Quote from: Camdenmil on August 15, 2011, 05:21:13 pm

The run on home option appears to break the Basic Menu( command. It always gives Label errors even if the label is valid.

Yeah, I know, I need to let them accumulate a little. I want 1.3.001 to fix all the bugs.

I also have this bug, plus two other ones :
Phoenix IV doesn't want to launch, sometimes. It freezes the calc, or displays the ship and all then freezes or just shut down the calc (it even shut it down without making RAM cleared, once). Removing "Stats wizard" made it work well then it screwed up back . It is a MirageOS prog and I set DoorsCS as the shell option, if that helps resolving the problem.

I'm not sure what's going on there. Phoenix works for me with DCS. Do you have the latest DCS? This is Pheonix 4.0 By Patrick Davidson correct?

Also, the displayed pic at the beginning worked well until yesterday: the contrast was not set right and the "top of the screen" was at 1/3 from the top, until I Ram clear.

That's really strange. One thing it could be is that your More>Hardware>Get Delay is set way too low, but that's probably not it. Since you have two strange errors, trying deleting the appVar and starting fresh. Maybe something weird happened to it.

This should help. They're in the exact same order as the .rar, so you can fill in the gaps between known screenshots.



That's about the best I can pull off without getting too extreme.

Really? That's a really easy fix. Check here for info. A quick writeAByte to the certificate and your app is valid.

I'll go tell quigibo.

I'll just inquire over a general detail: since it works (presumably) on the 83+, I take it that it modifies the certificate and not the boot code?

Correct, it modifies the certificate.

Also, what's the point of encrypting it? It has to decrypt itself to run, and thus it should be easy to get a decrypted version to study.

Two reasons, 1) you can't just use IDA on it this way, 2) the way I encrypted it makes it very hard to NOP code (I can't give away too many details in permanent posts like this)

Also, does it only work against 1.03, or does it work for 1.02 (and perhaps 1.00) too?

This works on every boot code that has been released to date. Though, there are far fewer reasons to use it on anything besides boot code 1.03.

In short, this is the boot code 1.03 hack.

When boot code 1.03 first came out, I searched pretty hard for an exploit that would allow unsigned OS's to be sent to the calculator. I ended up disassembling the entire boot code only to come up short. So I figured it wasn't possible. But then, brandonW said that he had found a way to do it, but of course, was not going to tell anyone (for safety reason, the same reason I'm releasing this so late.) This energized me to look through the boot code, and sure enough, I figured out how to do it.

But guess what? Brandon and I had come up with entirely different ways to beat the boot code. This is actually really cool because it means we are covered the next time TI releases an boot code. So, we should be able to downgrade operating systems for quite some time.

The reason I had to wait so long to release this was so that it would not be easy for TI to change their boot code to beat my exploit. I think now is a good time to release this because TI has already made their supply of calculators for the 2011-2012 school year and it's about this time of year that people will start looking for a way to downgrade. And actually, I'm not even sure that TI will be able to reverse engineer my exploit once they find out about it, but that's another story.


So, here is the patcher: This is just an extension of my old AboutNam, the code has been finished for several months now, I just had to wait to release it. Here's what the exploit does:

• Allows unsigned OS's (512 bit RSA and 1024 bit RSA)
• Allows unsigned apps

The cool part is that this exploit works on all boot codes all the way back to the 83+, so feel free to use it there. And allowing/disallowing is as simple as selecting "Unsigned OS's" vs "Signed OS's." While you're at it, you might as well put your name in the certifiacte :D


As far as side effects go, here's what I've noticed:

• Validation of OS's in boot code 1.03 takes ~5 minutes less :D
• If the unsigned OS's are selected, the calculator will finish receiving the OS and reboot without telling the sending calculator/Ti-connect that it has finished. This is because I intercept control before the final confirmation packet is sent (which is after validation) and I have no way to tell whether the OS was received via USB or I/O. A very simple work around is to just close Ti-connect. When sending from another calculator, the calculator will just say Error in Xmit, so there's really no problem there.
• The above is also true for receiving apps with unsigned apps enabled
• When you run this program on an 83+BE, it will clear ram when it's done. I did this on purpose.
• If you always use unsigned apps, you'll have no idea whether the apps will actually work on other calculators (not really a side effect)

If you want a copy of the source, just PM me, I'll be happy to send you a copy as long as you are: not TI, or are not going to send it to TI. In fact, it actually makes me happy when people look at the source, so don't feel at all like it will annoy me. I'd attach it, but like I said, I want this exploit to remain valid for a while.

Lastly, if you are going to run this program from a shell (yes you can), be sure that the program is archived. This is because it manually deallocates itself and jumps to the OS, which means if it's in ram, it's essentially deleting itself. If you run it from TI-OS, it will just run like a normal program. Why does it deallocate itself you ask? Because I encrypted it :D


Edit:
Why do you need this?
If you don't understand any of the above information, then the only reason you need this program is to downgrade your calculator from OS 2.55 to something else if you have boot code 1.03.

First off, your calculator won't have boot code 1.03 unless you bought it within the past month. Secondly, to check, press [Mode][Alpha][Ln]. If it does not say BOOT Code 1.03, then you have nothing to worry about.

The reason you would run this is because TI added in anti-downgrade protection in the boot code that would only allow you to run OS's 2.55 and higher. Of course, some people won't want to run that OS, so run this and you'll be able to downgrade.

DJ_O, you're in luck (assuming you haven't made the screen shots yet). The newest versions of wabbitemu support recording AVI's, which I'm sure movie maker can handle.

I made it use 'z' = 0x7A by simply adding -- right before the final [<++>-]. But then nothing changed.

So I debugged the whole thing and I saw the magic in action. It was so cool to see the whole thing work out perfectly and end with 00's. But what I saw is that it doesn't actually update the screen, it just deletes the memory. So now I know.