Author Topic: Nspire OS Risk/Weakness  (Read 19487 times)

0 Members and 2 Guests are viewing this topic.

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Nspire OS Risk/Weakness
« on: November 11, 2010, 10:15:08 pm »
While on Hackspire, I noticed this log file of the boot sequence of the nspire. (obtained through an rs232 cable linked to the dock
http://hackspire.unsads.com/files/log-philippburch-serial-boot.txt

Notice under "Boot Loader Stage 2" It says "Using Production Keys"

Something occurred to me: why state you are using a default if you can't change it?

Since the Boot2 is upgradeable, this means you could change the OS license key, and it appears you don't even need to go that far. The Boot1 is most likely capable (or maybe even some file in the system :D) of forcing the boot2 to use a different key when loading the OS. That means two things:

1. If we discover the RSA key to the OS, TI could change it on us with a boot2 v2.5
2. If we can figure out how to force our own key, we could easily install our own OS!

Thoughts?

Offline calc84maniac

  • eZ80 Guru
  • Coder Of Tomorrow
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2912
  • Rating: +471/-17
    • View Profile
    • TI-Boy CE
Re: Nspire OS Risk/Weakness
« Reply #1 on: November 11, 2010, 10:17:36 pm »
Well, the solution then is if we want to crack a key, crack the one for boot2 instead of the one for the OS. The key in the boot1 isn't going to change, for sure.
"Most people ask, 'What does a thing do?' Hackers ask, 'What can I make it do?'" - Pablos Holman

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Nspire OS Risk/Weakness
« Reply #2 on: November 11, 2010, 10:22:17 pm »
It would still take those 1000 Intel Core i666 8.60 GHz 128-cores computers to factor it, right?

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #3 on: November 11, 2010, 10:23:10 pm »
Right, but I was thinking more of the possible security hole. Imagine how awesome it would be if all we had to do to make our own OS took 4 steps:
1. Send Ndless and Keychange to your calc
2. Install Ndless, run Keychange
3. Access Maintenance Menu (runs from Boot1, I think) and delete os
4. Install the new OS


Offline calc84maniac

  • eZ80 Guru
  • Coder Of Tomorrow
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2912
  • Rating: +471/-17
    • View Profile
    • TI-Boy CE
Re: Nspire OS Risk/Weakness
« Reply #4 on: November 11, 2010, 10:24:26 pm »
Maintenance Menu is actually in boot2, I think (which is why it doesn't come up until the loading bar is half full)
"Most people ask, 'What does a thing do?' Hackers ask, 'What can I make it do?'" - Pablos Holman

Offline jnesselr

  • King Graphmastur
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2270
  • Rating: +81/-20
  • TAO == epic
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #5 on: November 11, 2010, 10:28:04 pm »
So, essentially, we would need to make a boot2 with the same hash/signature as the real boot2.  Quite possible if we knew what method it used to hash it.

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #6 on: November 11, 2010, 10:28:08 pm »
Hmm..that could be troubling. As long as it does it before it checks RSA encryption, though, it should still work fine.

How dare you ninja me :P

Not quite what I meant, Graphmastur. My point was that the Boot2 has another option for what key it uses than the default. The question lies in what accomplishes this change. It can't be the boot1, since it's read-only, and it can't be the boot2, since it is the boot2 whose actions change. There's probably a configuration somewhere in the /phoenix folder that allows you to use a different key.

Code: [Select]
Is disassembling illegal? As long as we're not using their code for anything, it's not a copyright violation, right?
If it isn't, then we could disassemble the boot2 bin and see what exactly it is doing at that stage.
« Last Edit: November 11, 2010, 11:25:14 pm by willrandship »

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #7 on: November 12, 2010, 11:38:36 am »
Does anyone know of a good ARM disassembler? Any that I can find only take .elf files, and I was hoping for one for .bin files.

Offline AngelFish

  • Is this my custom title?
  • Administrator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 3242
  • Rating: +270/-27
  • I'm a Fishbot
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #8 on: November 12, 2010, 11:43:56 am »
Will this work?
∂²Ψ    -(2m(V(x)-E)Ψ
---  = -------------
∂x²        ℏ²Ψ

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #9 on: November 12, 2010, 06:09:08 pm »
That one sorta works. I ran it at the school's pc, and it just spits out the output into the command line. Unfortunately, the windows command line erases after ~200 lines, so I lose most of it. It should really save it to a file.

It runs in Wine though :D I'm going to see if I can get it to record.
« Last Edit: November 12, 2010, 06:12:56 pm by willrandship »

Offline calc84maniac

  • eZ80 Guru
  • Coder Of Tomorrow
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2912
  • Rating: +471/-17
    • View Profile
    • TI-Boy CE
Re: Nspire OS Risk/Weakness
« Reply #10 on: November 12, 2010, 06:13:14 pm »
Code: [Select]
program.exe arguments > output.txt
"Most people ask, 'What does a thing do?' Hackers ask, 'What can I make it do?'" - Pablos Holman

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #11 on: November 12, 2010, 06:29:45 pm »
Eh, I got it through the linux terminal. Hallelujah for infinite backscrolling!

Here's the file. does it looks like complete nonsense to any of you? I'm afraid I don't really know asm that well.

Offline calc84maniac

  • eZ80 Guru
  • Coder Of Tomorrow
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2912
  • Rating: +471/-17
    • View Profile
    • TI-Boy CE
Re: Nspire OS Risk/Weakness
« Reply #12 on: November 12, 2010, 06:31:45 pm »
Yep, it's complete nonsense. What were you disassembling?

Edit:
Never mind, I see now. Are you sure about that "infinite backscrolling"? I only see 195 lines in that text file.
« Last Edit: November 12, 2010, 06:33:50 pm by calc84maniac »
"Most people ask, 'What does a thing do?' Hackers ask, 'What can I make it do?'" - Pablos Holman

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #13 on: November 12, 2010, 08:37:56 pm »
It went all the way back to the input command. This was only the boot2. I'll try again though.

Just the Boot2.bin file extracted from the OS upgrade. Oh, wait, that was encrypted, wasn't it?
« Last Edit: November 12, 2010, 08:38:31 pm by willrandship »

Offline AngelFish

  • Is this my custom title?
  • Administrator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 3242
  • Rating: +270/-27
  • I'm a Fishbot
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #14 on: November 12, 2010, 09:54:26 pm »
It went all the way back to the input command. This was only the boot2. I'll try again though.

Just the Boot2.bin file extracted from the OS upgrade. Oh, wait, that was encrypted, wasn't it?

It was compressed with a weird compression algorithm. Goplat managed to decompress it, though. You should E-mail him about the format.
« Last Edit: November 12, 2010, 09:54:46 pm by Qwerty.55 »
∂²Ψ    -(2m(V(x)-E)Ψ
---  = -------------
∂x²        ℏ²Ψ