Omnimaga
Omnimaga => News => Topic started by: thepenguin77 on August 23, 2011, 05:54:25 pm
-
In short, this is the boot code 1.03 hack.
When boot code 1.03 first came out, I searched pretty hard for an exploit that would allow unsigned OS's to be sent to the calculator. I ended up disassembling the entire boot code only to come up short. So I figured it wasn't possible. But then, brandonW said that he had found a way to do it, but of course, was not going to tell anyone (for safety reasons, the same reason I'm releasing this so late). This energized me to look through the boot code, and sure enough, I figured out how to do it.
But guess what? Brandon and I had come up with entirely different ways to beat the boot code. This is actually really cool because it means we are covered the next time TI releases a boot code. So, we should be able to downgrade operating systems for quite some time.
The reason I had to wait so long to release this was so that it would not be easy for TI to change their boot code to beat my exploit. I think now is a good time to release this because TI has already made their supply of calculators for the 2011-2012 school year and it's about this time of year that people will start looking for a way to downgrade. And actually, I'm not even sure that TI will be able to reverse engineer my exploit once they find out about it, but that's another story.
So, here is the patcher: This is just an extension of my old AboutNam, the code has been finished for several months now, I just had to wait to release it. Here's what the exploit does:
- Allows unsigned OS's (512 bit RSA and 1024 bit RSA)
- Allows unsigned apps
The cool part is that this exploit works on all boot codes all the way back to the 83+, so feel free to use it there. And allowing/disallowing is as simple as selecting "Unsigned OS's" vs "Signed OS's." While you're at it, you might as well put your name in the certificate :D
As far as side effects go, here's what I've noticed:
- Validation of OS's in boot code 1.03 takes ~5 minutes less :D
- If the unsigned OS's are selected, the calculator will finish receiving the OS and reboot without telling the sending calculator/TI-Connect that it has finished. This is because I intercept control before the final confirmation packet is sent (which is after validation) and I have no way to tell whether the OS was received via USB or I/O. A very simple workaround is to just close TI-Connect. When sending from another calculator, the calculator will just say Error in Xmit, so there's really no problem there.
- The above is also true for receiving apps with unsigned apps enabled
- When you run this program on an 83+BE, it will clear ram when it's done. I did this on purpose.
- If you always use unsigned apps, you'll have no idea whether the apps will actually work on other calculators (not really a side effect)
If you want a copy of the source, just PM me, I'll be happy to send you a copy as long as you are: not TI, or are not going to send it to TI. In fact, it actually makes me happy when people look at the source, so don't feel at all like it will annoy me. I'd attach it, but like I said, I want this exploit to remain valid for a while.
Lastly, if you are going to run this program from a shell (yes you can), be sure that the program is archived. This is because it manually deallocates itself and jumps to the OS, which means if it's in ram, it's essentially deleting itself. If you run it from TI-OS, it will just run like a normal program. Why does it deallocate itself you ask? Because I encrypted it :D
Edit:
Why do you need this?
If you don't understand any of the above information, then the only reason you need this program is to downgrade your calculator from OS 2.55 to something else if you have boot code 1.03.
First off, your calculator won't have boot code 1.03 unless you bought it within the past month. Secondly, to check, press [Mode][Alpha][Ln]. If it does not say BOOT Code 1.03, then you have nothing to worry about.
The reason you would run this is because TI added in anti-downgrade protection in the boot code that would only allow you to run OS's 2.55 and higher. Of course, some people won't want to run that OS, so run this and you'll be able to downgrade.
-
Why does it deallocate itself you ask? Because I encrypted it :D
thepenguin, you really are the best XD
I now feel secure in buying new calcs.
-
I'll just inquire over a general detail: since it works (presumably) on the 83+, I take it that it modifies the certificate and not the boot code?
Also, what's the point of encrypting it? It has to decrypt itself to run, and thus it should be easy to get a decrypted version to study.
Also, does it only work against 1.03, or does it work for 1.02 (and perhaps 1.00) too?
Edit: Moved to News.
-
So, is there any chance of finding something like this in the nspire? I'd love to see that.
Great news!
-
I'll just inquire over a general detail: since it works (presumably) on the 83+, I take it that it modifies the certificate and not the boot code?
Correct, it modifies the certificate.
Also, what's the point of encrypting it? It has to decrypt itself to run, and thus it should be easy to get a decrypted version to study.
