Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:15

Oh, funny! :D

Reminds me of the Boot1 1.1.9999 patch which could be flashed on TI-Nspire ClickPad DVT1.2, DVT2.0, HW-A, and maybe HW-B:
User avatar
critor (Admin)
Level 19: CU (Universal Creator)
Level up: 51.4%
Posts: 42252
Images: 16710
Joined: 25 Oct 2008, 00:00
Location: Montpellier
Gender: Male
Calculator(s):
MyCalcs profile
YouTube: critor3000
Twitter: critor2000
GitHub: critor

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:23

@parrotgeek1
Couldn't rebuild nanoloader on Cygwin, it complains about find commands, which don't appear in the Makefile...

But I've tested on nspire_emu with your prebuilt images.
No problem with both Boot1 3.0.0.99 and 4.0.1.43.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:41

Also works on the splash screen, great! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 23 Jan 2018, 23:59

parrotgeek1 wrote:
critor wrote: Could you check how to add a correct size to your 0x8000 HHackers!, so that BtMg is going to flash your image correctly?

If I do that, the exploit doesn't work


Doesn't seem to be the case.

Fixed the CAS image manually in the hex editor.

Not complicated, you already specify a size for the HHackers! 0x8070 subfield. Just add 0x20 to it for the HHackers! 0x8000 root field.

Can now be flashed correctly with BtMg:

And moreover, it works! :bj:

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 24 Jan 2018, 00:12

.
Last edited by parrotgeek1 on 08 Jan 2021, 01:21, edited 1 time in total.
User avatar
parrotgeek1 (Programmer)
Level 11: LV (Living Legend)
Level up: 88.2%
Posts: 749
Joined: 29 Mar 2016, 01:22
Location: This account is no longer used.
Gender: Not specified
Calculator(s):
MyCalcs profile

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 24 Jan 2018, 00:35

Sorry, and indeed :(

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 24 Jan 2018, 00:46

Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0��.p��.���.���.
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $��.���.���.0��.
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |�n[��G\97�n).��
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   �@@Q.N..�[��#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   �t=XH�U;�A��7.H�


In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing. I don't know which, but it's clearly wrong:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ..�.�.�.�.�.�.�.
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   �.�.�.�.�.�.�.�.
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.���.P�.���D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ��">.�"2..��....
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   �`.�...0��#...0�
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   �...............
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|�n[��G\97�n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ���@@Q.N..�[��#8


I suppose Boot1.5 is behaving differently for some obscure reason...
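Added example in Python, not code from the thread or from nanoloader: it parses the two dumps above, checks whether the image at 0x11800000 begins with the ARM exception vector table the working dump shows (eight `ldr pc, [pc, #0x18]` stubs, encoded 0xE59FF018, followed by eight handler pointers), and measures how far a known sequence of the good image is displaced in the CR4 dump. The dump layout and the 0x50 probe offset are assumptions taken from the post itself; the dumps are embedded without their ASCII column.

```python
import struct

# Constructed sample input: the two ">d 11800000" dumps from the post above,
# with the ASCII column dropped (only the 16 hex tokens per line are parsed).
GOOD_DUMP = """\
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0
"""
BAD_DUMP = """\
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38
"""

# ARM "ldr pc, [pc, #0x18]": the stub a standard exception vector table repeats
LDR_PC_PC_0X18 = 0xE59FF018

def parse_dump(text):
    """Parse '>d'-style lines (address, 16 hex bytes) into (base, bytes)."""
    base, data = None, bytearray()
    for line in text.splitlines():
        addr, _, rest = line.partition("  ")
        base = int(addr, 16) if base is None else base
        data += bytes.fromhex(" ".join(rest.replace("-", " ").split()[:16]))
    return base, bytes(data)

def vector_table(data):
    """The 8 handler addresses if the image starts with a standard ARM vector
    table (8 ldr-pc stubs followed by 8 little-endian pointers), else None."""
    words = struct.unpack("<16I", data[:64])
    if any(w != LDR_PC_PC_0X18 for w in words[:8]):
        return None
    return list(words[8:])

def find_shift(good, bad, needle_off=0x50, needle_len=8):
    """By how many bytes a sequence of the good image is displaced in the bad
    one (None if that sequence does not occur there at all)."""
    pos = bad.find(good[needle_off:needle_off + needle_len])
    return None if pos < 0 else pos - needle_off
```

On these two dumps it reports handlers 0x1189BE30 through 0x1189C930 for the working image, no valid vector table for the CR4 image, and a displacement of 0x12 bytes, which fits the "shifted" hypothesis in the post.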

Re: I found an exploit in boot1.5 4.4.0.8!

Post by parrotgeek1 » 24 Jan 2018, 01:02

critor wrote: Indeed, very strange.

In non-CR4 mode, Boot2 is there:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
EXPLOIT: Loading complete, launching image.
>d 11800000
11800000  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800010  18 F0 9F E5 18 F0 9F E5-18 F0 9F E5 18 F0 9F E5   .���.���.���.���
11800020  30 BE 89 11 70 BF 89 11-AC BF 89 11 E8 BF 89 11   0��.p��.���.���.
11800030  24 C0 89 11 FC C0 89 11-C0 C8 89 11 30 C9 89 11   $��.���.���.0��.
11800040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
11800050  7C 81 6E 5B A0 A4 47 5C-39 37 C6 6E 29 0D F9 D2   |�n[��G\97�n).��
11800060  DC 40 40 51 09 4E 07 13-93 5B B4 A5 23 38 75 03   �@@Q.N..�[��#8u.
11800070  BC 74 3D 58 48 E0 55 3B-CD 41 DC 8E 37 03 48 F0   �t=XH�U;�A��7.H�


In CR4 mode, the Boot2 version is wrong because Boot2 is corrupted, shifted or just missing. I don't know which, but it's clearly wrong:
Code:
EXPLOIT: Created by parrotgeek1. Compiled: Jan 22 2018 17:21:49
CAS OS mode
Wrong boot2 version
>d 11800000
11800000  01 00 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   ..�.�.�.�.�.�.�.
11800010  8A 11 8F 00 8A 11 8F 00-8A 11 8F 00 8A 11 8F 00   �.�.�.�.�.�.�.�.
11800020  01 30 0B EC 93 E5 00 50-8A 11 96 E5 E2 44 20 00   .0.���.P�.���D .
11800030  97 F8 22 3E 17 F8 22 32-0A 00 9F E5 00 0A 01 00   ��">.�"2..��....
11800040  FE 60 1E FF 00 10 00 30-FF FF 23 12 00 10 30 C9   �`.�...0��#...0�
11800050  89 11 00 00 00 00 00 00-00 00 00 00 00 00 00 00   �...............
11800060  00 00 7C 81 6E 5B A0 A4-47 5C 39 37 C6 6E 29 0D   ..|�n[��G\97�n).
11800070  F9 D2 DC 40 40 51 09 4E-07 13 93 5B B4 A5 23 38   ���@@Q.N..�[��#8


I suppose Boot1.5 is behaving differently for some obscure reason...

If you "k 111e0000", the compressed Boot2 is in the right place, but it fails to decompress it... why?!

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 24 Jan 2018, 23:54

Added some debug output in the Boot2 decompression, printing the fields encountered.

Here is the normal behaviour:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.


And now, here is the totally abnormal CR4 behaviour:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
Wrong boot2 version

So it appears decompressFiles() is launched a first time, but then we don't reach patch_Boot2().
Instead, your exploit is launched a second time...

Something's clearly bad, so a corrupted decompressed Boot2 image doesn't surprise me at all.

Re: I found an exploit in boot1.5 4.4.0.8!

Post by critor » 25 Jan 2018, 00:05

Also seems to be random.

Just worked after a reset, but with the exploit still being launched twice:
Code:
Loading from Boot 2 partition...

19%
EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070

EXPLOIT: Created by parrotgeek1. Compiled: Jan 24 2018 23:36:01
8000
8040
8010
8010
8020
8020
8080
320
8070
CAS OS mode
EXPLOIT: Loading complete, launching image.
Boot Loader Stage 2 (4.0.3.49)
Build: 2015/11/6, 12:44:23
Copyright (c) 2006-2015 Texas Instruments Incorporated
Using production keys

Clocks:  CPU = 132MHz   AHB = 66MHz   APB = 33MHz
Checking for NAND: NAND Flash ID: Generic 1 GBit (0xA1)
This device is a CXCR.
TI_PM_SetShipMode:  FALSE
Unknown LCD(0x00 0x00 0x00).


Initializing graphics subsystem.
Unknown LCD(0x00 0x00 0x00).
Boot option: Normal


Initializing filesystem.
  Skipping NAND workaround.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
FB NAND Flash Controller
FFX: BBM Format found 0 bad blocks (IOError=0 Factory=0 Marked=0 Legacy=0)
FlashFX: Formatting... One moment please
100%
FlashFX: Format complete, Status=0x00000000
relFs_Format v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Writing file system...100
Block size: 2048
Total blocks: 59008
Used blocks: 21
Free blocks: 58987
Filesystem ready.
deleteTree(): path /tmp
TI_OS_deleteTree: deleteAllFiles Done!

Loading Operating System...

Error loading OS image. Removing OS remnants.

Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
USB Download is enabled.
