This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Messages - Goplat
Pages: 1 ... 9 10 [11] 12 13 ... 20
151
« on: March 22, 2011, 07:42:13 pm »
Maybe the combo to launch the diagnostic software, which is not included in the CAS+?
The RS232 log should tell if that's what it is.
152
« on: March 22, 2011, 06:58:10 pm »
Any idea on how to generate a TNC file which would at least pass the "precheck" of the CAS+?
It looks like the two parts of an rs232-sent OS are saved to /tmp/manifest_img and /tmp/phoenix.img. So a good guess would be that a CAS+ .tnc file is a zip file containing a manifest_img file and a phoenix.img file. phoenix.img is probably the equivalent of TI-Nspire.img in the released TI-Nspire. On another note, I did a little reverse engineering of pn-net.dll. It connects to a CAS+ on TCP port 10001, and the protocol is text based. You could probably use a telnet-type program to communicate with the CAS+ manually. The "info 1" command gets some information about the calculator; the command to list a directory is "dir directoryname". Might be worth seeing if you can access more of the filesystem this way than by using Computer Link.
153
« on: March 22, 2011, 03:30:20 pm »
Here you go
154
« on: March 21, 2011, 08:50:27 pm »
Actually, sending it as a temp image doesn't work, sorry (just tested in nspire_emu)
155
« on: March 21, 2011, 05:00:12 pm »
Did you remember the 32-byte header?
You could also try sending it as a temp image (headerless)...
156
« on: March 20, 2011, 10:20:03 pm »
I think we should forget about creating files on the calc, and instead just send the contents of boot2 out over the RS232, since you already have that set up. I'll email you a file when I finish writing and testing it.
Is it ok for it to just output raw binary or will your terminal program not be able to log that properly?
157
« on: March 20, 2011, 02:21:12 pm »
I don't know. I haven't yet tested exploiting the bug over rs232 in nspire_emu.
158
« on: March 20, 2011, 01:53:46 pm »
In OS 1.1.7320, the NavNet code is present, but appears to be unused. (TI_NN_Init is at address 10291578, and is not called from anywhere) The growth in size from 1.1.7320 to 1.1.8008 was due to added flash apps in the TI-84+ emulator. Seems exploit1 is not working correctly on this oldest boot2... (or in RS232).
Any idea?
The right address is going to be a lot lower if you're using rs232. For 1.1.8007 it would be around 11a00000. Since 1.1.7314 is about 150kB smaller when uncompressed, I would try 119d8000.
159
« on: March 19, 2011, 11:45:36 pm »
It allways stops at 21%...
Strangely, I've tried my modified 1.1.9227 OS (with the added header), and I got the same error, but at 97%...
You can prepend almost whatever you want at the beginning of the file - boot2 searches for the first 0x1A byte and starts working from there, so as long as you don't add a 0x1A byte, it shouldn't affect things. Maybe there's an xmodem issue that's truncating the file? Try some different amounts of padding, like try to make the file a multiple of 0x400 bytes (the maximum xmodem packet size) or something. Edit: it also tolerates padding at the end; 0x400 extra null bytes at the end should fix any xmodem truncation issues.
160
« on: March 19, 2011, 07:20:29 pm »
It worked with boot2 1.1.8008 in nspire_emu... I guess 1.1.7314 probably has yet another bug. (With all these boot2 bugs, it's a wonder TI managed to ever get the OS on these calcs in the first place.) An alternative would be to try to use our exploit (modified to dump boot2 to rs232 instead of to a file) but you know how finicky that can be. The message "Initializing interim USB loader...Done." is intriguing - the current boot2 still has unused vestiges of this "interim USB loader". I'd like to help more, but I have school work to deal with right now.  Maybe tomorrow.
161
« on: March 19, 2011, 06:26:57 pm »
Heisenberg uncertainty principle: Δx Δp = h/4π
I think most physicists would agree that the more natural constant is ħ = h/2π. (There's that 2π again.)
162
« on: March 19, 2011, 04:52:18 pm »
Stupid bug... TI messed up with /tmp/TI-Nspire.tno and /tmp/TI-Nspire.tnc.
I suppose the send OS is stored to /tmp/TI-Nspire.tnc.
But the boot2 does check /tmp/TI-Nspire.tno, and complains that the file length is 0 (as it doesn't exist).
But guess what... as the check did fail, it then removes /tmp/TI-Nspire.tnc!!!
Any idea to bypass this problem ? Hex-edit the .tno file you're trying to send. In the header, change "TI-Nspire.tno" to "TI-Nspire.tnc". (This header has no signature protection  ) By the way... any info on the RS232 diags image?
Sending my 640Kb images through RS232 just doesn't work...
(no error message: the Nspire just turns off, and Esc+Menu+G doesn't trigger anything)
Maybe they got the size check wrong so a full 640kB isn't allowed. (Note that the last 64kB of the space reserved for diags is actually used for storing test results, so the actual image will never be larger than 576kB.) Try truncating it to just the size of the actual image (for a development-signed diags, the last few bytes are 24 57 c3 c6 90 ff f0).
163
« on: March 19, 2011, 01:35:16 pm »
Although boot2.img is sent on RS232 as-is, OSes must be sent with a 32-byte header. The first 24 bytes, as far as I know, are unused. Bytes 24-27 are the size of the data to write to /tmp/manifest_img (nspire_emu always just set this to 0, and it worked, so I guess it's not important. Probably something left over from the CAS+.), and bytes 28-31 are the size of the data to write to /tmp/TI-Nspire.tnc. (Note: these sizes are big-endian) printf("Loading OS from %s\n", os_filename);
FILE *f = fopen(os_filename, "rb");
if (f) {
u8 *mem = ram_ptr(arm.reg[0]);
u32 size = fread(mem + 32, 1, arm.reg[1], f);
memset(mem, 0, 28);
mem[28] = size >> 24;
mem[29] = size >> 16;
mem[30] = size >> 8;
mem[31] = size;
fclose(f);
arm.reg[0] = 0;
} else {
perror(os_filename);
arm.reg[0] = 1;
}
arm.reg[15] = arm.reg[14];
Edit: Here's a possibility to recover the OS. Use Home-Enter-X to send a "temp image" (a .tno/.tnc file, without the 32 byte header) - it will run the sent OS without installing it. It will have to be compatible with the installed OS, though, in terms of filesystem contents. I tried using a modified nspire_emu to run 1.1.9227 on top of a 1.1.8008 installation; there were some messed-up text messages but other than that it seemed to work fine. If you could run a USB-capable OS on top of a 1.1.7320 installation, then you could probably just dump the old OS with TiLP.
164
« on: March 19, 2011, 02:33:13 am »
The & operator has lower precedence than ==. So "ADD_v == instruction & ADD_v" is equivalent to "(ADD_v == instruction) & ADD_v", rather than to the intended "ADD_v == (instruction & ADD_v)". This is just an annoying feature of C and C++ (it trips me up all the time...)
Also, the bit mask that you AND with should have all the bits identifying the instruction set to 1 - even the bits that must be 0 to match that instruction. For example:
0x7000 == (0x7001 & 0x7000) - this is true, as we want
0x7000 == (0xF001 & 0x7000) - but this is also true!
165
« on: March 19, 2011, 02:00:37 am »
Goplat, if it's parsing "70" to the ASCII codes 0x37 and 0x30, then "01" would read 0x3031, not 0x3001. 0x01 is a non-printable ASCII control character.
Right, that was a typo, sorry
Pages: 1 ... 9 10 [11] 12 13 ... 20
|
Show Posts
