Omnimaga

Calculator Community => Other Calculators => Topic started by: critor on March 17, 2011, 02:58:43 pm

Title: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 02:58:43 pm: After being silent for more than 4 years as if they were under NDA, less than a hour ago a TI-Nspire CAS+ "talked" for the 1st time in the World!

Code: [Select]
Boot Loader Stage 1 (1.0.526) Build: 2006/8/11, 6:25:18 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Last boot progress: 10514 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Loading DIAGS software... Error reading/validating DIAGS image Loading BOOT2 software... 99% BOOT1: loading complete (924 ticks), launching image. Boot Loader Stage 2 (1.0.526) Build: 2006/8/11, 6:29:51 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Initializing graphics subsystem. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A Initializing USB and networking. Initializing filesystem. Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=60132 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) Filesystem ready. -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Loading Operating System... 100% BOOT2: loading complete (3272 ticks), launching image. Beginning system initialization. Preparing file system... Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=58930 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) File system ready. phoenix dhcp server w/ VOODOO built 12-Jul-2006 (start at 545) phoenix enum server built 12-Jul-2006 phoenix dhcp hook fwd w/ VOODOO built 12-Jul-2006 (start at 545) System build date: Aug 28 2006, 18:55:11 Available memory: 25803332 bytes Launching system... phoenix file mgt server built 12-Jul-2006 (start at 645) pn-srv2-636: pol_init = 0

Notice it is not using the "developer keys", but the "production keys"... :hyper:

If you need a picture for a news, you can take this (http://i63.servimg.com/u/f63/13/23/13/53/img_6110.jpg).

Next step: flashing a production TI-Nspire CAS boot2.
Title: Re: The 1st step into CAS+ flashing
Post by: Happybobjr on March 17, 2011, 03:04:09 pm: What exactly does this mean. I am not skilled with this kind of thing.
Title: Re: The 1st step into CAS+ flashing
Post by: Eeems on March 17, 2011, 03:09:24 pm: Wow! Can't wait for more
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 17, 2011, 03:13:25 pm: I really think the BOOT2 will not work, especially considering this "OMAP5912" business. The hardware is compmletely different between OMAPs and the Zevio... (and TI-Nspire CAS+ probably is an OMAP - I found an unused function in boot1 that appears to be left over from OMAP)
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 03:20:08 pm: Don't worry Goplat: I have something like 10 TI-Nspire CAS+ with either OS 1.0.554 either OS 1.0.526.

I can brick some of them by trying to flash a Boot2, an OS, or a diags through RS232.
(but I'm pretty sure a newer production OS won't work without flashing a newer production Boot2, as the OS is not located at the same place in the filesystem).
Title: Re: The 1st step into CAS+ flashing
Post by: alberthrocks on March 17, 2011, 03:22:10 pm: Basically, the debug interface has finally been unlocked, and now what used to be only seen in the emulator is now seen directly from the hardware! ;) Flashing refers to rewriting the whole OS (and potentially the BOOT2), allowing us to use the *entire* hardware! :D

(I might be wrong - please correct me if that is the case.)
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 03:26:50 pm: The debug interface had allready been unlocked (check HackSpire), but never on a TI-Nspire CAS+ to my knowledge.

As far as I know, this only lets you reflash:
- the OS
- the boot2
- the diags software

It seems boot1 can be reflashed, but only through the diags software.
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 17, 2011, 03:44:23 pm: critor,
Try the key sequence to bring up the diags menu.
You indicated nothing happened on another post, and you had to reboot.
Does this bring up the Datalight shell ?
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 07:29:30 pm: Quote from: bsl on March 17, 2011, 03:44:23 pm
critor,
Try the key sequence to bring up the diags menu.
You indicated nothing happened on another post, and you had to reboot.
Does this bring up the Datalight shell ?

No... The calculator just does not turn on and I have to remove the batteries.
Note according to the above log, there is no valid diags image on this CAS+.

But, I've managed to get the boot log of 2 rare older CAS+ prototypes (loan from DataMath.org).

You should have a look as it could help us to understand more on the CAS+, and to dump them some day.

Boot1/Boot2 1.0.491 (2006/7/26):
Code: [Select]
Boot Loader Stage 1 (1.0.491) Build: 2006/7/26, 5:55:51 Copyright (c) 2006 Texas Instruments Incorporated Last boot progress: 10600 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A Loading DIAGS software... Error reading/validating DIAGS image Loading BOOT2 software... 99% BOOT1: loading complete (933 ticks), launching image. Boot Loader Stage 2 (1.0.491) Build: 2006/7/26, 5:59:39 Copyright (c) 2006 Texas Instruments Incorporated Initializing graphics subsystem. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A Initializing USB and networking. Initializing filesystem. Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=58353 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) Filesystem ready. Loading Operating System... 100% BOOT2: loading complete (3036 ticks), launching image. Beginning system initialization. Preparing file system... Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=60132 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) File system ready. phoenix dhcp server w/ VOODOO built 12-Jul-2006 (start at 559) phoenix enum server built 12-Jul-2006 phoenix dhcp hook fwd w/ VOODOO built 12-Jul-2006 (start at 559) System build date: Jul 27 2006, 05:55:34 Available memory: 25789100 bytes Launching system... phoenix file mgt server built 12-Jul-2006 (start at 659) pn-srv2-632: pol_init = 0It seems similar, although the developer/production keys aren't mentionned this time.

And the oldest known CAS+ prototype with boot1/boot2 built on Feb 27 2006:
Code: [Select]
Boot Loader Stage 1 Build: Feb 27 2006, 18:04:35 Copyright (c) 2006 Texas Instruments Incorporated System clock: 78 MHZ SDRAM memory test: Data (ticks=0) Addr (ticks=1) Fill (ticks=5) Test (ticks=11) Pass (ticks=17) Checking for NAND: NAND Flash ID: ST Micro NAND256W3A Launching BOOT2 software... 100% BOOT1 complete. Boot Loader Stage 2 Build: Feb 27 2006, 18:06:34 Copyright (c) 2006 Texas Instruments Incorporated Initializing graphics subsystem. NAND Flash ID: ST Micro NAND256W3A Initializing filesystem. Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=59276 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) FlashFX SDK License ID #57363077 Filesystem ready. 100% Beginning system initialization. Preparing file system... Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=59365 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) FlashFX SDK License ID #57363077 File system ready. Unpacking data... Creating directory phoenix Unpacking file phoenix/components Creating directory phoenix/ctlg Unpacking file phoenix/ctlg/CtrlCtlg.sav Creating directory phoenix/ctlg/locales Creating directory phoenix/ctlg/locales/da Unpacking file phoenix/ctlg/locales/da/strings.res Creating directory phoenix/ctlg/locales/de Unpacking file phoenix/ctlg/locales/de/strings.res Creating directory phoenix/ctlg/locales/en Unpacking file phoenix/ctlg/locales/en/2dtemplates.res Unpacking file phoenix/ctlg/locales/en/all.res Unpacking file phoenix/ctlg/locales/en/math.res Unpacking file phoenix/ctlg/locales/en/strings.res Unpacking file phoenix/ctlg/locales/en/units.res Creating directory phoenix/ctlg/locales/fr Unpacking file phoenix/ctlg/locales/fr/strings.res Creating directory phoenix/ctlg/locales/it Unpacking file phoenix/ctlg/locales/it/strings.res Creating directory phoenix/ctlg/locales/no Unpacking file phoenix/ctlg/locales/no/strings.res Unpacking file phoenix/ctlg/NormCtlg.sav Creating directory phoenix/dcol Creating directory phoenix/dcol/locales Creating directory phoenix/dcol/locales/da Unpacking file phoenix/dcol/locales/da/strings.res Creating directory phoenix/dcol/locales/de Unpacking file phoenix/dcol/locales/de/strings.res Creating directory phoenix/dcol/locales/en Unpacking file phoenix/dcol/locales/en/icons.res pn-srv6-423: nuc_init usb Unpacking file phoenix/dcol/locales/en/strings.res Creating directory phoenix/dcol/locales/fr Unpacking file phoenix/dcol/locales/fr/strings.res Creating directory phoenix/dcol/locales/it Unpacking file phoenix/dcol/locales/it/strings.res Creating directory phoenix/dcol/locales/no Unpacking file phoenix/dcol/locales/no/strings.res Creating directory phoenix/dlog Creating directory phoenix/dlog/locales Creating directory phoenix/dlog/locales/da Unpacking file phoenix/dlog/locales/da/strings.res Creating directory phoenix/dlog/locales/de Unpacking file phoenix/dlog/locales/de/strings.res Creating directory phoenix/dlog/locales/en Unpacking file phoenix/dlog/locales/en/strings.res Creating directory phoenix/dlog/locales/fr Unpacking file phoenix/dlog/locales/fr/strings.res Creating directory phoenix/dlog/locales/it Unpacking file phoenix/dlog/locales/it/strings.res Creating directory phoenix/dlog/locales/no Unpacking file phoenix/dlog/locales/no/strings.res Creating directory phoenix/geog Creating directory phoenix/geog/locales Creating directory phoenix/geog/locales/da Unpacking file phoenix/geog/locales/da/strings.res Creating directory phoenix/geog/locales/de Unpacking file phoenix/geog/locales/de/strings.res Creating directory phoenix/geog/locales/en Unpacking file phoenix/geog/locales/en/icons.res pn-srv6-431: nuc_init net Unpacking file phoenix/geog/locales/en/strings.res Creating directory phoenix/geog/locales/fr Unpacking file phoenix/geog/locales/fr/strings.res Creating directory phoenix/geog/locales/it Unpacking file phoenix/geog/locales/it/strings.res Creating directory phoenix/geog/locales/no Unpacking file phoenix/geog/locales/no/strings.res Creating directory phoenix/math Creating directory phoenix/math/locales Creating directory phoenix/math/locales/da Unpacking file phoenix/math/locales/da/strings.res pn-srv6-444: nuc_init dev N=1 Creating directory phoenix/math/locales/de Unpacking file phoenix/math/locales/de/strings.res Creating directory phoenix/math/locales/en Unpacking file phoenix/math/locales/en/strings.res Creating directory phoenix/math/locales/fr Unpacking file phoenix/math/locales/fr/strings.res Creating directory phoenix/math/locales/it Unpacking file phoenix/math/locales/it/strings.res Creating directory phoenix/math/locales/no Unpacking file phoenix/math/locales/no/strings.res Creating directory phoenix/ntpd Creating directory phoenix/ntpd/locales Creating directory phoenix/ntpd/locales/da Unpacking file phoenix/ntpd/locales/da/strings.res Creating directory phoenix/ntpd/locales/de Unpacking file phoenix/ntpd/locales/de/strings.res Creating directory phoenix/ntpd/locales/en Unpacking file phoenix/ntpd/locales/en/icons.res Unpacking file phoenix/ntpd/locales/en/strings.res Creating directory phoenix/ntpd/locales/fr Unpacking file phoenix/ntpd/locales/fr/strings.res Creating directory phoenix/ntpd/locales/it Unpacking file phoenix/ntpd/locales/it/strings.res Creating directory phoenix/ntpd/locales/no Unpacking file phoenix/ntpd/locales/no/strings.res Creating directory phoenix/scpd Creating directory phoenix/scpd/locales Creating directory phoenix/scpd/locales/da Unpacking file phoenix/scpd/locales/da/strings.res Creating directory phoenix/scpd/locales/de Unpacking file phoenix/scpd/locales/de/strings.res Creating directory phoenix/scpd/locales/en Unpacking file phoenix/scpd/locales/en/icons.res Unpacking file phoenix/scpd/locales/en/strings.res Creating directory phoenix/scpd/locales/fr Unpacking file phoenix/scpd/locales/fr/strings.res Creating directory phoenix/scpd/locales/it Unpacking file phoenix/scpd/locales/it/strings.res Creating directory phoenix/scpd/locales/no Unpacking file phoenix/scpd/locales/no/strings.res Creating directory phoenix/syst Unpacking file phoenix/syst/localenames Creating directory phoenix/syst/locales Creating directory phoenix/syst/locales/da Unpacking file phoenix/syst/locales/da/dialogs.res Unpacking file phoenix/syst/locales/da/imechars.res Creating directory phoenix/syst/locales/da/sampledocuments Unpacking file phoenix/syst/locales/da/sampledocuments/Kom godt i gang.tns Creating directory phoenix/syst/locales/da/settings Unpacking file phoenix/syst/locales/da/settings/factory.zip Unpacking file phoenix/syst/locales/da/strings.res Creating directory phoenix/syst/locales/de Unpacking file phoenix/syst/locales/de/dialogs.res Unpacking file phoenix/syst/locales/de/imechars.res Creating directory phoenix/syst/locales/de/sampledocuments Unpacking file phoenix/syst/locales/de/sampledocuments/Erste Schritte.tns Creating directory phoenix/syst/locales/de/settings Unpacking file phoenix/syst/locales/de/settings/factory.zip Unpacking file phoenix/syst/locales/de/strings.res Creating directory phoenix/syst/locales/en Unpacking file phoenix/syst/locales/en/dialogs.res Unpacking file phoenix/syst/locales/en/icons.res Unpacking file phoenix/syst/locales/en/imechars.res Creating directory phoenix/syst/locales/en/sampledocuments Unpacking file phoenix/syst/locales/en/sampledocuments/Getting Started.tns Creating directory phoenix/syst/locales/en/settings Unpacking file phoenix/syst/locales/en/settings/factory.zip Unpacking file phoenix/syst/locales/en/strings.res Creating directory phoenix/syst/locales/fr Unpacking file phoenix/syst/locales/fr/dialogs.res Unpacking file phoenix/syst/locales/fr/imechars.res Creating directory phoenix/syst/locales/fr/sampledocuments Unpacking file phoenix/syst/locales/fr/sampledocuments/Prise en main rapide.tns Creating directory phoenix/syst/locales/fr/settings Unpacking file phoenix/syst/locales/fr/settings/factory.zip Unpacking file phoenix/syst/locales/fr/strings.res Creating directory phoenix/syst/locales/it Unpacking file phoenix/syst/locales/it/dialogs.res Unpacking file phoenix/syst/locales/it/imechars.res Creating directory phoenix/syst/locales/it/sampledocuments Unpacking file phoenix/syst/locales/it/sampledocuments/Guida introduttiva.tns Creating directory phoenix/syst/locales/it/settings Unpacking file phoenix/syst/locales/it/settings/factory.zip Unpacking file phoenix/syst/locales/it/strings.res Creating directory phoenix/syst/locales/no Unpacking file phoenix/syst/locales/no/dialogs.res Unpacking file phoenix/syst/locales/no/imechars.res Creating directory phoenix/syst/locales/no/sampledocuments Unpacking file phoenix/syst/locales/no/sampledocuments/Komme i gang.tns Creating directory phoenix/syst/locales/no/settings Unpacking file phoenix/syst/locales/no/settings/factory.zip Unpacking file phoenix/syst/locales/no/strings.res Creating directory phoenix/syst/settings Creating directory phoenix/tblt Creating directory phoenix/tblt/locales Creating directory phoenix/tblt/locales/da Unpacking file phoenix/tblt/locales/da/dialogs.res Unpacking file phoenix/tblt/locales/da/strings.res Creating directory phoenix/tblt/locales/de Unpacking file phoenix/tblt/locales/de/dialogs.res Unpacking file phoenix/tblt/locales/de/icons.res Unpacking file phoenix/tblt/locales/de/strings.res Creating directory phoenix/tblt/locales/en Unpacking file phoenix/tblt/locales/en/dialogs.res Unpacking file phoenix/tblt/locales/en/icons.res Unpacking file phoenix/tblt/locales/en/strings.res Creating directory phoenix/tblt/locales/fr Unpacking file phoenix/tblt/locales/fr/dialogs.res Unpacking file phoenix/tblt/locales/fr/strings.res Creating directory phoenix/tblt/locales/it Unpacking file phoenix/tblt/locales/it/dialogs.res Unpacking file phoenix/tblt/locales/it/strings.res Creating directory phoenix/tblt/locales/no Unpacking file phoenix/tblt/locales/no/dialogs.res Unpacking file phoenix/tblt/locales/no/strings.res Finished unpacking. System build date: May 1 2006, 15:15:42 Launching system... Datalight Command Shell for Nucleus A:�‘¤œ‘Ì˜">
This one seems much different.
It's running the antic OS 1.0.1.0.334T built on May 1 2006.

