Did they really go back to having boot1 in a separate flash chip for the CX? (The Touchpad TI-Nspire has boot1 built into the ASIC, so the only feasible way to dump it is by running code.)

I was already thinking that it wouldn't be necessary, but I wasn't sure. So thanks for en lighting me

I guess that the CX will also have a similar NAND chip that can't be read

Sorry Goplat, too late unless I find a way to downgrade...

I bought a CX recently with 3.0.1

If you can set up an RS232 connection and want to try some dumping, email me.

I think that we shouldn't even be talking about the discovery of potential exploits publicly
TI is very eager to keep the platform closed.

I too have a CX running OS 3.0.1.1753, and a FTDI-TTL-232R-3V3 USB - RS232 adapter. I can perform the dumping from unspecified tools on Linux or virtualized (VirtualBox 4.1.0) Windows XP SP3.

There is no manual for the CAS+, since that calc was never meant to be sold. You might be able to find the manual for the current models on TI website somewhere at http://education.ti.com , though, although the interface in newer OSes might be different.

Welcome to the forums by the way

The interface in those old CAS+ models is indeed quite a bit different from those of newer prototype models, and production models...

Despite its "+" name, the CAS+ model is highly inferior to the regular models. It cannot be upgraded to newer OS versions, as the hardware is different, and no OS version for the CAS+ was ever published by TI, despite our requests, even for the purposes of unbricking CAS+ items whose owners had tried to upgrade them (which erases the OS, and leaves you with an unusable paperweight).
If you were scammed by a reseller into buying a CAS+ (yes, that's what the CAS+ is: a scam), complain about the reseller, and complain to TI
(even if so far, they haven't cared about a problem that pleagued up to several hundreds of users since 2006...)

Quote from: Goplat on March 23, 2011, 04:30:27 pm

Quote from: mikehill2003 on March 23, 2011, 01:33:27 pm

Unfortunately, as someone who enjoys taking things apart to learn how they work, I am still somewhat interested in the CAS+. Does anyone know if the OS is encrypted (on the NAND Flash)? Has anyone tried to directly dump the OS from it?

If the CAS+ is anything like the released TI-Nspire/TI-Nspire CAS, then the OS is encrypted but the encryption key is present in the second-stage boot loader, which is merely compressed (and we can easily decompress it).

However, I don't think anybody has tried to dump the NAND flash by means of hardware hacking; I didn't know that was even feasible.

Well, I don't own an Nspire CAS(+ or not) yet, so I can't say for sure if it is feasible on an Nspire, but it has worked just fine for me on many other NAND Flash chips.

Give me a few minutes and I'll find a simple tutorial.

This guy used an xD card reader. Simple ('cause xD cards are raw NAND in an expensive package) but it works pretty well. xD cards are pretty useful because you can use them to make a second, removable NAND. (Warning: Because the card reader contains the NAND controller chip, not all card readers work.)
http://busydizzys.com/index.php/2010/12/24/reading-embedded-flash-chips-nand-tsop-without-removal

Soldering this stuff is somewhat difficult. A microscope, steady hand, and hot glue really help.

Jimbauwens has finally soldered everything for the dumping of a TI-Nspire CAS+ NAND with an xD reader.

But it was very hard: he even had to use a microscope!!!




But unfortunately, it didn't work.
With both Linux and Windows, the reader just thinks no card is inserted.

So:
- either some connections are wrong
- either an additional trick is necessary to make the reader think an xD card is inserted
- either some other chips are interfering and the NAND chip has to be removed from the PCB
- either Jim's generic xD card has to be replaced by a high quality raw xD reader like the ones from Olympus and Fujifilm

If some of you can help - because we won't find many other people being able to solder something like that.



Bigger photo available here:
http://tiplanet.org/forum/gallery/image_page.php?album_id=77&image_id=787