Omnimaga
Calculator Community => Other Calculators => Topic started by: zweb on June 04, 2013, 04:39:14 am
-
I have just bought a prototype of TI NSPIRE CM-C.
I will test it tonight(I'm a Chinese,so about 1:00 GMT)
-
Ooh, a prototype. This is pretty interesting, especially that big hole with wires sticking out. Be sure we'll news about it when you'll post your tests.
-
Very interesting. Thank you for posting pics. I'm curious what will be discovered about this prototype model.
:)
-
The big hole is for the J04/debug connector which is supposed to have JTAG and is not soldered on production models.
For now, can we have the OS/Boot2/Boot1 versions?
Thanks.
-
The big hole is for the J04/debug connector which is supposed to have JTAG and is not soldered on production models.
For now, can we have the OS/Boot2/Boot1 versions?
Thanks.
It doesn't boot up,and I don't know what to do now.Any pinout information about J04?I have a Jlink
-
The big hole is for the J04/debug connector which is supposed to have JTAG and is not soldered on production models.
For now, can we have the OS/Boot2/Boot1 versions?
Thanks.
I found that the L01A was broken,could you tell me the model of it?(It seems to be the same as CX/CM-C)
-
This is really cool. I collect nspire prototypes, but I prefer the working ones :(. I would still like to see what secrets this one contains.
-
The big hole is for the J04/debug connector which is supposed to have JTAG and is not soldered on production models.
For now, can we have the OS/Boot2/Boot1 versions?
Thanks.
It doesn't boot up,and I don't know what to do now.Any pinout information about J04?I have a Jlink
Unfortunately, as far as I know nobody has achieved (tried?) a JTAG connection on TI-Nspire CX/CM for now.
It's a proprietary connector, we don't know much about the pinout.
Does it at least turn on or not at all?
Please, don't throw it away - even if your prototype is not working, it has the J04 connector missing on production models, and this could be very useful.
Could we have a picture of the back with its serial visible in order to identify what kind of prototype it is?
Could we have a picture of the motherboard once opened with those strange wires connections?
And could we have a big picture of the J04 connector, as you have the only one which leaked in the world for now?
Thank you very much.
-
Ui, a new prototype! Hoepefully we'll learn a lot new stuff :D
-
The big hole is for the J04/debug connector which is supposed to have JTAG and is not
soldered on production models.
For now, can we have the OS/Boot2/Boot1 versions?
Thanks.
It doesn't boot up,and I don't know what to do now.Any pinout information about J04?I
have a Jlink
Unfortunately, as far as I know nobody has achieved (tried?) a JTAG connection on
TI-Nspire CX/CM for now.
It's a proprietary connector, we don't know much about the pinout.
Does it at least turn on or not at all?
Please, don't throw it away - even if your prototype is not working, it has the J04
connector missing on production models, and this could be very useful.
Could we have a picture of the back with its serial visible in order to identify what
kind of prototype it is?
Could we have a picture of the motherboard once opened with those strange wires
connections?
And could we have a big picture of the J04 connector, as you have the only one which
leaked in the world for now?
Thank you very much.
These strange wires were connected to some 0ohm resistors.I believe they were
jumpers.So I desoldered them and connected resistors back.They were marked in blue.
L01A(an inductor) was broken when I got it,I don't know the exact inductance,can
anybody tell me?I think it should be the same as CX's.
I'm sorry that my network is quite slow,so I have to upload photos in several posts.
-
hey, in future please don't tripple post, use the edit button instead, and that big pictures put in [spoiler] tags please! :D
-
Great - very interesting!
It's not a prototype which was given by TI for evaluation to some teacher/student, it's clearly a prototype coming from the development team - congratulations! :)
Would it be possible to have a picture of the back of the case?
It usually have interesting informations about prototypes in the serial, like the EVT/DVT/PVT codes.
Could we also have a picture of the ASIC 'Texas Instruments' chip?
The labels are visible on the last image but not readable, and they're not visible in the previous image.
As reference, here are pictures of the production TI-Nspire CM-C boards:
http://tiplanet.org/forum/gallery/image_page.php?album_id=119&image_id=1359
-
Great - very interesting!