Two reasons, 1) you can't just use IDA on it this way, 2) the way I encrypted it makes it very hard to NOP code (I can't give away too many details in permanent posts like this)
Also, does it only work against 1.03, or does it work for 1.02 (and perhaps 1.00) too?
This works on every boot code that has been released to date. Though, there are far fewer reasons to use it on anything besides boot code 1.03.
-
Very cool. I think I'll install :D
-
Wow. Thepenguin, this is awesome. I've been wondering if you'd found a way to do things like this a while back, but then forgot about it. This is epic.
Did you ever figure out a way to keep "trial apps" from deleting themselves?
Oh, and...
Why does it deallocate itself you ask? Because I encrypted it :D
You, my friend, are a beast. :D
-
wait, what are Trial Apps?
-
Wow. Thepenguin, this is awesome. I've been wondering if you'd found a way to do things like this a while back, but then forgot about it. This is epic.
Did you ever figure out a way to keep "trial apps" from deleting themselves?
Well, if you install them with this they won't. But yes, keeping them from deleting themselves is easy.
wait, what are Trial Apps?
Back when you used to have to pay for apps, people would make apps that would only run a certain number of times and then delete themselves.
-
wait, what are Trial Apps?
Back when you used to have to pay for apps, people would make apps that would only run a certain number of times and then delete themselves.
(These are also the type of Apps that Axe makes.)
-
Really? That's a really easy fix. Check here (http://wikiti.brandonw.net/index.php?title=83Plus:OS:Certificate/Headers#App_Trials_Table) for info. A quick writeAByte to the certificate and your app is valid.
I'll go tell quigibo.
-
:o O.O amazingly cool
-
Great job! Now I am not afraid to buy any new calcs!
-
Damn thepenguin77, I cannot handle your awesomeness. You are now our hero.
-
Thepenguin, you are a calculator god.
-
Will this work on my TI-84??
-
Will this work on my TI-84??
ThePenguin said it works on just about everything, so give it a shot.
-
I don't understand what this does. Do I really need it??
-
I don't understand what this does. Do I really need it??
It allows you to downgrade any TI-OS to an older version. This can be useful if you have the unstable 2.55 MP, because MP is awful and slow and buggy.
-
How do I tell my version??
-
Hit [2nd], then +, then [enter] and it says something like
TI-84 Plus
2.55MP
It could say a different number though
-
Mine says 2.43. Is there something wrong with it??
-
No, that is the most stable version released, which means that you don't really need to use this program
-
Welcome to the forums netwolf. In summary, this is for people who got newer TI-84 Plus models such as the French TI-84 Pocket.fr or any calc running Boot code 1.03, which prevents downgrading to something lower than OS 2.55MP. Basically, my 84+ from 2009 does not need this, but 2011 calcs might.
Also it makes it easier to install third-party OSes like GlassOS, PongOS, etc.
By the way, nice job ThePenguin77 :thumbsup: *.*
-
Awesomeness! :D
-
Oh, I get it now. Good job thepenguin.
-
Great ;)
-
As always, great work! =)
-
great job indeed:)
-
Now WFRNG OS is free to plague us once more! Yay! :P
-
wait, what are Trial Apps?
Back when you used to have to pay for apps, people would make apps that would only run a certain number of times and then delete themselves.
(These are also the type of Apps that Axe makes.)
AXE doesn't make permanent apps? (I've never made an app)
-
wait, what are Trial Apps?
Back when you used to have to pay for apps, people would make apps that would only run a certain number of times and then delete themselves.
(These are also the type of Apps that Axe makes.)
AXE doesn't make permanent apps? (I've never made an app)
You have to send them to the computer, sign them, and send them back in order to make them stay longer than 16ish runs.
-
I did not know that. (about axe)
Someone I know just got a new calc, with 1.0.3, and now he can downgrade :w00t: Great job!
-
I knew about the whole signing issue, but I didn't know that was why it mattered. :P
-
I wonder how TI will respond to the Boot 1.03 protection bypassing/breaking?
-
Maybe they'll give up and give us the nspire keys! :P
-
Don't count on it. After all they upgraded to 2048 bit keys for the CX :P
EDIT: Actually as a gift they will probably upgrade to 4096 bit keys <_<.
-
And it will take four hours to boot up the nspire.
