Author Topic: Let's hack Nspire OS 2.1!  (Read 17686 times)

0 Members and 1 Guest are viewing this topic.

Offline alberthrocks

  • Moderator
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 876
  • Rating: +103/-10
    • View Profile
Let's hack Nspire OS 2.1!
« on: July 16, 2010, 10:31:30 pm »
I'm frankly pissed at TI, so I've decided to get hacking! :)

This method is different. I'm not interested in finding a way to crash the OS (and from there, develop a hack).
Instead, I'll take the other way instead - hacking with the original firmware/OS update instead!

Of course:

1) I have ZERO knowledge of how this works and such, but I'll use what I know to hack it
2) This isn't a one person project - anyone can join in! :)
3) You will not be able to download anything I have. You can follow along, but to keep TI from sending crazy
DMCA takedowns, I will NOT post links.


So, let's get started!

======================
Downloading the cursed update
I've downloaded the official, evil update from TI's website.
If you are downloading this, PLEASE, disconnect your Nspire(s) from the computer!
You never know if TI's going to try auto-updating your calc...   :o



...and it's done.


Into the mysterious world of TI Nspire OS Updates...

Now, there's a forum that gave me a interesting hint on opening these update files:

Quote
The tnc and tno files are PKZIPs with 63 header bytes. Some unzippers will unzip them unmodified. Inside are a .img and .cer file. The .img is a zip with other stuff in it as well. I have only managed to extract the .img with Peazip (Windows version runs in wine/darwine -- the source looks like a bitch to compile). Inside it seems to only be factory default settings (which are in a .xml in a .zip), 6 language localizations, and in the non-CAS version, parts of the 84+ ROM (I can only identify the user archive -- has several language localization apps, as well as language-local versions of at least StudyCards and Periodic). The rest of the .img (about 4/5 of it) seems to be the actual code part of the OS. I haven't spent much time examining it yet. It may or may not be compressed and/or encrypted. I certainly haven't tried to ID the processor yet.

So, renaming to ZIP did it:


And of course, it opened:


The files:


Into Pandora's box

Let's examine the files:


Ignore the dBase files. I'm still trying to figure out what they are.
The TI-Nspire file is interesting. I renamed that to a zip and opened it:


So... what exactly IS inside of these folders?
phoenix/clnk/locales/en/strings.res contains... strings (??) about class logins:
(note: this is strings extracted from the binary)
Code: [Select]
Login to Class
Transfer Status
Session Info
Class not started.
Receiving file...
Destination Folder:
User Name:
Password:*
Class has ended, you have been logged out.'
There are no pending items to transfer.
Transfer completed successfully.
Close
Login
Login Failed,
Unrecognized user for current class session.+
Communication failed. Check the connection.
Class type mismatch.
Wrong username or password.7
Username must be between 3 and 12 characters in length.7
Password must be between 3 and 12 characters in length.
Login attempt failed.
Wrong device type.
 is already logged in.
You are logged in as user:
Login Successful
 is logged in.
Not logged in.
Network:  
Wireless cradle is not attached.
Connecting to AP.
Connected to AP.
Connected to Network.
Network Error.
Recharge cradle immediately.

Anyway, that's all I have for now. I'll keep you guys updated! :)

Albert
« Last Edit: July 16, 2010, 10:31:56 pm by alberthrocks »
Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/


Proud member of ClrHome!

Miss my old signature? Here it is!
Spoiler For Signature:
Alternate "New" IRC post notification bot (Newy) down? Go here to reset it! http://withg.org/albert/cpuhero/

Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/

Activity remains limited due to busyness from school et al. Sorry! :( Feel free to PM, email, or if you know me well enough, FB me if you have a question/concern. :)

Don't expect me to be online 24/7 until summer. Contact me via FB if you feel it's urgent.


Proud member of ClrHome!

Spoiler For "My Projects! :D":
Projects:

Computer/Web/IRC Projects:
C______c: 0% done (Doing planning and trying to not forget it :P)
A_____m: 40% done (Need to develop a sophisticated process queue, and a pretty web GUI)
AtomBot v3.0: 0% done (Planning stage, may do a litmus test of developer wants in the future)
IdeaFrenzy: 0% done (Planning and trying to not forget it :P)
wxWabbitemu: 40% done (NEED MOAR FEATURES :P)

Calculator Projects:
M__ C_____ (an A____ _____ clone): 0% done (Need to figure out physics and Axe)
C2I: 0% done (planning, checking the demand for it, and dreaming :P)

Offline apcalc

  • The Game
  • CoT Emeritus
  • LV10 31337 u53r (Next: 2000)
  • *
  • Posts: 1393
  • Rating: +120/-2
  • VGhlIEdhbWUh (Base 64 :))
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #1 on: July 16, 2010, 10:37:59 pm »
What is your goal in doing this? To find a way to execute ASM programs.  (I am sorry if you had this in your post, I may have missed it).