It's not a prototype which was given by TI for evaluation to some teacher/student, it's clearly a prototype coming from the development team - congratulations! :)
Would it be possible to have a picture of the back of the case?
It usually have interesting informations about prototypes in the serial, like the EVT/DVT/PVT codes.
Could we also have a picture of the ASIC 'Texas Instruments' chip?
The labels are visible on the last image but not readable, and they're not visible in the previous image.
As reference, here are pictures of the production TI-Nspire CM-C boards:
http://tiplanet.org/forum/gallery/image_page.php?album_id=119&image_id=1359
My network is slow,so it takes me a long time to reply.
HD Photos here.
In CM-C photos,L01A was covered by green glue :(
On ASIC chip:
Texas Instruments
ET-LC2010B-0
T6UJIXBG-0002
JAPAN1111-ES
409506 e1
-
Great discovery! :D
-
It boots up!
OS 3.1.0.236,BOOT1 3.0.99,BOOT2 3.10.0,128MB ROM
the broken inductor was 4R7(4.7uH),I used a 5uH one instead.
-
Great :)
-
Ok, great!
We need to dump it now ;)
Would you be ok to try some dumping tools? Nothing dangerous, but it might require several tries.
By the way, can you check the Diagnostic Software menu and version?
Hold Esc+Menu+Minus while pressing reset.
(the minus on the right near the plus - not the sign minus)
Thanks again for this great discovery.
The easiest way but not the cheapest is having two TI-Nspire CM and to star by dumping the OS.
You send the OS to the Ndlessed production unit, and I've got an Ndless tool which does get it before the installation is triggered (and aborted as it's a development OS).
Once the OS is dumped, it can be studied/tested on emulators, and some specific tools for dumpes the Boot1/Boot2/Diags can be developped.
-
It seems that I have something to do with the battery...I don't have the official battery :(
-
You should stop trying to install an OS on your prototype.
You may just manage to erase your special 3.1.0.236 development OS, and you can't install released production OSes on your prototype as it's using the development RSA keys instead of the production RSA keys.
We have never dumped any TI-Nspire CM development OS - if you erase the OS, the calculator will remain unusable - we'll have no way to repair it.
That's why the 1st priority should be to try to dump your 3.1.0.236 development OS.
If you find a production TI-Nspire CM, this can be performed quite easily.
-
You should stop trying to install an OS on your prototype.
You may just manage to erase your special 3.1.0.236 development OS, and you can't install released production OSes on your prototype as it's using the development RSA keys instead of the production RSA keys.
We have never dumped any TI-Nspire CM development OS - if you erase the OS, the calculator will remain unusable - we'll have no way to repair it.
That's why the 1st priority should be to try to dump your 3.1.0.236 development OS.
If you find a production TI-Nspire CM, this can be performed quite easily.
I'm installing ndless,but failed
-
Ok, fine. :)
Ndless 'might' work.
It depends if most syscalls addresses are the same or not.
If Ndless works, you can dump everything with Polydumper CX.
For exemple, Ndless 1.7/2.0 was designed for OS 1.7.2741, but could also be used with the older OS 1.7.2733 we managed to dump after the release.
Using a charged rechargeable battery from another TI-Nspire CM/CX, TI-Nspire TouchPad or TI-84 Plus C Silver Edition should solve your problem.
-
You should stop trying to install an OS on your prototype.
You may just manage to erase your special 3.1.0.236 development OS, and you can't install released production OSes on your prototype as it's using the development RSA keys instead of the production RSA keys.
We have never dumped any TI-Nspire CM development OS - if you erase the OS, the calculator will remain unusable - we'll have no way to repair it.
That's why the 1st priority should be to try to dump your 3.1.0.236 development OS.
If you find a production TI-Nspire CM, this can be performed quite easily.
How to dump the OS without having another CM?Dump tools can't run without ndless
-
The exploits used by Ndless on production OS 3.1 are likely present on your development OS 3.1.
If Ndless 3.1 doesn't work, a special tool or light Ndless could be developped for your model.
