Messages - critor
1426
« on: March 25, 2011, 06:48:59 pm »
If I were to buy a CAS+ on ebay, which is the OS version it would most likely come with?
Probably 1.0.554 if the CAS+ is manufactured in September or October 2006 (which are the most frequent). Early production CAS+ manufactured in August or early September 2006 should come with the 1.0.529 OS, but it's much more rare. Any other version would be collector!
1427
« on: March 25, 2011, 06:43:46 pm »
Thanks
edit: I believe I remember someone saying that arrows have been mapped to 1-9? Does this work in gbc4nspire or not?
gbc4nspire came out before the touchpad was even announced. It'll probably need another hex editing session to make a touchpad version (perhaps even with support for reading the actual arrow keys if that could be pulled off -- I've been checking out how to interface with it)
Any news about a fully functional TouchPad version of gbc4Nspire?
1428
« on: March 25, 2011, 06:35:20 pm »
ExtendeD worked a bit on the J04 connector in commercial models, indeed. But no JTAG (in standard format) seemed to be available.
So is a NAND reader our best chance right now?
Seems so. Who is skilled enough to try? I cannot keep the oldest 1.0.3xx and 1.0.4xx CAS+ forever...
- So we need to hard-dump OS 1.0.554 (the most common on production CAS+). I could try, but I'm sure I'll break everything...
- Then we should test soft-exploits to dump the older 1.0.529 OS (early production CAS+) - as I have several of them.
- Then once the soft-exploits are safe enough, we should try them with the older 1.0.3xx and 1.0.4xx OSes. The 1.0.4xx OS seems quite similar to 1.0.5xx OSes. I suppose it should work. The 1.0.3xx OS is different and "strange"...
1429
« on: March 25, 2011, 04:15:47 pm »
As I feared, looks like the command shell code is different (and unlike the later version, the address of RelDclVPrintf doesn't show up in uninitialized space in the TYPE command's stack frame). Without knowing the addresses of any useful functions we can't exploit the buffer overflow safely yet. We had better wait for another CAS+ OS to be dumped, so we can see the older command shell code, and come back to this then.
What's the best way to dump the OS?
As far as we know up to now, the production CAS+ OS can only be dumped by connecting the NAND ROM chip to a reader... TI-Nspire Computer Link 1.0 does only access a virtual drive content... And it seems we can't run the DataLight shell to access the physical drive content without assembly... But once the production OS is dumped, we may be able to dump other CAS+ OSes easier through some exploits. Note the Ndless 1.7 installer exploit does freeze the CAS+ OS. (calculator can still be turned off/on and the pointer can still be moved through the joypad, but that's all)
1430
« on: March 25, 2011, 02:56:53 pm »
For now, an immediate goal would be to dump a CAS+ OS, in order to make it reinstallable.
Remember TI has never released the TNC update files for the CAS+. If the OS gets corrupted and/or removed (it happened to several of us), the only thing you'll ever see on your CAS+ screen is a progress bar stuck at 60%...
1431
« on: March 25, 2011, 02:26:45 pm »
And here's the other test! First step is to dump the stack to get some addresses... Try this (in whatever directory you're comfortable creating files in):
write stackdump 192
%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x
type stackdump
C:\documents\ndless\>write stackdump.tns 192
%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x%8x
C:\documents\ndless\>dir
1980-01-01 00:00:00 <Dir> .
1980-01-01 00:00:00 <Dir> ..
1980-01-01 00:00:00 639280 os.tns
1980-01-01 00:00:00 19 test.tns
1980-01-01 00:00:00 192 stackdump.tns
Free Space: 17479680 bytes
C:\documents\ndless\>type stackdump.tns
20000013106F2648 010919DA0 0 C0 010919DB4 210919E48 10919DAC101A923C101A9C7C1091A490 0106F2188106F218D106F219C 01091A3A0 3B10919DF810919DDC101AC3A4101F1B2410917E841091A3A81091A3A0 3B10919E10 10919DFC1091A3A8FFFFFFFF106A1CB41091A3C710919E3010919E14101A93041014BA38 0 1091A3A8101AA97C106A1CA810919E4810919E34101AA70C 2 1106FB5C010919E60 10919E4C10000994101A9194 0 010919E7810919E64101279841000097C10000040 10917E8410919E7C10919E7C 0
C:\documents\ndless\>
1432
« on: March 25, 2011, 02:18:37 pm »
critor : for a quick test try:
c:\>write test.tns 19
c:\>AAAA,%08x,%08x,%08x <RETURN>
c:\>type test.tns
C:\documents\ndless\>write test.tns 19
AAAA,%08x,%08x,%08x
C:\documents\ndless\>dir
1980-01-01 00:00:00 <Dir> .
1980-01-01 00:00:00 <Dir> ..
1980-01-01 00:00:00 639280 os.tns
1980-01-01 00:00:00 19 test.tns
Free Space: 17480192 bytes
C:\documents\ndless\>type test.tns
AAAA,20000013,106F259B,00000000
C:\documents\ndless\>
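The test above stores 19 bytes, yet `type` prints 31 characters with the `%08x` fields expanded, which is what happens when stored text is handed to a printf-style function as its format string. The following C sketch is an added example, not code from the thread or from the TI OS: it puts that pattern beside the fixed form and adds a check that flags stored content carrying conversion directives. The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a shell "type" command that renders
   file content into an output buffer. Not the TI shell's code. */

/* Vulnerable form: the file content IS the format string, so each
   %x in it consumes an argument that was never passed. */
int type_vulnerable(const char *content, char *out, size_t n) {
    return snprintf(out, n, content);
}

/* Hardened form: a fixed format string; the content is only data. */
int type_hardened(const char *content, char *out, size_t n) {
    return snprintf(out, n, "%s", content);
}

/* Count printf conversion directives in stored content.
   "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void) {
    /* The 19-byte test input quoted in the post above. */
    const char *stored = "AAAA,%08x,%08x,%08x";
    char out[128];

    int len = type_hardened(stored, out, sizeof out);
    printf("hardened:   %s (%d bytes)\n", out, len);
    printf("directives: %d\n", count_directives(stored));

    /* Undefined behaviour: the fields are filled with whatever sits
       in the argument registers or on the stack at this point. */
    type_vulnerable(stored, out, sizeof out);
    printf("vulnerable: %s\n", out);
    return 0;
}
```

Compilers report the vulnerable call under -Wformat-security; building with that warning promoted to an error catches the pattern before it ships.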
1433
« on: March 23, 2011, 09:40:17 pm »
Yes, the two are signed with different keys.
Darn.
Please pardon my ignorance, it will be a week or two before I get my Nspire basic (v2 with touchpad and ti-84 emu [I wanted an Nspire CAS, but this was nearly new and $60. A CAS would have cost twice as much.]).
Are boot1 and boot2 stored on the same NAND flash rom? If so, is there any chance of using Ndless to flash an OS with an invalid signature and a boot2 to load it?
Or would I need to re-flash the NAND directly?
Boot2 & OS are stored in the same NAND ROM chip. But, Boot1 is stored in a separate NOR ROM chip. Without modifying the boot2, no invalid OS. But without modifying the boot1, no modified boot2... As for Ndless, with ExtendeD and then Bsl we have made some tests, trying to (re)flash the diagnostic software accessible at boot time through Esc+Menu+G (so something which is not "vital"). With more than 20 tests and 10 different versions of the flasher, the flashing succeeded just once... Until we can understand more about that very low success rate, we can assume you cannot flash anything safely in NAND ROM through Ndless. Note: according to some messages found in the diagnostic software images, the NOR ROM seems flashable...
1434
« on: March 23, 2011, 09:14:06 pm »
Wow! Thanks for pointing that out bsl! Looking at the CAS+ and CAS boards side by side, there are some large differences between them. Now I really doubt that the CAS+ can run a production OS.
Those aren't for the keyboard?
J02, probably...
But what's the purpose of the J04 present on older CAS+?
I can't really tell from that photo where the traces lead.
You might see better on this one: http://www.datamath.org/Graphing/JPEG_NSpire_P.htm#PCBA TI-XXXXXXXXXXX (basic TI-Nspire prototype), which seems to have a similar connector. The connector is not soldered on final basic TI-Nspire.
1435
« on: March 23, 2011, 06:05:57 pm »
It helps those who know how to use it. And believe me, that's not the majority. On TI-Bank we constantly get messages like: "the Nspire/68k sucks, because it doesn't give me the steps for the antiderivative/derivative/integral/limit! What do I do?..." In short, you see? They get the superb final symbolic result that the TI-z80 models don't give, and still find a way to come and complain! They don't even bother to "understand" that result, which would in fact give them the steps. But paradoxically, those who know how to use it... are the ones who least need help!
1436
« on: March 23, 2011, 05:57:51 pm »
Here's the CAS+ inf file content:
;Texas Instruments Incorporated
;Driver Information File for TI-Nspire
;Copyright (c) Texas Instruments Inc. All rights reserved.
[Version]
Signature = "$Windows NT$"
Class = Net
ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider = %TI%
DriverVer = 05/24/2006,5.2.3790.1454
CatalogFile = tirndis.cat
[Manufacturer]
%TI% = TIDevices,NT.5.1
[TIDevices]
%TIDevice% = RNDIS, USB\VID_0451&PID_E011
[TIDevices.NT.5.1]
%TIDevice% = RNDIS.NT.5.1, USB\VID_0451&PID_E011
[ControlFlags]
ExcludeFromSelect=*
; Windows 2000 specific sections ---------------------------------
[RNDIS.NT]
Characteristics = 0x84 ; NCF_PHYSICAL + NCF_HAS_UI
BusType = 15
DriverVer = 05/24/2006,5.2.3790.1454
AddReg = RNDIS_AddReg_NT, RNDIS_AddReg_WIN2K_XP
CopyFiles = RNDIS_CopyFiles_NT
; DO NOT MODIFY THE SERVICE NAME
[RNDIS.NT.Services]
AddService = USB_RNDISY, 2, RNDIS_ServiceInst_NT, RNDIS_EventLog
[RNDIS_CopyFiles_NT]
; no rename of files on Windows 2000, use the 'y' names as is
usb8023y.sys, , , 0
rndismpy.sys, , , 0
[RNDIS_ServiceInst_NT]
DisplayName = %ServiceDisplayName%
ServiceType = 1
StartType = 3
ErrorControl = 1
ServiceBinary = %12%\usb8023y.sys
LoadOrderGroup = NDIS
AddReg = RNDIS_WMI_AddReg_NT
[RNDIS_WMI_AddReg_NT]
HKR, , MofImagePath, 0x00020000, "System32\drivers\rndismpy.sys"
; Windows XP specific sections -----------------------------------
[RNDIS.NT.5.1]
Characteristics = 0x84 ; NCF_PHYSICAL + NCF_HAS_UI
BusType = 15
DriverVer = 05/24/2006,5.2.3790.1454
AddReg = RNDIS_AddReg_NT, RNDIS_AddReg_WIN2K_XP
; no copyfiles - the files are already in place
[RNDIS.NT.5.1.Services]
AddService = USB_RNDIS, 2, RNDIS_ServiceInst_5_1, RNDIS_EventLog
[RNDIS_ServiceInst_5_1]
DisplayName = %ServiceDisplayName%
ServiceType = 1
StartType = 3
ErrorControl = 1
ServiceBinary = %12%\usb8023.sys
LoadOrderGroup = NDIS
AddReg = RNDIS_WMI_AddReg_5_1
[RNDIS_WMI_AddReg_5_1]
HKR, , MofImagePath, 0x00020000, "System32\drivers\rndismp.sys"
; Windows XP and Windows 2000 Sections
[RNDIS_AddReg_NT]
HKR, Ndi, Service, 0, "USB_RNDISY"
HKR, Ndi\Interfaces, UpperRange, 0, "ndis5_ip"
HKR, Ndi\Interfaces, LowerRange, 0, "nolower"
[RNDIS_AddReg_WIN2K_XP]
HKR, NDI\params\NetworkAddress, ParamDesc, 0, %NetworkAddress%
HKR, NDI\params\NetworkAddress, type, 0, "edit"
HKR, NDI\params\NetworkAddress, LimitText, 0, "12"
HKR, NDI\params\NetworkAddress, UpperCase, 0, "1"
HKR, NDI\params\NetworkAddress, default, 0, " "
HKR, NDI\params\NetworkAddress, optional, 0, "1"
[RNDIS_EventLog]
AddReg = RNDIS_EventLog_AddReg
[RNDIS_EventLog_AddReg]
HKR, , EventMessageFile, 0x00020000, "%%SystemRoot%%\System32\netevent.dll"
HKR, , TypesSupported, 0x00010001, 7
[SourceDisksNames]
1=%SourceDisk%,,1
[SourceDisksFiles]
usb8023y.sys=1
rndismpy.sys=1
[DestinationDirs]
RNDIS_CopyFiles_NT = 12
[Strings]
ServiceDisplayName = "USB Remote NDIS Network Device Driver"
NetworkAddress = "Network Address"
TI = "Texas Instruments Incorporated"
TIDevice = "Texas Instruments Remote NDIS Network Device"
SourceDisk = "TI USB Network Driver Install Disk"
Note that the date is posterior to my oldest orange-blue CAS+ boot1/boot2/OS build dates. (the one on which I have the OS image in the documents folder, but which doesn't work with TI-Nspire Computer Link 1.0)
The oldest CAS+ DHCP server is sending 3 to 4 IP addresses to the TI virtual network interface on my computer, which is requesting them. But it seems that for some reason my computer is either not receiving those IPs, or not acknowledging them.
I've tried what you proposed: manually assigning the proposed IP. But it doesn't work: "the IP is already in use". I've tried assigning another IP in the same subnet, but no other active IP was visible in the subnet.
Remember the CAS+ IP seems to be the interface IP plus one. So it might be affected after the computer acknowledges.
And of course, I have no problems with more recent CAS+ DHCP servers.
1437
« on: March 23, 2011, 05:44:00 pm »
Hm... I'm not good at soldering... Already had problems with the dock connector. And I'll probably be much worse at micro-soldering...
Bsl? You think you could try that?
Once we get at least one image of a CAS+ boot2 + OS, we may find software-ways for dumping all other CAS+ versions.
1438
« on: March 23, 2011, 05:35:06 pm »
Those aren't for the keyboard?
J02, probably... But what's the purpose of the J04 present on older CAS+?
1440
« on: March 23, 2011, 05:23:50 pm »
The BAC is not a multiple-choice test.
As far as I know, the calculator doesn't yet tell you what to write on your exam paper. A result without the reasoning that leads to it is worthless.
The calculator, whether it's a z80, a 68k or an Nspire, essentially only lets you check your result.