* Note the OS seems to be unpacked at each boot.

* Note there is no DHCP messages this time. I cannot exchange data through USB, neither with the Computer Link 1.0 (it doesn't find the calculator, and the network CAS+ interface is failing getting an IP), neither with other CAS+ calculators (no error message, the "Send" menu item seems to be "fake"...)

* Strangely, a phoenix directory is mentionned, although it is not visible on later CAS+ which are only listing the following folders:
/
/phx
/phx/documents
/phx/tmp

* Where is the OS? There's nothing in the above folders (except /phx/documents), but the file system capacity is 27.8Mb, and more than 5Mb are used...
- Hidden directories?
- Something related to the bad blocks reported in previous logs?

* At the end of this last boot, Datalight shell is mentionned, and I'm getting something which could look like a prompt, although I'm in the (very buggy) OS, and although I didn't press any special key.

Goplat, Bsl, everybody... At this point, your guess can be as good as mine.
We might succeed at flashing/dumping, but it will be together.

Thanks for reading.
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 17, 2011, 08:39:29 pm: Does the really old one allow you to enter commands into the command shell via RS232? It would be so awesome if it let you dump that OS to RS232 with "TYPE /phoenix/install/TI-Nspire.tnc" (or wherever it's located on the CAS+... some exploration using the DIR command might be necessary)
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 17, 2011, 08:48:18 pm: critor,
Try this:
As the system is rebooting enter "+++" and return
This is the Hayes modem control sequence to break into command mode , which
hopefully is the shell .
If this does'nt work I will work offline with you on this.
Before there was high speed Internet, there were the days of RS232 and modem commands.
There is a key sequence to break into x-modem file transfer , but its been a while since I have done this.
Look for "modem control sequences" online to learn more.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 08:56:24 pm: I can enter commands on my oldest CAS+.
Tried "dir", "ls" and things like that, but only got things like:

Code: [Select]
A:Ôœ‘dœ‘—">01 00:00:50.000 0 | Initializing xmlrpc library A:Ôœ‘dœ‘—"> A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Error = -1 A:Ôœ‘dœ‘—"> Error = -1 A:Ôœ‘dœ‘—">
What should I type?
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 17, 2011, 09:03:42 pm: Looks promising, at least! You can type "?" or "help" for a list of commands. Maybe the current directory name has gotten corrupted (explaining the weird prompt), so try "cd A:\" to fix that.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 09:04:20 pm: "dir" command isn't showing anything interesting in the A: drive.
Moreover, there seems to be some problem with the folder names encoding...

But I can access a "c:" drive:

Code: [Select]
A:Ôœ‘dœ‘—">01 00:00:50.000 0 | Initializing xmlrpc library A:Ôœ‘dœ‘—"> A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Error = -1 A:Ôœ‘dœ‘—"> Error = -1 A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> A:Ôœ‘dœ‘—"> Command not found! A:Ôœ‘dœ‘—"> Error = -3003 A:Ôœ‘H,o> Error = -1 A:”œ‘dœ‘Ø†X®> Error = -3003 A:> Error = -3003 A:> A:> Command not found! A:> A:> A:> Command not found! A:> Command not found! A:> Command not found! A:> A:> Error = -3003 A:> Error = -3003 A:> Command not found! A:> A:> A:> Error = -3003 A:Žœ‘> C:\> 1980-01-01 00:00:00 <Dir> tmp 1980-01-01 00:00:00 <Dir> dev 1980-01-01 00:00:00 <Dir> phoenix 1980-01-01 00:00:00 <Dir> documents 1980-01-01 00:00:00 <Dir> logs 1980-01-01 00:00:00 <Dir> widgets Free Space: 18773504 bytes C:\> C:\phoenix\> 1980-01-01 00:00:00 <Dir> . Free Space: 18773504 bytes C:\phoenix\> C:\> C:\dev\> 1980-01-01 00:00:00 <Dir> . Free Space: 18773504 bytes C:\dev\> C:\> 1980-01-01 00:00:00 <Dir> tmp 1980-01-01 00:00:00 <Dir> dev 1980-01-01 00:00:00 <Dir> phoenix 1980-01-01 00:00:00 <Dir> documents 1980-01-01 00:00:00 <Dir> logs 1980-01-01 00:00:00 <Dir> widgets Free Space: 18773504 bytes C:\> C:\tmp\> 1980-01-01 00:00:00 <Dir> . Free Space: 18773504 bytes C:\tmp\> C:\> C:\documents\> 1980-01-01 00:00:00 <Dir> . Free Space: 18773504 bytes C:\documents\> C:\> 1980-01-01 00:00:00 <Dir> tmp 1980-01-01 00:00:00 <Dir> dev 1980-01-01 00:00:00 <Dir> phoenix 1980-01-01 00:00:00 <Dir> documents 1980-01-01 00:00:00 <Dir> logs 1980-01-01 00:00:00 <Dir> widgets Free Space: 18773504 bytes C:\> Error = -3024 C:\> Command not found! C:\> C:\logs\> 1980-01-01 00:00:00 <Dir> . Free Space: 18773504 bytes C:\logs\> C:\> C:\widgets\> 1980-01-01 00:00:00 <Dir> . Free Space: 18773504 bytes C:\widgets\> C:\> 1980-01-01 00:00:00 <Dir> tmp 1980-01-01 00:00:00 <Dir> dev 1980-01-01 00:00:00 <Dir> phoenix 1980-01-01 00:00:00 <Dir> documents 1980-01-01 00:00:00 <Dir> logs 1980-01-01 00:00:00 <Dir> widgets Free Space: 18773504 bytes C:\>

There are interesting folders, but nothing inside apparently...
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 09:09:54 pm: (sorry for double-posting)

No there are things in the folders.
They're just hidden.

