Messages - bsl
Pages: 1 ... 4 5 [6] 7 8 ... 11
76
« on: March 25, 2011, 06:47:36 pm »
So is a NAND reader our best chance right now?
Another choice- if you know someone that works with embedded systems and has the equipment for this
77
« on: March 25, 2011, 12:09:50 am »
I was just looking at that vulnerability. I was trying: AAAA%08x%08x%08x.....%08x and hoping one of the "%08x" would give me 41414141, then replace that with %s to read arbitrary memory addresses. Could not find it so far. Seems this technique ignores %p; haven't tried %n.
critor: for a quick test try:
c:\>write test.tns 19
c:\>AAAA,%08x,%08x,%08x <RETURN>
c:\>type test.tns
EDIT: If this format string is in the stack on the CAS+ instead of a buffer like the later models, then this looks more promising.
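The probe in the post above relies on untrusted text being handed to a printf-style routine as the format argument. The following is an added example (not code from the post or from the Nspire firmware) showing, from the defensive side, how such input can be recognised before it reaches a format function, and what the hardened call looks like. The function names and the sample strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count printf conversion specifiers in an untrusted string.
 * "%%" is a literal percent and is not counted. If writes_memory is
 * non-NULL it is set when a %n conversion is present, since %n is the
 * one conversion that writes to memory instead of reading it. */
size_t count_format_conversions(const char *s, bool *writes_memory) {
    size_t n = 0;
    const char *p = s;
    if (writes_memory) *writes_memory = false;
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;                               /* consume '%' */
        if (*p == '%') { p++; continue; }  /* "%%" prints a literal '%' */
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == 'n' && writes_memory) *writes_memory = true;
        n++;                               /* counts a trailing lone '%' as malformed too */
        if (*p) p++;                       /* consume the conversion character */
    }
    return n;
}

/* The vulnerable shape the post is probing would be:
 *     snprintf(out, cap, user);          // user text used AS the format
 * With "AAAA,%08x,%08x" the conversions consume whatever is on the stack.
 * Hardened form: the format is a constant and user text is only an argument. */
void echo_safe(const char *user, char *out, size_t cap) {
    snprintf(out, cap, "%s", user);
}

/* Policy variant for code paths that must keep a caller-supplied format:
 * refuse any input that carries conversions at all. Returns true on success. */
bool echo_checked(const char *user, char *out, size_t cap) {
    bool writes = false;
    if (count_format_conversions(user, &writes) != 0) {
        out[0] = '\0';
        return false;                      /* reject, and log in a real system */
    }
    echo_safe(user, out, cap);
    return true;
}
```

The scanner is deliberately conservative: anything that parses as a conversion, even a malformed one, is enough to reject the input, and `echo_safe` shows that the simplest fix is to never let attacker-controlled bytes occupy the format position at all.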
78
« on: March 23, 2011, 05:58:16 pm »
It's between a card reader or a JTAG connection. I haven't done hardware stuff for a while. The card reader is the direct approach; a JTAG connection would be the best way (if it can be done at all?). There is JTAG software out there already; I would have to read more about JTAG and trace runs on the board. I think ExtendeD did a little work on this.
79
« on: March 23, 2011, 05:36:07 pm »
Yes, I did - I just picked one photo. It's interesting that's the one obvious connection inside the Nspire that, to my knowledge, no one has attempted?
81
« on: March 23, 2011, 01:39:21 am »
Now that you have deleted the OS off one calculator, USB connect two CAS+ together, reboot the one without the OS. Does this now activate the Send OS selection? Monitor the RS232 traffic while doing this.
If this works, then you can tap into USB to dump the OS.
82
« on: March 22, 2011, 03:49:00 pm »
Looks like manifest_img is the OS. Now you can start sending boot2 exploits through RS232. Even though the files are deleted, they may not really be deleted, only unlinked in the inode of the filesystem [hopefully].
83
« on: March 22, 2011, 01:40:39 pm »
strings.res is about half the size of the other prototypes, even 1.7320. Try:
c:\>type strings.res
The reason for "showcopyrights" was a possible second shell exists that might have this command.
84
« on: March 22, 2011, 01:06:08 pm »
Critor, when you get a chance - on the older calculator enter these commands:
C:\phoenix\> type components
C:\phoenix\syst\> dir
C:\phoenix\syst\locales\en\>dir
C:\phoenix\syst\locales\>dir
C:\phoenix\syst\locales\>type copysamples
The shell has a command for creating files:
C:\documents\examples\> write test.tns 5 <Enter 5 characters then hit return>
I was able to enter control characters, but this is limiting for entering a whole binary file like loader.tns. Can you also type this command:
C:\documents\examples\>showcopyrights
85
« on: March 21, 2011, 11:28:19 pm »
There are a lot more capable terminal programs written for MsDOS back then, because of the direct hardware access that Window$ doesn't give you. Here is a link to some of them: http://www.eunet.bg/simtel.net/msdos/commprog.html
86
« on: March 21, 2011, 08:57:36 pm »
Can this procedure also work for other unknown boot2's like the CAS+? First you have to hunt for valid points, then write the exploit.
87
« on: March 21, 2011, 12:18:30 am »
After you dump boot2, see if you can reflash boot2_1.1.7314 and OS1.1.7320 back on as an integrity check.
88
« on: March 20, 2011, 12:23:50 pm »
It will be interesting to look at OS 1.1.7320. Without USB support, it would be unusual to see that it would not support more shell/RS232 utilities than what we have been seeing. If we are really lucky, debugging information on those old OS's
89
« on: March 20, 2011, 02:35:32 am »
It might become necessary to rewrite the Ndless loader, assuming you get the test image working. There is a reboot in the Ndless installation which might mean losing the test image. The loader would be rewritten to hexdump the NAND to RS232 and would not install Ndless - just using the exploit to dump the NAND.
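The post above proposes a loader whose only job is to hexdump flash contents out of the serial port. As an added example (not the Ndless loader, nor any code from this thread), here is the shape of such a dump routine: it avoids printf and the rest of libc, writes through a byte-sink abstraction that a real loader would back with its UART transmit routine, and carries a running checksum so the receiving end can tell whether the capture is intact. The sink type, the function names and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte sink standing in for the serial port. In a loader this would be a
 * UART transmit routine; this constructed one appends to a buffer. */
typedef struct { char *buf; size_t cap; size_t len; } sink_t;

static void sink_putc(sink_t *s, char c) {
    if (s->len + 1 < s->cap) s->buf[s->len++] = c;
    s->buf[s->len] = '\0';
}

static void sink_puts(sink_t *s, const char *t) {
    while (*t) sink_putc(s, *t++);
}

/* One 16-byte line: "AAAAAAAA: HH HH ... |ascii|\n", built from a digit
 * table only, so it works without any formatted-output support. */
static void hexdump_line(sink_t *s, uint32_t addr, const uint8_t *p, size_t n) {
    static const char hex[] = "0123456789ABCDEF";
    for (int sh = 28; sh >= 0; sh -= 4) sink_putc(s, hex[(addr >> sh) & 0xF]);
    sink_puts(s, ": ");
    for (size_t i = 0; i < 16; i++) {
        if (i < n) { sink_putc(s, hex[p[i] >> 4]); sink_putc(s, hex[p[i] & 0xF]); }
        else        sink_puts(s, "  ");          /* pad a short final line */
        sink_putc(s, ' ');
    }
    sink_putc(s, '|');
    for (size_t i = 0; i < n; i++)
        sink_putc(s, (p[i] >= 0x20 && p[i] < 0x7F) ? (char)p[i] : '.');
    sink_puts(s, "|\n");
}

/* Dump a memory region line by line and return an 8-bit sum of the bytes
 * sent, so the host side can verify the transfer against its own sum. */
uint8_t hexdump_region(sink_t *s, uint32_t base, const uint8_t *data, size_t len) {
    uint8_t sum = 0;
    for (size_t off = 0; off < len; off += 16) {
        size_t n = (len - off < 16) ? len - off : 16;
        hexdump_line(s, base + (uint32_t)off, data + off, n);
        for (size_t i = 0; i < n; i++) sum = (uint8_t)(sum + data[off + i]);
    }
    return sum;
}

/* Constructed sample: 20 bytes valued 0..19 in place of real flash contents. */
uint8_t demo_dump(char *out, size_t cap) {
    uint8_t sample[20];
    for (size_t i = 0; i < sizeof sample; i++) sample[i] = (uint8_t)i;
    sink_t s = { out, cap, 0 };
    out[0] = '\0';
    return hexdump_region(&s, 0x00000000u, sample, sizeof sample);
}
```

On the receiving side, a terminal capture of this output can be converted back to binary and its byte sum compared with the trailing checksum; a mismatch means a dropped or corrupted serial character rather than a bad flash read, which is the first thing to rule out before trusting a dump.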
90
« on: March 19, 2011, 05:21:23 pm »
I was able to run that diags with the DiagsLauncher program. Runs on the emulator, should run on the calc without signature checking. Subtract 8 more bytes from that program I sent for the larger diags proto header.
EDIT: change one line to look like:
if (fread((void *)0x117FFFB4 , 1, DIAGS_SIZE, ifile) != DIAGS_SIZE) {