Topic: TI-Nspire CAS prototype 1.1.6925


Offline Goplat

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #15 on: April 01, 2011, 02:23:51 pm »
Warning at PC=100BC918: Bad read_word: fffbc410
I noticed this too. If you just continue ("c") in order to ignore the bad memory accesses, it works. I suspect it's more code left over from the CAS+, trying to access now-nonexistent peripherals.

Some day I need to make nspire_emu customizable in how it handles error conditions like this (ignore vs. print message vs. break into debugger)
Numquam te deseram; numquam te deficiam; numquam circa curram et te desolabo
Numquam te plorare faciam; numquam valedicam; numquam mendacium dicam et te vulnerabo

Offline critor

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #16 on: April 01, 2011, 02:27:59 pm »
I suspect it's more code left over from the CAS+, trying to access now-nonexistent peripherals.

Do you think such code could be useful in our attempts to dump/flash the CAS+?


Anyway, look what I got:


(same screen on true hardware)


Seems it's a quite early OS...
« Last Edit: April 01, 2011, 03:41:47 pm by critor »
TI-Planet co-admin.

Offline Goplat

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #17 on: April 01, 2011, 02:54:01 pm »
Do you think such code could be useful in our attempts to dump/flash the CAS+?

Knowing how to access the rs232 port could be quite useful, but since the code that deals with that is all in one place they wouldn't have accidentally left any of that unchanged.

I looked at this particular bit of obsolete code - the FFFBC410 register, if it existed, would have just been a 32768Hz timer. (The code that replaced it in later versions of the OS calls TMT_Retrieve_Clock instead).

Offline critor

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #18 on: April 01, 2011, 06:11:55 pm »
Boot1 & Boot2 1.1.6818 (built on 4th February 2007) are now dumped.

We're getting closer and closer to the CAS+.


Goplat, you were right.
Boot2 1.1.6818 is bigger, much bigger!
1.29Mb for the image, and then 1.85Mb when decompressed!!!


On the emulator, the boot1 does not work at all.
It's not a warning, but an error this time. I cannot continue...

Code:
Error at PC=0000A624: NAND flash: read nonexistent page 7fffff
        Backtrace:
Frame     PrvFrame Self     Return   Start
A400A568: A400A588 A400A56C 0000A75C 0000A5E0
A400A588: A400A7D8 A400A58C 0000AF38 0000A71C
A400A7D8: A400AA18 A400A7DC 0000D348 0000AEEC
A400AA18: A400AA90 A400AA1C 00000DD4 0000D304
A400AA90: A400AAA8 A400AA94 00004578 000009C8
A400AAA8: A400AAAC A400AAAC 00000000 00004550
debug>

With the boot2, I get this while trying to install a factory OS image:

Code:
IMAGE: verifying file "/tmp/TI-Nspire.tnc"
Error at PC=1184DB24: NAND flash: read nonexistent page 7fffff
        Backtrace:
Frame     PrvFrame Self     Return   Start
11A2F3A0: 11A2F3C0 11A2F3A4 1184DC5C 1184DAE0
11A2F3C0: 11A2F610 11A2F3C4 1184E438 1184DC1C
11A2F610: 11A2F850 11A2F614 1197AE80 1184E3EC
11A2F850: 11A2F8F0 11A2F854 1197F9D8 1197AE3C
11A2F8F0: 11A31BB8 11A2F8F4 1197F520 1197F9C4
11A31BB8: 11A324A0 11A31BBC 118011C4 1197E9D8
11A324A0: 11A324E8 11A324A4 1188BD30 118008A0
11A324E8: 11A32500 11A324EC 1182FCF4 1188BC94
11A32500: 11A32504 11A32504 00000000 1182FCCC
debug>

If no factory OS image is present, I get this:
Code:
Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Warning at PC=11877D28: Bad write_byte: e59ff018 00

debug> c
Warning at PC=11877D28: Bad write_byte: e59ff019 80
debug> c
Warning at PC=11877D28: Bad write_half: e59ff028 0040
debug> c
Warning at PC=11877D28: Bad write_byte: e59ff01a 00
debug> c
Warning at PC=11877D28: Bad write_word: e59ff02c 00000000
debug> c
Warning at PC=11877D28: Bad write_byte: e59ff030 00
debug> c
Warning at PC=1187A39C: Bad read_byte: e59ff018
debug> c
Warning at PC=1187A39C: Bad read_byte: e59ff019
debug> c
Warning at PC=1187A39C: Bad read_word: e59ff030
debug> c
Warning at PC=1187A39C: Bad read_byte: e59ff019
debug> c
Warning at PC=1187A400: Bad read_byte: e59ff018
debug> c
Warning at PC=1187A400: Bad read_word: e59ff088
debug> c
Warning at PC=1187A430: Bad read_word: e59ff090
debug> c
Warning at PC=1187A448: Bad read_byte: e59ff01a
debug> c
Warning at PC=1187A4C0: Bad read_byte: e59ff01a
debug> c
Warning at PC=1187A504: Bad read_half: e59ff028
debug> c
Warning at PC=1187A504: Bad read_byte: e59ff018
debug> c
Warning at PC=1187A504: Bad read_byte: e59ff018
debug> c
Warning at PC=1187A504: Bad read_byte: e59ff01a
debug> c
Warning at PC=1187A504: Bad read_byte: e59ff019
debug> c
Warning at PC=1187A588: Bad read_byte: e59ff019
debug> c
Warning at PC=1187A5B4: Bad read_word: e59ff098
debug>


Hope you'll find those errors very interesting ;)



Thank you all for your support.
« Last Edit: April 01, 2011, 06:12:58 pm by critor »

Offline bsl

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #19 on: April 01, 2011, 07:01:59 pm »
This is looking more CAS+ like:
Code:
1199a7f4: /tmp/manifest_img
1199a80c: /tmp/TI-Nspire.tnc

Offline critor

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #20 on: April 01, 2011, 07:03:52 pm »
This is looking more CAS+ like:
Code:
1199a7f4: /tmp/manifest_img
1199a80c: /tmp/TI-Nspire.tnc

Where is that?
Boot2? OS?

Does it seem to be used somewhere?

Offline bsl

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #21 on: April 01, 2011, 07:11:09 pm »
boot2, hint: boot2launcher code
Start the emulator with a /d
then:
debug> d 1199a7f4

if you are booting with boot1:
k 11800000 +x
then continue, following a dump at that address

Offline Goplat

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #22 on: April 01, 2011, 07:14:00 pm »
Those filenames are still there even in boot2 1.4. When sending an OS by RS232, you send both a manifest_img (with size given in header bytes 18-1B) and a TI-Nspire.tnc (with size given in header bytes 1C-1F). But since making manifest_img 0 bytes long works fine, it's probably vestigial.

Offline critor

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #23 on: April 01, 2011, 07:27:37 pm »
Then, why is this boot2 so big?

Unoptimized code?
Unused/useless code?
Unused CAS+ code remnants?


By the way, I made a little error.
The boot2 1.1.6818 image size is "only" 1.27MB, but that's still 206Kb more than the 1.1.7313 boot2.
The uncompressed size is still 1.85Mb, 408 Kb more than the 1.1.7313 boot2.

And by the way, all later boot2 versions are smaller.


What's inside this one?...

Offline Goplat

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #24 on: April 01, 2011, 07:37:17 pm »
Then, why is this boot2 so big?

Unoptimized code?
You got it. Most of the C code in boot1 and boot2, and some in the OS, seems to have been compiled without optimizations in these versions.

Here's a little example, the CSC_Place_On_List function. In boot1 1.1.6914:
Code:
00002edc: e1a0c00d      mov     r12,sp
00002ee0: e92dd800      stmdb   sp!,{r11-r12,lr-pc}
00002ee4: e24cb004      sub     r11,r12,00000004
00002ee8: e24dd008      sub     sp,sp,00000008
00002eec: e50b0010      str     r0,[r11 - 010]
00002ef0: e50b1014      str     r1,[r11 - 014]
00002ef4: e51b3010      ldr     r3,[r11 - 010]
00002ef8: e5933000      ldr     r3,[r3]
00002efc: e3530000      cmp     r3,00000000
00002f00: 0a000011      beq     00002f4c
00002f04: e51b2014      ldr     r2,[r11 - 014]
00002f08: e51b3010      ldr     r3,[r11 - 010]
00002f0c: e5933000      ldr     r3,[r3]
00002f10: e5933000      ldr     r3,[r3]
00002f14: e5823000      str     r3,[r2]
00002f18: e51b3014      ldr     r3,[r11 - 014]
00002f1c: e5932000      ldr     r2,[r3]
00002f20: e51b3014      ldr     r3,[r11 - 014]
00002f24: e5823004      str     r3,[r2 + 004]
00002f28: e51b2014      ldr     r2,[r11 - 014]
00002f2c: e51b3010      ldr     r3,[r11 - 010]
00002f30: e5933000      ldr     r3,[r3]
00002f34: e5823004      str     r3,[r2 + 004]
00002f38: e51b3014      ldr     r3,[r11 - 014]
00002f3c: e5932004      ldr     r2,[r3 + 004]
00002f40: e51b3014      ldr     r3,[r11 - 014]
00002f44: e5823000      str     r3,[r2]
00002f48: ea000008      b       00002f70
00002f4c: e51b2010      ldr     r2,[r11 - 010]
00002f50: e51b3014      ldr     r3,[r11 - 014]
00002f54: e5823000      str     r3,[r2]
00002f58: e51b2014      ldr     r2,[r11 - 014]
00002f5c: e51b3014      ldr     r3,[r11 - 014]
00002f60: e5823000      str     r3,[r2]
00002f64: e51b2014      ldr     r2,[r11 - 014]
00002f68: e51b3014      ldr     r3,[r11 - 014]
00002f6c: e5823004      str     r3,[r2 + 004]
00002f70: e24bd00c      sub     sp,r11,0000000c
00002f74: e89da800      ldmia   sp,{r11,sp,pc}

The same function in boot1 1.1.8916:
Code:
000029c4: e5903000      ldr     r3,[r0]
000029c8: e3530000      cmp     r3,00000000
000029cc: 15933000      ldrne   r3,[r3]
000029d0: 05801000      streq   r1,[r0]
000029d4: 15831004      strne   r1,[r3 + 004]
000029d8: 15813000      strne   r3,[r1]
000029dc: 15902000      ldrne   r2,[r0]
000029e0: 05811004      streq   r1,[r1 + 004]
000029e4: 15821000      strne   r1,[r2]
000029e8: 15812004      strne   r2,[r1 + 004]
000029ec: 05811000      streq   r1,[r1]
000029f0: e12fff1e      bx      lr
Numquam te deseram; numquam te deficiam; numquam circa curram et te desolabo
Numquam te plorare faciam; numquam valedicam; numquam mendacium dicam et te vulnerabo
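
Both listings in the post above implement the same list insertion; the following C reconstruction is an added example, not part of the original post and not TI's source. The field names `prev`/`next` and the `id` payload are assumptions: the disassembly only shows offsets 0 and 4 of each node (on a 64-bit host the offsets differ, the logic does not).

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed node layout, inferred from the offsets in the disassembly
 * (32-bit ARM). Field names are this example's choice. */
typedef struct node {
    struct node *prev;   /* [node + 0] in the firmware */
    struct node *next;   /* [node + 4] in the firmware */
    int id;              /* payload added for the demo only */
} node_t;

/* Append new_node to the circular doubly linked list *head.
 * Comments map each statement to the boot1 1.1.8916 listing. */
void place_on_list(node_t **head, node_t *new_node)
{
    if (*head != NULL) {                 /* cmp r3,0: the "ne" instructions */
        new_node->prev = (*head)->prev;  /* ldrne r3,[r3] ; strne r3,[r1]   */
        new_node->prev->next = new_node; /* strne r1,[r3 + 004]             */
        new_node->next = *head;          /* strne r2,[r1 + 004]             */
        new_node->next->prev = new_node; /* strne r1,[r2]                   */
    } else {                             /* the "eq" instructions           */
        *head = new_node;                /* streq r1,[r0]                   */
        new_node->prev = new_node;       /* streq r1,[r1]                   */
        new_node->next = new_node;       /* streq r1,[r1 + 004]             */
    }
}

/* Walk forward once around the ring; store ids in out, return the count. */
int walk_ids(const node_t *head, int *out, int max)
{
    int n = 0;
    const node_t *p = head;
    if (p == NULL || max <= 0) return 0;
    do { out[n++] = p->id; p = p->next; } while (p != head && n < max);
    return n;
}

int main(void)
{
    node_t a = {NULL, NULL, 1}, b = {NULL, NULL, 2}, c = {NULL, NULL, 3};
    node_t *head = NULL;
    int ids[8], n, i;
    place_on_list(&head, &a);
    place_on_list(&head, &b);
    place_on_list(&head, &c);
    n = walk_ids(head, ids, 8);
    for (i = 0; i < n; i++) printf("%d ", ids[i]);
    printf("\n");
    return 0;
}
```

Compiling this with and without optimization for 32-bit ARM gives the same kind of contrast as the two listings: the unoptimized build reloads `head` and `new_node` from the stack frame before every access.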

Offline critor

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #25 on: April 01, 2011, 07:39:13 pm »
Oh thank you for checking so fast :)

By the way, what do you think about that "page 7fffff" error?

Offline Goplat

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #26 on: April 01, 2011, 08:04:53 pm »
Oh thank you for checking so fast :)

By the way, what do you think about that "page 7fffff" error?
It's a bug in TI's code for reading the "bootdata". If it can't find it, it tries to read from offset FFFFFFFF, because they didn't do the error checking quite right. This was fixed in later versions.

Presumably the effect on real hardware would be that either the read fails, or it reads the last actual page of flash. Either way, the code won't get a valid bootdata structure, so the end result is it just uses the default.

Offline critor

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #27 on: April 02, 2011, 10:24:06 am »
Oh thank you for checking so fast :)

By the way, what do you think about that "page 7fffff" error?
It's a bug in TI's code for reading the "bootdata". If it can't find it, it tries to read from offset FFFFFFFF, because they didn't do the error checking quite right. This was fixed in later versions.

Presumably the effect on real hardware would be that either the read fails, or it reads the last actual page of flash. Either way, the code won't get a valid bootdata structure, so the end result is it just uses the default.

Does this mean the "downgrade protection" (included in bootdata) won't work on this model if I don't update the boot2?

Offline Goplat

Re: TI-Nspire CAS prototype 1.1.6925
« Reply #28 on: April 02, 2011, 12:58:39 pm »
Does this mean the "downgrade protection" (included in bootdata) won't work on this model if I don't update the boot2?
No, the downgrade protection will still work. The bug only affects the case where bootdata has never been written.
Numquam te deseram; numquam te deficiam; numquam circa curram et te desolabo
Numquam te plorare faciam; numquam valedicam; numquam mendacium dicam et te vulnerabo
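
The "page 7fffff" discussion in replies #26 to #28, modelled as an added example (not TI's code and not written by anyone in this thread): a "not found" sentinel used as a flash offset, next to the corrected check. The 512-byte page size is inferred from the emulator message (offset FFFFFFFF falls in page 7fffff); the `bootdata_t` layout, the `BD_MAGIC` marker and the toy flash array are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 512u        /* assumed: 0xFFFFFFFF / 512 = page 0x7fffff */
#define NUM_PAGES 64u         /* constructed toy flash, not the real size */
#define NOT_FOUND 0xFFFFFFFFu /* sentinel offset named in the thread */
#define BD_MAGIC  0x42444154u /* hypothetical marker for this demo */
typedef struct { uint32_t magic, min_os; } bootdata_t; /* hypothetical layout */
static uint8_t flash[NUM_PAGES * PAGE_SIZE];
static uint32_t last_bad_page; /* page of the last out-of-range read */
static const bootdata_t DEFAULTS = { BD_MAGIC, 0 };

static int flash_read(uint32_t off, void *dst, uint32_t len)
{
    if (off >= sizeof flash || len > sizeof flash - off) {
        last_bad_page = off / PAGE_SIZE; /* what the emulator reported */
        return -1;
    }
    memcpy(dst, flash + off, len);
    return 0;
}

static uint32_t find_bootdata(void) /* offset of the marker, or NOT_FOUND */
{
    uint32_t off, m;
    for (off = 0; off < sizeof flash; off += PAGE_SIZE) {
        memcpy(&m, flash + off, sizeof m);
        if (m == BD_MAGIC) return off;
    }
    return NOT_FOUND;
}

/* check_sentinel = 0 is the pattern described in the thread: NOT_FOUND is
 * passed straight to the read. check_sentinel = 1 is the corrected form. */
bootdata_t load_bootdata(int check_sentinel)
{
    bootdata_t bd;
    uint32_t off = find_bootdata();
    if (check_sentinel && off == NOT_FOUND) return DEFAULTS;
    if (flash_read(off, &bd, sizeof bd) != 0 || bd.magic != BD_MAGIC)
        return DEFAULTS;
    return bd;
}

int main(void)
{
    memset(flash, 0xFF, sizeof flash); /* erased: bootdata never written */
    load_bootdata(0);
    printf("unchecked read hit page %x\n", (unsigned)last_bad_page);
}
```

In this model both variants end up with the defaults when bootdata has never been written, and both return the stored structure once it exists; the difference is only the stray read, which is why an emulator that treats it as fatal stops while the fallback path would otherwise continue.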