Author Topic: Bypassing TI-Nspire RSA signatures now possible?  (Read 33690 times)

Offline critor

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #45 on: March 30, 2011, 02:05:14 pm »
According to the video that was posted, RunOS was launching the OS directly.

But, you'd have to get a decrypted OS image first, which is not easy at all for the end user.
So it might be useful to use a modified boot2 in order to launch the OS from a simple tnc/tno file.
« Last Edit: March 30, 2011, 02:41:57 pm by critor »
TI-Planet co-admin.

Offline Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #46 on: March 30, 2011, 02:20:12 pm »
Quote
But, you had to get a decrypted OS image first, which is not easy at all for the end user.
A Ndless program running on the calculator could perform the Blowfish decryption of the .tnc/.tno downloaded from TI or other sources :)

Spoiler:
Part of the necessary information was available in several posts by Goplat in http://www.unitedti.org/forum/index.php?showtopic=8191 , but he redacted these posts. However, both the boot2 (and the OS) contain Blowfish encryption and decryption routines, and these routines are undoubtedly called from a small number of places. IOW, the Blowfish key wouldn't be hard to find in the boot2.
« Last Edit: March 30, 2011, 02:30:00 pm by Lionel Debroux »
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TILP and TIEmu.
Co-admin of TI-Planet.

Offline mikehill2003

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #47 on: March 30, 2011, 04:04:11 pm »
Why are the boot2 images so large in this video?
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1026

It looks like they are ~300kb more than what TNOC removes from a standard tno/tnc.

Offline critor

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #48 on: March 30, 2011, 04:17:28 pm »
Quote
Why are the boot2 images so large in this video?
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1026

It looks like they are ~300kb more than what TNOC removes from a standard tno/tnc.

Like RunOS, Boot2Launcher is using uncompressed boot2 images.

Offline mikehill2003

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #49 on: March 30, 2011, 04:19:09 pm »
How are they uncompressed? Never mind.
« Last Edit: March 30, 2011, 06:56:24 pm by mikehill2003 »

Offline FloppusMaximus

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #50 on: March 30, 2011, 10:53:34 pm »
I believe it's actually encrypted using Wolbhsif ;)

Offline Lionel Debroux

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #51 on: March 31, 2011, 12:38:19 pm »
The boot2 is compressed in a weird format (documented on UTI), and the OS is encrypted with Blowfish.

Offline compu

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #52 on: April 04, 2011, 03:29:08 pm »
I have decrypted the OS now using a method described on yAronet and modified boot2launcher's source (instead of 0x1180000 0x10000000 + size changed) but it seems that this method would be too easy. The emulator reboots with
Code:
data abort exception, lr=101f9ddc
So, is anybody gonna help me or does nobody want to talk about this because they don't want to upset TI?

Offline DJ Omnimaga

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #53 on: April 04, 2011, 03:46:53 pm »
Well, make sure to not post any copyrighted stuff like code, that's for sure. I unfortunately do not know about that stuff, though, so whatever you would post, I wouldn't even know what it is. X.x. At least avoid describing completely how to perform things like running a CAS OS on Nspires it isn't supposed to run on, though, so TI won't get mad.

Offline compu

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #54 on: April 04, 2011, 03:51:26 pm »
Quote
Well, make sure to not post any copyrighted stuff like code, that's for sure. I unfortunately do not know about that stuff, though, so whatever you would post, I wouldn't even know what it is. X.x. At least avoid describing completely how to perform things like running a CAS OS on Nspires it isn't supposed to run on, though, so TI won't get mad.
Of course I won't post copyrighted material and I can't describe how to run the CAS because I don't know how to do this.
If you want to, I can redact my post :-X

Offline critor

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #55 on: April 04, 2011, 04:01:44 pm »
Quote
I have decrypted the OS now using a method described on yAronet and modified boot2launcher's source (instead of 0x1180000 0x10000000 + size changed) but it seems that this method would be too easy. The emulator reboots with
Code:
data abort exception, lr=101f9ddc
So, is anybody gonna help me or does nobody want to talk about this because they don't want to upset TI?

I have the code to make a "hot reboot". It's tested and working.
The OS decrypted code has to be copied some way at 0x10000000.

But you have to make sure no OS code is used at that time.
So I suppose you can neither fread directly at 0x100000000, nor use memcpy().
I've tried to use standard C functions (malloc, fread, and then a for loop and pointers...), but in the end it didn't work either.
I've disabled interrupts, same thing...
I've disabled the compiler optimisations, same thing...

I'm either getting errors speaking of:
- code already in use
- misaligned data
or a freeze or full reboot.

I suppose, some part of the old OS code is still in use...
Maybe performing the copy operation in assembly would be a way.

It's probably quite simple, for someone who understands ARM assembly.
« Last Edit: April 04, 2011, 04:05:06 pm by critor »

Offline compu

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #56 on: April 05, 2011, 08:25:52 am »
So this has to be done in asm?
I have never used it. :(

Offline critor

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #57 on: April 05, 2011, 08:39:59 am »
Quote
So this has to be done in asm?
I have never used it. :(

Anyway, the "hot reboot" code is already in asm.
So adding the "OS copy code" just before it wouldn't be a problem for me.

Offline compu

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #58 on: April 05, 2011, 08:49:51 am »
What do you mean by hot reboot code?
This one line of assembly in boot2-/diagslauncher that loads the OS base address into r15/pc?
« Last Edit: April 05, 2011, 08:50:02 am by compu »

Offline critor

Re: Bypassing TI-Nspire RSA signatures now possible?
« Reply #59 on: April 05, 2011, 09:23:55 am »
Quote
What do you mean by hot reboot code?
This one line of assembly in boot2-/diagslauncher that loads the OS base address into r15/pc?

For the OS, it's a little more complicated than that.