Have a look:
Code: [Select]
C:\phoenix\> C:\phoenix\install\> 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 639280 devfiletree.zip 1980-01-01 00:00:00 17 manifest Free Space: 18773504 bytes C:\phoenix\install\>
I don't think it's big enough to be the OS though.

Unfortunately, "?" or "help" aren't triggering anything (unknown commands).
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 17, 2011, 09:10:32 pm: Actually, this is a command shell bug that shows up even on the production TI-Nspire - directories appear empty even when they're not.

Anyway, check if you can use the TYPE command to dump a file.
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 17, 2011, 09:15:31 pm: Now extend Goplat's earlier idea:
copy /phoenix/install/TI-Nspire.tnc /phx/documents/examples/OS.tns
and transfer through USB :)

or something similar
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 09:16:16 pm: Strangely, the /phoenix/install directory is not empty.

Code: [Select]
C:\phoenix\install\> 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 639280 devfiletree.zip 1980-01-01 00:00:00 17 manifest Free Space: 18773504 bytes
The "dir" and "cd" commands are working up to now.

Do you know other commands?

Edit: I can use the type command to get the content of a file.

Code: [Select]
C:\phoenix\install\> 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 639280 devfiletree.zip 1980-01-01 00:00:00 17 manifest Free Space: 18773504 bytes C:\phoenix\install\> devfiletree.zip C:\phoenix\install\>
"manifest" seems to only contain "devfiletree.zip".

"type devfiletree.zip" is giving me lots of system characters, starting with "PK".
But unfortunately, HyperTerminal history is not big enough...
Title: Re: The 1st step into CAS+ flashing
Post by: JonimusPrime on March 17, 2011, 09:17:50 pm: PK is part of the zip file header so that is expected with a zip.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 09:18:35 pm: Quote from: bsl on March 17, 2011, 09:15:31 pm
Now extend Goplat's earlier idea:
copy /phoenix/install/TI-Nspire.tnc /phx/documents/examples/OS.tns
and transfer through USB :)

Err....

It's the oldest CAS+ prototype.
I haven't managed to transfer anything through USB, neither with TI-Nspire Computer Link 1.0, nor with other CAS+ calculators.

I suppose there is no USB link protocol implemented in this OS.
(using the "send" menu item just returns immediatly, without any error...)
Title: Re: The 1st step into CAS+ flashing
Post by: ztrumpet on March 17, 2011, 09:25:26 pm: Oh, this looks cool. Great job, critor, Goplat, and bsl. :D
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 09:30:28 pm: Wait... the zip file is not yet in my computer...

Seems the type command can't be used to get the whole content of the file, as there are many escape characters (carriage return, new line, clear screen...)

Strangely, I cannot go back to the "a:" drive (error -3003).

I'm getting "error -3003" for "b:" and "d:" drives.
Starting from "e:" drive, I'm getting "command not found".

So, any way to get the content of this zip file without usb ?

Could some other terminal software with a big enough history be used to show "exactly" (any binary mode ?...) what the type command displays?
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 17, 2011, 09:46:33 pm: I just checked out the type command in the current boot2 - it reads 1023 bytes at at a time, and prints using printf, so if the file has any 00 bytes it'll lose data. :(! Stupid Datalight programmers. They didn't even do printf("%s", buffer), they did printf(buffer), so if there are %s's in the file it'll likely crash (this is not exploitable, unfortunately).
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 09:55:51 pm: Any command to trigger a Xmodem file transfer in DataShell ? . . .

If only DataShell was launched automatically like that on more recent CAS+...
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 17, 2011, 10:19:00 pm: I may be leading you astray
try +++ at the hyperterminal prompt
you might start xmodem transfer.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 10:20:53 pm: Quote from: bsl on March 17, 2011, 10:19:00 pm
I may be leading you astray
try +++ at the hyperterminal prompt
you might start xmodem transfer.

Sorry, I forgot to mention.
Unrecognized command... :(
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 17, 2011, 10:28:04 pm: I found a post with a list of commands (don't know if it is complete) of the Datalight shell from Boot2 1.4:

Quote
~~? - Display help~~
APPEND - Appends data from the console to a file
CD - Change the current directory
Check - Check a Reliance disk
COMPARE - Compare the contents of two files
CompTest - Run the Reliance for Nucleus compatibility test
COPY - Copy a file
CREATE - Create a file
DCLTEST - Execute the DCL unit tests
DEL - Delete a file
DIR - Display a directory listing
EXIT - Exit the shell
FlashFXCheck - Check the spare unit on disk
FlashFXDiskInfo - Display FlashFX information
FlashFXDump - Dump a FlashFX disk image
FlashFXImage - Read or write a FlashFX disk
FlashFXRemount - Remount a disk
FlashFXStressMT - Execute the Multi-threaded VBF unit test
FlashFXTestFMSL - Execute the FMSL unit test
FlashFXTestVBF - Execute the VBF unit test
Format - Format a disk
FSIOTEST - Execute the File System I/O tests
GetTrans - Display the transaction mode
~~HELP - Display help~~
MD - Make a directory
RD - Remove a directory
REN - Rename a file
SetTrans - Set the transaction mode
Show - Display information of a Reliance disk
Test - Run the Reliance test suite
TIME - Display the current time
TYPE - Display the contents of a file on the console
WRITE - Write to a file using console input

I've striked what didn't work for me.
In bold, what worked.
The rest is untested.

Anything interesting? Anything dangerous?
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 17, 2011, 10:42:02 pm: FlashFxDump of course. :)
Do this first:
FlashFxDump /?
Then go from there
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 18, 2011, 06:08:50 am: I don't think it's that important, but I've missed something at the end of my oldest bootlog:

Code: [Select]
Launching system... Datalight Command Shell for Nucleus A:�‘¤œ‘H>01 00:00:50.000 0 | Initializing xmlrpc library
As more recent CAS+ are only listing through USB and Computer Link modified code:
/
/phx/
/phx/documents/
/phx/tmp/

I'm wondering if this is related to those A: and C: drives.

Maybe this is the A: drive content, and "/phx/documents" and "/phx/tmp" folders are only links to the "/phoenix/documents" and "/phoenix/tmp" folders from the C: drive.

Maybe, those uninteresting folders are in A:.
If we could add the "C:" prefix in this code, maybe...

If possible, any idea about the Computer Link syntax for that?
"c:/..." ?
"/c/..." ?
"/c:/..." ?
Title: Re: The 1st step into CAS+ flashing
Post by: ExtendeD on March 18, 2011, 08:31:03 am: Maybe you could try to brute force the interface to find out the different commands.
Scripting this shouldn't be too difficult.
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 18, 2011, 11:39:15 am: The usual UNIX xmodem commands are:
sx - xmodem send file
rx - xmodem receive file

Datalight ROMDOS manual uses TRANSFER
TRANSFER /S -- send
TRANSFER /R -- receive
see: http://www.rtd.com/NEW_manuals/software/cpumodules/ROMDOS_manual.pdf

On the shell try either:
C:\> sx /b C:\phoenix\install\devfiletree.zip
or
C:\> transfer /S C:\phoenix\install\devfiletree.zip

If this succeeds then on hyperterminal:
Transfer->Receive File->Place received file in the following folder <= select the name of the file to save as
also set the protocol:
Transfer->Receive File->Using receiving protocol->Xmodem
Then hit the Receive button
Title: Re: The 1st step into CAS+ flashing
Post by: Compynerd255 on March 18, 2011, 12:22:22 pm: Okay, this sounds really cool. So, if I understand properly, this is all being viewed from the CAS+ calculator screen? Or is it being viewed from a computer? No matter what it is, it still sounds really cool that you can get down into the calc system on such a base level. I hope to see cool programs on the nSpire soon!
Title: Re: The 1st step into CAS+ flashing
Post by: willrandship on March 18, 2011, 01:43:26 pm: It's from a PC. If you've ever used an arduino, it's like the serial console in the IDE (in fact, it's exactly the same :P)
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 18, 2011, 02:08:08 pm: Hi!

I've done other tests today.

The CAS+ driver is very different from the final driver.
It seems to setup some virtual local "USB" network.

As you could see in "recent" CAS+ logs, there is some kind of a DHCP server on the calculator.

For example, if I plug a recent CAS+, I'm getting a new peripheral: "Texas Instruments Remote NDIS Network Devices". I'm getting a new network connection, which aumatically gets its IP (for example, it can get 172.16.80.29, with 255.255.255.252 mask).

I mentionned there was no trace of it in the oldest CAS+ log.
Allow me to correct: the DHCP server is there but is not launched automatically.
It is launched when you plug the USB for the 1st time.

When I plug my oldest CAS+, the "Texas Instruments Remote NDIS Network Devices" does appear, but fails at getting an IP.
After a long time, it gets by default the bad 169.254.145.44 IP address.

TI-Nspire Computer Link 1.0 isn't finding anything.

Here's the log, when I plug the USB for the 1st time (takes some time):

Code: [Select]
C:\>pn-srv6-457: nuc_init, release the hounds 01 00:23:23.000 0 | Waiting for next RPC call... pn-srv6-463: nuc_init done pn-srv6-333: msg Q id = 8 pn-srv6-1073: bound dhcp-wake [127.0.0.1:10005] to 1 pn-srv6-1073: bound dhcp-req [0.0.0.0:67] to 2 phoenix dhcp server built 25-Apr-2006 running pn-srv6-1193: usb insert 2,0,14 pn-srv6-1073: bound dhcp-ans [172.16.46.58:68] to 4 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=4, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=4, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 phoenix enum server built 25-Apr-2006 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=4, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-1073: bound dhcp-ans [172.16.177.46:68] to 8 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-1073: bound dhcp-ans [172.16.50.34:68] to 9 pn-srv6-821: ready to reply(hh=9, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68
If I unplug the USB, I get:

Code: [Select]
C:\>pn-srv6-1116: usb notify (0) 2,0,9 pn-srv6-1286: usb remove 2,0,9
If I replug the USB, I get:
Code: [Select]
pn-srv6-1116: usb notify (0) 2,0,9 pn-srv6-1286: usb remove 2,0,9 pn-srv6-1116: usb notify (0) 2,0,9 pn-srv6-1286: usb remove 2,0,9 pn-srv6-1116: usb notify (1) 2,0,9 pn-srv6-1193: usb insert 2,0,9
I've tried to force 172.16.80.29 as an IP address.
TI-Nspire Computer Link 1.0 doesn't find any calculator, but is taking more time looking for them...

Has somebody any idea of the problem?

The zip file from /phoenix/install is in the documents folder.
If I can just transfer one file, we can start looking into the OS.

