The 1.1.73xx boot1/boot2/OS/diags are the only developer versions which have visible differences with the newer 1.1 developer and production versions.

They seem to be an intermediate between TI-Nspire CAS+ and basic/CAS TI-Nspire.

You can find lots of screen captures and photos of the matching prototype below:
http://tibank.forumactif.com/t6809-les-secrets-des-ti-xxxxxxxxxxx
http://ti.bank.free.fr/index.php?mod=galerie&action=img&id_gal=9&id_img=130
(with comments in french)


A very big thanks to everybody.
Omnimaga is great!

Did you remember the 32-byte header?

You could also try sending it as a temp image (headerless)...

Sorry, I completly forgot that!
Going to try again.

I should be able to handle raw binary I think.
Thanks.

The TI-Nspire CX will be using new 3.0 versions of the boot1 and boot2.
http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1010

Currently (may not be final):
* Boot1 3.0.99
* Boot2 3.0.127
(information asked to DataMath.org)

Ok. We're still missing Boot2 1.1.7314.


Let's sum up what's left for dumping:
- a TI-Nspire with Boot2 1.1.7314 and with OS 1.1.7320.
- a TI-Nspire with Boot2 1.1.7314 and without any OS.

According to previous tests, it seems it's not possible to install a newer OS without updating the Boot2.
(no full USB support in this Boot2, and seems OSes can't be installed through RS232 because of some bugs)


I've tried "exploit1" for 1.1 boot2, by sending special TNC files (adding them the header needed for RS232) targetting various addresses.

With newer 1.1 boot2, most of the time the calculator just freezed. The rest of the time, it displayed some artifacts, or rebooted. And when the right address was targetted, it displayed what we wanted.

With this oldest boot2, on the 1st try (targetting address 0x11b00000) I got a strange garbage I've never seen on the screen. I was just thinking "why not?...".

But then I targetted:
0x11b08000
0x11b10000
0x11b18000
0x11b20000
0x11b28000
0x11b30000

I allways got exactly the same garbage on the screen.

Knowing that this boot2 is smaller than newer boot2, I targetted the minimum and maximum address:
0x11a00000
0x11cf8000

Again, the same garbage on the screen.




Seems exploit1 is not working correctly on this oldest boot2... (or in RS232).
Any idea?

Using boot2 1.1.9170, I've tried to run a test image over the 1.1.7320 OS.

I've tried OSes 1.1.8008, 1.1.8410, and 1.1.9227.
(I've sent the original tno files, without adding any header)

It didn't work.
I'm getting the same error each time:

Keypad request, preparing to load a test image.
Checking battery level.
Battery level is OK.
Begin XMODEM file transfer.
§§File transfer complete. Saving file.
File saved. Loading temp image...
21% Error loading temp image.
It allways stops at 21%...

Strangely, I've tried my modified 1.1.9227 OS (with the added header), and I got the same error, but at 97%...


Something I've missed again?

Although boot2.img is sent on RS232 as-is, OSes must be sent with a 32-byte header. The first 24 bytes, as far as I know, are unused. Bytes 24-27 are the size of the data to write to /tmp/manifest_img (nspire_emu always just set this to 0, and it worked, so I guess it's not important. Probably something left over from the CAS+.), and bytes 28-31 are the size of the data to write to /tmp/TI-Nspire.tnc. (Note: these sizes are big-endian)

Quote from: nspire_emu v0.01 source code, exec_hack() function (run in place of the xmodem receive function)

printf("Loading OS from %s\n", os_filename);
FILE *f = fopen(os_filename, "rb");
if (f) {
        u8 *mem = ram_ptr(arm.reg[0]);
        u32 size = fread(mem + 32, 1, arm.reg[1], f);
        memset(mem, 0, 28);
        mem[28] = size >> 24;
        mem[29] = size >> 16;
        mem[30] = size >> 8;
        mem[31] = size;
        fclose(f);
        arm.reg[0] = 0;
} else {
        perror(os_filename);
        arm.reg[0] = 1;
}
arm.reg[15] = arm.reg[14];

I've tried flashing an OS through RS232 on a "normal" Nspire and it worked - thanks!


Ok, I still have 3 prototypes running boot2 1.1.7314 and OS 1.1.7320.


I've just taken one of them:

1) remove the 1.1.7320 OS

ok

2) send the 1.1.9227 ndlessable OS in RS232 with its header

failed...

