Ok, so the CAS+ RSA keys are different, which means:
- we can't flash a boot2
- we can't flash a diags (I've never seen any diags on a CAS+)
- we can't flash an OS
- we can't run a test image

Moreover, we can't access the whole filesystem through the USB driver.
(seems we only have access to a virtual drive, which just links to 2 "safe" folders: /documents and /phoenix/tmp ).

Well... The CAS+ seems much more closed than the final TI-Nspire.


I've tried to send an OS with "exploit1" in RS232, and I've added the header this time.
Here's what I got:
Loading Operating System...

Error loading OS image. Removing OS remnants.
Deleting file [/phoenix/manuf.dat]
Removing directory [/phoenix/install/]

Waiting for OS download.
Starting Connectivity services.
USB Download is enabled.
Press <Enter> to download through the serial port.
phoenix dhcp server w/ VOODOO  built 12-Jul-2006 (start at 832)


phoenix enum server  built 12-Jul-2006


phoenix dhcp hook fwd w/ VOODOO  built 12-Jul-2006 (start at 832)


phoenix file mgt server  built 12-Jul-2006 (start at 932)

pn-srv2-636: pol_init = -1
Checking battery level.
Battery level is OK.
TI_OS_INSTALL_PRECHECK (5)
TI_OS_INSTALL_VERIFYING_IMAGE (10)
TI_OS_INSTALL_VERIFYING_RESOURCE (95)
Deleting file [/tmp/manifest_img]
Deleting file [/tmp/phoenix.img]
TI_OS_INSTALL_FAILED
  TI_OS_INSTALL_MANIFEST_INVALID
Seems the CAS+ absolutely wants a manifest file.

On my oldest orange-blue CAS+ (OS 1.0.1.0.334T), that file was just named "manifest" and did only include the name of another file: "devfiletree.zip".
But it may be different on production CAS+. According to several logs, the /phoenix/install files are using different names...

Any idea on how to generate a TNC file which would at least pass the "precheck" of the CAS+?
Maybe a look at the TI-Nspire Computer Link 1.0 Java code can be usefull:
http://ti.bank.free.fr/index.php?mod=archives&ac=voir&id=1439
It does some checking on the TNC file too, prior to sending it.

So do we have the public key, though?

No, because it's not dumped yet.
We're trying to dump...

On another note, I've got a strange key combo for the TI-Nspire CAS+:
Menu+Esc

The calculator just does not turn on and can't be turned on.
I have to remove the batteries.

Maybe the combo to launch the diagnostic software, which is not included in the CAS+?


Strangely, with Esc+Menu+Joypad, the calculator does turn on...

Allready tried -> nothing...

Now that you have deleted the OS off one calculator,
USB connect two CAS+ together, reboot the one without the OS.
Does this now activate the Send OS selection ?
Monitor the RS232 traffic while doing this.

If this works , then you can tap into USB to dump the OS.

Hi. I've been following thist thread ever since it exists and I want to say that keep up with good work. I also have a CAS + and I deleted the OS before I read what the diag key combination actually do.

I also tried to "hack" into my CAS+ but I have none experience with hacking nor the knowledge to do that. All I've done is connect my computer and calculator with USB cable and use TI-Nspire Computer Link to acces files on my cas. Meanwile doing so, I captured TCP and UDP packets and came across following commands:
                - fput
                - fget
                - fdel
                - info 1
                - dir
                - attrib
                - mkdir
                - scrn 1 0 38400.

Edit:  another command: - copy      (when you move file from one folder to another in computer link software)

Btw, sorry for my English cause it's kinda rusty  

Great! Thank you very much for the list of commands

Np... If there is anything else I can do just say.

I don't understand anything there, being illiterate about that stuff, but I'm glad to see some progress into attempting hacking the CAS+ prototypes. Also welcome to our new forum member above.