Other various informations:

The "check" command is working:
Code: [Select]
check c: relFs_Check v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Checking 27M Byte drive C: Checking critical meta blocks.................................OK Checking indices..............................................OK Checking all directory contents and inodes....................OK Checking allocation map.......................................OK Checking for stranded blocks..................................OK relFs_Check completed. Volume Information: 29,188,096 bytes in volume 11,594,240 bytes in 238 files 66,048 bytes in 102 directories 34,304 bytes system overhead 17,493,504 bytes available for use 512 bytes per block 57,008 total blocks in volume 34,167 blocks available
The "show" command is working too:
Code: [Select]
show c: Datalight Reliance v2.00 Build 0451 Copyright (c) 2003 - 2005 Datalight, Inc. Settings for Volume 'c:' Drive number: 2 Total file/directory handles: 30 Handles in use: 0 Physical Disk Info Sector size: 512 Total sectors: 57008 Logical Disk Info Block size: 512 Total blocks: 57008 Used blocks: 22866 Free blocks: 34142 Transaction points: 7945 Transaction flags: 0x0FA7 Driver Settings: Maximum logical block size: 65536 Cache size: 256Kb Buffers: 456 Buffer size: 512 Write gather size: 16Kb Timed Transactions: Disabled Discards: Enabled Supported by this volume Initial table size: 1024 Current table size: 1024 Dynamic Growth: Disabled Byte order: Big Endian Character mode: ASCII Case sensitivity: Off C:\phoenix\install\>show a: Datalight Reliance v2.00 Build 0451 Copyright (c) 2003 - 2005 Datalight, Inc. Drive "a:" is not open. Error = -3003 C:\phoenix\install\>show b: Datalight Reliance v2.00 Build 0451 Copyright (c) 2003 - 2005 Datalight, Inc. Drive "b:" is not open. Error = -3003
"time" command is working too:
Code: [Select]
C:\phoenix\install\>time Jan 01 00:12:20 1980
The following commands are unknown:
* exit
* sx
* rx
* transfer
* flashfxdump
* flashfxdiskinfo

You've read all this?
You deserve a little photo:

Spoiler For Spoiler:
(http://i63.servimg.com/u/f63/13/23/13/53/caspda11.jpg)
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 18, 2011, 04:28:30 pm: Quote from: critor on March 18, 2011, 02:08:08 pm
I've tried to force 172.16.80.29 as an IP address.
TI-Nspire Computer Link 1.0 doesn't find any calculator, but is taking more time looking for them...
What if you put in the IP address that appears in the rs232 log after "dhcp-ans"?

Edit:
Quote
Byte order: Big Endian
More evidence of the CAS+ hardware being different from the TI-Nspire and TI-Nspire CAS (which are little-endian)...
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 18, 2011, 04:58:08 pm: See if any of these commands work:

dump /?
comm /?
ned /?
rsz /?
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 18, 2011, 06:02:57 pm: I'm going to try all that.

I've used another terminal, and was able to get the complete hexadecimal output (including raw control/escape characters) from the "type devfiletree.zip" command.

As mentionned previously, there is no 0x00 byte in the file, meaning each time a 0x00 byte is encoutered, the rest of the read buffer is skipped/lost.

The success rate is very low: I only got 29Kb of data (the file is 624Kb).

In fact, I mainly got the system messages, and allmost no code I suppose.
So I'm attaching the file publicly, as I think there is no problem with such a bad allmost text-only file.

But if you think I'm wrong, just tell me.

Anything interesting in this file?

Would there be any command to segment files?
We might be able to get more data like that...
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 19, 2011, 01:09:11 pm: Quote from: bsl on March 18, 2011, 04:58:08 pm
See if any of these commands work:

dump /?
comm /?
ned /?
rsz /?

None worked.

By the way, I'm now able to flash boot2 images in RS232 (only tested on TI-Nspire / TI-Nspire CAS for now).

I know what test you're all waiting for... :P
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 12:41:01 pm: I'm back on the TI-Nspire CAS+.

Today, I can finally answer you about flashing.

I've taken a standard TI-Nspire CAS+ with boot1/boot2 1.0.526.

Using Menu+Enter+B and Menu+Enter+G, I've tried to flash developer & production basic/CAS TI-Nspire boot2 & diags.

Diags flashing:
Code: [Select]
Boot Loader Stage 1 (1.0.526) Build: 2006/8/11, 6:25:18 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Last boot progress: 1 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Keypad request - installing DIAGS software... Erasing old DIAGS image. Ready to download DIAGS software... Begin XMODEM file transfer. Updating DIAGS image. DIAGS image has been updated. Restarting now. Boot Loader Stage 1 (1.0.526) Build: 2006/8/11, 6:25:18 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Last boot progress: 15474 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Loading DIAGS software... 20%Error reading/validating DIAGS image Loading BOOT2 software...
Boot2 flashing:
Code: [Select]
Boot Loader Stage 1 (1.0.526) Build: 2006/8/11, 6:25:18 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Last boot progress: 1 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Ready to download BOOT2 image... Begin XMODEM file transfer. Erasing old BOOT2 image. Updating BOOT2 image. BOOT2 image has been updated. Restarting now. Boot Loader Stage 1 (1.0.526) Build: 2006/8/11, 6:25:18 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Last boot progress: 15474 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Loading DIAGS software... Error reading/validating DIAGS image Loading BOOT2 software... 20%Error reading/validating BOOT2 image Error loading BOOT2, looking for pre-installed images. Checking for DIAGS image in pre-install area. No DIAGS image found. Checking for BOOT2 image in pre-install area. No BOOT2 image found. Error loading BOOT2, install new version. Checking battery level. Battery level is OK. Ready to download BOOT2 software... Begin XMODEM file transfer.

The RSA production keys used on the TI-Nspire CAS+ seem different from both RSA developer and production keys used on basic/CAS TI-Nspire.

Which mean we won't be able to flash a 1.1 OS before many years.

But it's still interesting to dig into the CAS+ in order to:
- dump boot1/boot2/OS
- be able to update boot2/OS
- be able to reinstall boot2/OS if they are damaged
- develop a compatible Ndless version
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 22, 2011, 01:06:08 pm: Critor,
When you get a chance - on the older calculator enter these commands:
Code: [Select]
C:\phoenix\> type components C:\phoenix\syst\> dir C:\phoenix\syst\locales\en\>dir C:\phoenix\syst\locales\>dir C:\phoenix\syst\locales\>type copysamplesThe shell has a command for creating files:
C:\documents\examples\> write test.tns 5
<Enter 5 characters then hit return>

I was able to enter control characters, but this is limiting to entering a whole binary file like loader.tns :)
Can you also type this command:
C:\documents\examples\>showcopyrights
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 01:20:04 pm: Bsl, here is what you've asked for:

Code: [Select]
C:\phoenix\>type components ctlg dcol dlog geog math ntpd scpd syst tblt C:\phoenix\>cd syst C:\phoenix\syst\>dir 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 109 localenames 1980-01-01 00:00:00 <Dir> locales 1980-01-01 00:00:00 <Dir> settings 1980-01-01 00:00:00 66 docbrowser.data 1980-01-01 00:00:00 1140 imechars.res Free Space: 17480704 bytes C:\phoenix\syst\>cd locales C:\phoenix\syst\locales\>dir 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 <Dir> da 1980-01-01 00:00:00 <Dir> de 1980-01-01 00:00:00 <Dir> en 1980-01-01 00:00:00 <Dir> fr 1980-01-01 00:00:00 <Dir> it 1980-01-01 00:00:00 <Dir> no Free Space: 17480704 bytes C:\phoenix\syst\locales\>type copysamples Error = -1 C:\phoenix\syst\locales\>cd en C:\phoenix\syst\locales\en\>dir 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 1090 dialogs.res 1980-01-01 00:00:00 56008 icons.res 1980-01-01 00:00:00 <Dir> settings 1980-01-01 00:00:00 6154 strings.res 1980-01-01 00:00:00 1284 imechars.res 1980-01-01 00:00:00 <Dir> sampledocuments Free Space: 17480704 bytes C:\phoenix\syst\locales\en\>showcopyrights Command not found! C:\phoenix\syst\locales\en\>
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 22, 2011, 01:40:39 pm: strings.res is about half the size of the other prototypes, even 1.7320.
Try: c:\>type strings.res
The reason for "showcopyrights" was a possible second shell exists that might have this command.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 02:02:53 pm: Here what the "type" command is showing me for "string.res":

Code: [Select]
C:\phoenix\syst\locales\en\>type strings.res tionains a file named 'åðŸåðŸåðŸå�˜ ™™™™™(¡P¡'. Do you want to replace it?ion is managing data collection; if you wish to collect data within TI-Nspire please close TI-Nspire and the other data collection application then restart TI-Nspire.etry OS upgrade.(remember the type command is buggy, unfortunately...)
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 02:35:33 pm: I'm back on the production TI-Nspire CAS+with boot1/boot2 1.0.526.

All those who have tried the maintenance menu on their TI-Nspire CAS+ (Menu+Enter+P) ended up with the OS being deleted, without seeing any menu.

Finally, here is a full log of what Menu+Enter+P is triggering:

