Author Topic: TI-Nspire prototype 1.1.7320 (Read 14958 times)

Goplat · « **Reply #45 on:** March 20, 2011, 10:20:03 pm »

I think we should forget about creating files on the calc, and instead just send the contents of boot2 out over the RS232, since you already have that set up. I'll email you a file when I finish writing and testing it.

Is it ok for it to just output raw binary or will your terminal program not be able to log that properly?

critor · « **Reply #46 on:** March 20, 2011, 10:21:42 pm »

I should be able to handle raw binary I think.
Thanks.

bsl · « **Reply #47 on:** March 21, 2011, 12:18:30 am »

After you dump boot2 , see if you can reflash boot2_1.1.7314 and OS1.1.7320 back on
as an integrity check.

critor · « **Reply #48 on:** March 21, 2011, 08:08:19 am »

Goplat, thank you for your file.

Unfortunately, I've tried it something like 10 times and I allways get this:

Code: [Select]

Boot Loader Stage 1 (1.1.7314)
Build: 2007/2/23, 20:43:36
Copyright (c) 2006, 2007 Texas Instruments Incorporated
Using developer keys

Last boot progress: 26008
Clocks:  CPU = 90MHz   AHB = 45MHz   APB = 22MHz

Available system memory: 37292
PM is turning the device OFF
PM has turned the device ON
SDRAM memory test:   Pass
Clearing SDRAM...Done.
Clearing SDRAM...Done.
Clearing SDRAM...Done.
Checking for NAND: NAND Flash ID: ST Micro NAND256R3A
Boot option: Normal

Loading DIAGS software...

Error reading/validating DIAGS image

Error loading DIAGS. Switching to BOOT2.

Loading BOOT2 software...

99%
BOOT1: loading complete (340 ticks), launching image.



Boot Loader Stage 2 (1.1.7314)
Build: 2007/2/23, 20:48:12
Copyright (c) 2006, 2007 Texas Instruments Incorporated
Using developer keys

Clocks:  CPU = 90MHz   AHB = 45MHz   APB = 22MHz


Initializing graphics subsystem.
Checking for NAND: NAND Flash ID: ST Micro NAND256R3A
Boot option: Normal


Initializing filesystem.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
Filesystem ready.

Loading Operating System...

Error loading OS image. Removing OS remnants.
Deleting file [/phoenix/manuf.dat]
Removing directory [/phoenix/install/]

Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
Initializing interim USB loader...Done.
USB Download is enabled.
Press <Enter> to download through the serial port.
Checking battery level.
Battery level is OK.
Begin XMODEM file transfer.
File transfer complete. Saving pre-load file.
Error saving pre-load file.
BOOT2 Error: install failed

Note I was randomly getting this with exploit1 (even when targetting the right address), but with this exploit2 it seems to happen each time...

Goplat · « **Reply #49 on:** March 21, 2011, 05:00:12 pm »

Did you remember the 32-byte header?

You could also try sending it as a temp image (headerless)...

critor · « **Reply #50 on:** March 21, 2011, 06:23:20 pm »

Quote from: Goplat on March 21, 2011, 05:00:12 pm

Did you remember the 32-byte header?

You could also try sending it as a temp image (headerless)...

Sorry, I completly forgot that!

Going to try again.

Goplat · « **Reply #51 on:** March 21, 2011, 08:50:27 pm »

Actually, sending it as a temp image doesn't work, sorry (just tested in nspire_emu)

bsl · « **Reply #52 on:** March 21, 2011, 08:57:36 pm »

Can this procedure also work for other unknown boot2's like the CAS+ ?
First you have to hunt for valid points then write the exploit.

critor · « **Reply #53 on:** March 21, 2011, 09:00:34 pm »

Quote from: bsl on March 21, 2011, 08:57:36 pm

Can this procedure also work for other unknown boot2's like the CAS+ ?
First you have to hunt for valid points then write the exploit.

Maybe, but it won't work through USB with TI-Nspire Computer Link 1.0 "as is".
The PC-side TNC format checking will fail.
It might work through RS232, as there is no file checking prior to sending.

Goplat, could I have an "exploit2" version which would wait some seconds prior to sending?
I'm under Windows, and I unless you've got a better idea, I have to use 2 terminal softwares (disconnect/reconnect):
- HyperTerminal Private Edition which supports Xmodem transfers
- DockLight which supports ascii & hex file logs

Edit: thanks!
I was just missing the first 512 bytes (wasn't quick enough to switch terminals).
Apparently, there aren't many good terminal softwares for Windows.
Linux would have been much easier I suppose with the "cat" command

Edit2: dumped.
All my basic & CAS Nspire prototypes are now fully dumped.
Now, back to the CAS+!

bsl · « **Reply #54 on:** March 21, 2011, 11:28:19 pm »

There are a lot more capable terminal programs written for MsDOS back then, because of the
direct hardware access that Window$ doesn't give you. Here is a link to some of them:
http://www.eunet.bg/simtel.net/msdos/commprog.html

critor · « **Reply #55 on:** March 22, 2011, 09:11:38 am »

The 1.1.73xx boot1/boot2/OS/diags are the only developer versions which have visible differences with the newer 1.1 developer and production versions.

They seem to be an intermediate between TI-Nspire CAS+ and basic/CAS TI-Nspire.

You can find lots of screen captures and photos of the matching prototype below:
http://tibank.forumactif.com/t6809-les-secrets-des-ti-xxxxxxxxxxx
http://ti.bank.free.fr/index.php?mod=galerie&action=img&id_gal=9&id_img=130
(with comments in french)

A very big thanks to everybody.
Omnimaga is great!

DJ Omnimaga · « **Reply #56 on:** April 03, 2011, 02:54:06 pm »

I'm glad you like the site. Also thanks a lot for your work in finding these prototypes, trying to hack them and all the other discoveries you made. I unfortunately cannot help much, though, since I know nothing about hardware stuff.

Author Topic: TI-Nspire prototype 1.1.7320 (Read 14958 times)

Goplat

Re: TI-Nspire prototype 1.1.7320

critor

Re: TI-Nspire prototype 1.1.7320

bsl

Re: TI-Nspire prototype 1.1.7320

critor

Re: TI-Nspire prototype 1.1.7320

Goplat

Re: TI-Nspire prototype 1.1.7320

critor

Re: TI-Nspire prototype 1.1.7320

Goplat

Re: TI-Nspire prototype 1.1.7320

bsl

Re: TI-Nspire prototype 1.1.7320

critor

Re: TI-Nspire prototype 1.1.7320

bsl

Re: TI-Nspire prototype 1.1.7320

critor

Re: TI-Nspire prototype 1.1.7320

DJ Omnimaga

Re: TI-Nspire prototype 1.1.7320