I can see several ways for now:
- installing Ndless 3.1 and running Polydumper CX (which might not work if your OS is too different - you'll have to solve your battery problem first)
- sending the OS to another Ndlessed production TI-Nspire CM
- using specific tools exploiting some flaws, but developing them will be easier and faster if the OS is dumped first
- lending the calculator to one of us if you trust us
-
The exploits used by Ndless on production OS 3.1 are likely present on your development OS 3.1.
If Ndless 3.1 doesn't work, a special tool or light Ndless could be developped for your model.
I can see several ways for now:
- installing Ndless 3.1 and running Polydumper CX (which might not work if your OS is too different - you'll have to solve your battery problem first)
- sending the OS to another Ndlessed production TI-Nspire CM
- using specific tools exploiting some flaws, but developing them will be easier and faster if the OS is dumped first
- lending the calculator to one of us if you trust us
I solved the battery problem but it reboots while installing ndless.
I have a Clickpad and my parents won't let me to buy another CM :(
Lending the calculator seems to be a great idea,but I'm in mainland China,so It will take lot of money :(
I will try JTAG way but nobody succeed before...Any way to dump the OS with UART?
-
Yes we have tools which do print the Boot1/Boot2/Diags data on RS232, but adapting them for your OS would require to dump the OS first.
I've just sent an email, asking if somebody had an idea to help you. Let's see in the next few days...
In the worst case, money isn't a problem. :)
-
Hey zweb, thanks for sharing all the pics and info on your prototype model. :)
-
- sending the OS to another Ndlessed production TI-Nspire CM
I wonder if it's possible to use a CX instead of CM?or TI-XXXXXXXXXX(Clickpad Prototype)
-
In theory, no.
The model ID is different, and the transfer will be denied.
-
There's a computer-side program for dumping the OS (which is not libticalcs/tilp, that works only on OS 1.x by taking advantage of a glaring directory traversal vulnerability), but we need to check it first, so as to make sure it can work for you in its current state :)
Meanwhile, don't take any initiatives which could destroy the calculator (as critor wrote above, that's what will happen, for practical purposes, if the OS is erased somehow).
EDIT: the C# program is http://brandonw.net/svn/calcstuff/Fron/trunk/ , and you need to open Fron\Startup.cs and change the "if (true)" to "if (false)" and run it so it can receive the OS upgrade (information courtesy of BrandonW). It may, or may not, work for you.
-
I thought that from Clickpad to CX,there is always a SDIO test in DIAG,is that means J04 may contains SDIO?
And I got the bootlog:
Boot Loader Stage 1 (3.00.99)
Build: 2010/9/9, 17:29:13
Copyright (c) 2006-2010 Texas Instruments Incorporated
Using production keys
Last boot progress: 65
Available system memory: 33196
Checking for NAND: NAND Flash ID: MICRON
SDRAM size: 32 MB
Wakeup Event: ON.
SDRAM memory test: Pass
Clearing SDRAM...Done.
Clocks: CPU = 132MHz AHB = 66MHz APB = 33MHz
Clearing SDRAM...Done.
Clearing SDRAM...Done.
Boot option: Normal
Loading BOOT2 software...
99%
BOOT1: loading complete (307 ticks), launching image.
Boot Loader Stage 2 (3.10.DEVBUILD)
Build: 2011/5/19, 12:34:34
Copyright (c) 2006-2010 Texas Instruments Incorporated
Using production keys
Clocks: CPU = 132MHz AHB = 66MHz APB = 33MHz
Checking for NAND: NAND Flash ID: MICRON
Initializing graphics subsystem.
Boot option: Normal
Initializing filesystem.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
Filesystem ready.
Purging temporary files...
TI_OS_INSTALL_PRECHECK_OK (0)
Loading Operating System...
100%
BOOT2: loading complete (2130 ticks), launching image.
Beginning system initialization.
Clocks: CPU = 132 MHz AHB = 66 MHz APB = 33 MHz
Preparing file system. This takes a while...
POSIX layer initialized.
POSIX "NULL" device initialized.
POSIX "CONSOLE" device initialized.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
POSIX file system initialized.
File system ready.
BOOT2 updater not needed
* No battery door detection
System build date: Jun 6 2011, 02:18:23
Available memory: 15525412 bytes
Purging temporary files...
