cnCalc计算器论坛

 找回密码
 注册
搜索
查看: 9803|回复: 9

[Nspire] New TI-Nspire CX Boot2 antidowngrade protection blocks Ndless + Nlaunch

[复制链接]
发表于 2013-8-27 00:36:20 | 显示全部楼层 |阅读模式
本帖最后由 critor 于 2013-8-27 08:00 编辑

For years, the TI-Nspire community has been working for the openness of the TI-Nspire, in order for its users to operate their calculators to their fullest potential.

And so was born Ndless, a framework for running assembly programs taking full control of the hardware in particular of the processor.
Some examples of Ndless compatible programs:

  • the nDoom 3D FPS game, a port of the Doom/Doom2 and compatible computer games
  • the Nintendo NES emulator
  • the Nintendo Game Boy Color emulator
  • the Nintendo Game Boy Advance emulator
  • the mViewer image reader



Ndless has existed in several versions, each one specific to a single or a small set of TI-Nspire systems:

Ndless versionTI-Nspire system version
1.0/1.11.1
1.1 prototype1.1 (non-CAS prototypes)
1.2 prototype1.2 (CAS prototypes)
1.31.3
1.41.4
1.71.7
2.01.7, 2.0.1, 2.1.0
3.13.1


The lack of an Ndless cross version is due to the fact that Ndless is not an officially supported program, and Texas Instruments has actively fought it since system 2.1.
Indeed, Ndless installation exploits some flaws in the TI-Nspire system. But any vulnerability exploited then quickly fixed or blocked by Texas Instruments in the next version of the system, forcing Ndless to always use new vulnerabilities.

Do you think you just don't have to update?
Except that Texas Instruments forces the update through various automated popups.
And eventually, all new TI-Nspire will come preloaded with the latest system - it is therefore not a solution for new users.


You'll tell me you just have to reinstall an earlier version of the system?
This was indeed possible until July 2010. At that date, the last 2.1 system has activated a protection which was there but disabled since the beginning, something we called the "system anti-downgrade protection".
System 2.1 and all subsequent systems are updating a minimal installable version number in a memory area not accessible to users and non clearable by any official menu.
Any previous version of the system is then rejected.





As a solution to those problems, the community did release another little tool, Nlaunch.
The TI-Nspire starts by running three pieces of software:

  • Boot Code 1
  • Boot Code 2
  • operating system


So in order to get to the operating system, there are two safety barriers to be overcome.

Where Ndless did only exploit flaws od the system, Nlaunch goes further as directly addressing the Boot Code 2 and overcoming one of both security barriers.
But as Ndless, Nlaunch is also specific to certain versions of the Boot2:

Nlaunch versionTI-Nspire Boot2 version
Nlaunch1.4
Nlaunch CX3.1 (TI-Nspire CX)


Nlaunch is able to install and run operating systems completely ignoring the minimum version of the system, and even to make a recent system to coexist with an old Ndless compatible system.

Like with operating systems, Texas Instruments quickly responded by including a TI-Nspire CX Boot2 update in its latest 3.2.4 operating system.




The TI-Nspire community wasn't worried about that:

  • current TI-Nspire users should simply be careful not to update their Boot2 when updating their system, thanks to the small TNOC tool
  • in case of omission of this manipulation, it was still possible to reprogram the older Boot2 version using an inexpensive TTL/USB interface (RS232)
  • and owners of new TI-Nspire CX could also apply this last solution






This was without counting on the wickedness of the Texas Instruments development team...

We could confirm that when updating a current TI-Nspire CX to the new 3.2.4 Boot2, it was still possible to reinstall the old Nlaunch compatible 3.1 Boot2.

But we hadn't tested this on new TI-Nspire CX coming preloaded with versions 3.2.4 of the system and the Boot2 ...
And although Boot2 3.1 is flashed successfuly through RS232 on these units, it is simply unable to run properly!  {:thumbdown:}
WE5om7P.jpg rmYeKNv.jpg

The boot2 fails on a non-recoverable error (System Error) and the RS232 console tells us a little more with the "BOOT2 Error: posix_file_init() error".

It's an error that has to do with the file system. But it's obviously still intact, as when flashing back the original 3.2.4 Boot2 the TI-Nspire CX boots successfuly.