-
lol
-
So the CX won't start up until the end of a test :P
-
So the CX won't start up until the end of a test :P
lol O0
My vote is for unbreakable 1 bit keys...
-
And it will take four hours to boot up the nspire.
I already notice the CX takes a friggin long while to boot actually. I think it takes 2x longer than my clickpad. X.x
-
And it will take four hours to boot up the nspire.
I already notice the CX takes a friggin long while to boot actually. I think it takes 2x longer than my clickpad. X.x
I remember first time I turned on the prizm, I was like "Great, this is always going to happen?"
just the first time btw (:
Awesome program btw. I'll keep this thread in mind ;D
-
READ THIS, TI SPIES!
And it will take four hours to boot up the nspire.
I already notice the CX takes a friggin long while to boot actually. I think it takes 2x longer than my clickpad. X.x
They are focusing more on blocking us than on their main target -- students. Students and teachers want a fast calculator that can boot up quickly and calculate expressions within fractions of a second. Most students, even on the relatively open 83+ family, did not play games. Those who do play games are tech savvy enough to find an exploit or use an already existing program. TI is shooting themselves in the foot: they are making it harder for students to use and pushing hobbyists away from TI brand calculators.
-
Yeah, the boot time annoys me. Granted, you can disable hibernation mode so the boot never happens, but then your battery gets drained faster while the calc is turned OFF.
On the Prizm there isn't even a boot delay, except you have to configure the calc the first time you turn it ON. The only delay is when turning it OFF, where you see the CASIO logo for about 3 seconds.
-
Yeah, the boot time annoys me. Granted, you can disable hibernation mode so the boot never happens, but then your battery gets drained faster while the calc is turned OFF.
On the Prizm there isn't even a boot delay, except you have to configure the calc the first time you turn it ON. The only delay is when turning it OFF, where you see the CASIO logo for about 3 seconds.
I think there's a three second loading time when you turn it on for the first time too, but it's fine since it's not very long.
-
Yeah, by the way the reason for the 2x longer boot is because of the 2x longer key :P The nspire could have as fast of boot times as an 84+ without boot1 and boot2 getting in the way (Yes I realize you'd need a small boot1 to load the OS files, but that hardly counts.) and you wouldn't even need a standby option anymore.
I do see the wisdom of having, say, a 32 bit key on the OS to act as a form of corruption check, so the inexperienced don't screw up their calc sending a renamed program as the OS unintentionally.
-
Quick question: How stable is this? Is there a huge chance of doing something unrepairable to your calc?
-
Quick question: How stable is this? Is there a huge chance of doing something unrepairable to your calc?
As I understand it, it works perfectly :) (Though thepenguin77 would know better of any potential shortcomings.)
-
Yeah, by the way the reason for the 2x longer boot is because of the 2x longer key :P The nspire could have as fast of boot times as an 84+ without boot1 and boot2 getting in the way (Yes I realize you'd need a small boot1 to load the OS files, but that hardly counts.) and you wouldn't even need a standby option anymore.
Well, it still does take a significant amount of time to load the OS into RAM. The OSes on the earlier TI calcs run directly from the Flash memory, but that's not possible on the Nspire. But yeah, it would be faster without the validation checks.
-
Quick question: How stable is this? Is there a huge chance of doing something unrepairable to your calc?
As far as I can test, this is very stable. The whole certificate modification system is the same one I used in my old AboutNam program, and I haven't had a single person complain about it not working.
For the exploits, I've watched the whole code process take place in wabbitemu on 84+SE boot 1.02, 84+BE boot 1.03, 83+ boot 1.01, and 83+ boot 1.00. And on all of those, it worked perfectly.
I've also tested this a bunch on my real 84+SE. I've tested sending signed and unsigned OS's as well as signed and unsigned apps. Calcdude's also sent a few custom OS's to his calculator.
So, as far as I know, this is super stable.
-
Awesome! My bro got a new calc, and I wanted to make sure this was safe before I tried it.
-
Just wanted to say thanks for this :) Just got a 84+SE and am now happy I have my beloved 2.43 OS back on it ;D
-
How do I run this patch on my TI-84?
I am still unfamiliar with the TI-84, so who wants to give a step-by-step action plan?
-
Upload the program to your TI-84 and run it with Asm( (which is in Catalog). The rest should be pretty straightforward I think.