Author Topic: Difference Between TI-Nspire and TI-Nspire CAS (Read 5459 times)

mikehill2003 · « **on:** March 23, 2011, 08:45:10 pm »

Can anyone tell me what the differences are (besides the obvious)? I assume TI provides two separate OS images, and something prevents the CAS OS from loading on the regular Nspire. Are they signed with two different keys?

apcalc · « **Reply #1 on:** March 23, 2011, 09:01:12 pm »

Yes, the two are signed with different keys.

The only two differences I can think of between the two are (1) the obvious, the CAS has a full Computer Algebra System, and (2) the non-CAS, excluding the new CX model, supports 84 emulation. Other than that, both calcs are really the same thing.

mikehill2003 · « **Reply #2 on:** March 23, 2011, 09:24:51 pm »

Quote from: apcalc on March 23, 2011, 09:01:12 pm

Yes, the two are signed with different keys. :(

Darn.

Please pardon my ignorance, it will be a week or two before I get my Nspire basic (v2 with touchpad and ti-84 emu [I wanted an Nspire CAS, but this was nearly new and $60. A CAS would have cost twice as much.]).

Are boot1 and boot2 stored on the same NAND flash rom?
If so, is there any chance of using Ndless to flash an OS with an invalid signature and a boot2 to load it?

Or would I need to re-flash the NAND directly?
Soldering onto those tiny traces is tough (see attachment).

critor · « **Reply #3 on:** March 23, 2011, 09:40:17 pm »

Quote from: mikehill2003 on March 23, 2011, 09:24:51 pm

Quote from: apcalc on March 23, 2011, 09:01:12 pm
Yes, the two are signed with different keys.
Darn.

Please pardon my ignorance, it will be a week or two before I get my Nspire basic (v2 with touchpad and ti-84 emu [I wanted an Nspire CAS, but this was nearly new and $60. A CAS would have cost twice as much.]).

Are boot1 and boot2 stored on the same NAND flash rom?
If so, is there any chance of using Ndless to flash an OS with an invalid signature and a boot2 to load it?

Or would I need to re-flash the NAND directly?

Boot2 & OS are stored in the same NAND ROM chip.

But, Boot1 is stored in a separate NOR ROM chip.

Without modifying the boot2, no invalid OS.
But without modifying the boot1, no modified boot2...

As for Ndless, with ExtendeD and then Bsl we have made some tests, trying to (re)flash the diagnostic software accessible at boot time through Esc+Menu+G (so something which is not "vital").
With more than 20 tests and 10 different versions of the flasher, the flashing succeeded just once...

Untill we can understand more about that very low success rate, we can assume you cannot flash anything safely in NAND ROM through Ndless.

Note: according to some messages found in the diagnostic software images, the NOR ROM seems flashable...

mikehill2003 · « **Reply #4 on:** March 23, 2011, 10:04:11 pm »

So... boot1 might be changeable, boot2 is not. Flashing the NAND with Ndless is very unstable, and the reason has not yet been discovered. Do you think that the low success rate was due to some form of protection? Is it possible to see how the OS re-flashes the NAND, and possibly modify that routine if it checks the OS image signature?

Thanks for all the info! I really enjoy learning about systems like this.

jnesselr · « **Reply #5 on:** March 23, 2011, 10:06:16 pm »

Quote from: mikehill2003 on March 23, 2011, 10:04:11 pm

So... boot1 might be changeable, boot2 is not. Flashing the NAND with Ndless is very unstable, and the reason has not yet been discovered. Do you think that the low success rate was due to some form of protection? Is it possible to see how the OS re-flashes the NAND, and possibly modify that routine if it checks the OS image signature?

Thanks for all the info! I really enjoy learning about systems like this.

The other way around. Although boot1 might be erasable, modifiable would be more difficult. And no, I don't think it's possible to see how the OS does it, or if it is, I don't think it's modifiable. It might be, though.

mikehill2003 · « **Reply #6 on:** March 23, 2011, 10:10:55 pm »

Quote from: graphmastur on March 23, 2011, 10:06:16 pm

Quote from: mikehill2003 on March 23, 2011, 10:04:11 pm
So... boot1 might be changeable, boot2 is not. Flashing the NAND with Ndless is very unstable, and the reason has not yet been discovered. Do you think that the low success rate was due to some form of protection? Is it possible to see how the OS re-flashes the NAND, and possibly modify that routine if it checks the OS image signature?

Thanks for all the info! I really enjoy learning about systems like this.
The other way around. Although boot1 might be erasable, modifiable would be more difficult. And no, I don't think it's possible to see how the OS does it, or if it is, I don't think it's modifiable. It might be, though.

So the NAND can be changed, but the NOR cannot?

Goplat · « **Reply #7 on:** March 23, 2011, 10:52:54 pm »

Quote from: apcalc on March 23, 2011, 09:01:12 pm

Yes, the two are signed with different keys.

Actually, they are signed with the same key. The reason you cannot use a TI-Nspire CAS OS on the TI-Nspire or vice versa is because for an OS to validate:

There must be an 8010 field present which matches the first two characters of the Product ID, which are stored in NAND flash (but don't bother trying to change it, because of the other protection described next)
The 80E0 field must contain a byte matching a part of the value read from address 0x900A0028/0x900A002C (presumably, this is an 8 byte ROM inside the ASIC and cannot be changed)

Changing these fields in the OS image will mean the signature isn't valid and the OS won't load.

mikehill2003 · « **Reply #8 on:** March 23, 2011, 11:17:58 pm »

Quote from: Goplat on March 23, 2011, 10:52:54 pm

Quote from: apcalc on March 23, 2011, 09:01:12 pm
Yes, the two are signed with different keys.
Actually, they are signed with the same key. The reason you cannot use a TI-Nspire CAS OS on the TI-Nspire or vice versa is because for an OS to validate:
There must be an 8010 field present which matches the first two characters of the Product ID, which are stored in NAND flash (but don't bother trying to change it, because of the other protection described next)
The 80E0 field must contain a byte matching a part of the value read from address 0x900A0028/0x900A002C (presumably, this is an 8 byte ROM inside the ASIC and cannot be changed)

Changing these fields in the OS image will mean the signature isn't valid and the OS won't load.

Fascinating. Is it boot1 or boot2 and/or the OS that does this?

Goplat · « **Reply #9 on:** March 23, 2011, 11:49:52 pm »

The two requirements are enforced in boot2's validation of an OS image. (Actually, the 8010 field requirement is also enforced in boot1's validation of a boot2 image. However, so far every version of boot2 has had two 8010 fields, one for CAS and one for non-CAS, so the possibility of a boot2 that works on only one of them is only theoretical so far.)

Author Topic: Difference Between TI-Nspire and TI-Nspire CAS (Read 5459 times)

mikehill2003

Difference Between TI-Nspire and TI-Nspire CAS

apcalc

Re: Difference Between TI-Nspire and TI-Nspire CAS

mikehill2003

Re: Difference Between TI-Nspire and TI-Nspire CAS

critor

Re: Difference Between TI-Nspire and TI-Nspire CAS

mikehill2003

Re: Difference Between TI-Nspire and TI-Nspire CAS

jnesselr

Re: Difference Between TI-Nspire and TI-Nspire CAS

mikehill2003

Re: Difference Between TI-Nspire and TI-Nspire CAS

Goplat

Re: Difference Between TI-Nspire and TI-Nspire CAS

mikehill2003

Re: Difference Between TI-Nspire and TI-Nspire CAS

Goplat

Re: Difference Between TI-Nspire and TI-Nspire CAS