So, Texas Instruments did probably change something on the new TI-Nspire CX, something that is managed properly by the new 3.2.4 Boot2 but not the old 3.1 Boot2.
Up to date, we do not know exactly what it is

So basically, Texas Instruments just invented us a new antidowngrade protection, "Boot2 antidowngrade protection". But managing to make its own older version of the code crash instead of giving you a clear and related error message is not very clean from my point of view - it just looks like a dirty hack - we were used to much cleaner protections so far...




In conclusion, the new TI-Nspire CX sold from now on are completely closed, with no known way to install Ndless or Nlaunch up to date.  {:thumbdown:}

If you want to use Ndless or Nlaunch, we'd advise you to give up on purchasing a brand new TI-Nspire CX and to look for it on the second-hand market.

In fact on the back of the TI-Nspire CX, on the right of the serial number, is what is called the datestamp, a 7-character code.
Vpd0R09.jpg

The new TI-Nspire CX crashing Boot2 3.1 which have been reported to us up to date have the datestamp 'P-0313J'.
This means that they were manufactured in the TI factory code P (China) in March 2013, and that they include the hardware revision J (11th version) of the motherboard.

On the second hand market you'll be able to ask the seller the datestamp of the calculator, and to buy only TI-Nspire CX whose datestamp ends with a letter from A to I.




This is a sad day for the community. For the third time, Ndless and all its compatible programs have been beaten to death, and even stronger than the previous times. Will they be able to survive this time? ... :'(




Source:
http://tiplanet.org/forum/viewtopic.php?p=147130&lang=en

发表于 2013-8-27 01:20:29 | 显示全部楼层
Too bad... It seemed that we need TNOC to use this system?
RS232 is dead...... But I believe that we will use ndless on this system one day.
 楼主| 发表于 2013-8-27 01:23:07 | 显示全部楼层
You can still use TNOC & RS232 together with OS/Boot2 3.2.4 if you have an old TI-Nspire CX with hardware revision A to I.

The problem is only for new TI-Nspire CX with hardware revision J whose Boot2 & OS cannot be downgraded successfuly, even through RS232.
发表于 2013-8-27 01:32:06 | 显示全部楼层
My have TI-Nspire(tm) CX hardware revision E, it looks good. But can this system compatible with nlaunch?
And if the old Boot2 works well on this system on a classic TI-Nspire(tm) version?
 楼主| 发表于 2013-8-29 03:47:45 | 显示全部楼层
In France, it is possible to easily spot new back-to-school 2013 anti-Ndless/Nlaunch TI-Nspire CX in shops.
http://tiplanet.org/forum/viewtopic.php?p=147203#p147203

Check in your local shops if a hint like that could apply to you.
 楼主| 发表于 2013-8-30 07:29:56 | 显示全部楼层
TI-Nspire CX CAS hardware revision J:


New NAND chip, new motherboard with a completely different reference, removal of the internal J04/JTAG connector.

There are some similarities with the strange TI-Nspire CX discovered by ust.
Pictures in the TI-Planet hardware J news:
http://tiplanet.org/forum/viewtopic.php?f=43&t=12898


I think that I might be bringing more questions than answers.
Feel free to comment - your guess may be as good as mine.
发表于 2013-8-30 18:06:02 | 显示全部楼层
That's bad.
But I'm interested in the new hardware.
发表于 2013-8-31 16:19:57 | 显示全部楼层
本帖最后由 nbzwt 于 2013-8-31 16:54 编辑

Well, that's not a NAND chip, but a MCP chip.
And the specification of the new MCP chip:
8bit NAND Flash + 16bit mSDR RAM
1.8V NAND + 1.8V DRAM
1Gbit(128Mbyte) NAND Flash
512Mbit(64MByte) SDRAM
And DRAM speed is 166MHz (max).
发表于 2013-8-31 16:59:00 | 显示全部楼层
I compared the new chip with the old one, and I found something interesting:
both of them used mobile SDR(or called LPSDR), but the speed has been increased from 133MHz to 166MHz. May the main freq. has increased too with the new boot2? Or the TI will overclock Rev.J in next OS update?
 楼主| 发表于 2013-8-31 20:20:44 | 显示全部楼层
Thank you nbzwt - quite interesting.

For now, the frequencies we get in the RS232 log remain the sames.
您需要登录后才可以回帖 登录 | 注册

本版积分规则

Archiver|手机版|cnCalc计算器论坛

GMT+8, 2024-12-22 14:02 , Processed in 0.113853 second(s), 25 queries .

Powered by Discuz! X3.4

© 2001-2023 Discuz! Team.

快速回复 返回顶部 返回列表