Here are the "programs" used when booting a Nspire:

• boot 1
• boot 2
• OS

Boot1 is checking boot2 signature, then launching it.
Boot2 is checking OS signature, then launching it.

Up to now, we were believing that boot2 could be updated by a software, but not boot1.


Then, if we ever managed to factor the OS key, TI just would have to use a different signing key for new OSes. This would force you to update your boot2 to a new version that would launch the new OSes signed with the new key, but not the old OSes signed with the old key.

Then, we just had to factor the boot2 key.
If boot1 couldn't be updated by a software, only new TI-Nspire could get a new boot1 using a new key and refusing to load boot2 signed with the old key.


The TI-Nspire diagnostic software 1.3 can update the NAND ROM code (boot2, diagnostic software, test program, OS). Here are the related messages:
The NandFlash has more than 20 bad blocks, please change it!!
Nand Flash Test
UpdatedNandFlash(528B)
NAND
Copy Nand  Data To SD Card
SDCard Update NandFlash Code
Search  Nand
Erasing the Nand
Copy Nand.bin to NandFlash
Search  Nand.Chk
Copy Nand.bin to RAM
Copy RAM to NandFlash
Verify SDCard Update NandFlash Code
NandIDFlashFailed
Nandflash Check
Please enter nandflash address
Nandflash Address
Please input nandflash address again
ST Micro NAND128R3A
ST Micro NAND128W3A
ST Micro NAND128R4A
ST Micro NAND128W4A
ST Micro NAND256R3A
ST Micro NAND256W3A
ST Micro NAND256R4A
ST Micro NAND256W4A
ST Micro NAND512R3A
ST Micro NAND512W3A
ST Micro NAND512R4A
ST Micro NAND512W4A
ST Micro NAND01GR3A
ST Micro NAND01GW3A
ST Micro NAND01GR4A
ST Micro NAND01GW4A
NAND_BI_RSN_READ
NAND_BI_RSN_ERASE
NAND_BI_RSN_WRITE
NAND_BI_RSN_ECC
NAND_BI_RSN_TEST
Nand Flash Test


But... it also seems the TI-Nspire diagnostic software 1.3 can update NOR ROM code (boot1), by looking for a "Nor.raw" file on the external SD card.
NOR
Verify SDCard Update NorFlash Code
Search  Nor.raw
Comparing  Nor.raw with Norflash
SDCard Update NorFlash Code
Search  Nor.Chk
Copy Nor.raw to RAM
Erasing the Norflash
Copy RAM to Norflash
NorFlash
NorFlash Test
NorFlash_ID

Then, as boot1 can be updated by a software, TI could make a new TI-Nspire OS which would update boot1 to a new version using a different key and boot2 to a new version signed with the new key. We wouldn't be able to load boot2 signed with the old key any more.


But... If I am right, boot1 is not signed.
Then, it means we would just have to disable the boot2 signature checking in boot1 in order to load a modified boot2 and then a modified OS...

Of course, TI could then release OSes that would update boot1 again (and maybe won't want to run with the hacked boot1) but we would just have to disable that security by modifying the new OSes before installing them.


Did I make a mistake somewhere?

Does anybody have the courage to try something like that on Goplat's emulator ? (for now...)
I can give the diagnostic software 1.3 dump, in order to look for the flashing code.

The big problem with modifying BOOT1: If anything goes wrong, your calculator is completely bricked unless you can somehow remove the BOOT1 flash chip, build a device to re-flash it, and put it back in. Maybe critor could pull this off but I certainly can't

Note that on the newer hardware models, the BOOT1 flash chip is not present. Their BOOT1 is most likely built in to the big ASIC as just a read-only ROM rather than Flash.

But for the moment, we don't have any code.
I've said in the 1st post not to try writing on a real calculator for now.

A faulty boot1 or even a faulty boot2 will make your Nspire completly unusable.


Goplat -> It doesn't prove anything, but the TI-Nspire Diagnostic Software 2.00.1183 (the one included in TouchPad Nspire with the new hardware) still contains the NOR flashing/updating strings. The chip has been merged with the ASIC, but seems to be still writeable...

Goplat -> It doesn't prove anything, but the TI-Nspire Diagnostic Software 2.00.1183 (the one included in TouchPad Nspire with the new hardware) still contains the NOR flashing/updating strings. The chip has been merged with the ASIC, but seems to be still writeable...

IIRC, the diagnostic software contains a lot of useless stuff such as the SD card test. That NOR flashing exists does not necessarily mean that it's possible. (Correct me if I'm wrong - I'm not really an Nspire guy.)

At least we'll have lots of paperweights

Hmm I see now, I wondered if it was because they planned to release SD card reading support in the future or something, but it seems to become more clear that it's for their own personal use now...

Ninja'd
A dock would be sweet! Battery charging, Ed reader and serial port are all on there and who knows what else?

OS, and Boot2 disassembly is very easy, it's just only semi-legal. Let's call it a "grey area"

Does anybody know what type of connector the nspire's dock would be called? I'm thinking card edge, but I need something single sided as well.