I was just wondering, can you add/delete/modify files in the .tno file in the program you are using to extract these files.  I am using 7-zip (on Windows 7) and I can access all of these files, but I cannot add/delete/modify them.


Offline alberthrocks

  • Moderator
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 876
  • Rating: +103/-10
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #2 on: July 16, 2010, 10:52:56 pm »
@apcalc: I would assume that if you were interested, you would know what the goal is. ;)
It is to indeed, execute community apps/programs. For Nspire, it's more or less C programs,
but can be ASM too.

I'm not sure about that though. You could go inside the file and muck around and attempt to replace files.
« Last Edit: July 16, 2010, 10:53:39 pm by alberthrocks »
Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/


Proud member of ClrHome!

Miss my old signature? Here it is!
Spoiler For Signature:
Alternate "New" IRC post notification bot (Newy) down? Go here to reset it! http://withg.org/albert/cpuhero/

Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/

Activity remains limited due to busyness from school et al. Sorry! :( Feel free to PM, email, or if you know me well enough, FB me if you have a question/concern. :)

Don't expect me to be online 24/7 until summer. Contact me via FB if you feel it's urgent.


Proud member of ClrHome!

Spoiler For "My Projects! :D":
Projects:

Computer/Web/IRC Projects:
C______c: 0% done (Doing planning and trying to not forget it :P)
A_____m: 40% done (Need to develop a sophisticated process queue, and a pretty web GUI)
AtomBot v3.0: 0% done (Planning stage, may do a litmus test of developer wants in the future)
IdeaFrenzy: 0% done (Planning and trying to not forget it :P)
wxWabbitemu: 40% done (NEED MOAR FEATURES :P)

Calculator Projects:
M__ C_____ (an A____ _____ clone): 0% done (Need to figure out physics and Axe)
C2I: 0% done (planning, checking the demand for it, and dreaming :P)

Offline TC01

  • LV6 Super Member (Next: 500)
  • ******
  • Posts: 344
  • Rating: +9/-0
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #3 on: July 16, 2010, 11:42:07 pm »
Perhaps also, you could find what causes the upgrade to lock out OS downgrading?

I was just wondering, can you add/delete/modify files in the .tno file in the program you are using to extract these files.  I am using 7-zip (on Windows 7) and I can access all of these files, but I cannot add/delete/modify them.

As a 7-zip user, I downloaded it (even though I don't have an Nspire, I just wanted to see if it would work) to see if I could open it. I found renaming the *.tno and the *.img files to *.7z allowed me to open/extract/edit them fine.

I'm on my XP laptop at the moment so I don't know if it works on Windows 7, though.



The userbars in my sig are links embedded links.

And in addition to calculator (and Python!) stuff, I mod Civilization 4 (frequently with Python).

Offline alberthrocks

  • Moderator
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 876
  • Rating: +103/-10
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #4 on: July 17, 2010, 12:01:16 am »
On my Ubuntu, p7zip is installed, so it was able to open and extract it. (p7zip is the linux version of 7zip.)

I'm not really sure about finding the causes though. That requires decrypting and extracting the OS
(and decompiling it too!), so I'm not sure.

If you want to know what the hackers are up to, check out this:
http://www.unitedti.org/forum/index.php?showtopic=8191&st=800

They are far up ahead than me. ;)
Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/


Proud member of ClrHome!

Miss my old signature? Here it is!
Spoiler For Signature:
Alternate "New" IRC post notification bot (Newy) down? Go here to reset it! http://withg.org/albert/cpuhero/

Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/

Activity remains limited due to busyness from school et al. Sorry! :( Feel free to PM, email, or if you know me well enough, FB me if you have a question/concern. :)

Don't expect me to be online 24/7 until summer. Contact me via FB if you feel it's urgent.


Proud member of ClrHome!

