Messages - BrandonW

31
General Calculator Help / Re: URGENT: Bad bug on TI 84+
« on: July 06, 2011, 11:38:40 am »

32
General Calculator Help / Re: URGENT: Bad bug on TI 84+
« on: July 06, 2011, 11:29:31 am »
where to get this OS DOWNLOADER?

As SirCmpwn said, it comes with TI Connect. You can get to it from your Start menu under TI Connect.

33
General Calculator Help / Re: URGENT: Bad bug on TI 84+
« on: July 06, 2011, 11:26:00 am »
Er...

TI Connect can't find the TI because there's no OS on it.
(I think it's because of that)

No, because obviously TI Connect needs to communicate with the calculator in order to transfer an OS in the first place.

I find the best thing to do is start TI OSDownloader, select your model and cable type (make sure it's right), click Next, browse for the OS 8XU file you downloaded, THEN turn the calculator on, plug the cable in, and click Start Download.

TI Connect is a little dumb when it comes to detecting the calculator and tends to send commands that the boot code (the thing you're in when you're trying to install a new OS) gets confused about.

34
News / Re: FLASHY - 83/4 series boot code modification
« on: July 03, 2011, 10:41:01 pm »
On TI-BANK, the news about Flashy says something implying they don't believe we permanently unlocked the 84+ with Flashy, in reference to how they countered the key factoring, Nleash, etc, and that they might try to come with another alternative to prove us wrong. However, I am wondering what kind of alternative they could find...

While it's true that TI can always do something to counter what we do, the fact remains that every 73/83+ and 84+ series calculator manufactured to date (and so far, still being manufactured) is permanently hackable. The only move they have is to modify the hardware, and if you've already bought it, you're in good shape.

35
News / Re: FLASHY - 83/4 series boot code modification
« on: July 03, 2011, 04:36:46 pm »
The only thing TI has on us is the hardware and any read-only code on it, such as the boot code. That's what the initial fear over 1.03 was about. But now that we can change it, it doesn't matter. The 84+/SE/Pocket are permanently open.

It will be interesting to see if they remove this capability in new hardware. The very existence of it is an indicator that this might not be easy for them to do.

We can erase the boot code on the 73 and 83+, but we can't write back to it (yet). So it's not all that useful.

36
News / Re: FLASHY - 83/4 series boot code modification
« on: July 02, 2011, 06:47:23 am »
To add some more information:

The main uses for this are:
   1. Testing code very early in the boot process. We can learn a lot more about the hardware now that we can get control very early in the boot process (the very first instruction executed!), and we've learned quite a bit in the past week or so.
   2. Downgrading boot code 1.03 calculators, such as the TI-84 Pocket.fr (and now the 84+ and 84+SE, which have started showing up with 1.03). I have upgraded my calculators to 1.03 and downgraded them back to 1.00/1.02 without incident. This means the anti-downgrade protection and added 2048-bit RSA key is useless (epic fail).
   3. Customizing the boot sectors. We can now add Calcsys-like functionality to normally read-only boot sectors and gain new emergency recovery abilities you wish you had in the past. Corrupted OS and you really need to get your programs off? Now you can (as soon as we write such a utility to flash to it). We can also change functionality we assume will always be there -- we can change (and I have changed) the ON+DEL keyboard shortcut to something secret or more complex (to prevent strangers from getting into your calculator), or whatever you want...sky's the limit.

Also, if the process to create the image AppVar looks a little scary/confusing to you, you can use the pre-built AppVars made from boot code dumps available elsewhere (for the 83+SE, 84+, and 84+SE, from versions 1.00 to 1.03). I'd link you to them, but it's not exactly legal to host them. I'm sure if you look around in the "usual places", you can find them. :)

This program tries to be as safe as possible. The boot image AppVars it uses have up to two MD5 hashes embedded with them, one for each page. Both of these hashes are checked twice, battery levels are checked twice, the images themselves are checked for code patterns that must be present for the model being flashed to, the boot page jump table is checked for valid page and address ranges, and warnings are thrown up if anything looks amiss.

It even installs a temporary cursor hook to steal back control in the unlikely event that the boot page is erased (filled with 0xFF bytes (which are interpreted as "rst 38h" instructions)), where it will attempt to complete the write.

I personally tested it on my real 83+SE, 84+, and 84+SE calculators, and several other people have used it multiple times without incident. I have yet to brick a calculator using this program, even after making some pretty scary patches.

So it's worth a shot, if you're brave enough.
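The post above lists the safety checks Flashy runs on a boot-image AppVar before it touches Flash: per-page MD5 hashes, a check that the image is not the erased 0xFF fill, and a scan for code patterns that must be present for the target model. The following is an added example, written for this page and not Flashy's own code, showing what such a pre-flash integrity check looks like. The container layout (each 16 KiB page immediately followed by its 16-byte MD5), the page contents and the required code pattern are all constructed for illustration; the real AppVar format and the real model-specific patterns are not given on the page.

```python
"""Pre-flash integrity checks for a boot-image container.

Added example, not Flashy's code. The container format is constructed:
each 16 KiB page is followed by the MD5 digest of that page, matching the
post's description of "one hash per page". Real Flashy AppVars may differ.
"""
import hashlib

PAGE_SIZE = 0x4000        # one 16 KiB Flash page
DIGEST_SIZE = 16          # MD5 digest length
ERASED_PAGE = b"\xff" * PAGE_SIZE   # erased Flash reads as 0xFF ("rst 38h" on the Z80)

# Constructed stand-in for a model-specific code pattern (di / ld sp,nn
# as the first instructions). The real patterns are not on the page.
SAMPLE_PATTERN = bytes([0xF3, 0x31, 0x00, 0xC0])


def build_image(pages):
    """Pack pages into the constructed container format: page || md5(page)."""
    out = bytearray()
    for page in pages:
        if len(page) != PAGE_SIZE:
            raise ValueError("page must be exactly %d bytes" % PAGE_SIZE)
        out += page
        out += hashlib.md5(page).digest()
    return bytes(out)


def split_image(image):
    """Yield (page, stored_digest) pairs; reject a malformed container."""
    unit = PAGE_SIZE + DIGEST_SIZE
    if not image or len(image) % unit:
        raise ValueError("image length is not a whole number of page+digest units")
    for off in range(0, len(image), unit):
        yield image[off:off + PAGE_SIZE], image[off + PAGE_SIZE:off + unit]


def check_image(image, required_pattern):
    """Return a list of problems found; an empty list means the image passed.

    Mirrors the checks the post describes: the stored MD5 of every page
    must match, no page may be the erased 0xFF fill, at most two pages
    are allowed, and the model-specific code pattern must be present.
    """
    problems = []
    pages = list(split_image(image))
    if len(pages) > 2:
        problems.append("more than two pages")
    for i, (page, stored) in enumerate(pages):
        if hashlib.md5(page).digest() != stored:
            problems.append("page %d: MD5 mismatch" % i)
        if page == ERASED_PAGE:
            problems.append("page %d: entirely erased (0xFF)" % i)
    if required_pattern not in b"".join(p for p, _ in pages):
        problems.append("required code pattern not found")
    return problems


def sample_image():
    """Constructed two-page image: the marker at the start of page 0, filler after."""
    page0 = bytearray(ERASED_PAGE)
    page0[0:len(SAMPLE_PATTERN)] = SAMPLE_PATTERN
    page1 = bytearray(range(256)) * (PAGE_SIZE // 256)
    return build_image([bytes(page0), bytes(page1)])


if __name__ == "__main__":
    img = sample_image()
    print("clean image:", check_image(img, SAMPLE_PATTERN) or "OK")
    damaged = bytearray(img)
    damaged[100] ^= 1                      # flip one bit inside page 0
    print("damaged image:", check_image(bytes(damaged), SAMPLE_PATTERN))
```

The point of returning a list rather than a boolean is that a flashing tool can show every problem at once and refuse to proceed; running the hash comparison a second time right before the write, as the post says Flashy does, guards against a corrupted read between check and write.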

37
Going from 1.03 to 1.02 is equally as easy. 1.03 is defeated in oh-so-many ways.

38
News / Re: 84+/SE Boot Pages Modified
« on: June 28, 2011, 12:46:21 am »
They certainly have to change things in the ASIC so that the port we're modifying no longer has any effect. How difficult that would be is unknown. Based on the fact that they put such bone-headed functionality in there, it's possible it's not that easy.

Even if they did fix it, there are still numerous boot code exploits to get an OS on there, and it appears they made some pretty crappy attempts to block some other hacks.

I hope you're reading this, TI: you have truly failed. The harder you try, the worse you make it on yourself.

39
News / Re: 84+/SE Boot Pages Modified
« on: June 27, 2011, 11:37:02 pm »
The boot code is the first sector of code that's executed when you power on the calculator. It's responsible for checking to make sure there's a valid OS installed, and if so, booting it. If not, it waits for one to be received over a link cable, and then boots it.

It also provides common routines that the OS uses, for Flash reading/writing, certificate manipulation, cryptographic functions, etc.

It must always be there.

40
Miscellaneous / Re: Mem Clear for Singapore?
« on: June 13, 2011, 06:18:31 am »
They're the same. I think Singapore is the code name for the OS.

False. The codename for the 83+ series OS is "Cerberus." You can still see references to this in ti83plus.inc such as "new apps for Cerberus" (the new "external" applications (Flash applications)).

And as stated, the "Singapore" reset leaves a couple more Flash applications intact on reset.


41
News / Re: Boot a PC Using a TI-89 Titanium Graphing Calculator
« on: February 05, 2011, 03:48:12 pm »
Or we could just use WFRNG OS.

I converted that already and booted it off an 89Ti; I put WFRNGOS1.89K somewhere in http://brandonw.net/calcstuff/, maybe even in the same zip as the program.

That would probably work, actually. Or we could make a custom OS that acts as a flash drive, thus expanding our available space. We have the TI-89 key.

The 89 key was used to sign the NT Offline Password and Registry Editor boot image. I believe it's officially the largest signed 68k Flash application ever created at 2.3MB.

EDIT: MenuetOS will fit on a floppy.

42
News / Boot a PC Using a TI-89 Titanium Graphing Calculator
« on: February 04, 2011, 08:06:39 pm »
Brandon Wilson recently managed to get Linky (http://brandonw.net/svn/calcstuff/Linky/) to the point that you can emulate a USB flash drive using the TI-89 Titanium and a raw image of sectors you supply.

He packaged the program, the image for the NT Offline Password and Registry Editor boot disc, and the PC program to create TI-89 Titanium Flash applications out of raw sector images at: http://brandonw.net/calcstuff/NTPasswd.zip.

YouTube video showing it: (embedded video not preserved)

This same thing could be used to boot DOS or Windows 3.1 as well -- anything known to fit on a floppy disk (or bigger -- there's about 2.3MB to work with).

Hopefully this also gets people more excited about the prospect of a real USB library coming to the TI-89 Titanium, so that it can enjoy all the usb8x goodness that the 84+/SE has.

43
News / Re: OS 2.55MP released
« on: January 12, 2011, 07:55:46 am »
(cross-posted from elsewhere)

With the release of OS 2.55MP, it seems we're going to have to disassemble each update TI pushes out and see what they change, so I put together a little package to make it easier for myself, and if you care, you too.

I created a little C# thing last night called Pterodactyl that creates IDC scripts for use with IDA Pro generated from elements of ti83plus.inc to automagically set labels and cross references of page 0 calls and BCALLs throughout all (now 19) pages of the TI-OS, plus RAM equates.

This makes it very easy to get IDA to analyze most of the code for us and it makes it a lot easier to dive into any OS version and find out exactly what it's doing and why.

It's at http://brandonw.net/calcstuff/pterodactyl.zip and the source is at http://brandonw.net/svn/calcstuff/Pterodactyl/trunk/ if anyone wants to use it.

I was able to pound out an OS 2.55MP disassembly inside of an hour using this tool which I've uploaded at http://brandonw.net/crap/OS2.55MPDisassembly.zip if you want to dig into it yourself.

Hopefully this will help me/us analyze differences in OS versions quickly and more easily than before, and possibly figure out what TI did wrong with the MathPrint OSes and maybe even fix them.

Forgive the horrible code, it was quick and dirty and never meant to be used by your average user.
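Pterodactyl, as described above, turns the equates in ti83plus.inc into an IDC script so IDA labels RAM locations and BCALL vectors across every OS page. The following is an added example of that idea, not Pterodactyl's code and not a copy of ti83plus.inc: it parses `NAME equ 1234h` / `NAME .equ 1234h` lines and emits classic IDC. The sample include text is constructed for illustration, the 0x8000 boundary used to tell RAM equates from BCALL vectors is an assumption about the 83+ memory map, and the IDC calls (`MakeName`, `AddEnum`, `AddConstEx`) are the classic IDC API rather than the newer `ida_*` Python modules.

```python
"""Generate an IDC script from assembler equates (added example).

Not Pterodactyl's code. Assumptions: equates use `equ`/`.equ` with a
trailing-h hex value; addresses >= 0x8000 are RAM labels and names
starting with "_" below that are BCALL vectors; classic IDC API.
"""
import re

RAM_START = 0x8000   # assumed RAM boundary on the 83+ series

# Constructed excerpt in ti83plus.inc style; values are illustrative only.
SAMPLE_INC = """
; constructed sample, not the real include file
_GetKey        equ 4972h      ; BCALL: wait for a keypress
_PutS          .equ 450Ah     ; BCALL: print zero-terminated string
_ClrLCDFull    equ 4540h
OP1            equ 8478h      ; RAM: floating-point operand 1
curRow         equ 844Bh      ; RAM: cursor row
"""

EQU_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+\.?equ\s+([0-9A-Fa-f]+)h\b",
    re.IGNORECASE,
)


def parse_equates(text):
    """Return {name: value} for every equate line, ignoring comments."""
    equates = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # strip assembler comments
        m = EQU_RE.match(line)
        if m:
            equates[m.group(1)] = int(m.group(2), 16)
    return equates


def idc_script(equates):
    """Emit an IDC script: an enum for BCALL vectors, MakeName for RAM labels."""
    ram, bcalls = [], []
    for name, value in sorted(equates.items(), key=lambda kv: kv[1]):
        if value >= RAM_START:
            ram.append('    MakeName(0x%04X, "%s");' % (value, name))
        elif name.startswith("_"):
            bcalls.append('    AddConstEx(bcall, "%s", 0x%04X, -1);' % (name, value))
    lines = [
        "#include <idc.idc>",
        "static main() {",
        "    auto bcall;",
        '    bcall = AddEnum(-1, "bcall_t", 0);',   # enum for the .dw after rst 28h
    ]
    lines += bcalls + ram + ["}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(idc_script(parse_equates(SAMPLE_INC)), end="")
```

BCALL vectors go into an enum rather than being named as addresses because, on the 83+, `bcall(_Name)` assembles to `rst 28h` followed by a `.dw` holding the vector number; the number is a table index, not a code address, so naming the address itself would mislabel whatever happens to live there. RAM equates are genuine addresses and get plain labels.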

44
General Calculator Help / Re: Signing Programatically
« on: December 31, 2010, 11:37:55 pm »
That's a pretty loaded question and would take a while to answer. At the risk of sounding rude, I would recommend reading the source to see where it puts the signature after it calculates it ("MD5" and "Rabin"/"RSA" are things to look for to find where it calculates the signature and then does something with it).

45
TI-BASIC / Re: Using asm( inside a program?
« on: December 16, 2010, 12:16:03 pm »
I couldn't speak towards Axe, but from a pure assembly perspective, the only way to do this is to use a loader program whose only purpose is to take the name of a program as a string, look it up, and run it, similar to what ZASMLOAD used to do way back in the day:

"MYPROG
Asm(prgmLOADER

(and prgmLOADER would look up Ans as a string, get the name out of it, look up the program, and load it)
