Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 25, 2011, 06:47:36 pm »
So is a NAND reader our best chance right now?
Another choice - if you know someone that works with embedded systems and has the equipment for this

Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 25, 2011, 12:09:50 am »
I was just looking at that vulnerability.
I was trying: AAAA%08x%08x%08x.....%08x and hoping one of the "%08x" would give me 41414141 - then replace that with %s to read arbitrary memory addresses - could not find it so far. Seems this technique ignores %p, haven't tried %n.
critor: for a quick test try:
c:\>write test.tns 19
c:\>AAAA,%08x,%08x,%08x <RETURN>
c:\>type test.tns
EDIT: If this format string is in the stack on the CAS+ instead of a buffer like the later models, then this looks more promising.
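
Added example, not part of the original post and not TI's shell code: a C sketch of why typed text is expanded when a handler passes it as the format argument, next to the constant-format fix and a directive counter suitable for logging or rejecting input. The functions store_unsafe, store_safe and count_directives are hypothetical stand-ins, and the assumption is that the shell's write handler behaves like store_unsafe.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a shell "write" handler (assumption, not TI code).
   Unsafe form: the typed text itself is used as the format string. */
static int store_unsafe(char *out, size_t cap, const char *typed)
{
    return snprintf(out, cap, typed);       /* directives in typed are interpreted */
}

/* Hardened form: constant format string, typed text is only data. */
static int store_safe(char *out, size_t cap, const char *typed)
{
    return snprintf(out, cap, "%s", typed);
}

/* Count '%' characters that start a directive. "%%" is a literal percent
   sign and is skipped. A non-zero count in input that should be plain text
   is worth logging or rejecting before it reaches any printf-style call. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                  /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *typed = "AAAA,%08x,%08x,%08x";   /* the 19-character test string */
    char buf[64];

    store_safe(buf, sizeof buf, typed);
    printf("stored verbatim: %s (directives: %d)\n", buf, count_directives(typed));

    /* "%%" reads no arguments, so this call is well defined and still
       shows that the unsafe path rewrites what was typed. */
    store_unsafe(buf, sizeof buf, "100%% full");
    printf("unsafe path stored: %s\n", buf);
    return 0;
}
```

Building with -Wformat-security makes the compiler flag the store_unsafe pattern at compile time.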

Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 23, 2011, 05:58:16 pm »
It's between a card reader or a JTAG connection.
I haven't done hardware stuff for a while. The card reader is the direct approach; a JTAG connection would be the best way (if it can be done at all?). There is JTAG software out there already; I would have to read more about JTAG and trace runs on the board. I think ExtendeD did a little work on this.

Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 23, 2011, 05:36:07 pm »
Yes, I did - I just picked one photo.
It's interesting that that's the one obvious connection inside the Nspire that, to my knowledge, no one has attempted?

Other Calculators / Re: TI Nspire CAS+ ---- Is it worth it?
« on: March 23, 2011, 05:18:49 pm »
There is a photo of the inside of a CAS+ plus that I have been wondering about for a year and a half: http://www.datamath.org/Graphing/JPEG_NSpire_CASP.htm#memory
Is that white 30 pin J02 connector possibly the JTAG connector?

Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 23, 2011, 01:39:21 am »
Now that you have deleted the OS off one calculator, USB connect two CAS+ together, reboot the one without the OS. Does this now activate the Send OS selection? Monitor the RS232 traffic while doing this. If this works, then you can tap into USB to dump the OS.

Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 22, 2011, 03:49:00 pm »
Looks like manifest_img is the OS.
Now you can start sending boot2 exploits through RS232. Even though the files are deleted, they may not really be deleted, only unlinked in the inode of the filesystem [hopefully].

Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 22, 2011, 01:40:39 pm »
strings.res is about half the size of the other prototypes, even 1.7320.
Try:
c:\>type strings.res
The reason for "showcopyrights" was that a possible second shell exists that might have this command.

Other Calculators / Re: The 1st step into CAS+ flashing
« on: March 22, 2011, 01:06:08 pm »
Critor,
When you get a chance - on the older calculator enter these commands:
Code:
C:\phoenix\> type components
The shell has a command for creating files:
C:\documents\examples\> write test.tns 5
<Enter 5 characters then hit return>
I was able to enter control characters, but this is limiting for entering a whole binary file like loader.tns
Can you also type this command:
C:\documents\examples\>showcopyrights

Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 21, 2011, 11:28:19 pm »
There are a lot more capable terminal programs written for MS-DOS back then, because of the direct hardware access that Window$ doesn't give you. Here is a link to some of them: http://www.eunet.bg/simtel.net/msdos/commprog.html

Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 21, 2011, 08:57:36 pm »
Can this procedure also work for other unknown boot2's like the CAS+?
First you have to hunt for valid points then write the exploit.

Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 21, 2011, 12:18:30 am »
After you dump boot2, see if you can reflash boot2_1.1.7314 and OS1.1.7320 back on as an integrity check.

Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 20, 2011, 12:23:50 pm »
It will be interesting to look at OS 1.1.7320.
Without USB support, it would be unusual to see that it would not support more shell/RS232 utilities than what we have been seeing. If we are really lucky debugging information on those old OS's

Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 20, 2011, 02:35:32 am »
It might become necessary to rewrite the Ndless loader, assuming you get the test image working. There is a reboot in the Ndless installation which might mean losing the test image. The loader would be rewritten to hexdump the NAND to RS232 and would not install Ndless - just using the exploit to dump the NAND.

Other Calculators / Re: TI-Nspire prototype 1.1.7320
« on: March 19, 2011, 05:21:23 pm »
I was able to run that diags with the DiagsLauncher program.
Runs on the emulator, should run on the calc without signature checking. Subtract 8 more bytes from that program I sent for the larger diags proto header.
EDIT: change one line to look like:
Code:
if (fread((void *)0x117FFFB4 , 1, DIAGS_SIZE, ifile) != DIAGS_SIZE) {