Author Topic: First discovery of nspire cm-c prototype  (Read 18381 times)

Offline Lionel Debroux

Re: First discovery of nspire cm-c prototype
« Reply #15 on: June 05, 2013, 04:52:45 am »
Great :)
« Last Edit: June 05, 2013, 04:58:28 am by Lionel Debroux »
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TILP and TIEmu.
Co-admin of TI-Planet.

Offline critor

Re: First discovery of nspire cm-c prototype
« Reply #16 on: June 05, 2013, 04:57:57 am »
Ok, great!

We need to dump it now ;)
Would you be ok to try some dumping tools? Nothing dangerous, but it might require several tries.

By the way, can you check the Diagnostic Software menu and version?
Hold Esc+Menu+Minus while pressing reset.
(the minus on the right near the plus - not the sign minus)

Thanks again for this great discovery.


The easiest way, but not the cheapest, is having two TI-Nspire CM and to start by dumping the OS.
You send the OS to the Ndlessed production unit, and I've got an Ndless tool which does get it before the installation is triggered (and aborted as it's a development OS).

Once the OS is dumped, it can be studied/tested on emulators, and some specific tools for dumping the Boot1/Boot2/Diags can be developed.
« Last Edit: June 05, 2013, 05:01:44 am by critor »
TI-Planet co-admin.

Offline zweb

Re: First discovery of nspire cm-c prototype
« Reply #17 on: June 05, 2013, 05:59:06 am »
It seems that I have something to do with the battery...I don't have the official battery :(
« Last Edit: June 05, 2013, 06:08:50 am by zweb »

Offline critor

Re: First discovery of nspire cm-c prototype
« Reply #18 on: June 05, 2013, 06:10:29 am »
You should stop trying to install an OS on your prototype.

You may just manage to erase your special 3.1.0.236 development OS, and you can't install released production OSes on your prototype as it's using the development RSA keys instead of the production RSA keys.


We have never dumped any TI-Nspire CM development OS - if you erase the OS, the calculator will remain unusable - we'll have no way to repair it.


That's why the 1st priority should be to try to dump your 3.1.0.236 development OS.
If you find a production TI-Nspire CM, this can be performed quite easily.
« Last Edit: June 05, 2013, 06:11:33 am by critor »
TI-Planet co-admin.

Offline zweb

Re: First discovery of nspire cm-c prototype
« Reply #19 on: June 05, 2013, 06:17:45 am »
> You should stop trying to install an OS on your prototype.
>
> You may just manage to erase your special 3.1.0.236 development OS, and you can't install released production OSes on your prototype as it's using the development RSA keys instead of the production RSA keys.
>
> We have never dumped any TI-Nspire CM development OS - if you erase the OS, the calculator will remain unusable - we'll have no way to repair it.
>
> That's why the 1st priority should be to try to dump your 3.1.0.236 development OS.
> If you find a production TI-Nspire CM, this can be performed quite easily.

I'm installing ndless, but failed

Offline critor

Re: First discovery of nspire cm-c prototype
« Reply #20 on: June 05, 2013, 06:20:47 am »
Ok, fine. :)

Ndless 'might' work.
It depends on whether most syscall addresses are the same or not.

If Ndless works, you can dump everything with Polydumper CX.


For example, Ndless 1.7/2.0 was designed for OS 1.7.2741, but could also be used with the older OS 1.7.2733 we managed to dump after the release.


Using a charged rechargeable battery from another TI-Nspire CM/CX, TI-Nspire TouchPad or TI-84 Plus C Silver Edition should solve your problem.

« Last Edit: June 05, 2013, 06:23:21 am by critor »
TI-Planet co-admin.

Offline zweb

Re: First discovery of nspire cm-c prototype
« Reply #21 on: June 05, 2013, 06:21:08 am »
> You should stop trying to install an OS on your prototype.
>
> You may just manage to erase your special 3.1.0.236 development OS, and you can't install released production OSes on your prototype as it's using the development RSA keys instead of the production RSA keys.
>
> We have never dumped any TI-Nspire CM development OS - if you erase the OS, the calculator will remain unusable - we'll have no way to repair it.
>
> That's why the 1st priority should be to try to dump your 3.1.0.236 development OS.
> If you find a production TI-Nspire CM, this can be performed quite easily.

How to dump the OS without having another CM? Dump tools can't run without ndless

Offline critor

Re: First discovery of nspire cm-c prototype
« Reply #22 on: June 05, 2013, 06:30:52 am »
The exploits used by Ndless on production OS 3.1 are likely present on your development OS 3.1.

If Ndless 3.1 doesn't work, a special tool or light Ndless could be developed for your model.


I can see several ways for now:
- installing Ndless 3.1 and running Polydumper CX (which might not work if your OS is too different - you'll have to solve your battery problem first)
- sending the OS to another Ndlessed production TI-Nspire CM
- using specific tools exploiting some flaws, but developing them will be easier and faster if the OS is dumped first
- lending the calculator to one of us if you trust us
TI-Planet co-admin.