Code: [Select]
Boot Loader Stage 1 (1.0.526) Build: 2006/8/11, 6:25:18 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Last boot progress: 10546 System clock: 78 MHZ SDRAM memory test: Pass Clearing SDRAM...Done. Clearing SDRAM...Done. Clearing SDRAM...Done. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Loading DIAGS software... Error reading/validating DIAGS image Loading BOOT2 software... 99% BOOT1: loading complete (924 ticks), launching image. Boot Loader Stage 2 (1.0.526) Build: 2006/8/11, 6:29:51 Copyright (c) 2006 Texas Instruments Incorporated Using production keys Initializing graphics subsystem. Checking for NAND: NAND Flash ID: ST Micro NAND256W3A Initializing USB and networking. Initializing filesystem. Datalight Reliance v2.00.0451 Copyright (c) 2003 - 2005 Datalight, Inc. Registered to #9DE08703 FlashFX sample project for the OMAP5912 OSK running Nucleus Datalight FlashFX Pro v2.0 Build 966 Nucleus Edition for ARM9 Copyright (c) 1993-2005 Datalight, Inc. Patents: US#5860082, US#6260156. Detected FfxDelay() parameters: Count=58776 MicroSec=8192 Shift=13 FFX: NAND chip manufacturer: ST Micro (20) chip NAND256W3A (75) Filesystem ready. -- Bad Block list -- 0x00058000 (22) 0x001F0000 (124) -- Bad Block list end -- Keypad request, deleting current OS to force upgrade. Checking battery level. Batteries are low - install fresh batteries. Battery level is OK. Loading Operating System... Error loading OS image. Removing OS remnants. Deleting file [/phoenix/install/manifest_img] Deleting file [/phoenix/components] Deleting file [/phoenix/policy.dat] Deleting file [/phoenix/manuf.dat] Removing directory [/phoenix/install/] Deleting file [/phoenix/ctlg/locales/da/strings.res] Removing directory [/phoenix/ctlg/locales/da/] Deleting file [/phoenix/ctlg/locales/de/strings.res] Removing directory [/phoenix/ctlg/locales/de/] Deleting file [/phoenix/ctlg/locales/en/2dtemplates.res] Deleting file [/phoenix/ctlg/locales/en/all.res] Deleting file [/phoenix/ctlg/locales/en/math.res] Deleting file [/phoenix/ctlg/locales/en/strings.res] Deleting file [/phoenix/ctlg/locales/en/units.res] Removing directory [/phoenix/ctlg/locales/en/] Deleting file [/phoenix/ctlg/locales/fr/strings.res] Removing directory [/phoenix/ctlg/locales/fr/] Deleting file [/phoenix/ctlg/locales/it/strings.res] Removing directory [/phoenix/ctlg/locales/it/] Deleting file [/phoenix/ctlg/locales/no/strings.res] Removing directory [/phoenix/ctlg/locales/no/] Removing directory [/phoenix/ctlg/locales/] Removing directory [/phoenix/ctlg/] Deleting file [/phoenix/dcol/locales/da/strings.res] Removing directory [/phoenix/dcol/locales/da/] Deleting file [/phoenix/dcol/locales/de/strings.res] Removing directory [/phoenix/dcol/locales/de/] Deleting file [/phoenix/dcol/locales/en/icons.res] Deleting file [/phoenix/dcol/locales/en/strings.res] Removing directory [/phoenix/dcol/locales/en/] Deleting file [/phoenix/dcol/locales/fr/strings.res] Removing directory [/phoenix/dcol/locales/fr/] Deleting file [/phoenix/dcol/locales/it/strings.res] Removing directory [/phoenix/dcol/locales/it/] Deleting file [/phoenix/dcol/locales/no/strings.res] Removing directory [/phoenix/dcol/locales/no/] Removing directory [/phoenix/dcol/locales/] Removing directory [/phoenix/dcol/] Deleting file [/phoenix/dlog/locales/da/strings.res] Removing directory [/phoenix/dlog/locales/da/] Deleting file [/phoenix/dlog/locales/de/strings.res] Removing directory [/phoenix/dlog/locales/de/] Deleting file [/phoenix/dlog/locales/en/strings.res] Removing directory [/phoenix/dlog/locales/en/] Deleting file [/phoenix/dlog/locales/fr/strings.res] Removing directory [/phoenix/dlog/locales/fr/] Deleting file [/phoenix/dlog/locales/it/strings.res] Removing directory [/phoenix/dlog/locales/it/] Deleting file [/phoenix/dlog/locales/no/strings.res] Removing directory [/phoenix/dlog/locales/no/] Removing directory [/phoenix/dlog/locales/] Removing directory [/phoenix/dlog/] Deleting file [/phoenix/geog/locales/da/strings.res] Removing directory [/phoenix/geog/locales/da/] Deleting file [/phoenix/geog/locales/de/strings.res] Removing directory [/phoenix/geog/locales/de/] Deleting file [/phoenix/geog/locales/en/icons.res] Deleting file [/phoenix/geog/locales/en/strings.res] Removing directory [/phoenix/geog/locales/en/] Deleting file [/phoenix/geog/locales/fr/strings.res] Removing directory [/phoenix/geog/locales/fr/] Deleting file [/phoenix/geog/locales/it/strings.res] Removing directory [/phoenix/geog/locales/it/] Deleting file [/phoenix/geog/locales/no/strings.res] Removing directory [/phoenix/geog/locales/no/] Removing directory [/phoenix/geog/locales/] Removing directory [/phoenix/geog/] Deleting file [/phoenix/math/locales/da/strings.res] Removing directory [/phoenix/math/locales/da/] Deleting file [/phoenix/math/locales/de/strings.res] Removing directory [/phoenix/math/locales/de/] Deleting file [/phoenix/math/locales/en/strings.res] Removing directory [/phoenix/math/locales/en/] Deleting file [/phoenix/math/locales/fr/strings.res] Removing directory [/phoenix/math/locales/fr/] Deleting file [/phoenix/math/locales/it/strings.res] Removing directory [/phoenix/math/locales/it/] Deleting file [/phoenix/math/locales/no/strings.res] Removing directory [/phoenix/math/locales/no/] Removing directory [/phoenix/math/locales/] Removing directory [/phoenix/math/] Deleting file [/phoenix/ntpd/locales/da/strings.res] Removing directory [/phoenix/ntpd/locales/da/] Deleting file [/phoenix/ntpd/locales/de/strings.res] Removing directory [/phoenix/ntpd/locales/de/] Deleting file [/phoenix/ntpd/locales/en/icons.res] Deleting file [/phoenix/ntpd/locales/en/strings.res] Removing directory [/phoenix/ntpd/locales/en/] Deleting file [/phoenix/ntpd/locales/fr/strings.res] Removing directory [/phoenix/ntpd/locales/fr/] Deleting file [/phoenix/ntpd/locales/it/strings.res] Removing directory [/phoenix/ntpd/locales/it/] Deleting file [/phoenix/ntpd/locales/no/strings.res] Removing directory [/phoenix/ntpd/locales/no/] Removing directory [/phoenix/ntpd/locales/] Removing directory [/phoenix/ntpd/] Deleting file [/phoenix/scpd/locales/da/strings.res] Removing directory [/phoenix/scpd/locales/da/] Deleting file [/phoenix/scpd/locales/de/strings.res] Removing directory [/phoenix/scpd/locales/de/] Deleting file [/phoenix/scpd/locales/en/icons.res] Deleting file [/phoenix/scpd/locales/en/strings.res] Removing directory [/phoenix/scpd/locales/en/] Deleting file [/phoenix/scpd/locales/fr/strings.res] Removing directory [/phoenix/scpd/locales/fr/] Deleting file [/phoenix/scpd/locales/it/strings.res] Removing directory [/phoenix/scpd/locales/it/] Deleting file [/phoenix/scpd/locales/no/strings.res] Removing directory [/phoenix/scpd/locales/no/] Removing directory [/phoenix/scpd/locales/] Removing directory [/phoenix/scpd/] Deleting file [/phoenix/syst/localenames] Deleting file [/phoenix/syst/docbrowser.data] Deleting file [/phoenix/syst/locales/da/dialogs.res] Deleting file [/phoenix/syst/locales/da/imechars.res] Deleting file [/phoenix/syst/locales/da/strings.res] Deleting file [/phoenix/syst/locales/da/sampledocuments/KomGodtIGang.tns] Removing directory [/phoenix/syst/locales/da/sampledocuments/] Deleting file [/phoenix/syst/locales/da/settings/factory.zip] Removing directory [/phoenix/syst/locales/da/settings/] Removing directory [/phoenix/syst/locales/da/] Deleting file [/phoenix/syst/locales/de/dialogs.res] Deleting file [/phoenix/syst/locales/de/imechars.res] Deleting file [/phoenix/syst/locales/de/strings.res] Deleting file [/phoenix/syst/locales/de/sampledocuments/ErsteSchritte.tns] Removing directory [/phoenix/syst/locales/de/sampledocuments/] Deleting file [/phoenix/syst/locales/de/settings/factory.zip] Removing directory [/phoenix/syst/locales/de/settings/] Removing directory [/phoenix/syst/locales/de/] Deleting file [/phoenix/syst/locales/en/dialogs.res] Deleting file [/phoenix/syst/locales/en/icons.res] Deleting file [/phoenix/syst/locales/en/imechars.res] Deleting file [/phoenix/syst/locales/en/strings.res] Deleting file [/phoenix/syst/locales/en/sampledocuments/GettingStarted.tns] Removing directory [/phoenix/syst/locales/en/sampledocuments/] Deleting file [/phoenix/syst/locales/en/settings/factory.zip] Removing directory [/phoenix/syst/locales/en/settings/] Removing directory [/phoenix/syst/locales/en/] Deleting file [/phoenix/syst/locales/fr/dialogs.res] Deleting file [/phoenix/syst/locales/fr/imechars.res] Deleting file [/phoenix/syst/locales/fr/strings.res] Deleting file [/phoenix/syst/locales/fr/sampledocuments/PriseEnMainRapide.tns] Removing directory [/phoenix/syst/locales/fr/sampledocuments/] Deleting file [/phoenix/syst/locales/fr/settings/factory.zip] Removing directory [/phoenix/syst/locales/fr/settings/] Removing directory [/phoenix/syst/locales/fr/] Deleting file [/phoenix/syst/locales/it/dialogs.res] Deleting file [/phoenix/syst/locales/it/imechars.res] Deleting file [/phoenix/syst/locales/it/strings.res] Deleting file [/phoenix/syst/locales/it/sampledocuments/GuidaIntroduttiva.tns] Removing directory [/phoenix/syst/locales/it/sampledocuments/] Deleting file [/phoenix/syst/locales/it/settings/factory.zip] Removing directory [/phoenix/syst/locales/it/settings/] Removing directory [/phoenix/syst/locales/it/] Deleting file [/phoenix/syst/locales/no/dialogs.res] Deleting file [/phoenix/syst/locales/no/imechars.res] Deleting file [/phoenix/syst/locales/no/strings.res] Deleting file [/phoenix/syst/locales/no/sampledocuments/KommeIGang.tns] Removing directory [/phoenix/syst/locales/no/sampledocuments/] Deleting file [/phoenix/syst/locales/no/settings/factory.zip] Removing directory [/phoenix/syst/locales/no/settings/] Removing directory [/phoenix/syst/locales/no/] Removing directory [/phoenix/syst/locales/] Deleting file [/phoenix/syst/settings/current.zip] Deleting file [/phoenix/syst/settings/initialized] Removing directory [/phoenix/syst/settings/] Removing directory [/phoenix/syst/] Deleting file [/phoenix/tblt/locales/da/dialogs.res] Deleting file [/phoenix/tblt/locales/da/strings.res] Removing directory [/phoenix/tblt/locales/da/] Deleting file [/phoenix/tblt/locales/de/dialogs.res] Deleting file [/phoenix/tblt/locales/de/icons.res] Deleting file [/phoenix/tblt/locales/de/strings.res] Removing directory [/phoenix/tblt/locales/de/] Deleting file [/phoenix/tblt/locales/en/dialogs.res] Deleting file [/phoenix/tblt/locales/en/icons.res] Deleting file [/phoenix/tblt/locales/en/strings.res] Removing directory [/phoenix/tblt/locales/en/] Deleting file [/phoenix/tblt/locales/fr/dialogs.res] Deleting file [/phoenix/tblt/locales/fr/strings.res] Removing directory [/phoenix/tblt/locales/fr/] Deleting file [/phoenix/tblt/locales/it/dialogs.res] Deleting file [/phoenix/tblt/locales/it/strings.res] Removing directory [/phoenix/tblt/locales/it/] Deleting file [/phoenix/tblt/locales/no/dialogs.res] Deleting file [/phoenix/tblt/locales/no/strings.res] Removing directory [/phoenix/tblt/locales/no/] Removing directory [/phoenix/tblt/locales/] Removing directory [/phoenix/tblt/] Waiting for OS download. Starting Connectivity services. USB Download is enabled. Press <Enter> to download through the serial port. phoenix dhcp server w/ VOODOO built 12-Jul-2006 (start at 7140) phoenix enum server built 12-Jul-2006 phoenix dhcp hook fwd w/ VOODOO built 12-Jul-2006 (start at 7140) phoenix file mgt server built 12-Jul-2006 (start at 7240) pn-srv2-636: pol_init = -1

Note the "Keypad request, deleting current OS to force upgrade".

