Omnimaga

Calculator Community => Other Calculators => Topic started by: Lionel Debroux on June 07, 2012, 03:36:00 am

Title: Several fun facts about the Nspire family...
Post by: Lionel Debroux on June 07, 2012, 03:36:00 am
Hi,

Several fun events have occurred over the past few months in the Nspire family and its predecessor, the Nspire CAS+.
These events bear some potential and promise, and they are definitely worth explaining to a wider audience :)


1) news from the CAS+ series.

The Nspire CAS+ prototype series was made in a year before the regular Nspire series, in 2006. It's completely incompatible with regular Nspires. CAS+ handhelds were never supposed to be sold (after this series was scrapped, that is); however, dozens, probably hundreds, of items slipped from classrooms or teachers into the wild.
Their terrible "Nspire CAS+" name has made them a plague on the aftermarket since then, because they are easily mistaken by unsuspecting buyers for something more capable than the "Nspire CAS" calculators - while they are just old, non-upgradeable prototypes, with the lowest OS capabilities found on the Nspire series - that's not much !
And it's trivial to brick them, by triggering the "OS upgrade" procedure, which erases the OS. Scammed customers are even more unhappy after that...

On the one side, TI has not (yet ?) fixed the persistent problem of the CAS+ series on the marketplace; on the other side, several well-known members of the open development community have recently spent quite a bit of time on helping scammed customers, and managed to dump multiple OS versions suitable for the CAS+ series, and reconstruct OS images which make it possible to unbrick calculators (confirmed by fixing real CAS+ bricks) :)
As usual, the fact is that the open development community cares more about fellow users than TI does; but it's not too late for TI to do their part of the job...

It's a matter of time and motivation before native code runs on the CAS+ (making it possible to dump the boot1 and boot2), and possibly an emulator is made for it.
A noteworthy bit: we believe that it's possible to write to the boot1, i.e. to subvert the root trust of the calculator. In layman's terms, it means that the CAS+ ought to be able to host permanent installs of arbitrary OSes.

More information on the CAS+ breakthrough:
http://tiplanet.org/forum/viewtopic.php?f=43&t=9195
http://tiplanet.org/forum/viewtopic.php?f=43&t=9217
http://tiplanet.org/forum/viewtopic.php?f=43&t=9227

http://ourl.ca/15976
http://ourl.ca/16005
http://ourl.ca/16080


2) news from the Clickpad prototypes

Like the CAS+ prototypes, 2007 Clickpad prototypes slipped into the wild. Unlike the CAS+ prototypes, the Clickpad prototypes are fully compatible with production models. There are two known differences between prototypes and production models:
    * one track on the PCB (more on that later);
    * the RSA signing/validation keys are different, so prototypes won't accept production boot2 and OS.
Though easy to dump (they reply politely when the linking software asks them to send "../phoenix/install/TI-Nspire.tnc" - a schoolbook directory traversal vulnerability :D), Clickpad prototypes are as hard to upgrade as CAS+ prototypes, because TI doesn't provide OS builds suitable for them (it's just a matter of signing them with a different key !).
Clickpad prototypes are locked onto special OS builds; only the severely outdated 1.1.x and 1.2.x prototype versions are known to us, so again, there's potential for scamming customers.

Well, actually, they _used to be_ locked onto old OS versions: the boot1 of Clickpad prototypes is writable as well. It is therefore possible to permanently install production boot2 and OS, and thereby upgrade them to production status :)
critor made a detailed tutorial on this topic:
http://tiplanet.org/forum/archives_voir.php?id=4237
http://tiplanet.org/forum/viewtopic.php?f=43&t=8954

http://ourl.ca/15672

But upgrading prototype Clickpads to production status is just a special case of permanently installing arbitrary boot1, boot2 and OS on the calculator. Yes, even the CAS OS on the CAS-capable model sold as non-CAS, and/or an OS which doesn't obey PTT restrictions, as special, and inevitable, cases of the users' inalienable rights of running whatever software they see fit on the computing platforms they own.

Clickpad prototypes can trivially be smuggled into exams: not only are untrained exam personnel unlikely to notice the difference (even though most prototype models have a "TI-XXXXXXXXXX" mark on the front, and "PROTOTYPE NOT FOR SALE" + non-standard serial numbers on the back), but anyway, the hardware of a prototype Clickpad can easily be put into the casing of a production Clickpad, effectively hiding prototypes.
It would be harder to smuggle CAS+ items into exams unnoticed, because those don't look like regular Clickpads; that said, I bet that untrained exam personnel could be fooled.


3) news from the production Clickpads

Unlike that of Clickpad prototypes, the boot1 of production Clickpads is not directly writable. It's because the PCB track which makes it possible to act on the WE# pin of the SST39WF400A NOR Flash chip, visible on the prototype PCB, does not exist on the production PCB.

But chances are that it doesn't matter: adding an equivalent wire between the main R/Wbar line of the Nspire's bus (found e.g. onto the appropriate pin of the Zevio processor, and onto other places of the PCB) and the WE# pin, thereby making the boot1 writable, may work. Then, people can proceed to subvert the root trust of the calculator, so as to be able to permanently install arbitrary boot2 and OS, and exercise their full user rights on the platform :)


4) news from the Touchpads and Lab Cradles

Touchpad Nspires do not have an external NOR Flash chip for the boot1, so we assume that the boot1 is embedded into the Zevio processor. That said, there has to be a way to program it into the processor, as part of the calculator production process: either very early on, by the manufacturer, during the production of the Zevio chip, or later by the user of the Zevio chip (TI).

A related fact is that while Lab Cradles use a Zevio chip with the same name as Touchpad Nspires, they contain an external EN39SL800 NOR Flash chip. See http://tiplanet.org/forum/viewtopic.php?f=43&t=9251 . For obvious cost reasons, few manufacturers add unnecessary hardware / PCB tracks on their boards... so the presence of an external NOR Flash chip means that the Lab Cradles' Zevio supports an external NOR Flash.

Grafting an external NOR Flash chip onto Touchpad calculators, if at all possible, is expected to be highly impractical, as it requires significant equipment and expertise.


5) news from Clickpads, Touchpads, CX (and undoubtedly CM).

Ndless 3.1 can be installed on a calculator in a resident way; one of the capabilities of Ndless 3.1 is to launch programs at OS startup, before most of the OS's code runs.
Like the rest of the developments mentioned here, it's perfectly legal, and besides, it fulfills interesting purposes, such as hot-fixing TI's bugs, e.g. the removal of the useful serial port output in Lua, reverted by the teamwork of open development community members ( http://tiplanet.org/forum/viewtopic.php?t=8931 and http://ourl.ca/15649 ).

Obviously, Ndless doesn't care about not working at all in PTT mode; if it did, checks for the PTT mode would be easily removed, and the modified versions would be easily distributed, so it's completely pointless to add such checks.
As a result:
* since OSLauncher for Ndless 3.1 works (more or less) in startup mode ( http://tiplanet.org/forum/viewtopic.php?f=43&t=9235 ), it's harder to disable than the first iteration (for Ndless 1.7/2.0), last year, was;
* since the PTT implementation itself proves to be fairy dust, it's trivially subverted. See for instance http://ourl.ca/16356 .

Unsurprisingly, the Nspire's so-called protection is just as much of a laughingstock as the 84+'s protection. It is fundamentally impossible to make a foolproof protection, and the lower the cost and complexity, the worse the protection.
Like on the 84+, it's _technically_ possible to defeat the PTT and to install a CAS-capable OS on some Nspire models. But these possibilities didn't get the 84+ banned from the ACT and IB, so there's no reason why the Nspire series should be banned.
That said, since the incompetents who regulate standardized tests freaked out about OSLauncher in 2011, though it was clearly perfectly harmless (because its effect went away by just rebooting into PTT mode), who knows what they would do this time...



You might think that this is an avalanche, but on the contrary, the truth is that programmers and users have barely scratched the surface :)
When TI's repeated egregious violations of our basic user rights to do whatever we want with the hardware we own have _really_ angered people, the Nspire series will go the way of the PS3, and it won't be pretty.
As I told them months ago (I spent the equivalent of two full-time days to write stuff for them - as expected, I failed to convince them, but at least, I'll have tried), all of that could be avoided with TI Education showing respect to its paying customers, who make that division rich enough...


Lionel.
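An added example, not part of Lionel's post and not the Nspire link service's own code: the kind of server-side path confinement check that rejects the "../phoenix/install/TI-Nspire.tnc" request quoted in section 2. The document root, the function names and the sample batch of requests are assumptions constructed for the example.

```python
import posixpath

# Constructed virtual root for the files a link service may hand out (assumption).
DOCUMENT_ROOT = "/documents"


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the document root."""


def resolve_requested_path(requested: str, root: str = DOCUMENT_ROOT) -> str:
    """Map a client-supplied path onto `root`, rejecting escapes. Purely lexical
    (no filesystem access): join onto the root, collapse '.' and '..' segments,
    then require the result to be the root itself or to lie strictly below it."""
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslashes as separators too, so "..\\" cannot bypass the check.
    cleaned = requested.replace("\\", "/")
    # posixpath.join drops the root for absolute requests; normpath then
    # resolves '..' segments, so "/documents/../phoenix/x" becomes "/phoenix/x".
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversalError(f"request escapes document root: {requested!r}")
    return candidate


def is_safe_request(requested: str, root: str = DOCUMENT_ROOT) -> bool:
    """Boolean form of the check, for filtering requests or logging attempts."""
    try:
        resolve_requested_path(requested, root)
        return True
    except PathTraversalError:
        return False


def flag_traversal_attempts(requests):
    """Return those requests in a batch that would escape the root."""
    return [r for r in requests if not is_safe_request(r)]


if __name__ == "__main__":
    # Constructed batch of link requests; the first is the exact path quoted
    # in the post above, the last two are benign.
    sample = ["../phoenix/install/TI-Nspire.tnc", "/phoenix/install/TI-Nspire.tnc",
              "Examples/Getting Started.tns", "scratch/../notes.tns"]
    for r in flag_traversal_attempts(sample):
        print("rejected:", r)
```

The prefix check uses `root + "/"` rather than `root` alone so that a sibling directory such as `/documents2` is not mistaken for a path under `/documents`.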
Title: Re: Several fun facts about the Nspire family...
Post by: Jim Bauwens on June 07, 2012, 04:23:53 am
Interesting post :)

Title: Re: Several fun facts about the Nspire family...
Post by: Lionel Debroux on September 16, 2012, 01:48:58 am
See also http://ourl.ca/17037 .
Title: Re: Several fun facts about the Nspire family...
Post by: Sorunome on September 16, 2012, 04:08:19 am
Very interesting stuff :)