Omnimaga

Omnimaga => News => Topic started by: critor on January 13, 2013, 07:54:30 am

Title: Take full control with Boot1 1.1.9999
Post by: critor on January 13, 2013, 07:54:30 am
The TI-Nspire starts in 3 steps:
In this security model, each software component ensures the integrity of the next one.

Since last year (http://tiplanet.org/forum/viewtopic.php?t=8954), it became possible to reprogram the boot1 on prototypes TI-Nspire ClickPad from Q1 2007, permanently transforming these into production models accepting the latest OS released on TI website.
Indeed, these prototypes were using an external read-write Flash-NOR chip.

But this is not limited to prototypes! ;)
We already knew that the TI-Nspire TouchPad had their Flash NOR chip moved into the ASIC chip. So so far, that chip is out of our reach.
We noticed in a previous news (https://tiplanet.org/forum/viewtopic.php?t=10971&p=133815) that TI-Nspire ClickPad Hardware Revision C and later had their Flash NOR chip incorporated into the ASIC chip too.
(http://www.datamath.org/Graphing/Images/TI-NspireCASTP_SOC.jpg)
(http://tiplanet.org/forum/gallery/image.php?mode=medium&image_id=1433)

We do not know about hardware revisions B, but the very first production TI-Nspire released in 2007 and their hardware revision A have a motherboard similar to the prototypes with the same external Flash NOR chip! ;D(http://www.omnimaga.org/Themes/default/images/gpbp_arrow_up.gif)

The only problem is that their Flash NOR chip is physically set to read-only through a difference in the pinout:
(http://tiplanet.org/forum/gallery/image.php?mode=medium&image_id=596)

But a tiny hardware modification was enough to make that chip rewriteable, as presented in a previous news (http://tiplanet.org/forum/viewtopic.php?t=10446) for non-CAS TI-Nspire:
(http://tiplanet.org/forum/gallery/image.php?mode=medium&image_id=1394)

After a first successful test of a Boot1 reflashing in a previous news (http://tiplanet.org/forum/viewtopic.php?t=10960&p=133688), I'm honored to present you today the lastest achievment of the TI community, Boot1 1.1.9999! ;D(http://www.omnimaga.org/Themes/default/images/gpbp_arrow_up.gif)


This is a patch for the Boot1 1.1.8916 coming with all production TI-Nspire ClickPad and TouchPad, which will allow you to install and run:
Meaning that is does accept modified images which don't pass the RSA signature check!  :crazy:

For example, here is a TI-Nspire with Boot1 1.1.9999, running on a 1.4.1571 Boot2 whose version string has been patched to 1.4.9999:
(http://tiplanet.org/forum/gallery/image.php?mode=medium&image_id=1888)



The possibilities are simply huge!

On the one hand, this is a feat far greater than in a nLaunch previous news (http://tiplanet.org/forum/viewtopic.php?t=11018).

Ndless was taking control of your TI-Nspire inside the OS 3.1.

nLaunch was allready one step above as it was taking control of your TI-Nspire inside the Boot2 1.4, meaning that you could do everything with the OS.

And now, we're taking full control of the hardware inside the Boot1 1.1.8916, meaning that we can do everything with the Boot2 and Diagnostics software, and by extension with the OS.
(http://tiplanet.org/forum/gallery/image.php?mode=medium&image_id=1889)


Everything is now possible, just be inspired and imagine:
As a bonus for you, here is the historical video of the live first flashing of Boot1 1.1.9999! ;)
[ Invalid YouTube link ]



Source & downloads:
http://tiplanet.org/forum/viewtopic.php?t=11102&lang=en
Title: Re: Take full control with Boot1 1.1.9999
Post by: TIfanx1999 on January 13, 2013, 07:59:14 am
Great work as usual! :)
Title: Re: Take full control with Boot1 1.1.9999
Post by: ElementCoder on January 13, 2013, 10:50:48 am
What can I say but to agree with Art_of_camelot :) I keep thinking at each news 'ok, this is our last victory' but you guys keep going :) The possibility of cold launching linux and/or multiboot souds great! :D
Title: Re: Take full control with Boot1 1.1.9999
Post by: Juju on January 13, 2013, 11:39:45 am
Great work indeed! I would totally love seeing the Linux bootloader installed as Boot2.
Title: Re: Take full control with Boot1 1.1.9999
Post by: excale on January 13, 2013, 11:43:59 am
You can already have linux bootloader as your OS with nLaunch :).
Title: Re: Take full control with Boot1 1.1.9999
Post by: Sorunome on January 13, 2013, 03:15:27 pm
Awesome as usual!
But with these new cool flashing I got a question: If somebody else wants to flash it, does he/she still need to mod the hardware with that switch?
Title: Re: Take full control with Boot1 1.1.9999
Post by: Lionel Debroux on January 13, 2013, 03:17:30 pm
Quote
If somebody else wants to flash it, does he/she still need to mod the hardware with that switch?
Yes, it's still needed.
Title: Re: Take full control with Boot1 1.1.9999
Post by: TheNlightenedOne on January 25, 2013, 09:22:52 pm
That's a great development for the TI-Nspire. :D I'm excited to see what people end up doing with the ability to flash arbitrary boot1s.
Also, how did you get the ASIC scan?
Title: Re: Take full control with Boot1 1.1.9999
Post by: critor on January 26, 2013, 03:41:24 am
Hi,

I've made a news with all available scans from the first TI-Nspire ClickPad ASIC (initial hardware + hardware revision A).
http://tiplanet.org/forum/viewtopic.php?t=10486

All scans (raw) come from microblog.routed.net:
http://microblog.routed.net/2008/08/15/ic-friday-tis-nspire/

But unfortunately, the site is not updated anymore. It could have been useful to get ClickPad revision C-J, TouchPad and CX ASIC scans and look for the internal NOR chip...