Messages - Goplat
« on: April 02, 2011, 12:58:39 pm »
Does this mean the "downgrade protection" (included in bootdata) won't work on this model if I don't update the boot2?
No, the downgrade protection will still work. The bug only affects the case where bootdata has never been written.
« on: April 01, 2011, 08:04:53 pm »
Oh thank you for checking so fast
By the way, what do you think about that "page 7fffff" error?
It's a bug in TI's code for reading the "bootdata". If it can't find it, it tries to read from offset FFFFFFFF, because they didn't do the error checking quite right. This was fixed in later versions. Presumably the effect on real hardware would be that either the read fails, or it reads the last actual page of flash. Either way, the code won't get a valid bootdata structure, so the end result is it just uses the default.
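The failure pattern described above, written out as an added example in C (this is not TI's boot2 code; the structure, the names, the bootdata marker and the 512-byte page size are all assumptions, the page size chosen because 0xFFFFFFFF divided by 512 is exactly the 0x7FFFFF page the emulator complained about). A tiny simulated flash stands in for the NAND, a lookup returns all-ones for "not found", and two callers show the missing check and the fix:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define NOT_FOUND  0xFFFFFFFFu   /* "no bootdata" sentinel: all ones (assumed) */
#define PAGE_SIZE  512u          /* ASSUMED NAND page size; 0xFFFFFFFF / 512 == 0x7FFFFF */
#define NUM_PAGES  8             /* tiny simulated chip so this runs offline */
#define BD_MAGIC   0xB007DA7Au   /* made-up marker for a bootdata record */

static uint8_t flash[NUM_PAGES][PAGE_SIZE];

/* Erased NAND reads as 0xFF: a unit whose bootdata has never been written. */
void bd_erase_flash(void) { memset(flash, 0xFF, sizeof flash); }

/* Constructed sample input: put a bootdata record into one page. */
void bd_write(unsigned page, uint32_t min_version) {
    uint32_t m = BD_MAGIC;
    memcpy(flash[page], &m, 4);
    memcpy(flash[page] + 4, &min_version, 4);
}

/* Scan for the record; return its byte offset, or NOT_FOUND. */
uint32_t bd_find(void) {
    for (unsigned p = 0; p < NUM_PAGES; p++) {
        uint32_t m;
        memcpy(&m, flash[p], 4);
        if (m == BD_MAGIC) return p * PAGE_SIZE;
    }
    return NOT_FOUND;
}

/* Page read with a bounds check. An out-of-range page is the situation the
 * emulator reports as a bad read of page 7fffff; real hardware would either
 * fail the read or wrap to some existing page, as the post says. */
static bool read_page(uint32_t page, uint8_t *out) {
    if (page >= NUM_PAGES) return false;
    memcpy(out, flash[page], PAGE_SIZE);
    return true;
}

struct bootdata { uint32_t page; uint32_t min_version; bool from_flash; };

static struct bootdata defaults(uint32_t page) {
    struct bootdata bd = { page, 0, false };
    return bd;
}

/* Buggy caller: converts the offset to a page without testing for the
 * sentinel, so a blank unit asks for page 0xFFFFFFFF / 512 = 0x7FFFFF.
 * Whatever happens to that read, no valid record comes back and the
 * defaults are used, which is the end result described in the post. */
struct bootdata bd_load_buggy(void) {
    uint32_t page = bd_find() / PAGE_SIZE;
    struct bootdata bd = defaults(page);
    uint8_t buf[PAGE_SIZE];
    if (read_page(page, buf)) {
        memcpy(&bd.min_version, buf + 4, 4);
        bd.from_flash = true;
    }
    return bd;
}

/* Fixed caller: reject the sentinel before computing a page number. */
struct bootdata bd_load_fixed(void) {
    uint32_t off = bd_find();
    if (off == NOT_FOUND) return defaults(NOT_FOUND);
    struct bootdata bd = defaults(off / PAGE_SIZE);
    uint8_t buf[PAGE_SIZE];
    if (read_page(bd.page, buf)) {
        memcpy(&bd.min_version, buf + 4, 4);
        bd.from_flash = true;
    }
    return bd;
}

int main(void) {
    bd_erase_flash();
    printf("blank unit: buggy caller asks for page %06x\n",
           (unsigned)bd_load_buggy().page);
    bd_write(3, 0x200);
    printf("after write: fixed caller reads page %u, min_version %#x\n",
           (unsigned)bd_load_fixed().page, (unsigned)bd_load_fixed().min_version);
    return 0;
}
```

The point of the fixed caller is that the sentinel is tested before any arithmetic is done on it; once it has been divided into a page number it is indistinguishable from a legitimate (if huge) page index, which is why the bug only shows up on a unit where bootdata was never written.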
« on: April 01, 2011, 07:37:17 pm »
Then, why is this boot2 so big?
Unoptimized code?
You got it. Most of the C code in boot1 and boot2, and some in the OS, seems to have been compiled without optimizations in these versions. Here's a little example, the CSC_Place_On_List function. In boot1 1.1.6914:

00002edc: e1a0c00d mov r12,sp
00002ee0: e92dd800 stmdb sp!,{r11-r12,lr-pc}
00002ee4: e24cb004 sub r11,r12,00000004
00002ee8: e24dd008 sub sp,sp,00000008
00002eec: e50b0010 str r0,[r11 - 010]
00002ef0: e50b1014 str r1,[r11 - 014]
00002ef4: e51b3010 ldr r3,[r11 - 010]
00002ef8: e5933000 ldr r3,[r3]
00002efc: e3530000 cmp r3,00000000
00002f00: 0a000011 beq 00002f4c
00002f04: e51b2014 ldr r2,[r11 - 014]
00002f08: e51b3010 ldr r3,[r11 - 010]
00002f0c: e5933000 ldr r3,[r3]
00002f10: e5933000 ldr r3,[r3]
00002f14: e5823000 str r3,[r2]
00002f18: e51b3014 ldr r3,[r11 - 014]
00002f1c: e5932000 ldr r2,[r3]
00002f20: e51b3014 ldr r3,[r11 - 014]
00002f24: e5823004 str r3,[r2 + 004]
00002f28: e51b2014 ldr r2,[r11 - 014]
00002f2c: e51b3010 ldr r3,[r11 - 010]
00002f30: e5933000 ldr r3,[r3]
00002f34: e5823004 str r3,[r2 + 004]
00002f38: e51b3014 ldr r3,[r11 - 014]
00002f3c: e5932004 ldr r2,[r3 + 004]
00002f40: e51b3014 ldr r3,[r11 - 014]
00002f44: e5823000 str r3,[r2]
00002f48: ea000008 b 00002f70
00002f4c: e51b2010 ldr r2,[r11 - 010]
00002f50: e51b3014 ldr r3,[r11 - 014]
00002f54: e5823000 str r3,[r2]
00002f58: e51b2014 ldr r2,[r11 - 014]
00002f5c: e51b3014 ldr r3,[r11 - 014]
00002f60: e5823000 str r3,[r2]
00002f64: e51b2014 ldr r2,[r11 - 014]
00002f68: e51b3014 ldr r3,[r11 - 014]
00002f6c: e5823004 str r3,[r2 + 004]
00002f70: e24bd00c sub sp,r11,0000000c
00002f74: e89da800 ldmia sp,{r11,sp,pc}

The same function in boot1 1.1.8916:

000029c4: e5903000 ldr r3,[r0]
000029c8: e3530000 cmp r3,00000000
000029cc: 15933000 ldrne r3,[r3]
000029d0: 05801000 streq r1,[r0]
000029d4: 15831004 strne r1,[r3 + 004]
000029d8: 15813000 strne r3,[r1]
000029dc: 15902000 ldrne r2,[r0]
000029e0: 05811004 streq r1,[r1 + 004]
000029e4: 15821000 strne r1,[r2]
000029e8: 15812004 strne r2,[r1 + 004]
000029ec: 05811000 streq r1,[r1]
000029f0: e12fff1e bx lr
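What both listings compute, written out in C as an added example (this is a reconstruction read off the disassembly, not TI's source; the struct and the field names next and prev are assumptions taken from the +0 and +4 offsets). r0 is a pointer to the list's head pointer and r1 is the node being placed; the cmp/beq in the old build and the eq/ne conditional stores in the new one are the same two paths, an empty list and a non-empty one:

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout: a circular doubly linked ring, 4-byte pointers on ARM. */
struct node {
    struct node *next;   /* offset 0 */
    struct node *prev;   /* offset 4 */
};

/* r0 = &head pointer, r1 = node.
 * Empty list: the node becomes the head and links to itself.
 * Otherwise: the node is spliced in directly after the current head. */
void csc_place_on_list(struct node **list, struct node *node)
{
    struct node *head = *list;            /* ldr r3,[r0] */
    if (head == NULL) {                   /* cmp r3,0 / beq */
        *list = node;                     /* streq r1,[r0] */
        node->prev = node;                /* streq r1,[r1+4] */
        node->next = node;                /* streq r1,[r1] */
    } else {
        node->next = head->next;          /* ldrne r3,[r3] / strne r3,[r1] */
        node->next->prev = node;          /* strne r1,[r3+4] */
        head->next = node;                /* ldrne r2,[r0] / strne r1,[r2] */
        node->prev = head;                /* strne r2,[r1+4] */
    }
}

/* Walk forward from head and count nodes. Returns -1 if the ring is broken
 * (a prev pointer that does not point back, or no return to head within
 * `limit` steps), 0 for an empty list. */
int csc_ring_length(struct node *head, int limit)
{
    if (head == NULL) return 0;
    int n = 0;
    struct node *p = head;
    do {
        if (p->next == NULL || p->next->prev != p) return -1;
        p = p->next;
        if (++n > limit) return -1;
    } while (p != head);
    return n;
}

/* Place `count` nodes from a caller-supplied array onto a fresh list.
 * Returns the node that ends up directly after the head, i.e. the most
 * recently placed one (NULL for an empty list). */
struct node *csc_build(struct node **list, struct node *pool, int count)
{
    *list = NULL;
    for (int i = 0; i < count; i++)
        csc_place_on_list(list, &pool[i]);
    return count ? (*list)->next : NULL;
}

int main(void)
{
    struct node pool[3];
    struct node *list;
    csc_build(&list, pool, 3);
    printf("head is pool[%ld], ring length %d\n",
           (long)(list - pool), csc_ring_length(list, 10));
    return 0;
}
```

Because a new node always goes right after the head, the forward order after placing nodes 0, 1, 2 is 0, 2, 1; the checker walks the next pointers and confirms every prev pointer points back, which is exactly the invariant the four stores in the non-empty path have to preserve.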
« on: April 01, 2011, 07:21:21 pm »
I've been working on this all day and I think I've cleaned up the mess. This patch should fix 2.71MP.
I took care of:
-Parser Hook
-USB hook
-Asm(, AsmComp(, and AsmPrgm tokens, all reinstated and all working
-The random crashing
-ClrHome, Output(, Disp, and ClrDraw being slow
-Apps over 2 pages not running
-Output( not displaying in row 8
-Asm(, AsmComp(, and AsmPrgm not appearing in the catalog
-The weird advertisement
Did you also change the version number back to 2.55MP?
« on: April 01, 2011, 07:14:00 pm »
Those filenames are still there even in boot2 1.4. When sending an OS by RS232, you send both a manifest_img (with size given in header bytes 18-1B) and a TI-Nspire.tnc (with size given in header bytes 1C-1F). But since making manifest_img 0 bytes long works fine, it's probably vestigial.
« on: April 01, 2011, 02:54:01 pm »
Do you think such code could be useful in our attempts to dump/flash the CAS+?
Knowing how to access the rs232 port could be quite useful, but since the code that deals with that is all in one place they wouldn't have accidentally left any of that unchanged. I looked at this particular bit of obsolete code - the FFFBC410 register, if it existed, would have just been a 32768Hz timer. (The code that replaced it in later versions of the OS calls TMT_Retrieve_Clock instead).
« on: April 01, 2011, 02:23:51 pm »
Warning at PC=100BC918: Bad read_word: fffbc410
I noticed this too. If you just continue ("c") in order to ignore the bad memory accesses, it works. I suspect it's more code left over from the CAS+, trying to access now-nonexistent peripherals. Some day I need to make nspire_emu customizable in how it handles error conditions like this (ignore vs. print message vs. break into debugger)
« on: April 01, 2011, 01:45:09 pm »
BOOT2: loading complete (428 ticks), launching image. Error at PC=101675BC: Bad or unimplemented control register value: 5127f
If the OS validates fully and then doesn't work, it's probably my fault. Does it work any differently in nspire_emu 0.51, which implemented support for the 0x100 and 0x200 bits in the control register?
« on: April 01, 2011, 02:46:01 am »
I'm seeing a lot of RAM clears even without doing anything fancy. One time I tried to clear the screen and I got this. Singapore? WTF?
« on: March 31, 2011, 10:25:40 pm »
I wonder if they mean anything....
My guess is it's just a side effect of the bus speed getting changed (Boot2 uses 45MHz AHB and 22.5MHz APB, but reduces it to 15MHz AHB and 7.5MHz APB just before starting the OS). It never happens in nspire_emu, only on real hardware.
« on: March 31, 2011, 05:33:52 pm »
BOOT1: loading complete (560 ticks), launching image.
I wonder why it takes so long? (Recall that the 1.1.73xx prototype took only 339 ticks to load BOOT2.) Maybe TI accidentally put in a production version of DIAGS, so it takes time to read but ends up getting skipped. Either that or they optimized some code between this version and 1.1.7314. Initializing USB and networking. Interesting, this message isn't in later versions of boot2 (they initialize USB later on, and only if the OS fails to load). Goplat, do you think the boot2 1.1 exploit1 can work by trying to load it as a test image through RS232?... Any idea of the address I should target in that case?
Let's take that discussion to email.
« on: March 29, 2011, 11:17:37 pm »
It also means that, if you have room, you could launch a 3rd party OS from the regular OS.
But why would you want to have to go through this process: TI's OS → Ndless → boot2launcher → modified boot2 → your OS (as a .tno file) when you could just go through this one: TI's OS → Ndless → your OS (as an Ndless program)
« on: March 29, 2011, 08:26:05 pm »
If you want to modify the OS, it would be far easier and quicker to just do it in-memory.
« on: March 29, 2011, 04:02:15 pm »
Nice. I wish somehow it was possible to just launch an Ndless program that overwrites the entire OS content and bypass the protections...
Overwriting the OS in memory is easy. What do you mean by "bypass the protections"?
« on: March 29, 2011, 03:55:47 pm »
And how do you run 2.1 on 2.0.1?
Same way I do all these hacks - modified nspire_emu. Edit: You could theoretically do this on calc by using Home-Enter-X and sending the OS over RS232; it runs the received OS without installing it (since this has an 8MB limit, you would have to TNOC the OS)