Launching system...
TouchPad Firmware Revision : 01060000
Created Execution Context
NavNet Ready.
Creating new IME Dialog
-
And after some simple test,I believe pin 25 in J04 should be RST,so I think if J04 really contain JTAG signals,pinout should be like this:
GND 1 2 GND
Vcc 3 4 Square-wave
High 5 6 Square-wave
High 7 8 Square-wave
TBD 9 10 Square-wave
GND 11 12 Square-wave
GND 13 14 GND
TRST 15 16 TBD
TDI 17 18 GND
TMS 19 20 Square-wave
TCK 21 22 Square-wave
TDO 23 24 RS232 Output (115'200,8,n,1)
RST 25 26 RS232 Input
GND 27 28 GND
GND 29 30 GND
I will test it on next Monday,and of course,I wonder what pin9\pin16 and these strange square wave really are
-
After some tries,I'm sure that pin 21 and pin 19 can't be TCK.
To critor: can I dump the OS with a CX running CM OS?
-
Have you tested the program I linked to above ?
-
Have you tested the program I linked to above ?
oh,sorry,I don't know how to use vc#.I'm learning these days.
-
After some tries,I'm sure that pin 21 and pin 19 can't be TCK.
To critor: can I dump the OS with a CX running CM OS?
Maybe.
-
Have you tested the program I linked to above ?
CM will send its OS to PC,but,where to get it?I didn't get any sense form the source code.
-
Is there something in "C:\temp.tnc" ?
-
Is there something in "C:\temp.tnc" ?
Oh,yes,I found it.but OS sending fails with this message on the computer:
ContextSwitchDeadlock
Message: The CLR has been unable to transition from COM context 0x1bdeb6b0 to COM context 0x1bdeb900 for 60 seconds. The thread that owns the destination context/apartment is most likely either doing a non pumping wait or processing a very long running operation without pumping Windows messages. This situation generally has a negative performance impact and may even lead to the application becoming non responsive or memory usage accumulating continually over time. To avoid this problem, all single threaded apartment (STA) threads should use pumping wait primitives (such as CoWaitForMultipleHandles) and routinely pump messages during long running operations.
I will disable this exception message in VS and try again
-
(By the way, if any of the files in your double-post contains actual OS files, you might want to remove them, so we don't get in trouble with TI)
-
(By the way, if any of the files in your double-post contains actual OS files, you might want to remove them, so we don't get in trouble with TI)
OK,I removed them.It *might* contains the OS.
-
Is it possible to repost the files without the OS itself (if applicable)? (Else, I guess you could just e-mail them to Lionel or others who can help)
-
Chances are that zweb is asleep by now, so I'll reply myself:
Is it possible to repost the files without the OS itself (if applicable)?
Nope.
-
And after some simple test,I believe pin 25 in J04 should be RST,so I think if J04 really contain JTAG signals,pinout should be like this:
GND 1 2 GND
Vcc 3 4 Square-wave
High 5 6 Square-wave
High 7 8 Square-wave
TBD 9 10 Square-wave
GND 11 12 Square-wave
GND 13 14 GND
TRST 15 16 TBD
TDI 17 18 GND
TMS 19 20 Square-wave
TCK 21 22 Square-wave
TDO 23 24 RS232 Output (115'200,8,n,1)
RST 25 26 RS232 Input
GND 27 28 GND
GND 29 30 GND
I will test it on next Monday,and of course,I wonder what pin9\pin16 and these strange square wave really are
Could you test and confirm those pins?
Just connecting the RST pin to ground doesn't seem to trigger any reset.
-
I think I've successfully found out the J04/JTAG connector reference:
It's a BTBh005F-PtM30GN which has to be soldered on the TI-Nspire CX/CM J04 contacts.
The matching connector to plug it into is BTBh005F-PtF30GN.
They're going to look like that:
(http://i.imgur.com/SzubyBZ.jpg)(http://i.imgur.com/bqqq5mE.jpg)
@zweb: can you confirm this on your side?
For source / explanations:
http://tiplanet.org/forum/viewtopic.php?f=43&t=13169