
Messages - bsl

Pages: 1 ... 4 5 [6] 7 8 ... 11
76
Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 25, 2011, 06:47:36 pm »
So is a NAND reader our best chance right now?
Another choice: if you know someone that works with embedded systems and has the equipment for this.

77
Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 25, 2011, 12:09:50 am »
I was just looking at that vulnerability.
I was trying:
AAAA%08x%08x%08x.....%08x
and hoping that one of the "%08x" would give me 41414141, then replace that with %s
to read arbitrary memory addresses. Could not find it so far.
Seems this technique ignores %p; haven't tried %n.

critor : for a quick test try:
c:\>write test.tns 19
c:\>AAAA,%08x,%08x,%08x  <RETURN>
c:\>type test.tns
EDIT: If this format string is in the stack on the CAS+ instead of a buffer like the later models, then this looks more promising.
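The format-string weakness bsl is probing in this post, as an added illustration that is not code from the thread or from the calculator firmware: a hypothetical shell echo routine in its vulnerable form next to the hardened one, plus a checker that counts conversion directives in user-supplied input so it can be logged or rejected before it reaches any format function. All function names are invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: user input is the format string. "AAAA,%08x,..."
 * makes printf read arguments it was never given (stack contents), as
 * the post above observes. For contrast only; nothing here calls it. */
void echo_unsafe(const char *user)
{
    printf(user);   /* BUG: attacker-controlled format string */
}

/* Hardened form: fixed format, input passed as a plain argument, so a
 * "%08x" inside the input is printed literally. Returns length written. */
int echo_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Count printf conversion directives in s, treating "%%" as a literal
 * percent. Flags, width, precision and length modifiers are consumed so
 * "%08x" or "%.*f" each count once. A defender can log or reject input
 * on this count before it can reach any format function. */
int count_format_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }                   /* "%%" */
        while (*s && strchr("-+ #0", *s)) s++;              /* flags */
        while (*s == '*' || (*s >= '0' && *s <= '9')) s++;  /* width */
        if (*s == '.') {                                    /* precision */
            s++;
            while (*s == '*' || (*s >= '0' && *s <= '9')) s++;
        }
        while (*s && strchr("hlLqjzt", *s)) s++;            /* length */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) { n++; s++; }
    }
    return n;
}

/* 1 if the string carries no directives and is safe as plain text. */
int input_is_clean(const char *s) { return count_format_directives(s) == 0; }

int main(void)
{
    char buf[64];
    const char *sample = "AAAA,%08x,%08x,%08x";  /* constructed sample input */
    echo_safe(buf, sizeof buf, sample);
    printf("%s -> %d directive(s)\n", buf, count_format_directives(sample));
    return 0;
}
```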

78
Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 23, 2011, 05:58:16 pm »
It's between a card reader or a JTAG connection.
I haven't done hardware stuff for a while.
The card reader is the direct approach; a JTAG connection would be the best way (if it can be done at all?).
There is JTAG software out there already, I would have to read more about JTAG and trace runs on the board.
I think ExtendeD did a little work on this.

79
Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 23, 2011, 05:36:07 pm »
Yes, I did - I just picked one photo.
It's interesting that it's the one obvious connection inside the Nspire that,
to my knowledge, no one has attempted?

80
Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 23, 2011, 05:18:49 pm »
There is a photo of the inside of a CAS+ that I have been
wondering about for a year and a half:
http://www.datamath.org/Graphing/JPEG_NSpire_CASP.htm#memory
Is that white 30-pin J02 connector possibly the JTAG connector?

81
Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 23, 2011, 01:39:21 am »
Now that you have deleted the OS off one calculator,
USB connect two CAS+ together, reboot the one without the OS.
Does this now activate the Send OS selection ?
Monitor the RS232 traffic while doing this.

If this works, then you can tap into USB to dump the OS.

82
Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 22, 2011, 03:49:00 pm »
Looks like manifest_img is the OS.
Now you can start sending boot2 exploits through RS232.
Even though the files are deleted, they may not really be deleted, only unlinked in the inode of the filesystem [hopefully].

83
Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 22, 2011, 01:40:39 pm »
strings.res is about half the size of the other prototypes, even 1.7320.
Try: c:\>type strings.res
The reason for "showcopyrights" was that a possible second shell exists that might have this command.

84
Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 22, 2011, 01:06:08 pm »
Critor,
 When you get a chance - on the older calculator enter these commands:
Code:
C:\phoenix\> type components
C:\phoenix\syst\> dir
C:\phoenix\syst\locales\en\>dir
C:\phoenix\syst\locales\>dir
C:\phoenix\syst\locales\>type copysamples
The shell has a command for creating files:
C:\documents\examples\> write test.tns 5
<Enter 5 characters then hit return>

I was able to enter control characters, but this is limiting for entering a whole binary file like loader.tns :)
Can you also type this command:
C:\documents\examples\>showcopyrights

85
Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 21, 2011, 11:28:19 pm »
There were a lot more capable terminal programs written for MS-DOS back then, because of the
direct hardware access that Window$ doesn't give you. Here is a link to some of them:
http://www.eunet.bg/simtel.net/msdos/commprog.html

86
Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 21, 2011, 08:57:36 pm »
Can this procedure also work for other unknown boot2's like the CAS+?
First you have to hunt for valid points then write the exploit.

87
Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 21, 2011, 12:18:30 am »
After you dump boot2, see if you can reflash boot2_1.1.7314 and OS1.1.7320 back on
as an integrity check.

88
Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 20, 2011, 12:23:50 pm »
It will be interesting to look at OS 1.1.7320.
Without USB support, it would be unusual to see
that it would not support more shell/RS232 utilities
than what we have been seeing.
If we are really lucky, there is debugging information on those old OS's.

89
Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 20, 2011, 02:35:32 am »
It might become necessary to rewrite the Ndless loader,
assuming you get the test image working.
There is a reboot in the Ndless installation which might mean
losing the test image.
The loader would be rewritten to hexdump the NAND to RS232
and would not install Ndless - just using the exploit to dump the NAND.

90
Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 19, 2011, 05:21:23 pm »
I was able to run that diags with the DiagsLauncher program.
Runs on the emulator, should run on the calc without signature checking.
Subtract 8 more bytes from that program I sent for the larger diags proto header.


EDIT: change one line to look like:
Code:
if (fread((void *)0x117FFFB4 , 1, DIAGS_SIZE, ifile) != DIAGS_SIZE) {