Strangely, accessing the maintenance menu on basic/CAS TI-Nspire does log "Boot option: Download Basecode", although it doesn't download any basecode to my knowledge. According to the above log, this message could come from the original Menu+Enter+P use on the CAS+.

By the way, we have a partial view of the production CAS+ filesystem in the above log.
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 22, 2011, 03:49:00 pm: Looks like manifest_img is the OS.
Now you can start sending boot2 exploits through RS232.
Even though the files are deleted , they may not really be deleted , only unlinked in the inode of the filesystem[Hopefully].
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 03:51:17 pm: Ok, so the CAS+ RSA keys are different, which means:
- we can't flash a boot2
- we can't flash a diags (I've never seen any diags on a CAS+)
- we can't flash an OS
- we can't run a test image

Moreover, we can't access the whole filesystem through the USB driver.
(seems we only have access to a virtual drive, which just links to 2 "safe" folders: /documents and /phoenix/tmp ).

Well... The CAS+ seems much more closed than the final TI-Nspire.

I've tried to send an OS with "exploit1" in RS232, and I've added the header this time.
Here's what I got:
Code: [Select]
Loading Operating System... Error loading OS image. Removing OS remnants. Deleting file [/phoenix/manuf.dat] Removing directory [/phoenix/install/] Waiting for OS download. Starting Connectivity services. USB Download is enabled. Press <Enter> to download through the serial port. phoenix dhcp server w/ VOODOO built 12-Jul-2006 (start at 832) phoenix enum server built 12-Jul-2006 phoenix dhcp hook fwd w/ VOODOO built 12-Jul-2006 (start at 832) phoenix file mgt server built 12-Jul-2006 (start at 932) pn-srv2-636: pol_init = -1 Checking battery level. Battery level is OK. TI_OS_INSTALL_PRECHECK (5) TI_OS_INSTALL_VERIFYING_IMAGE (10) TI_OS_INSTALL_VERIFYING_RESOURCE (95) Deleting file [/tmp/manifest_img] Deleting file [/tmp/phoenix.img] TI_OS_INSTALL_FAILED TI_OS_INSTALL_MANIFEST_INVALID
Seems the CAS+ absolutely wants a manifest file.

On my oldest orange-blue CAS+ (OS 1.0.1.0.334T), that file was just named "manifest" and did only include the name of another file: "devfiletree.zip".
But it may be different on production CAS+. According to several logs, the /phoenix/install files are using different names...

Any idea on how to generate a TNC file which would at least pass the "precheck" of the CAS+?
Maybe a look at the TI-Nspire Computer Link 1.0 Java code can be usefull:
http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=1439
It does some checking on the TNC file too, prior to sending it.
Title: Re: The 1st step into CAS+ flashing
Post by: jnesselr on March 22, 2011, 04:07:24 pm: So do we have the public key, though?
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 04:09:48 pm: Quote from: graphmastur on March 22, 2011, 04:07:24 pm
So do we have the public key, though?

No, because it's not dumped yet.
We're trying to dump...
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 22, 2011, 06:58:10 pm: Quote from: critor on March 22, 2011, 03:51:17 pm
Any idea on how to generate a TNC file which would at least pass the "precheck" of the CAS+?
It looks like the two parts of an rs232-sent OS are saved to /tmp/manifest_img and /tmp/phoenix.img. So a good guess would be that a CAS+ .tnc file is a zip file containing a manifest_img file and a phoenix.img file. phoenix.img is probably the equivalent of TI-Nspire.img in the released TI-Nspire.

On another note, I did a little reverse engineering of pn-net.dll. It connects to a CAS+ on TCP port 10001, and the protocol is text based. You could probably use a telnet-type program to communicate with the CAS+ manually. The "info 1" command gets some information about the calculator; the command to list a directory is "dir directoryname". Might be worth seeing if you can access more of the filesystem this way than by using Computer Link.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 07:38:12 pm: On another note, I've got a strange key combo for the TI-Nspire CAS+:
Menu+Esc

The calculator just does not turn on and can't be turned on.
I have to remove the batteries.

Maybe the combo to launch the diagnostic software, which is not included in the CAS+?

Strangely, with Esc+Menu+Joypad, the calculator does turn on...
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 22, 2011, 07:42:13 pm: Quote from: critor on March 22, 2011, 07:38:12 pm
Maybe the combo to launch the diagnostic software, which is not included in the CAS+?
The RS232 log should tell if that's what it is.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 07:43:10 pm: Allready tried -> nothing...
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 22, 2011, 08:07:58 pm: Quote from: Goplat on March 22, 2011, 06:58:10 pm
On another note, I did a little reverse engineering of pn-net.dll. It connects to a CAS+ on TCP port 10001, and the protocol is text based. You could probably use a telnet-type program to communicate with the CAS+ manually. The "info 1" command gets some information about the calculator; the command to list a directory is "dir directoryname". Might be worth seeing if you can access more of the filesystem this way than by using Computer Link.

Very interesting.
Just tried this.

I plugged a production CAS+ and my "Texas Instrument" network interface got the IP 172.16.50.25 (this is the IP of my computer on the "CAS+" network).
Seems the Nspire CAS+ was using the IP 172.16.50.26.

Here is what "info 1" is printing with the production CAS+ (boot1/boot2 1.0.526 + OS 1.0.554)
Code: [Select]
0 addr=2886742554 mask=4294967292 b1v=01,00,02,14 b2v=01,00,02,14 bat=0,3,0,0,0,0,0,0 clk=78 disk=29188096,22750208,4294967295 eid=0C0FE480C1986857BA3 hwv=00,00,00,192 na me=phoenix ram=0,0,20971760 ready=32864,0 run=3 scrn=38400 ser=254,72,12,25,00,00,00, 00 sgeo=240,320,4,0 ver=01,00,02,42
Anything interesting?

Unfortunately, the "dir" command doesn't seem to show anything more than the usual TI-Nspire Computer Link "virtual" drive:
/
/phx
/phx/documents
/phx/tmp

We don't have access to the real file system...
(I wonder why TI didn't keep things like that for the final Nspire...)

Edit: the protocol doesn't seem to unstand special folders like ".", "..", or "~".

Edit2: retried with my developer CAS+ (Boot1/2 1.0.491 + OS 1.0.494)
Code: [Select]
0 addr=2886748730 mask=4294967292 b1v=01,00,01,235 b2v=01,00,01,235 bat=0,0,0,0,0,0,0 ,0 clk=78 disk=29188096,23237632,4294967295 eid=0C039C11C25D761EEFE hwv=00,00,00,192 name=phoenix ram=0,0,20971760 ready=32864,0 run=3 scrn=38400 ser=57,193,28,37,00,00,0 0,00 sgeo=240,320,4,0 ver=01,00,01,238This time, the computer got the IP 172.16.74.58 and the CAS+ 172.16.74.59.
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 23, 2011, 01:39:21 am: Now that you have deleted the OS off one calculator,
USB connect two CAS+ together, reboot the one without the OS.
Does this now activate the Send OS selection ?
Monitor the RS232 traffic while doing this.

If this works , then you can tap into USB to dump the OS.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 23, 2011, 06:41:22 am: No, the "Send OS" remains disabled.
Anyway, it is enabled on my two oldest CAS+ and seems to do nothing.
Title: Re: The 1st step into CAS+ flashing
Post by: garbage on March 23, 2011, 07:02:40 am: Hi. I've been following thist thread ever since it exists and I want to say that keep up with good work. I also have a CAS + and I deleted the OS before I read what the diag key combination actually do.

I also tried to "hack" into my CAS+ but I have none experience with hacking nor the knowledge to do that. All I've done is connect my computer and calculator with USB cable and use TI-Nspire Computer Link to acces files on my cas. Meanwile doing so, I captured TCP and UDP packets and came across following commands:
   - fput
   - fget
   - fdel
   - info 1
   - dir
   - attrib
   - mkdir
   - scrn 1 0 38400.

Edit: another command: - copy (when you move file from one folder to another in computer link software)

Btw, sorry for my English cause it's kinda rusty :-\
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 23, 2011, 07:04:41 am: Great! Thank you very much for the list of commands :)
Title: Re: The 1st step into CAS+ flashing
Post by: garbage on March 23, 2011, 07:07:43 am: Quote from: critor on March 23, 2011, 07:04:41 am
Great! Thank you very much for the list of commands :)

Np... If there is anything else I can do just say.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 23, 2011, 10:30:07 am: Some more "TI-Nspire Computer Links" CAS+ commands:

info %d ("%d" must be "1")
stat %d (seems to work with "1" or "3" as "%d")
tune %d%s rtime=%lu xtime=%lu (seems to work with "1" or "2" as "%d")
scrn %d %lu %d ("%d" must be "1", "%lu" seems to be the start, and "%d" the size)

mkdir %s
rmdir %s
dir %s
attr %s
fdel %s

fget %s %u ("%u" seems to be the size)
fput %s %ld %u

copy %s %s
move %s %s
osupg %s %s (probably manifest + image files)

All "%s" pathes seems relative to the virtual drive.
/ and /phx directories seems write protected. No file can be added, and the content can't be removed.
Title: Re: The 1st step into CAS+ flashing
Post by: DJ Omnimaga on March 23, 2011, 02:24:28 pm: I don't understand anything there, being illiterate about that stuff, but I'm glad to see some progress into attempting hacking the CAS+ prototypes. Also welcome to our new forum member above.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 23, 2011, 05:57:51 pm: Here's the CAS+ inf file content:

