible like going back in time, but rather less probable than pretty much anything you can think of.)
Hi, I'm trying to remove boot2 from my nspire. Not being very experienced with programming, I'm having much trouble compiling TNOC. :banghead: Could someone please help me?
TNOC doesn't need to be compiled... It comes with a binary. Assuming the previous sentence does not apply because you're using Linux, where does it fail?
-
Still, it's a chance, if not a very large one, that they might figure something out. I have also been wondering about this. Could someone give a comprehensive tutorial/information about how this works? Chances are almost 100% we'll find nothing, but it still would be a nice interesting experience.
-
Still, it's a chance, if not a very large one, that they might figure something out. I have also been wondering about this. Could someone give a comprehensive tutorial/information about how this works? Chances are almost 100% we'll find nothing, but it still would be a nice interesting experience.
Look, I'm sorry to rain on the parade here, but I'm just being honest. Our time is better spent on things that can be accomplished. We can't factor the RSA key in the foreseeable future, unless we get quantum computers.
For an introduction to RSA, see the Wikipedia article:
http://en.wikipedia.org/wiki/RSA
-
Basically:
2 public keys: E and N
1 private key: D
We choose X < N
When we encode: y = (X^E) % N
When we decode: z = (y^D) % N (or the inverse way if you want)
In fact: z = (y^D) % N
= ((X^E % N)^D) % N
= (X^(E*D)) % N
= X^1 % N
= X because X < N
Now, find D with E and N... good luck
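The derivation above, together with the point made earlier in the thread that the public keys (E, N) are known while D cannot be obtained without factoring N, as a worked Python example. This is an added example, not code from the thread, from TNOC or from TI: the primes 10007 and 10009, the exponent 65537, the sample image bytes and the `min_key_bits` check are constructed assumptions for illustration (the policy check is a simplified model of the 2048-bit signature requirement described for boot2 3.0, not TI's implementation).

```python
"""Toy RSA walk-through of the derivation above (added example, not code from
the thread, from TNOC or from TI).  Key sizes are deliberately tiny so the
factoring step runs instantly; a real 2048-bit N is the whole point of the
thread and cannot be factored this way."""

import hashlib
from math import gcd, isqrt


def generate_keypair(p, q, e=65537):
    """Return ((E, N), D) for primes p, q.  E and N are public; D is private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be coprime with phi(N)")
    d = pow(e, -1, phi)  # E*D = 1 (mod phi), which is what makes X^(E*D) = X
    return (e, n), d


def encrypt(x, pub):
    """y = X^E mod N; X must be smaller than N for decoding to give X back."""
    e, n = pub
    if not 0 <= x < n:
        raise ValueError("X must satisfy 0 <= X < N")
    return pow(x, e, n)


def decrypt(y, d, n):
    """z = y^D mod N (equals X by the derivation in the post)."""
    return pow(y, d, n)


def _hash_to_int(message, n):
    # Hash the message and reduce it below N so it is a valid "X".
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, d, n):
    """The 'inverse way': the key holder raises the hash to D (private)."""
    return pow(_hash_to_int(message, n), d, n)


def verify(message, sig, pub, min_key_bits=0):
    """Verifier raises the signature to E (public) and compares with the hash.

    min_key_bits models the policy described earlier in the thread (boot2 3.0
    only accepting 2048-bit signatures); this simplified size check is an
    assumption about that behaviour, not TI's actual code."""
    e, n = pub
    if n.bit_length() < min_key_bits:
        return False
    return pow(sig, e, n) == _hash_to_int(message, n)


def recover_private_key(pub):
    """Derive D from (E, N) alone: this requires factoring N.

    Trial division up to sqrt(N) takes ~10^4 steps for the toy N below and
    on the order of 2^1024 steps for a 2048-bit N, which is why the thread
    calls it hopeless."""
    e, n = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    return None


if __name__ == "__main__":
    # Constructed toy primes, not values from any real TI key.
    pub, d = generate_keypair(10007, 10009)
    e, n = pub
    x = 12345
    y = encrypt(x, pub)
    print(f"E={e} N={n} D={d}: X={x} -> y={y} -> z={decrypt(y, d, n)}")

    image = b"phoenix.raw (constructed sample bytes)"
    sig = sign(image, d, n)
    print("signature valid:", verify(image, sig, pub))
    print("tampered image valid:", verify(image + b"!", sig, pub))
    print("accepted under 2048-bit policy:", verify(image, sig, pub, min_key_bits=2048))
    print("D recovered by factoring toy N:", recover_private_key(pub) == d)
```

Run it with Python 3.8 or newer (`pow(e, -1, phi)` for the modular inverse needs 3.8+). The last line is the whole story of the thread in miniature: with a 27-bit toy N the private exponent falls out of a loop of ten thousand iterations, and nothing in the code changes for a 2048-bit N except that the same loop would need about 2^1024 iterations.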
-
Hmm, thanks! I will look at that because it has intrigued me how this works!
Anywho...
Any work I do involving numbers or patterns is my way of just having fun :) They have always been my favorite toys, so I will continue playing with them. The only reason I am working with primes is because they make me happy, not for some silly RSA thing :)
-
Hmm, thanks! I will look at that because it has intrigued me how this works!
Anywho...
Any work I do involving numbers or patterns is my way of just having fun :) They have always been my favorite toys, so I will continue playing with them. The only reason I am working with primes is because they make me happy, not for some silly RSA thing :)
As long as you enjoy it, that's great :D I just wanted you to know how improbable factoring those keys really is.
*mikehill hopes newbies don't think this means they will have the keys in a week....
-
Oh, I know, so thanks :) To brute force a 2048-bit RSA, you might need to check as many as 1+2^1023 numbers as potential factors x.x To give an idea, to those who don't know, that is almost 10^308, which is greater than a googol cubed.
-
Can I ask what is the boot1 and boot2 of TI-Nspire 3.0.1.1753?
-
The boot1 is a program which validates the boot2, decodes it and runs it. It can also reprogram the boot2, run the diagnostics software, reprogram the diagnostics software...
The boot2 is a program which validates the OS, decodes it and runs it. It can also run the maintenance menu (remove OS and/or documents) and run a test OS on non-CX models (without permanent installation).
To my knowledge, Boot1 is 1.1.8916 on all non-CX TI-Nspires released.
Boot2 can be 1.1.8981, 1.4.1571 or 3.0.1.131.
Boot1 is 3.0.0.99 on all TI-Nspire CX released.
Boot2 is 3.0.1.131
-
Is it 3.0.1.131 for boot2? Because on mine it said:
boot1 1.1.8916
boot2 3.1.131
Why is the 0 being left out? Is this significant, or just a typo on the programmer's part?
-
Yes, 3.0.1.131 and 3.1.131 refer to the same version.
-
So I have a computer with an actual serial port, so for sending the boot2 can I just use that or do I need that specific USB <-> rs232 converter? Also, what program do I need to send the boot2 with?
Also, I need to corrupt my boot2. What memory address do I need to write to to do so?
-
You need a TTL level converter. You can buy them, or make one yourself: http://sodoityourself.com/max232-serial-level-converter/ .
I made mine using the above guide :)
-
Also, what program do I need to send the boot2 with?
A number of terminal programs can do the job. Use the one that critor used, if possible :)
Also, I need to corrupt my boot2. What memory address do I need to write to to do so?
You don't need to worry about memory addresses, just use the appropriate key combo for the boot1 to put itself in boot2 receiving mode. I don't remember which it is, but it's written in the tutorial :)
-
No, I need to make it look like my calc is bricked, so I have an excuse to buy a prizm >:D Then, a few months later, I'm going to restore the boot2, and tell my parents "oh, I figured out how to fix it" ;)
Also, what program did critor use? It doesn't say in the article on TI-Bank.
-
Ah, that's a different matter indeed :D
-
The program I used is mentioned in the tutorial linked from the article, with screen captures.
-
Huh? The only screenshot I see in the tutorial is of WinRAR. Did you use WinRar to send the file?
-
Huh? The only screenshot I see in the tutorial is of WinRAR. Did you use WinRar to send the file?
The TNOC tutorial doesn't deal with Boot2 reflashing.
I've made several tutorials about that.
Check this one for example:
http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=3507
-
Hi, just got my Nspire touchpad (non-CAS) a few days ago. I connected it and it installed the new OS. I am trying to get ndless but I know I can't without 2.0.1 or 2.1. The reason I am posting this here is because whenever I click on a link to "ti.bank.free.fr" I get this message:
The server understood the request but is refusing to fulfill. An authentication process will not help and the request should not be renewed. If the invoked method is different from HEAD and the server wishes to make public why he refuses treatment, he will do in the entity associated with this response. This status code is often used when the server does not wish to dwell on the reasons for refusing access, or because it's the only answer that works. You are trying to access a resource to you prohibited. It may be that the relevant account is suspended (see Management Console)
I am trying to get TNOC to remove boot2 so I can downgrade to 2.1 so I can get ndless.
-
Yeah, TI-BANK was taken down by their hosting provider for having too many files and using too much server resources or something like that. Not sure when it will come back.
Critor should probably put TNOC somewhere or update the version on ticalc.org for OS 3.0.1 if not already done.
Welcome to the forums, by the way! :)
-
Here : http://levak.free.fr/ftp/nspire/TNOC/
-
Thanks :)
Also, can you explain to me exactly what I need to do to be able to get ndless? I have an Nspire touchpad (non-CAS) with the most recent OS. I'm pretty sure I know, but I don't want to do anything wrong and brick my calc.
-
pillyg: if you have already installed OS 3.0.1.1753 or 3.0.2.1791 without having used TNOC first on the TNO, you cannot downgrade your calculator anymore without special hardware (which enables you to reflash the boot2).
IOW, in the current state of things, it's very likely that you cannot get Ndless.
-
:( Ok. It still won't work even if I remove the OS and reinstall it without the boot2?
-
It still won't work even if I remove the OS and reinstall it without the boot2?
Indeed, it still won't work until you reflash the boot2 through the serial port, or Ndless 3.x is released.
-
Ok. And I need the RS232 setup in order to do that, right?
Is there any info on Ndless 3.x?
-
And I need the RS232 setup in order to do that, right?
Yes :)
Is there any info on Ndless 3.x?
"No", in that not much will be posted publicly for the reason that TI is still very much trying to fight against the inevitable :)
-
New TNOC link:
http://tiplanet.org/forum/archives_voir.php?id=1922
-
So, how does an OS know if a supplied boot2 is "older" or newer? After all, they're signed with the same key. Perhaps you could package a 1.4 boot2 into the 3.0 OS file. Thoughts?
-
I guess I should compile TNOC 1.22 for Windows, but since it is way too hard to solve the zlib problems under Windows, I've never done it, even though there are many bug fixes... =/
-
Perhaps you could package a 1.4 boot2 into the 3.0 OS file. Thoughts?
Maybe, but then the result could be redistributed only under the form of binary patches, because third parties are not supposed to redistribute TI's binaries :)
That's how tiosmod+amspatch works for those who do not compile and use it themselves: four different formats of binary patches.
-
Sure, but heck, if it meant getting back the boot2 without an RS232 mod, a patch isn't bad at all.
-
I need to remember to start posting TNOC links again when posting Nspire-related news, to remind Lua game fans to TNOC their OS before upgrading from 2.x