Spoiler For "My Projects! :D":
Projects:

Computer/Web/IRC Projects:
C______c: 0% done (Doing planning and trying to not forget it :P)
A_____m: 40% done (Need to develop a sophisticated process queue, and a pretty web GUI)
AtomBot v3.0: 0% done (Planning stage, may do a litmus test of developer wants in the future)
IdeaFrenzy: 0% done (Planning and trying to not forget it :P)
wxWabbitemu: 40% done (NEED MOAR FEATURES :P)

Calculator Projects:
M__ C_____ (an A____ _____ clone): 0% done (Need to figure out physics and Axe)
C2I: 0% done (planning, checking the demand for it, and dreaming :P)

Offline Ancient Power

  • LV3 Member (Next: 100)
  • ***
  • Posts: 45
  • Rating: +0/-0
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #5 on: July 17, 2010, 01:46:52 am »
If you're modifying the OS, how do you plan to send an unsigned patched version to the device?  :)

Offline Lionel Debroux

  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2135
  • Rating: +290/-45
    • View Profile
    • TI-Chess Team
Re: Let's hack Nspire OS 2.1!
« Reply #6 on: July 17, 2010, 01:55:46 am »
You're reinventing the wheel, alberthrocks. Use (and expand if you can find new things) the information already posted at http://hackspire.unsads.com ;)
Between other things, how the upgrade locks out OS downgrading has been documented for more than 24 hours already, on UTI, and cross-posted at least to TI-Bank and yAronet: http://www.unitedti.org/forum/index.php?showtopic=8191&view=findpost&p=141968 :)
« Last Edit: July 17, 2010, 05:09:47 am by Lionel Debroux »
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TILP and TIEmu.
Co-admin of TI-Planet.

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55941
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Let's hack Nspire OS 2.1!
« Reply #7 on: July 17, 2010, 01:40:39 pm »
Btw, Critor has been trying to figure out how to remove the downgrade protection as well on TI-BANK at http://tibank.forumactif.com/actualites-f25/os-21-sorti-t5803-60.htm

Use Google language tools.

Offline TC01

  • LV6 Super Member (Next: 500)
  • ******
  • Posts: 344
  • Rating: +9/-0
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #8 on: July 17, 2010, 02:01:28 pm »
If you open up the Nspire OS with a text editor (without using 7-zip or some other program to extract the files contained within), you can clearly see the minimum OS version (in plain text, not even in hex).

Could you change it to "1.1.9523", save, and send to your calculator? Based on ExtendeD's and Goplat's posts on UTI, I assume this would work presuming you haven't already sent 2.1 to your calculator- unless of course it invalidates the OS in some way.



The userbars in my sig are links embedded links.

And in addition to calculator (and Python!) stuff, I mod Civilization 4 (frequently with Python).

Offline Lionel Debroux

  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2135
  • Rating: +290/-45
    • View Profile
    • TI-Chess Team
Re: Let's hack Nspire OS 2.1!
« Reply #9 on: July 17, 2010, 02:15:06 pm »
Quote
Could you change it to "1.1.9523", save, and send to your calculator?
TI is not that stupid ;)
Even after recreating the encrypted version of the 8020 field (critor did in http://tibank.forumactif.com/actualites-f25/os-21-sorti-t5803-60.htm , referencing a post by ExtendeD on UTI), the whole file is signed by a 1024-bit RSA key. That key contained in the TI-Nspire.cer file, which is itself signed with a 1024-bit RSA key...
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TILP and TIEmu.
Co-admin of TI-Planet.

Offline alberthrocks

  • Moderator
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 876
  • Rating: +103/-10
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #10 on: July 17, 2010, 10:37:01 pm »
@Ancient Power: My goal is to disassemble it and find bugs that way. ;)

@Lionel Debroux: Wow.... well, I'm certainly behind! :-o I'll look into it.
It seems though that nobody in the UnitedTI forums noticed (nor in the Wiki) that the Nspire OS is BSD based.

Also... in theory, couldn't the boot1 be extracted and used to find the keys?
RSA is public/private key based - it should be decrypting it with the private key.
Finding the private key can lead to the public key...?

BTW, are you the TiLP developer by any chance?

@DJ Omnimaga: I've looked into that. I don't think it'll work, since it's bound to break CRC/MD5/SHA1/whatever checks.
(And possibly the 1028 bit RSA key encryption too!)

And some French will do me some good. ;) I take French, and I think it's a cool language! :) (Je pense français est très super!)

EDIT: Wow... unfortunately, I was right about the process not working. :(

@TC01: I wish it was that way. I'm pretty sure there are some interesting checks that they put in (listed above).
« Last Edit: July 17, 2010, 10:39:38 pm by alberthrocks »
Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/


Proud member of ClrHome!

Miss my old signature? Here it is!
Spoiler For Signature:
Alternate "New" IRC post notification bot (Newy) down? Go here to reset it! http://withg.org/albert/cpuhero/

Withgusto Networks Founder and Administrator
Main Server Status: http://withg.org/status/
Backup Server Status: Not available
Backup 2/MC Server Status: http://mc.withg.org/status/

Activity remains limited due to busyness from school et al. Sorry! :( Feel free to PM, email, or if you know me well enough, FB me if you have a question/concern. :)

Don't expect me to be online 24/7 until summer. Contact me via FB if you feel it's urgent.


