Author Topic: Bypassing TI-Nspire RSA signatures now possible?  (Read 33597 times)

0 Members and 2 Guests are viewing this topic.

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Bypassing TI-Nspire RSA signatures now possible?
« on: March 29, 2011, 02:40:39 am »
As reported in French by TI-BANK, it seems that bsl might have managed to bypass the RSA protection on the TI-Nspire in some ways. He has released a program called DiagsLauncher, that allows you to launch any Diagnostic software images (stored in a .tns file) on your TI-Nspire, ignoring any protection against executing such image on the calculator:



Normally, the TI-Nspire includes a diagnostic software that can be accessed by holding Esc+Menu+G (ClickPad) or Esc+Menu+Moins (TouchPad) on boot. However, it is possible that your calculator doesn't include this software or that you might have previously deleted it. Also, some might have an older version that doesn't include as many options, such as ones for the Touchpad keypad.

Unfortunately, TI didn't make it possible to re-install this software on your calculator or even update it. If you deleted it, it's gone forever. With DiagsLauncher, this problem is solved. Although this software might not be useful for the average calculator user, these images contains interesting test features that can be useful for developers and could possibly allow them to accomplish even more things on the calculator in the future. Not only that, but since this software completely ignores the RSA signature of the model (TI-Nspire, TI-Nspire CAS or even prototypes) to launch diagnostic images of any commercial models or prototypes, could this mean such method could be applied to the boot1, boot2 or even the OS?

DiagsLauncher is available in TI-BANK archives.
« Last Edit: March 29, 2011, 02:46:09 am by DJ_O »

Offline critor

  • Editor
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2079
  • Rating: +439/-13
    • View Profile
    • TI-Planet
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #1 on: March 29, 2011, 05:23:59 am »
Great news! :)
TI-Planet co-admin.

Offline Munchor

  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6199
  • Rating: +295/-121
  • Code Recycler
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #2 on: March 29, 2011, 07:44:56 am »
This looks sweet, so we can access that menu, which I never heard of, in other times rather than when booting :)
It also seems like we're closer from getting the RSA algorithm :)

Offline critor

  • Editor
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2079
  • Rating: +439/-13
    • View Profile
    • TI-Planet
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #3 on: March 29, 2011, 07:53:21 am »
To be more precise, DiagsLauncher just runs any diagnostic image. It's completly independant from the diagnostic present in the NAND ROM, which is neither used nor altered.

You'll need at least a diagnostic image in order to use it.

You can find a dumper in another topic, but for Ndless 1.0/1.1.

You can find the most complete list of diagnostic images here:
http://tibank.forumactif.com/t6212-table-versions-nspire


Feel free to report any unlisted diags version.
TI-Planet co-admin.

Offline jnesselr

  • King Graphmastur
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2270
  • Rating: +81/-20
  • TAO == epic
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #4 on: March 29, 2011, 07:53:22 am »
This looks sweet, so we can access that menu, which I never heard of, in other times rather than when booting :)
It also seems like we're closer from getting the RSA algorithm :)
What RSA algorithm? Are you talking about solving the RSA problem? If so, I know of no algorithm to solve it.

Offline critor

  • Editor
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2079
  • Rating: +439/-13
    • View Profile
    • TI-Planet
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #5 on: March 29, 2011, 07:54:01 am »
We're not solving: we're bypassing :P
TI-Planet co-admin.

Offline Munchor

  • LV13 Extreme Addict (Next: 9001)
  • *************
  • Posts: 6199
  • Rating: +295/-121
  • Code Recycler
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #6 on: March 29, 2011, 07:55:10 am »
This looks sweet, so we can access that menu, which I never heard of, in other times rather than when booting :)
It also seems like we're closer from getting the RSA algorithm :)
What RSA algorithm? Are you talking about solving the RSA problem? If so, I know of no algorithm to solve it.

I mean whatever lets you make 3rd party OSs, which I think is the RSA key, right?

Offline compu

  • LV5 Advanced (Next: 300)
  • *****
  • Posts: 275
  • Rating: +63/-3
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #7 on: March 29, 2011, 01:35:19 pm »
Nice work. Couldn't this code be used to make a simple program loader?

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #8 on: March 29, 2011, 02:01:33 pm »
Now if only we could use this method to launch an OS image... maybe we could have some sort of Linux for the TI-Nspire, even if not executed directly on boot like the regular OS?

Offline mikehill2003

  • LV5 Advanced (Next: 300)
  • *****
  • Posts: 279
  • Rating: +13/-4
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #9 on: March 29, 2011, 02:58:26 pm »
Can you use this to launch an OS image with an invalid signature? (Or just an OS image?)
« Last Edit: March 29, 2011, 02:59:10 pm by mikehill2003 »

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #10 on: March 29, 2011, 02:59:27 pm »
I'M not sure yet, but as the news says, maybe the same method could be used to do so.

Offline critor

  • Editor
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2079
  • Rating: +439/-13
    • View Profile
    • TI-Planet
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #11 on: March 29, 2011, 03:02:13 pm »
It's probably what the (never released) RunOS was using.
TI-Planet co-admin.

Offline mikehill2003

  • LV5 Advanced (Next: 300)
  • *****
  • Posts: 279
  • Rating: +13/-4
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #12 on: March 29, 2011, 03:04:24 pm »
It's probably what the (never released) RunOS was using.

I just got my nspire today (YAY!), do you think it would be safe to test loading an OS this way?

Offline critor

  • Editor
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2079
  • Rating: +439/-13
    • View Profile
    • TI-Planet
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #13 on: March 29, 2011, 03:09:54 pm »
In the worst case, you'll just have to reinstall an OS.


In fact, from my point of view we would need a similar boot2launcher program.
You could then launch a modified boot2 image, in order to launch an OS without checking the RSA signature.
TI-Planet co-admin.

Offline Goplat

  • LV5 Advanced (Next: 300)
  • *****
  • Posts: 289
  • Rating: +82/-0
    • View Profile
Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #14 on: March 29, 2011, 03:49:08 pm »
I'm not sure I see the point in running OSes this way.

It could be nice to be able to run significantly different versions, like have 2.x installed for Ndless but run 3.0 for the additional math features (e.g. 3d graphing), but this doesn't work too well because you get mixed-up text that basically makes everything incomprehensible (see below for an example - 2.1 running on a 2.0.1 installation).

If you want to run your own code, just make it its own Ndless program. No reason to make extra work for yourself by putting it in .tno format.
Numquam te deseram; numquam te deficiam; numquam circa curram et te desolabo
Numquam te plorare faciam; numquam valedicam; numquam mendacium dicam et te vulnerabo