Code: [Select]
;Texas Instruments Incorporated ;Driver Information File for TI-Nspire ;Copyright (c) Texas Instruments Inc. All rights reserved. [Version] Signature = "$Windows NT$" Class = Net ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318} Provider = %TI% DriverVer = 05/24/2006,5.2.3790.1454 CatalogFile = tirndis.cat [Manufacturer] %TI% = TIDevices,NT.5.1 [TIDevices] %TIDevice% = RNDIS, USB\VID_0451&PID_E011 [TIDevices.NT.5.1] %TIDevice% = RNDIS.NT.5.1, USB\VID_0451&PID_E011 [ControlFlags] ExcludeFromSelect=* ; Windows 2000 specific sections --------------------------------- [RNDIS.NT] Characteristics = 0x84 ; NCF_PHYSICAL + NCF_HAS_UI BusType = 15 DriverVer = 05/24/2006,5.2.3790.1454 AddReg = RNDIS_AddReg_NT, RNDIS_AddReg_WIN2K_XP CopyFiles = RNDIS_CopyFiles_NT ; DO NOT MODIFY THE SERVICE NAME [RNDIS.NT.Services] AddService = USB_RNDISY, 2, RNDIS_ServiceInst_NT, RNDIS_EventLog [RNDIS_CopyFiles_NT] ; no rename of files on Windows 2000, use the 'y' names as is usb8023y.sys, , , 0 rndismpy.sys, , , 0 [RNDIS_ServiceInst_NT] DisplayName = %ServiceDisplayName% ServiceType = 1 StartType = 3 ErrorControl = 1 ServiceBinary = %12%\usb8023y.sys LoadOrderGroup = NDIS AddReg = RNDIS_WMI_AddReg_NT [RNDIS_WMI_AddReg_NT] HKR, , MofImagePath, 0x00020000, "System32\drivers\rndismpy.sys" ; Windows XP specific sections ----------------------------------- [RNDIS.NT.5.1] Characteristics = 0x84 ; NCF_PHYSICAL + NCF_HAS_UI BusType = 15 DriverVer = 05/24/2006,5.2.3790.1454 AddReg = RNDIS_AddReg_NT, RNDIS_AddReg_WIN2K_XP ; no copyfiles - the files are already in place [RNDIS.NT.5.1.Services] AddService = USB_RNDIS, 2, RNDIS_ServiceInst_5_1, RNDIS_EventLog [RNDIS_ServiceInst_5_1] DisplayName = %ServiceDisplayName% ServiceType = 1 StartType = 3 ErrorControl = 1 ServiceBinary = %12%\usb8023.sys LoadOrderGroup = NDIS AddReg = RNDIS_WMI_AddReg_5_1 [RNDIS_WMI_AddReg_5_1] HKR, , MofImagePath, 0x00020000, "System32\drivers\rndismp.sys" ; Windows XP and Windows 2000 Sections [RNDIS_AddReg_NT] HKR, Ndi, Service, 0, "USB_RNDISY" HKR, Ndi\Interfaces, UpperRange, 0, "ndis5_ip" HKR, Ndi\Interfaces, LowerRange, 0, "nolower" [RNDIS_AddReg_WIN2K_XP] HKR, NDI\params\NetworkAddress, ParamDesc, 0, %NetworkAddress% HKR, NDI\params\NetworkAddress, type, 0, "edit" HKR, NDI\params\NetworkAddress, LimitText, 0, "12" HKR, NDI\params\NetworkAddress, UpperCase, 0, "1" HKR, NDI\params\NetworkAddress, default, 0, " " HKR, NDI\params\NetworkAddress, optional, 0, "1" [RNDIS_EventLog] AddReg = RNDIS_EventLog_AddReg [RNDIS_EventLog_AddReg] HKR, , EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll" HKR, , TypesSupported, 0x00010001, 7 [SourceDisksNames] 1=%SourceDisk%,,1 [SourceDisksFiles] usb8023y.sys=1 rndismpy.sys=1 [DestinationDirs] RNDIS_CopyFiles_NT = 12 [Strings] ServiceDisplayName = "USB Remote NDIS Network Device Driver" NetworkAddress = "Network Address" TI = "Texas Instruments Incorporated" TIDevice = "Texas Instruments Remote NDIS Network Device" SourceDisk = "TI USB Network Driver Install Disk"
Note that the date is posterior to my oldest orange-blue CAS+ boot1/boot2/OS build dates.
(the one on which I have the OS image in the documents folder, but which doesn't work with TI-Nspire Computer Link 1.0)

The oldest CAS+ DHCP server is sending 3 to 4 IP adresses to the TI virtual network interface on my computer, which is reqesting them.
But it seems that for some reason my computer is either not receiving those IPs, either not acknowledging them.

I've tried what you proposed: manually assigning the proposed IP.
But it doesn't work: "the IP is allready in use".
I've tried assigning another IP in the same subnet, but no other active IP was visible in the subnet.

Remember the CAS+ IP seems to be the interface IP plus one.
So it might be affected after the computer acknowledges.

And of course, I have no problems with more recent CAS+ DHCP servers.
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 24, 2011, 08:02:26 pm: I've found a buffer overflow vulnerability in the command shell's printf routine, which could potentially allow executing code by TYPEing a file. We may not be able to exploit it at this time because
- the code may have changed (the CAS+ has Reliance v2.00.0451/FlashFX v2.0, instead of Reliance v2.10.1150/FlashFX v3.00).
- the WRITE command can't create a file with 00, 08, 0A, or 0D bytes in it (this could be insurmountable, or not a problem at all, depending on what the addresses of the relevant functions and stack items turn out to be)
but I think it might be worth a try.

First step is to dump the stack to get some addresses... Try this (in whatever directory you're comfortable creating files in):

write stackdump 192
%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x
type stackdump
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 25, 2011, 12:09:50 am: I was just looking at that vulnerability.
I was trying:
AAAA%08x%08x%08x.....%08x
and hoping to get one of the "%08x" would give me 41414141 - then replace that with %s
to read arbitrary memory addresses - could not find it so far.
Seems this technique ignores %p, havent tried %n.

critor : for a quick test try:
c:\>write test.tns 19
c:\>AAAA,%08x,%08x,%08x <RETURN>
c:\>type test.tns
EDIT: If this format string is in the stack on the CAS+ instead of a buffer like the later models, then this looks more promising.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 25, 2011, 02:18:37 pm: Quote from: bsl on March 25, 2011, 12:09:50 am
critor : for a quick test try:
c:\>write test.tns 19
c:\>AAAA,%08x,%08x,%08x <RETURN>
c:\>type test.tns

Code: [Select]
C:\documents\ndless\>write test.tns 19 AAAA,%08x,%08x,%08x C:\documents\ndless\>dir 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 639280 os.tns 1980-01-01 00:00:00 19 test.tns Free Space: 17480192 bytes C:\documents\ndless\>type test.tns AAAA,20000013,106F259B,00000000 C:\documents\ndless\>
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 25, 2011, 02:26:45 pm: And here's the other test!

Quote from: Goplat on March 24, 2011, 08:02:26 pm
First step is to dump the stack to get some addresses... Try this (in whatever directory you're comfortable creating files in):

write stackdump 192
%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x
type stackdump

Code: [Select]
C:\documents\ndless\>write stackdump.tns 192 %8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8 x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x% 8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x C:\documents\ndless\>dir 1980-01-01 00:00:00 <Dir> . 1980-01-01 00:00:00 <Dir> .. 1980-01-01 00:00:00 639280 os.tns 1980-01-01 00:00:00 19 test.tns 1980-01-01 00:00:00 192 stackdump.tns Free Space: 17479680 bytes C:\documents\ndless\>type stackdump.tns 20000013106F2648 010919DA0 0 C0 010919DB4 210919E48 10919DAC101A923C101A9C7C1091A490 0106F2188106F218D106F219C 01091A3A0 3B10919DF810919DDC101AC3A4101F1B2410917E841091A3A81091A3A0 3B10919E10 10919DFC1091A3A8FFFFFFFF106A1CB41091A3C710919E3010919E14101A93041014BA38 0 1091A3A8101AA97C106A1CA810919E4810919E34101AA70C 2 1106FB5C010919E60 10919E4C10000994101A9194 0 010919E7810919E64101279841000097C10000040 10917E8410919E7C10919E7C 0 C:\documents\ndless\>
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 25, 2011, 04:05:34 pm: As I feared, looks like the command shell code is different (and unlike the later version, the address of RelDclVPrintf doesn't show up in uninitialized space in the TYPE command's stack frame). Without knowing the addresses of any useful functions we can't exploit the buffer overflow safely yet. :( We had better wait for another CAS+ OS to be dumped, so we can see the older command shell code, and come back to this then.
Title: Re: The 1st step into CAS+ flashing
Post by: mikehill2003 on March 25, 2011, 04:08:31 pm: Quote from: Goplat on March 25, 2011, 04:05:34 pm
As I feared, looks like the command shell code is different (and unlike the later version, the address of RelDclVPrintf doesn't show up in uninitialized space in the TYPE command's stack frame). Without knowing the addresses of any useful functions we can't exploit the buffer overflow safely yet. :( We had better wait for another CAS+ OS to be dumped, so we can see the older command shell code, and come back to this then.

What's the best way to dump the OS?
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 25, 2011, 04:15:47 pm: Quote from: mikehill2003 on March 25, 2011, 04:08:31 pm
Quote from: Goplat on March 25, 2011, 04:05:34 pm
As I feared, looks like the command shell code is different (and unlike the later version, the address of RelDclVPrintf doesn't show up in uninitialized space in the TYPE command's stack frame). Without knowing the addresses of any useful functions we can't exploit the buffer overflow safely yet. :( We had better wait for another CAS+ OS to be dumped, so we can see the older command shell code, and come back to this then.

What's the best way to dump the OS?

As far as we know up to now, the production CAS+ OS can only be dumped by connecting the NAND ROM chip to a reader...

TI-Nspire Computer Link 1.0 does only access a virtual drive content...
And it seems we can't run the DataLight shell to access the physical drive content without assembly...

But once the production OS is dumped, me may be able to dump other CAS+ OSes easier through some exploits.

Note the Ndless 1.7 installer exploit does freeze the CAS+ OS.
(calculator can still be turned off/on and the pointer can still be moved through the joypad, but that's all)
Title: Re: The 1st step into CAS+ flashing
Post by: bsl on March 25, 2011, 10:17:27 pm: Try:
type /phoenix/policy.dat

Maybe changing something in this file is all that is needed !!!!!

EDIT: re-naming this file to policy.back :
Code: [Select]
copy policy.dat policy.back del policy.dat, may enable USB, and other features.
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on March 26, 2011, 02:32:25 pm: Are you completely sure of what policy.dat does? I don't think we should risk the possibility that the OS won't boot without it. This is the only known copy of this OS in the world.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 26, 2011, 04:04:52 pm: Anyway, there seems to be no "policy.dat" file on the oldest 1.0.3xx OS.

Code: [Select]
C:\phoenix\>type policy.dat Error = -1
Title: Re: The 1st step into CAS+ flashing
Post by: critor on March 26, 2011, 04:11:43 pm: By the way, when I connect a more recent CAS+, I get a much smaller DHCP log:

Code: [Select]
pn-srv6-1217: sent reply 2, len=281, to 172.16.80.65:68 pn-srv6-1217: sent reply 5, len=281, to 172.16.80.65:68
Title: Re: The 1st step into CAS+ flashing
Post by: critor on April 03, 2011, 12:43:27 pm: Let's talk about the CAS+ DHCP server again.

When I connect the old blue-orange CAS+, I get:
Code: [Select]
pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=4, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-1073: bound dhcp-ans [172.16.177.46:68] to 8 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-821: ready to reply(hh=8, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68 pn-srv6-701: request type 1 pn-srv6-1073: bound dhcp-ans [172.16.50.34:68] to 9 pn-srv6-821: ready to reply(hh=9, sz=281), typ=2, to port 68 pn-srv6-838: sent reply 2, len=281, to port 68The CAS+ RNIS interface doesn't get a valid IP and I cannot send/receive files.

