I think you should news, or edit the 1st post about the downgrade protection.

The TNOC way can only work if applied before the 3.0 upgrade.
Else, you'll have to buy an RS232 interface, or send the calculator to me.

Is it possible to downgrade boot2 on TI-Nspire calculators?

Yes, I've done it many times on prototype Nspire calculators, with my RS232 interface.
You can send me all your bricked Nspire. Just include the return shipping cost

But I don't know if downgrading the boot2 will be enough. It might have allready modified something permanently in the NAND ROM...

so critor is there a way to modify the boot2 so nspire 2.x or 1.x documents can work on the new os (3.0)?

Old documents don't work?...

I've just removed the boot2 from the 3.0 TNO file.
I'm currently installing that file on a basic TI-Nspire running boot2 1.4.


I'll tell you if I get anything interesting.

Anybody analysing the new downgrade protection?

It's not in the TNC/TNO header anymore...


Hard-coded in the OS?



By the way, lots of comprehensive informations and secrets here:
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1036

Bugs with some CAS functions have allready been reported in the 3.0 OS that should be released tomorrow:

http://tibank.forumactif.com/t6864-os-30-buggue (in french)


It's possible that many CAS oriented documents won't work any more on this OS.

But TI just doesn't care, as usual.
(I've reported a TI-83/83+/84+ bug with complex numbers 2 years ago... the result is just wrong! It's still not corrected,although new OSes are still being released worldwide, and new TI-83 harware are still being released for France...)

What do you mean by hot reboot code?
This one line of assembly in boot2-/diagslauncher that loads the OS base address into r15/pc?

For the OS, it's a little more complicated than that.

Or maybe try updating http://xandrean.free.fr/TI8XEmu.html to support the calc with flash mem?

Seems it won't be possible to convert this one.
I've digged into it, and a part of the core of the emulator is only included as a precompiled library.
Of course, I've asked for the sources to Brandon Meyer, but didn't get a reply either.

I have decrypted the OS now using a method described on yAronet and modified boot2launcher's source (instead of 0x1180000 0x10000000 + size changed) but it seems that this method would be too easy. The emulator reboots with

Code: [Select]

data abort exception, lr=101f9ddc
So, is anybody gonna help me or does nobody want to talk about this because they don't want to upset TI?

I have the code to make a "hot reboot". It's tested and working.
The OS decrypted code has to be copied some way at 0x10000000.

But you have to make sure no OS code is used at that time.
So I suppose you can neither fread directly at 0x100000000, nor use memcpy().
I've tried to use standard C functions (malloc, fread, and then a for loop and pointers...), but in the end it didn't work either.
I've disabled interrupts, same thing...
I've disabled the compiler optimisations, same thing...

I'm either getting errors speaking of:
- code allready in use
- misaligned data
either a freeze or full reboot.

I suppose, some part of the old OS code is still in use...
Maybe performing the copy operation in assembly would be a way.

It's probably quite simple, for someone who understands ARM assembly.