Offline zweb

Re: First discovery of nspire cm-c prototype
« Reply #23 on: June 05, 2013, 06:37:01 am »
> The exploits used by Ndless on production OS 3.1 are likely present on your development OS 3.1.
>
> If Ndless 3.1 doesn't work, a special tool or light Ndless could be developed for your model.
>
> I can see several ways for now:
> - installing Ndless 3.1 and running Polydumper CX (which might not work if your OS is too different - you'll have to solve your battery problem first)
> - sending the OS to another Ndlessed production TI-Nspire CM
> - using specific tools exploiting some flaws, but developing them will be easier and faster if the OS is dumped first
> - lending the calculator to one of us if you trust us

I solved the battery problem but it reboots while installing ndless.
I have a Clickpad and my parents won't let me buy another CM :(
Lending the calculator seems to be a great idea, but I'm in mainland China, so it will take a lot of money :(
I will try the JTAG way but nobody has succeeded before... Any way to dump the OS with UART?
« Last Edit: June 05, 2013, 06:37:45 am by zweb »

Offline critor

Re: First discovery of nspire cm-c prototype
« Reply #24 on: June 05, 2013, 06:41:53 am »
Yes, we have tools which do print the Boot1/Boot2/Diags data on RS232, but adapting them for your OS would require dumping the OS first.

I've just sent an email, asking if somebody had an idea to help you. Let's see in the next few days...


In the worst case, money isn't a problem. :)
« Last Edit: June 05, 2013, 08:00:31 am by critor »
TI-Planet co-admin.

Offline TIfanx1999

Re: First discovery of nspire cm-c prototype
« Reply #25 on: June 05, 2013, 07:27:12 am »
Hey zweb, thanks for sharing all the pics and info on your prototype model. :)

Offline zweb

Re: First discovery of nspire cm-c prototype
« Reply #26 on: June 06, 2013, 01:48:49 am »
> - sending the OS to another Ndlessed production TI-Nspire CM

I wonder if it's possible to use a CX instead of CM? or TI-XXXXXXXXXX (Clickpad Prototype)
« Last Edit: June 06, 2013, 04:11:27 am by zweb »

Offline critor

Re: First discovery of nspire cm-c prototype
« Reply #27 on: June 06, 2013, 05:04:18 am »
In theory, no.

The model ID is different, and the transfer will be denied.
TI-Planet co-admin.

Offline Lionel Debroux

Re: First discovery of nspire cm-c prototype
« Reply #28 on: June 06, 2013, 05:22:41 am »
There's a computer-side program for dumping the OS (which is not libticalcs/tilp, that works only on OS 1.x by taking advantage of a glaring directory traversal vulnerability), but we need to check it first, so as to make sure it can work for you in its current state :)
Meanwhile, don't take any initiatives which could destroy the calculator (as critor wrote above, that's what will happen, for practical purposes, if the OS is erased somehow).

EDIT: the C# program is http://brandonw.net/svn/calcstuff/Fron/trunk/ , and you need to open Fron\Startup.cs and change the "if (true)" to "if (false)" and run it so it can receive the OS upgrade (information courtesy of BrandonW). It may, or may not, work for you.
« Last Edit: June 06, 2013, 05:36:00 am by Lionel Debroux »
Member of the TI-Chess Team.
Co-maintainer of GCC4TI (GCC4TI online documentation), TILP and TIEmu.
Co-admin of TI-Planet.

Offline zweb

Re: First discovery of nspire cm-c prototype
« Reply #29 on: June 07, 2013, 09:01:46 am »
I thought that from Clickpad to CX, there is always an SDIO test in DIAG; does that mean J04 may contain SDIO?
And I got the bootlog:
Code:
Boot Loader Stage 1 (3.00.99)
Build: 2010/9/9, 17:29:13
Copyright (c) 2006-2010 Texas Instruments Incorporated
Using production keys

Last boot progress: 65

Available system memory: 33196
Checking for NAND: NAND Flash ID: MICRON     
SDRAM size: 32 MB
Wakeup Event: ON.
SDRAM memory test:   Pass
Clearing SDRAM...Done.
Clocks:  CPU = 132MHz   AHB = 66MHz   APB = 33MHz   
Clearing SDRAM...Done.
Clearing SDRAM...Done.
Boot option: Normal

Loading BOOT2 software...

99%
BOOT1: loading complete (307 ticks), launching image.



Boot Loader Stage 2 (3.10.DEVBUILD)
Build: 2011/5/19, 12:34:34
Copyright (c) 2006-2010 Texas Instruments Incorporated
Using production keys

Clocks:  CPU = 132MHz   AHB = 66MHz   APB = 33MHz
Checking for NAND: NAND Flash ID: MICRON     


Initializing graphics subsystem.
Boot option: Normal


Initializing filesystem.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
Filesystem ready.
Purging temporary files...
TI_OS_INSTALL_PRECHECK_OK (0)

Loading Operating System...

100%

BOOT2: loading complete (2130 ticks), launching image.


Beginning system initialization.
Clocks:  CPU = 132 MHz AHB = 66 MHz APB = 33 MHz

Preparing file system. This takes a while...
   POSIX layer initialized.
   POSIX "NULL" device initialized.
   POSIX "CONSOLE" device initialized.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.

   POSIX file system initialized.
File system ready.
BOOT2 updater not needed
* No battery door detection
System build date: Jun  6 2011, 02:18:23
Available memory: 15525412 bytes
Purging temporary files...
Launching system...
TouchPad Firmware Revision : 01060000

Created Execution Context
                         NavNet Ready.
Creating new IME Dialog

 