Boot Loader Stage 1 (1.1.7314)
Build: 2007/2/23, 20:43:36
Copyright (c) 2006, 2007 Texas Instruments Incorporated
Using developer keys

Last boot progress: 32
Clocks:  CPU = 90MHz   AHB = 45MHz   APB = 22MHz

Available system memory: 37292
SDRAM memory test:   Pass
Clearing SDRAM...Done.
Clearing SDRAM...Done.
Clearing SDRAM...Done.
Checking for NAND: NAND Flash ID: ST Micro NAND256R3A
Boot option: Normal

Loading DIAGS software...

Error reading/validating DIAGS image

Error loading DIAGS. Switching to BOOT2.

Loading BOOT2 software...

99%
BOOT1: loading complete (331 ticks), launching image.



Boot Loader Stage 2 (1.1.7314)
Build: 2007/2/23, 20:48:12
Copyright (c) 2006, 2007 Texas Instruments Incorporated
Using developer keys

Clocks:  CPU = 90MHz   AHB = 45MHz   APB = 22MHz


Initializing graphics subsystem.
Checking for NAND: NAND Flash ID: ST Micro NAND256R3A
Boot option: Normal


Initializing filesystem.
Datalight Reliance v2.10.1150
Copyright (c) 2003-2006 Datalight, Inc.
Datalight FlashFX Pro v3.00 Build 1358
Nucleus Edition for ARM9
Copyright (c) 1993-2006 Datalight, Inc.
Patents: US#5860082, US#6260156.
Filesystem ready.

Loading Operating System...

Error loading OS image. Removing OS remnants.
Deleting file [/phoenix/manuf.dat]
Removing directory [/phoenix/install/]

Waiting for OS download.
Starting Connectivity services.
Initializing USB subsystem...Done.
Initializing interim USB loader...Done.
USB Download is enabled.
Press <Enter> to download through the serial port.
Checking battery level.
Battery level is OK.
Begin XMODEM file transfer.
File transfer complete. Saving pre-load file.
File saved. Installing new Operating System...
TI_OS_INSTALL_PRECHECK (5)
TI_OS_INSTALL_VERIFYING_IMAGE (10)
IMAGE: verifying file "/tmp/TI-Nspire.tno"
IMAGE: file length is 0
TI_OS_INSTALL_VERIFYING_RESOURCE (95)
Deleting file [/tmp/TI-Nspire.tnc]
TI_OS_INSTALL_FAILED
  TI_OS_INSTALL_IMAGE_INVALID



Boot Loader Stage 1 (1.1.7314)
Build: 2007/2/23, 20:43:36
Copyright (c) 2006, 2007 Texas Instruments Incorporated
Using developer keys

Last boot progress: 35
Clocks:  CPU = 90MHz   AHB = 45MHz   APB = 22MHz

Available system memory: 37292
PM is turning the device OFF
Stupid bug... TI messed up with /tmp/TI-Nspire.tno and /tmp/TI-Nspire.tnc.
I suppose the send OS is stored to /tmp/TI-Nspire.tnc.
But the boot2 does check /tmp/TI-Nspire.tno, and complains that the file length is 0 (as it doesn't exist).
But guess what... as the check did fail, it then removes /tmp/TI-Nspire.tnc!!!

Any idea to bypass this problem ?


So now, I have only 2 prototypes running boot2 1.1.7314 and OS 1.1.7320 left.
By using such "destructive" methods, I can only fail 1 more time...

Edit: Here's a possibility to recover the OS. Use Home-Enter-X to send a "temp image" (a .tno/.tnc file, without the 32 byte header) - it will run the sent OS without installing it. It will have to be compatible with the installed OS, though, in terms of filesystem contents. I tried using a modified nspire_emu to run 1.1.9227 on top of a 1.1.8008 installation; there were some messed-up text messages but other than that it seemed to work fine. If you could run a USB-capable OS on top of a 1.1.7320 installation, then you could probably just dump the old OS with TiLP.

Going to try that.

Doesn't seem dangerous!


By the way... any info on the RS232 diags image?
Sending my 640Kb images through RS232 just doesn't work...
(no error message: the Nspire just turns off, and Esc+Menu+G doesn't trigger anything)

Thanks for saving me the trouble on those video files.
I learned something about Video Text Recognition
which seems to be more of an art than a science .

Thanks for all your hard work, bsl.


But we're not done yet...
I could take a video of the boot2 and the OS!

Note that even if I manage to dump the boot2 by flashing an Ndlessable OS using the 1.1.7314 boot2, I can't see any way of dumping the OS...


By the way, any idea about that RS232 OS flashing problem ?