Omnimaga
Calculator Community => Other Calculators => Topic started by: alberthrocks on July 16, 2010, 10:31:30 pm
-
I'm frankly pissed at TI, so I've decided to get hacking! :)
This method is different. I'm not interested in finding a way to crash the OS (and from there, develop a hack).
Instead, I'll take the other way instead - hacking with the original firmware/OS update instead!
Of course:
1) I have ZERO knowledge of how this works and such, but I'll use what I know to hack it
2) This isn't a one person project - anyone can join in! :)
3) You will not be able to download anything I have. You can follow along, but to keep TI from sending crazy DMCA takedowns, I will NOT post links.
So, let's get started!
======================
Downloading the cursed update
I've downloaded the official, evil update from TI's website.
If you are downloading this, PLEASE, disconnect your Nspire(s) from the computer!
You never know if TI's going to try auto-updating your calc... :o
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/DownloadingCursedUpdate-SMALL.png)
...and it's done.
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/Downloaded-SMALL.png)
Into the mysterious world of TI Nspire OS Updates...
Now, there's a forum that gave me an interesting hint on opening these update files:
The tnc and tno files are PKZIPs with 63 header bytes. Some unzippers will unzip them unmodified. Inside are a .img and .cer file. The .img is a zip with other stuff in it as well. I have only managed to extract the .img with Peazip (Windows version runs in wine/darwine -- the source looks like a bitch to compile). Inside it seems to only be factory default settings (which are in a .xml in a .zip), 6 language localizations, and in the non-CAS version, parts of the 84+ ROM (I can only identify the user archive -- has several language localization apps, as well as language-local versions of at least StudyCards and Periodic). The rest of the .img (about 4/5 of it) seems to be the actual code part of the OS. I haven't spent much time examining it yet. It may or may not be compressed and/or encrypted. I certainly haven't tried to ID the processor yet.
So, renaming to ZIP did it:
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/Renamed-SMALL.png)
And of course, it opened:
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/Extracted-SMALL.png)
The files:
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/ExtractedFiles-SMALL.png)
Into Pandora's box
Let's examine the files:
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/TerminalExamination-SMALL.png)
Ignore the dBase files. I'm still trying to figure out what they are.
The TI-Nspire file is interesting. I renamed that to a zip and opened it:
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/ScreenshotsOfProcess/WebShrunk/IntoTheNspireZIP-SMALL.png)
So... what exactly IS inside of these folders?
phoenix/clnk/locales/en/strings.res contains... strings (??) about class logins:
(note: this is strings extracted from the binary)
Login to Class
Transfer Status
Session Info
Class not started.
Receiving file...
Destination Folder:
User Name:
Password:*
Class has ended, you have been logged out.'
There are no pending items to transfer.
Transfer completed successfully.
Close
Login
Login Failed,
Unrecognized user for current class session.+
Communication failed. Check the connection.
Class type mismatch.
Wrong username or password.7
Username must be between 3 and 12 characters in length.7
Password must be between 3 and 12 characters in length.
Login attempt failed.
Wrong device type.
is already logged in.
You are logged in as user:
Login Successful
is logged in.
Not logged in.
Network:
Wireless cradle is not attached.
Connecting to AP.
Connected to AP.
Connected to Network.
Network Error.
Recharge cradle immediately.
Anyway, that's all I have for now. I'll keep you guys updated! :)
Albert
-
What is your goal in doing this? To find a way to execute ASM programs. (I am sorry if you had this in your post, I may have missed it).
I was just wondering, can you add/delete/modify files in the .tno file in the program you are using to extract these files. I am using 7-zip (on Windows 7) and I can access all of these files, but I cannot add/delete/modify them.
-
@apcalc: I would assume that if you were interested, you would know what the goal is. ;)
It is indeed to execute community apps/programs. For Nspire, it's more or less C programs, but can be ASM too.
I'm not sure about that though. You could go inside the file and muck around and attempt to replace files.
-
Perhaps also, you could find what causes the upgrade to lock out OS downgrading?
I was just wondering, can you add/delete/modify files in the .tno file in the program you are using to extract these files. I am using 7-zip (on Windows 7) and I can access all of these files, but I cannot add/delete/modify them.
As a 7-zip user, I downloaded it (even though I don't have an Nspire, I just wanted to see if it would work) to see if I could open it. I found renaming the *.tno and the *.img files to *.7z allowed me to open/extract/edit them fine.
I'm on my XP laptop at the moment so I don't know if it works on Windows 7, though.
-
On my Ubuntu, p7zip is installed, so it was able to open and extract it. (p7zip is the linux version of 7zip.)
I'm not really sure about finding the causes though. That requires decrypting and extracting the OS (and decompiling it too!), so I'm not sure.
If you want to know what the hackers are up to, check out this:
http://www.unitedti.org/forum/index.php?showtopic=8191&st=800
They are far ahead of me. ;)
-
If you're modifying the OS, how do you plan to send an unsigned patched version to the device? :)
-
You're reinventing the wheel, alberthrocks. Use (and expand if you can find new things) the information already posted at http://hackspire.unsads.com ;)
Among other things, how the upgrade locks out OS downgrading has been documented for more than 24 hours already, on UTI, and cross-posted at least to TI-Bank and yAronet: http://www.unitedti.org/forum/index.php?showtopic=8191&view=findpost&p=141968 :)
-
Btw, Critor has been trying to figure out how to remove the downgrade protection as well on TI-BANK at http://tibank.forumactif.com/actualites-f25/os-21-sorti-t5803-60.htm
Use Google language tools.
-
If you open up the Nspire OS with a text editor (without using 7-zip or some other program to extract the files contained within), you can clearly see the minimum OS version (in plain text, not even in hex).
Could you change it to "1.1.9523", save, and send to your calculator? Based on ExtendeD's and Goplat's posts on UTI, I assume this would work presuming you haven't already sent 2.1 to your calculator - unless of course it invalidates the OS in some way.
-
Could you change it to "1.1.9523", save, and send to your calculator?
TI is not that stupid ;)
Even after recreating the encrypted version of the 8020 field (critor did in http://tibank.forumactif.com/actualites-f25/os-21-sorti-t5803-60.htm, referencing a post by ExtendeD on UTI), the whole file is signed by a 1024-bit RSA key. That key is contained in the TI-Nspire.cer file, which is itself signed with a 1024-bit RSA key...
-
@Ancient Power: My goal is to disassemble it and find bugs that way. ;)
@Lionel Debroux: Wow.... well, I'm certainly behind! :-o I'll look into it.
It seems though that nobody in the UnitedTI forums noticed (nor in the Wiki) that the Nspire OS is BSD based.
Also... in theory, couldn't the boot1 be extracted and used to find the keys?
RSA is public/private key based - it should be decrypting it with the private key.
Finding the private key can lead to the public key...?
BTW, are you the TiLP developer by any chance?
@DJ Omnimaga: I've looked into that. I don't think it'll work, since it's bound to break CRC/MD5/SHA1/whatever checks.
(And possibly the 1028 bit RSA key encryption too!)
And some French will do me some good. ;) I take French, and I think it's a cool language! :) (Je pense français est très super!)
EDIT: Wow... unfortunately, I was right about the process not working. :(
@TC01: I wish it was that way. I'm pretty sure there are some interesting checks that they put in (listed above).
-
RSA keys can be used in a few ways. One of which is encryption/decryption. Another one is validation. Say I have a program called "TEST". I produce a checksum on TEST, and then use my private key to encrypt it. I distribute TEST with its encrypted checksum and public key. Then, if a person wants to make sure my program TEST is really from me and unmodified then they use the included public key and do their own checksum of the program, and then encrypt it. If the two encrypted checksums match, then the program is said to be valid.
-
And some French will do me some good. ;) I take French, and I think it's a cool language! :) (Je pense français est très super!)
I agree it can be good to know multiple languages, even if not perfectly. In the TI community case, the 2nd most popular language is French, followed by Dutch, with German lagging far behind.
Anyway, sadly I am not into low level stuff, so I wouldn't be able to help much, unless it was to factor a key or something; I would be happy to put my two computers to contribution. I wish you guys (and girls?) good luck on hacking the OS or the calc.
-
It seems though that nobody in the UnitedTI forums noticed (nor in the Wiki) that the Nspire OS is BSD based.
Perhaps because it is not BSD-based, AFAWCT ? ;)
The boot2 and the OS (at least up to 2.0.x) are based on Nucleus. Hundreds of symbols for OS 1.7.2741 have been posted at http://www.yaronet.com/posts.php?s=125502 , and packed together (for easier use) into a privately-distributed file.
Also... in theory, couldn't the boot1 be extracted and used to find the keys?
The boot1 was extracted months ago.
Finding the private key can lead to the public key...?
For our purposes, it's the reciprocal way: factoring the public key leads to the private key. But while this was possible (and even quite easy) for the 512-bit RSA keys of TI-Z80 and TI-68k calculators, this is outright impossible at the moment for 1024-bit RSA keys used in Nspire calcs. See http://ourl.ca/6236
BTW, are you the TiLP developer by any chance?
Yes, I am the current TILP maintainer.
@DJ Omnimaga: I've looked into that. I don't think it'll work, since it's bound to break CRC/MD5/SHA1/whatever checks.
(And possibly the 1028 bit RSA key encryption too!)
Here, it's signature, not encryption, as explained by graphmastur; and factoring 1024-bit RSA keys is not practical, even with GNFS, see the topic I linked to :)
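The signature scheme described by graphmastur and corrected by Lionel above (a signature over the whole file, verified with the public key alone, and the private exponent falling straight out of the factors p and q), as an added example that is not code from this thread. It uses a constructed toy key built from two known Mersenne primes and a constructed stand-in for an OS image; SHA-1 as the digest and the `min_os_version=` field layout are assumptions, not TI's real format.

```python
import hashlib
from math import gcd

# Constructed toy key from two known Mersenne primes (2^89-1 and 2^107-1).
# The ~196-bit modulus is only large enough that a 160-bit SHA-1 digest fits
# below n; the real Nspire keys are 1024-bit and cannot be factored this way.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537


def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1).

    This is the whole reason factoring the public modulus matters: once p and
    q are known, the private exponent follows in one modular inversion."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return pow(e, -1, phi)


D = private_exponent(P, Q, E)


def digest_int(data: bytes) -> int:
    # Assumption: SHA-1 stands in for whatever hash the real signer uses.
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign(data: bytes, d: int, n: int) -> int:
    """Signer side: only the holder of d can produce this value."""
    h = digest_int(data)
    if h >= n:
        raise ValueError("digest must be smaller than the modulus")
    return pow(h, d, n)


def verify(data: bytes, sig: int, e: int, n: int) -> bool:
    """Verifier side: needs only (e, n), never d. The calculator does the
    same thing, which is why no private key ships in the OS or the link software."""
    return pow(sig, e, n) == digest_int(data)


# Constructed stand-in for an OS image with a plaintext minimum-version field,
# in the spirit of the version string found with a text editor earlier in the thread.
IMAGE = b"TI-Nspire-OS\x00min_os_version=1.7.2741\x00" + b"\x90" * 64


def patch_min_version(image: bytes, new_version: str) -> bytes:
    """The edit proposed above: rewrite the version field and leave everything else."""
    return image.replace(b"min_os_version=1.7.2741",
                         b"min_os_version=" + new_version.encode())


def demo() -> dict:
    sig = sign(IMAGE, D, N)
    patched = patch_min_version(IMAGE, "1.1.9523")
    return {
        # Untouched image with its genuine signature verifies.
        "original_ok": verify(IMAGE, sig, E, N),
        # Same signature over the edited image fails: the hash changed, and
        # producing a fresh signature for the edited bytes needs D.
        "patched_ok": verify(patched, sig, E, N),
        # A signature made with the recovered D does verify, which is what
        # factoring would buy and why 1024-bit keys are the real obstacle.
        "resigned_ok": verify(patched, sign(patched, D, N), E, N),
    }


if __name__ == "__main__":
    print(demo())
```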
-
Wait, what exactly are we trying to do here?
We can already execute machine code on OS 1.1, and Ndless 2 is rumored to function on OS 1.7, so barring future downgrade protection, Ndless 2 will bring with it the ability to execute unsigned applications on all versions of the Nspire hardware.
Or are we trying to remove the downgrade protection from 2.1?
Or are we just brainstorming general discoveries?
-
I think he wants to remove the downgrade protection and also allow machine code execution.
-
@graphmastur: OK, I see. So much for hope.... I still think we should at least TRY to factor the keys. After we're done, we're free forever! :)
@Lionel Debroux: Well, I must be really behind! :)
I still think it's BSD, or at least has some BSD parts in it. Lookie here:
http://www.google.com/#hl=en&q=usbd_start_next%3A+error%3D%25d&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=76ee7718c2ec583d
The interesting text is "usbd_start_next: error=%d". The google search above yields plenty of BSD source links. How isn't it BSD? ;)
This was found in the latest stock OS, 2.1. Line 8752 to be exact (after extracting phoenix.raw, and "strings"ing it).
And since you are the TiLP dev, could you look at these bugs?
http://sourceforge.net/tracker/?func=detail&aid=3018522&group_id=18378&atid=368378
http://sourceforge.net/tracker/?func=detail&aid=3018546&group_id=18378&atid=118378
I still think we should at least TRY - it's hard, seemingly impossible, but if you look at today's hardware - it's better!
1000s of computers doing this is pretty strong. If we crack this, we basically unlocked the biggest door to community hacking! :)
If it's really THAT bad, then maybe not. :P
@bwang: Ndless2 sounds dismal... so I thought that I should try to crack it and develop an exploit.
A little bit of general discoveries for now though.
@Silver Shadow: Downgrade protection removal is impossible without cracking the keys. (Which fuels my point for at least trying to crack it) The latest news seems to indicate that, so it's pretty bleak.
Machine code execution? Definitely something I'm aiming for. ;)
-
@bwang: Ndless2 sounds dismal... so I thought that I should try to crack it and develop an exploit.
A little bit of general discoveries for now though.
I still am confident that we will see Ndless 2.0 some day. Last I heard, progress had stopped, but not ended. Also, that was during the end of the school year, when progress on projects usually slows.
EDIT:100 Posts!!!! ;D
-
@apcalc: Well, we'll see. :) And happy 100 posts! ;)
-
Just wondering... does the TNS format need cracking?
-
Now that you mention it...
Do TiLP and TI-Connect freak out if you attempt to send a hacked TNS file (or its content) to a TI-Nspire/CAS? Is there a calc protection against that too?
I know if I rename the file to .zip, rar, 7z, tar.gz or tar, it says it's not a valid archive, so we can't do like with tno files, it seems. But I remember for the TI-73, 82, 85 and 92, you had to send a hacked RAM backup file to the calc to be able to run ASM on them.
-
From what I've read, the calc does get a little upset if you send it a ZIP file instead of its special compression format.
I don't know about software side though. (I played around with a friend's Nspire and unlocked its true potential with Ndless. He loved it. ;) )
Quite frankly, I would need a TI Nspire to really do some hacking, but I don't have one, and I don't think I'm going to beg for one here... :P
It's possible that a hacked TNS could open exploits for the calc.
The TNS contains XML files. The XML files are parsed by expat. (Version 1.95.8 for reference)
However.... expat doesn't really (at least not mentioned on their page) have any security issues.
A recent one is something to make it go loopity loop (infinite loop, aka DoS attack), which doesn't really seem helpful. :P
(Maybe hilarious to watch the Nspire freeze?)
-
@graphmastur: OK, I see. So much for hope.... I still think we should at least TRY to factor the keys. After we're done, we're free forever! :)
Well, we're not quite free. TI will find some way around it. Okay, so if you really want to try, you are most likely going to want to use the boinc project. There would have to be a custom server, because NFS won't do it. The current record is 768-bits made by the top experts in the field. This is 1024 bits. This would take absolutely forever. It's just not possible, without a better algorithm. So unless you find a better algorithm, then it is not going to work.
Oh well.
-
@graphmastur: The only way around it is releasing a new line of calculators. You can't just change the keys overnight and expect them to work on all the Nspire calcs.
I'm just suggesting ideas. I'm not the person who does this kind of stuff. I've started some preliminary prime number analysis, but otherwise, nothing much at all. Monsieur Debroux might be able to do it, but he, like you, is unwilling to. Just another random idea: rent Amazon/Sun Microsystems servers, and use that. :) (Of course, it has to be donation funded. Sun Microsystems does give free usage for some projects, but I doubt cracking RSA keys is one of them...)
(Sigh....)
It's actually quite interesting really. RSA cracking is basically finding 2 prime numbers that multiply each other to get a final number (which I think is the public key).
It's basically finding 2 numbers that multiply each other to give the final key.
It's kinda sad really that mathematics is the thing that's preventing all of this... :(
To anyone out there:
1) Does the TNS format still need cracking?
2) Which key on the Hackspire wiki do we need?
-
alberthrocks: I do look at the TILP bug tracker ;)
* http://sourceforge.net/tracker/?func=detail&aid=3018546&group_id=18378&atid=118378 -> this one looks simple, but it's not. It requires an awful lot of testing on all TI-Z80 models (there are subtle differences between models). One thing is sure, the 84+ USB linking code is brand-new code that accepts filenames different from those accepted by the legacy I/O linking code of other TI-Z80 calcs, and that's precisely why sending pictures to a 84+ does not work.
* http://sourceforge.net/tracker/?func=detail&aid=3018522&group_id=18378&atid=368378 -> all those are good ideas (he's not the first person to report some of them anyway), but there's no manpower.
-
@Lionel Debroux: Ahh, I see. Looks like you are part of the few who can't do much this summer! :(
Are you a math teacher by any chance? (I've heard that some people here are math teachers... which could explain why they are busy)
The CLI program might be OK to implement, but I'm not really familiar with the code. I'll see if I can write something. :)
Anyway, back on topic...
Is there any Nspire emulator that works on Linux and is compatible with the latest OS?
I've tried numerous times to get the emulator (windows, latest) to work, but it's pretty buggy.
-
@graphmastur: The only way around it is releasing a new line of calculators. You can't just change the keys overnight and expect them to work on all the Nspire calcs.
I'm just suggesting ideas. I'm not the person who does this kind of stuff. I've started some preliminary prime number analysis, but otherwise, nothing much at all. Monsieur Debroux might be able to do it, but he, like you, is unwilling to. Just another random idea: rent Amazon/Sun Microsystems servers, and use that. :) (Of course, it has to be donation funded. Sun Microsystems does give free usage for some projects, but I doubt cracking RSA keys is one of them...)
(Sigh....)
It's actually quite interesting really. RSA cracking is basically finding 2 prime numbers that multiply each other to get a final number (which I think is the public key).
It's basically finding 2 numbers that multiply each other to give the final key.
It's kinda sad really that mathematics is the thing that's preventing all of this... :(
I still think TI can find a way around it. After all, TI would not be happy with the keys being cracked.
It's not that we are unwilling to. We would all like nothing more than having full access to the Nspire. But unfortunately, it is highly unlikely.
Your best bet is a project called boinc. There is only one algorithm that is actually pretty successful right now at factoring numbers. Unless someone comes up with a better algorithm, which by all means please try, it isn't going to happen. We are unwilling, because right now, it would be a complete waste of time. So then, better algorithm... (new thread)
-
Oh, I missed the post of alberthrocks you're quoting.
The difficulty of factoring integers is not intuitive: for the task of factoring a 1024-bit number, we're too low on resources by orders of magnitude ;)
1) the naive trial factoring (TF) algorithm would require ~1e155 trial divisions, i.e. even more electrons. The trouble is, the estimated number of atoms in the universe is ~1e100, and the number of electrons is less than ten times that amount. That TF yields a factor in 1e13-1e20 steps is sooo extremely unlikely. My computers have performed ~3.1e12 trial divisions on the OS signing key, and I'm planning to let them perform up to ~1e13 trial divisions on the boot2 key - but going beyond that would be unreasonable.
2) we can't use the only not-completely-impractical algorithm, GNFS, because it requires a terrifying amount of computing power and storage space, and because we don't have the appropriate implementations. Let's just use the figures in the research paper detailing the factorization of RSA-768, made by the top researchers of the field:
* RSA-512 requires several gigabytes of storage space, it can nowadays be done in a home computer in a couple months (we confirm the numbers for the TI-Z80 and TI-68k keys);
* RSA-768 was, as written in the paper, a task several thousands times harder than RSA-512, and it required ~10 TB;
* RSA-1024 is said by the top researchers of the field to be a thousand times harder... see where that leads ?
And that's before I even mention that the factorization of RSA-768 was obtained through highly special algorithms and implementations (not made public), which are likely to require further improvements to scale up three orders of magnitude...
If you want more information, and a program that you can make your processors work on (it might, even if extremely unlikely, yield a miracle), read the entire http://www.omnimaga.org/index.php?action=printpage;topic=3639.0 topic. Use my version, and switch to the 0xc3b3... key.
And nope, I'm not a math teacher. I'd have more free time during the summer if I were.
-
@Lionel Debroux: Yikes. That's pretty big! :-o
But then again... wouldn't the likelihood that we would have to hit all the combinations be low?
Anyway, I've built GMP again (5.x version) for the compiler optimizations, and then compiled your app and executed it. :)
As you've said, it's all about chance.
Could you possibly code it so that if I hit CTRL-C (or hit a key to quit the program), it saves the key?
(I might be very much wrong - I think it's really random/dependent on the time, right?)
And it's unfortunate that you are that busy! I think critor was the guy I was thinking about that is a math professor...?
-
But then again... wouldn't the likelihood that we would have to hit all the combinations be low?
Unfortunately, no.
Could you possibly code it so that if I hit CTRL-C (or hit a key to quit the program), it saves the key?
It's possible, but harder (portability problems). I'm myself using CTRL + C and redirecting the output to a file, which enables me to resume using `cspire -r 0x...` the next time.
I think critor was the guy I was thinking about that is a math professor...?
Yes, critor is a math teacher indeed.
-
@Lionel Debroux: Oh ok. I'll be running it.... and at the same time, attempting to find exploits too.
-
I know if I rename the file to .zip, rar, 7z, tar.gz or tar, it says it's not a valid archive, so we can't do like with tno files, it seems. But I remember for the TI-73, 82, 85 and 92, you had to send a hacked RAM backup file to the calc to be able to run ASM on them.
IIRC the renaming problem arose because TI used a proprietary compressing algorithm. I could be wrong, though.
-
I know if I rename the file to .zip, rar, 7z, tar.gz or tar, it says it's not a valid archive, so we can't do like with tno files, it seems. But I remember for the TI-73, 82, 85 and 92, you had to send a hacked RAM backup file to the calc to be able to run ASM on them.
IIRC the renaming problem arose because TI used a proprietary compressing algorithm. I could be wrong, though.
You are very correct. The Hackspire wiki discusses that. Apparently there IS something to hide... :)
(See this: http://hackspire.unsads.com/wiki/index.php/TNS_File_Format)
-
Does anyone have Nspire OS 2.1 or OS 2.0 installed?
If so, could you please attach a TNS file in a reply to this topic?
Make sure that your TNS file has a text document inside it (or whatever it's called). Type something random inside it.
Then tell me what string you placed in the text document/note.
Thanks in advance! :)
-
Here you go!
-
I don't think that it is legal to post an OS, so if it is an os, please delete it.
-
It's not an OS, it is a ti-nspire document file.
-
That's a document that they're gonna use to figure out the .tns format
.tns is for documents, .tno for non-cas os's, and .tnc for cas os's
They're fine :)
Edit: ninja'd :P
-
@graphmastur: Not an OS. Heck, it's way too small to be an OS. I've never seen an OS that is 0.86 KBs! ;)
This is a TNS file, which is a TI-Nspire Document file.
Now, if I asked to post a TNO file, which is a TI-Nspire OS, that's illegal. (Obviously I would not do that. :) I have other sources...)
EDIT: Yikes! You guys are snappy posters! :-o
-
Wait, have we located where the protection is?
-
Protection in what? Right now we're trying to discover the .tns format, which is probably compressed in a proprietary manner as far as we know.
If you mean "how it works," then that's what we're doing
(Well, what they are doing ;))
-
I am clueless about a lot of this but out of reading I have been inspired.
If we need to rent a server from amazon or wherever I will be willing to donate some money (eg. 25-50 $)
-
Honestly, I don't think a server is necessary right now.
@graphmastur: Not an OS. Heck, it's way too small to be an OS. I've never seen an OS that is 0.86 KBs! ;)
This is a TNS file, which is a TI-Nspire Document file.
Now, if I asked to post a TNO file, which is a TI-Nspire OS, that's illegal. (Obviously I would not do that. :) I have other sources...)
EDIT: Yikes! You guys are snappy posters! :-o
Oh, yeah, didn't pay much attention to the size. Yeah, just making sure, and not enough paying attention. lol, sorry.
-
Wait, have we located where the protection is?
@qazz42: Protection? I'm not looking for that! :) The TI Nspire hackers right now are hunting for exploits, especially in the upgrade/downgrade area. I think right now they're foraging around in the diagnostic part of the TI Nspire.
(By the way, if you have one, DO NOT PRESS that "diagnostic key" where they ask you to install another image. Critor wants some of those images, so don't delete! :) )
Protection in what? Right now we're trying to discover the .tns format, which is probably compressed in a proprietary manner as far as we know.
If you mean "how it works," then that's what we're doing
(Well, what they are doing ;))
@calcdude84se: Correcto! :) That's exactly what we're trying to do. Why "we're"? Because:
1) The real hackers are doing some crazy stuff now with the Nspire (you might have seen it on this forum regarding diagnostics and such), and I'm just interested in poking around some code. :)
2) I'm just doing this out of curiosity and determination against TI. I unfortunately don't possess that much skill as critor and some of the other Nspire hackers out there have! Heck, I don't even have a Nspire to hack with! :(
3) I haven't learned high level math yet. (I will, don't worry!) But all this cracking and such does require some serious math to understand how (RSA) primes are factored.
4) Everyone's involved, not just me. I know there's other threads around here discussing ways as well, and you guys help me too! It's not only one, it's everyone! ;)
I am clueless about a lot of this but out of reading I have been inspired.
If we need to rent a server from amazon or wherever I will be willing to donate some money (eg. 25-50 $)
@happybobjr: You should be. Everyone should. It seems dismal (1028 bits IS nothing small), but I'd help crack it whether I win or lose. I'd rather lose trying than give up.
Save that for later. For now, you should look around in that long post for Lionel's post with a C++ source to do cracking. That's the best way for now. What OS do you have? I'll try compiling it for you if needed. I will (after I finish a personal, not-so-legal-unrelated-to-TI programming project) build a simple GUI for the cracker. At the same time, a thread (http://ourl.ca/6418/104329;topicseen#new) is currently discussing ways to do the prime factorization faster (basically, the way to crack RSA is to factor a large number into 2 big primes). If that goes through, you can then use your money to rent some Amazon servers to assist with calculations and such with the improved cracking formula.
Honestly, I don't think a server is necessary right now.
@graphmastur: Not an OS. Heck, it's way too small to be an OS. I've never seen an OS that is 0.86 KBs! ;)
This is a TNS file, which is a TI-Nspire Document file.
Now, if I asked to post a TNO file, which is a TI-Nspire OS, that's illegal. (Obviously I would not do that. :) I have other sources...)
EDIT: Yikes! You guys are snappy posters! :-o
Oh, yeah, didn't pay much attention to the size. Yeah, just making sure, and not enough paying attention. lol, sorry.
@graphmastur: Yup, no direct need for one unless you already own one, in which you can run the aforementioned program on it.
And don't worry about it. I know you were just being cautious. :) I too am kinda confused about the extensions and such.
=============================
Some updates...
A quick analysis from 7zip shows/confirms the stuff we already know:
(below paths are censored to prevent TI from intruding, since stuff in this particular directory is public, and with proper knowledge they can get in...)
arthur@arthur-PC:/media/WD/.../.../.../.../.../.../$ 7z l -slt *.zip
7-Zip 9.04 beta Copyright (c) 1999-2009 Igor Pavlov 2009-05-30
p7zip Version 9.04 (locale=en_US.utf8,Utf16=on,HugeFiles=on,1 CPU)
Listing archive: 2.0test.zip
----
Path = 2.0test.zip
Type = Zip
----------
Path = Document.xml
Folder = -
Size = 611
Packed Size = 309
Modified = 2010-07-22 20:21:02
Created =
Accessed =
Attributes = ....A
Encrypted = -
Comment =
CRC = 46CCE168
Method = 13
Host OS = FAT
Path = Problem1.xml
Folder = -
Size = 642
Packed Size = 347
Modified = 2010-07-22 20:21:02
Created =
Accessed =
Attributes = ....A
Encrypted = -
Comment =
CRC = 2F8F91DC
Method = 13
Host OS = FAT
Compression is something very hard to analyze, but my hope is that I'm able to find something, especially if TI's Nspire links with ZLIB for compression.
So, I've decided to compile ZLIB myself and see what they have in store:
arthur@arthur-PC:/media/WD/munchmunchnopeeking/zlib-1.2.5$ ~/example
zlib version 1.2.5 = 0x1250, compile flags = 0x55
uncompress(): hello, hello!
gzread(): hello, hello!
gzgets() after gzseek: hello!
inflate(): hello, hello!
large_inflate(): OK
after inflateSync(): hello, hello!
inflate with dictionary: hello, hello!
Interesting, eh?
Anyway, what I've done so far:
- Made reference compressions for a text file with the Nspire text inside
List: reftext.7z reftext.bz2 reftext.gz reftext.txt
7z = 7zip
bz2 = bunzip
gz = gunzip
txt = original
- Opened them all up with ghex2 for some bare analysis
That's all! Does anyone have any suggestions for how I should proceed?
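An added container inspector, not code from this thread, that ties together the note earlier in the thread that the .tno/.tnc files are PKZIPs with 63 header bytes and the 7-Zip listing above reporting "Method = 13": it locates the first zip local-file header in a blob, walks the entries by their local headers (so a fixed prefix does not throw the central-directory offsets off), and flags any compression method that is not a standard, publicly decompressible one. The sample .tno-like blob and the method-13 entry are constructed inline; the filenames are just the names seen in the thread.

```python
import io
import struct
import zipfile
import zlib

# Compression method ids from the PKWARE APPNOTE that standard tools can
# inflate.  Id 13 (what 7-Zip printed for the TNS entries) is not among
# them, which matches the thread's conclusion that TNS uses a proprietary
# method inside an otherwise ordinary zip container.
ZIP_METHODS = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2",
               14: "lzma", 98: "ppmd"}
LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, mtime, mdate, crc32,
# packed size, unpacked size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def find_zip_offset(blob: bytes) -> int:
    """Offset of the first local file header, or -1 if the blob has none."""
    return blob.find(LOCAL_SIG)


def walk_local_headers(blob: bytes) -> list:
    """Walk entries sequentially from the first signature.

    The central directory stores offsets relative to the archive start, so a
    fixed prefix (the 63 header bytes) makes those offsets wrong and trips up
    unzippers that trust it.  Chaining local headers avoids that entirely."""
    entries = []
    pos = find_zip_offset(blob)
    while (pos != -1 and pos + LOCAL_HDR.size <= len(blob)
           and blob[pos:pos + 4] == LOCAL_SIG):
        (_, _ver, flags, method, _mt, _md, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(blob, pos)
        name_start = pos + LOCAL_HDR.size
        name = blob[name_start:name_start + nlen].decode("utf-8", "replace")
        data_start = name_start + nlen + xlen
        entries.append({
            "offset": pos,
            "name": name,
            "method": method,
            "method_name": ZIP_METHODS.get(method, f"unknown({method})"),
            "packed": csize,
            "size": usize,
            "crc": f"{crc:08X}",
            "encrypted": bool(flags & 0x1),
        })
        if flags & 0x8:
            # Bit 3 set: sizes live in a trailing data descriptor, so the
            # local header alone cannot say where the next entry begins.
            break
        pos = data_start + csize
    return entries


def summarize(blob: bytes) -> dict:
    """Where the zip starts, how many leading bytes to strip, and whether a
    stock unzipper can actually decompress every entry."""
    offset = find_zip_offset(blob)
    entries = walk_local_headers(blob) if offset != -1 else []
    return {
        "zip_offset": offset,
        "entries": entries,
        "all_methods_standard": all(e["method"] in ZIP_METHODS
                                    for e in entries),
    }


def build_prefixed_zip(prefix_len: int = 63) -> bytes:
    """Constructed stand-in for a .tno: opaque header bytes, then a real zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TI-Nspire.img", b"constructed image payload " * 8)
        zf.writestr("TI-Nspire.cer", b"constructed certificate bytes")
    return b"\xA5" * prefix_len + buf.getvalue()


def build_method13_entry() -> bytes:
    """Constructed one-entry archive whose method id is 13, mimicking the
    Document.xml line in the 7-Zip listing.  The payload is arbitrary bytes,
    since no public tool knows how to inflate method 13."""
    payload = b"\x00\x11\x22\x33" * 8
    name = b"Document.xml"
    hdr = LOCAL_HDR.pack(LOCAL_SIG, 20, 0, 13, 0, 0,
                         zlib.crc32(payload) & 0xFFFFFFFF,
                         len(payload), 611, len(name), 0)
    return hdr + name + payload


if __name__ == "__main__":
    for sample in (build_prefixed_zip(), build_method13_entry()):
        print(summarize(sample))
```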
-
Does anyone have Nspire OS 2.1 or OS 2.0 installed?
If so, could you please attach a TNS file in a reply to this topic?
Make sure that your TNS file has a text document inside it (or whatever it's called). Type something random inside it.
Then tell me what string you placed in the text document/note.
Thanks in advance! :)
There is an nSpire text editor on TI-BANK, for a PC, though that may not support the 2.x format.
-
@fb39ca4: Really? Is there a link you could provide? It *might* be 1.x though, but I'll check.
-
Here:
http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=397
-
Here:
http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=397
OK, I've tried and unfortunately, it's an older version. :(
It seems that the TI community hasn't found the format yet.
See below screenshot.
Red is the file magic number (I think), which is highlighted by the program.
The rest (blue, green) are highlighted by me.
Blue is the header, green is the compressed data.
2.0test.tns is apcalc's TNS, with OS 2.0.
Binder1.tns is the TNS I produced from the program.
(Click to enlarge)
(http://dl.dropbox.com/u/1016340/NSPIRE2.1/TNSReverseEngineering/TNSHackingAnnotated-SMALL.png) (http://dl.dropbox.com/u/1016340/NSPIRE2.1/TNSReverseEngineering/TNSHackingAnnotated.png)
EDIT: Yikes! Looks like I forgot to censor out the directories... :P Oh well - TI still has no right to run around my public files! ;)
-
If you think you found the basic algorithm, perhaps you could do a diff of the two?
Just make sure your diff utility supports binary files ;)
-
@Lionel Debroux: Well, I must be really behind! :)
I still think it's BSD, or at least has some BSD parts in it. Lookie here:
http://www.google.com/#hl=en&q=usbd_start_next%3A+error%3D%25d&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=76ee7718c2ec583d
The interesting text is "usbd_start_next: error=%d". The google search above yields plenty of BSD source links. How isn't it BSD? ;)
This was found in the latest stock OS, 2.1. Line 8752 to be exact (after extracting phoenix.raw, and "strings"ing it).
You're right. Looking closer:
"*BSD"'s usbdi (and ehci) interface was introduced in OS 2.0 (apcalc points out that this could be required to support the docking station (http://education.ti.com/educationportal/sites/US/productDetail/us_nspire_docking_station.html)).
Some parts seem to be deeply adapted though.
This means that:
- TI would be in violation of the BSD license. The license requires that any distribution in binary form reproduce the copyright notice, conditions of distribution and disclaimer. I can't find these requirements.
- Understanding/hooking the USB stack and documenting the USB I/O ports may be easier thanks to this open interface
-
- TI would be in violation of the BSD license. The license requires that any distribution in binary form reproduce the copyright notice, conditions of distribution and disclaimer. I can't find these requirements.
so I smell a lawsuit? :o
-
Wait, so TI would have used someone else's code without crediting them/asking permission or what? This topic is a bit old so I kinda forgot the context of the latest discussion a bit. Does it mean TI could be in trouble?
-
Yes. But it would just be a matter of updating their "About" screen that already contains credits for other third-party components.
The second point is the most interesting for us.
-
irrelevant to recent discussion: I had a thought.
Could we use "TI-Nspire Computer Link" and disassemble it to find the rsa key?
-
No, all it does is copy over the files. If it does verify the os, it'll only need the public key.
-
The RSA private key is never ever ever used anywhere in the operating system, transfer links, or anything, because then it wouldn't be a private key. ;-)
-
OK, I think I understand.
-
The RSA private key is never ever ever used anywhere in the operating system, transfer links, or anything, because then it wouldn't be a private key. ;-)
Now if only they made it that easy ;D
But again hacking that stuff wouldn't be as fun for some people :P