Author Topic: Nspire OS Risk/Weakness (Read 18901 times)

willrandship · « **on:** November 11, 2010, 10:15:08 pm »

While on Hackspire, I noticed this log file of the boot sequence of the nspire. (obtained through an rs232 cable linked to the dock
http://hackspire.unsads.com/files/log-philippburch-serial-boot.txt

Notice under "Boot Loader Stage 2" It says "Using Production Keys"

Something occurred to me: why state you are using a default if you can't change it?

Since the Boot2 is upgradeable, this means you could change the OS license key, and it appears you don't even need to go that far. The Boot1 is most likely capable (or maybe even some file in the system

) of forcing the boot2 to use a different key when loading the OS. That means two things:

1. If we discover the RSA key to the OS, TI could change it on us with a boot2 v2.5
2. If we can figure out how to force our own key, we could easily install our own OS!

Thoughts?

calc84maniac · « **Reply #1 on:** November 11, 2010, 10:17:36 pm »

Well, the solution then is if we want to crack a key, crack the one for boot2 instead of the one for the OS. The key in the boot1 isn't going to change, for sure.

DJ Omnimaga · « **Reply #2 on:** November 11, 2010, 10:22:17 pm »

It would still take those 1000 Intel Core i666 8.60 GHz 128-cores computers to factor it, right?

willrandship · « **Reply #3 on:** November 11, 2010, 10:23:10 pm »

Right, but I was thinking more of the possible security hole. Imagine how awesome it would be if all we had to do to make our own OS took 4 steps:
1. Send Ndless and Keychange to your calc
2. Install Ndless, run Keychange
3. Access Maintenance Menu (runs from Boot1, I think) and delete os
4. Install the new OS

calc84maniac · « **Reply #4 on:** November 11, 2010, 10:24:26 pm »

Maintenance Menu is actually in boot2, I think (which is why it doesn't come up until the loading bar is half full)

jnesselr · « **Reply #5 on:** November 11, 2010, 10:28:04 pm »

So, essentially, we would need to make a boot2 with the same hash/signature as the real boot2. Quite possible if we knew what method it used to hash it.

willrandship · « **Reply #6 on:** November 11, 2010, 10:28:08 pm »

Hmm..that could be troubling. As long as it does it before it checks RSA encryption, though, it should still work fine.

How dare you ninja me

Not quite what I meant, Graphmastur. My point was that the Boot2 has another option for what key it uses than the default. The question lies in what accomplishes this change. It can't be the boot1, since it's read-only, and it can't be the boot2, since it is the boot2 whose actions change. There's probably a configuration somewhere in the /phoenix folder that allows you to use a different key.

Code: [Select]

Is disassembling illegal? As long as we're not using their code for anything, it's not a copyright violation, right?
If it isn't, then we could disassemble the boot2 bin and see what exactly it is doing at that stage.

willrandship · « **Reply #7 on:** November 12, 2010, 11:38:36 am »

Does anyone know of a good ARM disassembler? Any that I can find only take .elf files, and I was hoping for one for .bin files.

AngelFish · « **Reply #8 on:** November 12, 2010, 11:43:56 am »

Will this work?

willrandship · « **Reply #9 on:** November 12, 2010, 06:09:08 pm »

That one sorta works. I ran it at the school's pc, and it just spits out the output into the command line. Unfortunately, the windows command line erases after ~200 lines, so I lose most of it. It should really save it to a file.

It runs in Wine though

I'm going to see if I can get it to record.

calc84maniac · « **Reply #10 on:** November 12, 2010, 06:13:14 pm »

Code: [Select]

program.exe arguments > output.txt

willrandship · « **Reply #11 on:** November 12, 2010, 06:29:45 pm »

Eh, I got it through the linux terminal. Hallelujah for infinite backscrolling!

Here's the file. does it looks like complete nonsense to any of you? I'm afraid I don't really know asm that well.

calc84maniac · « **Reply #12 on:** November 12, 2010, 06:31:45 pm »

Yep, it's complete nonsense. What were you disassembling?

Edit:
Never mind, I see now. Are you sure about that "infinite backscrolling"? I only see 195 lines in that text file.

willrandship · « **Reply #13 on:** November 12, 2010, 08:37:56 pm »

It went all the way back to the input command. This was only the boot2. I'll try again though.

Just the Boot2.bin file extracted from the OS upgrade. Oh, wait, that was encrypted, wasn't it?

AngelFish · « **Reply #14 on:** November 12, 2010, 09:54:26 pm »

Quote from: willrandship on November 12, 2010, 08:37:56 pm

It went all the way back to the input command. This was only the boot2. I'll try again though.

Just the Boot2.bin file extracted from the OS upgrade. Oh, wait, that was encrypted, wasn't it?

It was compressed with a weird compression algorithm. Goplat managed to decompress it, though. You should E-mail him about the format.

Author Topic: Nspire OS Risk/Weakness (Read 18901 times)

willrandship

Nspire OS Risk/Weakness

calc84maniac

Re: Nspire OS Risk/Weakness

DJ Omnimaga

Re: Nspire OS Risk/Weakness

willrandship

Re: Nspire OS Risk/Weakness

calc84maniac

Re: Nspire OS Risk/Weakness

jnesselr

Re: Nspire OS Risk/Weakness

willrandship

Re: Nspire OS Risk/Weakness

willrandship

Re: Nspire OS Risk/Weakness

AngelFish

Re: Nspire OS Risk/Weakness

willrandship

Re: Nspire OS Risk/Weakness

calc84maniac

Re: Nspire OS Risk/Weakness

willrandship

Re: Nspire OS Risk/Weakness

calc84maniac

Re: Nspire OS Risk/Weakness

willrandship

Re: Nspire OS Risk/Weakness

AngelFish

Re: Nspire OS Risk/Weakness