When I connect a more recent CAS+, I get:
Code: [Select]
pn-srv6-1217: sent reply 2, len=281, to 172.16.80.65:68 pn-srv6-1217: sent reply 5, len=281, to 172.16.80.65:68The CAS+ RNIS interface does get a valid IP immediatly and I can send/receive files.

Has somebody a good knowledge of the DHCP protocol, and of what could be wrong in the 1st log?

In the 1st log, after "sent reply 2", I just get "request type 1" again...
As if the sent IP was not accepted/understood by the computer, which is just asking again...

Do you know of any way of logging what is sent/received by an IP-less interface?
Title: Re: The 1st step into CAS+ flashing
Post by: perennial on July 31, 2011, 12:13:29 am: Goplat, if you want to experiment some more with the CAS+, I can send you the CAS+ calculator (experiment however you like until you are satisfied then you can send it back) also with the TI-Nspire broken ribbon(keep). Please let me know if you are interested.
(I keep deleting and posted again to get your attention.) Don't mean to spam.
Title: Re: The 1st step into CAS+ flashing
Post by: Goplat on July 31, 2011, 12:34:53 am: Thanks for the offer, but there isn't anything I could do with a CAS+; I don't know of any way to run code on it.
Regarding the other calc, I am not a hardware guy; I can't fix a broken ribbon cable (and I already have a TI-Nspire anyway).
Title: Re: The 1st step into CAS+ flashing
Post by: perennial on July 31, 2011, 12:42:50 am: So, there's no way to connect the CAS+ using the software and come up with a simple code to locate the addresses of those shell code? I understand about the TI-nspire calculator. So, beside that, what is the 3.0.1.1753 boot 1 and boot2 versions because I notice on mine it is 3.1..... not 3.0.1. Is that weird?
Title: Re: The 1st step into CAS+ flashing
Post by: AngelFish on July 31, 2011, 01:10:32 am: Not if the calculator presents a virtual filesystem to the computer.
Title: Re: The 1st step into CAS+ flashing
Post by: perennial on July 31, 2011, 01:21:32 am: Can one compile a virtual filesystem based on the file structure of 1.1 CAS+ OS since we have 1.1 CAS+ OS system right? I know it is super difficult. No joke.
I know I don't know much about computer science. The first course I took was only one semester and that was a year and a half ago. It was called:
"The first book of from here to there" by Bronson Third edition.
I still confused so bad with computer science even though I did good in that class.
I forgot what really the meaning of if then, if else. all the good stuff.. Even now, I still don't know why one need to put header and declare function in the compiler program.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on July 31, 2011, 05:46:14 am: The 1.1 OS will never be able to work on a CAS+ (completly incompatible: different CPU).

It doesn't use a virtual filesystem anymore to exchange data with another handheld or a computer. You have direct access to the physical filesystem.

Anyway, we allready know what's inside the CAS+ virtual filesystem (allmost nothing).
And I've allready managed to list the CAS+ physical filesystem content in 2 different ways and have posted everything here, somewhere.

It seems totally impossible to hack the CAS+ through the linking protocol as you have no access to the physical filesystem.

But if we manage to dump the 1.0 OS, then we might be able to study it and find some software exploits we've been unable to guess up to now...
Title: Re: The 1st step into CAS+ flashing
Post by: AngelFish on July 31, 2011, 05:49:43 am: Quote from: perennial on July 31, 2011, 01:21:32 am
I know I don't know much about computer science. The first course I took was only one semester and that was a year and a half ago. It was called:
"The first book of from here to there" by Bronson Third edition.
I still confused so bad with computer science even though I did good in that class.
I forgot what really the meaning of if then, if else. all the good stuff.. Even now, I still don't know why one need to put header and declare function in the compiler program.

Not meaning to distract from the main topic, but those things could have entire books written about them. Feel free to make a topic or something if you're curious.
Title: Re: The 1st step into CAS+ flashing
Post by: critor on April 29, 2012, 02:47:40 pm: One further step...

It was tricky, but I've now got 90% of the TI-Nspire CAS+ 1.0.1.0.334T devfiletree.zip content!
Title: Re: The 1st step into CAS+ flashing
Post by: critor on April 29, 2012, 03:18:46 pm: We now have the content of all the following files on the CAS+ P1-EVT2.
(those are the files which are systematically extracted at each reboot)

phoenix/
phoenix/ctlg/
phoenix/ctlg/NormCtlg.sav
phoenix/ctlg/locales/
phoenix/ctlg/locales/de/
phoenix/ctlg/locales/en/
phoenix/ctlg/locales/en/all.res
phoenix/ctlg/locales/en/math.res
phoenix/ctlg/locales/en/strings.res
phoenix/ctlg/locales/en/units.res
phoenix/ctlg/locales/fr/
phoenix/ctlg/locales/it/
phoenix/ctlg/locales/no/
phoenix/dcol/
phoenix/dcol/locales/de/
phoenix/dcol/locales/en/
phoenix/dcol/locales/en/strings.res
phoenix/dcol/locales/fr/
phoenix/dcol/locales/it/
phoenix/dcol/locales/no/
phoenix/dlog/
phoenix/dlog/locales/de/
phoenix/dlog/locales/en/
phoenix/dlog/locales/fr/
phoenix/dlog/locales/it/
phoenix/dlog/locales/no/
phoenix/geog/
phoenix/geog/locales/de/
phoenix/geog/locales/en/
phoenix/geog/locales/en/strings.res
phoenix/geog/locales/fr/
phoenix/geog/locales/it/
phoenix/geog/locales/no/
phoenix/math/
phoenix/math/locales/de/
phoenix/math/locales/en/
phoenix/math/locales/fr/
phoenix/math/locales/it/
phoenix/math/locales/it/strings.res
phoenix/math/locales/no/
phoenix/math/locales/no/strings.res
phoenix/ntpd/
phoenix/ntpd/locales/da/strings.res
phoenix/ntpd/locales/de/
phoenix/ntpd/locales/de/strings.res
phoenix/ntpd/locales/en/
phoenix/ntpd/locales/en/strings.res
phoenix/ntpd/locales/fr/
phoenix/ntpd/locales/fr/strings.res
phoenix/ntpd/locales/it/
phoenix/ntpd/locales/it/strings.res
phoenix/ntpd/locales/no/
phoenix/ntpd/locales/no/strings.res
phoenix/scpd/
phoenix/scpd/locales/
phoenix/scpd/locales/da/
phoenix/scpd/locales/da/strings.res
phoenix/scpd/locales/de/
phoenix/scpd/locales/de/strings.res
phoenix/scpd/locales/en/
phoenix/scpd/locales/en/icons.res
phoenix/scpd/locales/en/strings.res
phoenix/scpd/locales/fr/
phoenix/scpd/locales/fr/strings.res
phoenix/scpd/locales/it/
phoenix/scpd/locales/it/strings.res
phoenix/scpd/locales/no/
phoenix/scpd/locales/no/strings.res
phoenix/syst/
phoenix/syst/localenames
phoenix/syst/locales/
phoenix/syst/locales/da/
phoenix/syst/locales/da/dialogs.res
phoenix/syst/locales/da/imechars.res
phoenix/syst/locales/da/sampledocuments/
phoenix/syst/locales/da/sampledocuments/Kom godt i gang.tns
phoenix/syst/locales/da/settings/
phoenix/syst/locales/da/settings/factory.zip
phoenix/syst/locales/da/strings.res
phoenix/syst/locales/de/
phoenix/syst/locales/de/dialogs.res
phoenix/syst/locales/de/imechars.res
phoenix/syst/locales/de/sampledocuments/
phoenix/syst/locales/de/sampledocuments/Erste Schritte.tns
phoenix/syst/locales/de/settings/
phoenix/syst/locales/de/settings/factory.zip
phoenix/syst/locales/de/strings.res
phoenix/syst/locales/en/
phoenix/syst/locales/en/dialogs.res
phoenix/syst/locales/en/icons.res
phoenix/syst/locales/en/imechars.res
phoenix/syst/locales/en/sampledocuments/
phoenix/syst/locales/en/sampledocuments/Getting Started.tns
phoenix/syst/locales/en/settings/
phoenix/syst/locales/en/settings/factory.zip
phoenix/syst/locales/en/strings.res
phoenix/syst/locales/fr/
phoenix/syst/locales/fr/dialogs.res
phoenix/syst/locales/fr/imechars.res
phoenix/syst/locales/fr/sampledocuments/
phoenix/syst/locales/fr/sampledocuments/Prise en main rapide.tns
phoenix/syst/locales/fr/settings/
phoenix/syst/locales/fr/settings/factory.zip
phoenix/syst/locales/fr/strings.res
phoenix/syst/locales/it/
phoenix/syst/locales/it/dialogs.res
phoenix/syst/locales/it/imechars.res
phoenix/syst/locales/it/sampledocuments/
phoenix/syst/locales/it/sampledocuments/Guida introduttiva.tns
phoenix/syst/locales/it/settings/
phoenix/syst/locales/it/settings/factory.zip
phoenix/syst/locales/it/strings.res
phoenix/syst/locales/no/
phoenix/syst/locales/no/dialogs.res
phoenix/syst/locales/no/imechars.res
phoenix/syst/locales/no/sampledocuments/
phoenix/syst/locales/no/sampledocuments/Komme i gang.tns
phoenix/syst/locales/no/settings/
phoenix/syst/locales/no/settings/factory.zip
phoenix/syst/locales/no/strings.res
phoenix/syst/settings/
phoenix/tblt/
phoenix/tblt/locales/
phoenix/tblt/locales/da/
phoenix/tblt/locales/da/dialogs.res
phoenix/tblt/locales/da/strings.res
phoenix/tblt/locales/de/
phoenix/tblt/locales/de/dialogs.res
phoenix/tblt/locales/de/icons.res
phoenix/tblt/locales/de/strings.res
phoenix/tblt/locales/en/
phoenix/tblt/locales/en/dialogs.res
phoenix/tblt/locales/en/icons.res
phoenix/tblt/locales/en/strings.res
phoenix/tblt/locales/fr/
phoenix/tblt/locales/fr/dialogs.res
phoenix/tblt/locales/fr/strings.res
phoenix/tblt/locales/it/
phoenix/tblt/locales/it/dialogs.res
phoenix/tblt/locales/it/strings.res
phoenix/tblt/locales/no/
phoenix/tblt/locales/no/dialogs.res
phoenix/tblt/locales/no/strings.res
phoenix/tblt/locales/no/strings.res
Title: Re: The 1st step into CAS+ flashing
Post by: AzNg0d1030 on April 29, 2012, 09:20:55 pm: Wow nice job, how long did that take to extract and also type into the forum? XD
Title: Re: The 1st step into CAS+ flashing
Post by: Jim Bauwens on April 30, 2012, 03:15:53 am: Copy and paste :P
Title: Re: The 1st step into CAS+ flashing
Post by: AzNg0d1030 on April 30, 2012, 05:44:55 pm: Quote from: jimbauwens on April 30, 2012, 03:15:53 am
Copy and paste :P
Good point :D