Proud member of ClrHome!

Spoiler For "My Projects! :D":
Projects:

Computer/Web/IRC Projects:
C______c: 0% done (Doing planning and trying to not forget it :P)
A_____m: 40% done (Need to develop a sophisticated process queue, and a pretty web GUI)
AtomBot v3.0: 0% done (Planning stage, may do a litmus test of developer wants in the future)
IdeaFrenzy: 0% done (Planning and trying to not forget it :P)
wxWabbitemu: 40% done (NEED MOAR FEATURES :P)

Calculator Projects:
M__ C_____ (an A____ _____ clone): 0% done (Need to figure out physics and Axe)
C2I: 0% done (planning, checking the demand for it, and dreaming :P)

Offline jnesselr

  • King Graphmastur
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2270
  • Rating: +81/-20
  • TAO == epic
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #11 on: July 17, 2010, 10:52:51 pm »
RSA keys can be used in a few ways.  One of which is encryption/decryption.  Another one is validation.  Say I have a program called "TEST".  I produce a checksum on TEST, and then use my private key to encrypt it.  I distribute TEST with it's encrypted checksum and public key.  Then, if a person wants to make sure my program TEST is really from me and unmodified then they use the included public key and do their own checksum of the program, and then encrypt it.  If the two encrypted checksums match, then the program is said to be valid.

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55941
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Let's hack Nspire OS 2.1!
« Reply #12 on: July 17, 2010, 11:05:18 pm »
And some French will do me some good. ;) I take French, and I think it's a cool language! :) (Je pense français est très super!)
I agree it can be good to know multiple languages, even if not perfectly. In the TI community case, the 2nd most popular language is French, followed by Dutch, with German lagging far behind.

Anyway, sadly I am not into low level stuff, so I wouldn't be able to help much, unless it was to factor a key or something, I would be happy to put my two computers to contribution. I wish you guys (and girls?) good luck on hacking the OS or the calc

Offline Lionel Debroux

  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2135
  • Rating: +290/-45
    • View Profile
    • TI-Chess Team
Re: Let's hack Nspire OS 2.1!
« Reply #13 on: July 18, 2010, 02:48:21 am »
Quote
It seems though that nobody in the UnitedTI forums noticed (nor in the Wiki) that the Nspire OS is BSD based.
Perhaps because it is not BSD-based, AFAWCT ? ;)
The boot2 and the OS (at least up to 2.0.x) are based on Nucleus. Hundreds of symbols for OS 1.7.2741 have been posted at http://www.yaronet.com/posts.php?s=125502 , and packed together (for easier use) into a privately-distributed file.

Quote
Also... in theory, couldn't the boot1 be extracted and used to find the keys?
The boot1 was extracted months ago.

Quote
Finding the private key can lead to the public key...?
For our purposes, it's the reciprocal way: factoring the public key leads to the private key. But while this was possible (and even quite easy) for the 512-bit RSA keys of TI-Z80 and TI-68k calculators, this is outright impossible at the moment for 1024-bit RSA keys used in Nspire calcs. See http://ourl.ca/6236

Quote
BTW, are you the TiLP developer by any chance?
Yes, I am the current TILP maintainer.

Quote
@DJ Omnimaga: I've looked into that. I don't think it'll work, since it's bound to break CRC/MD5/SHA1/whatever checks.
(And possibly the 1028 bit RSA key encryption too!)
Here, it's signature, not encryption, as explained by graphmastur; and factoring 1024-bit RSA keys is not practical, even with GNFS, see the topic I linked to :)
« Last Edit: July 18, 2010, 02:58:24 am by Lionel Debroux »
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TILP and TIEmu.
Co-admin of TI-Planet.

Offline bwang

  • LV7 Elite (Next: 700)
  • *******
  • Posts: 634
  • Rating: +30/-11
    • View Profile
Re: Let's hack Nspire OS 2.1!
« Reply #14 on: July 18, 2010, 03:09:56 am »
Wait, what exactly are we trying to do here?
We can already execute machine code on OS 1.1, and Ndless 2 is rumored to function on OS 1.7, so barring future downgrade protection, Ndless 2 will bring with it the ability to execute unsigned applications on all versions of the Nspire hardware.
Or are we trying to remove the downgrade protection from 2.1?
Or are we just brainstorming general discoveries?