While the folks at #omnimaga et al. are trying to solve this evil (plenty of big hackers running around frantic), I've decided to cross post here to inform the calc community at large what is going on.
While we have seen some substantial progression towards developer friendliness (read: Lua Scripting on the Nspire), it seems that they have taken a step backwards and attacked the developer community as well... this time where it really hurts: the Z80 devs. (TI-8x)
A new calculator released in France - the "TI-84 Pocket fr" - contains a new boot code, 1.03, as seen here: (click to enlarge)
It also seems that this calc is a new HW revision (not a surprise - it is a totally different calc, after all). The new calc still uses the newer, 48kb RAM:
New boot code 1.03! Sounds like an awesome update, right?
You would be very wrong. If you tried to downgrade the included OS 2.55MP to any lower version OS, you would receive a validation error. In fact, the new boot code takes 7 minutes to validate the OS. (The "100% Validating" screen)
It is unsure of what else this new boot code has changed, but it can't be good. Possibilities include patching flash unlock exploits, screwing up the display even more, and making it much slower.
What are your thoughts? Is this a ploy to kill the Z80 development community, and force them to migrate to the new, more tightly controlled Nspires? What do you think they have changed? Will the community at large fight back and be victorious? Post your thoughts, comments, and concerns in the topic!
Further reading
Original article: http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1176
Translated with Google Translate: http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=fr&tl=en&u=http%3A%2F%2Fti.bank.free.fr%2Findex.php%3Fmod%3Dnews%26ac%3Dcommentaires%26id%3D1176
Critor's post on Omnimaga: http://ourl.ca/9380/219234
Orginial IRC log follows:
While we have seen some substantial progression towards developer friendliness (read: Lua Scripting on the Nspire), it seems that they have taken a step backwards and attacked the developer community as well... this time where it really hurts: the Z80 devs. (TI-8x)
A new calculator released in France - the "TI-84 Pocket fr" - contains a new boot code, 1.03, as seen here: (click to enlarge)
It also seems that this calc is a new HW revision (not a surprise - it is a totally different calc, after all). The new calc still uses the newer, 48kb RAM:
New boot code 1.03! Sounds like an awesome update, right?
You would be very wrong. If you tried to downgrade the included OS 2.55MP to any lower version OS, you would receive a validation error. In fact, the new boot code takes 7 minutes to validate the OS. (The "100% Validating" screen)
It is unsure of what else this new boot code has changed, but it can't be good. Possibilities include patching flash unlock exploits, screwing up the display even more, and making it much slower.
What are your thoughts? Is this a ploy to kill the Z80 development community, and force them to migrate to the new, more tightly controlled Nspires? What do you think they have changed? Will the community at large fight back and be victorious? Post your thoughts, comments, and concerns in the topic!
Further reading
Original article: http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1176
Translated with Google Translate: http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=fr&tl=en&u=http%3A%2F%2Fti.bank.free.fr%2Findex.php%3Fmod%3Dnews%26ac%3Dcommentaires%26id%3D1176
Critor's post on Omnimaga: http://ourl.ca/9380/219234
Orginial IRC log follows:
Quote:
[18:22:28] <OmnomIRC> (O)<critor> I'm currently testing (downgrade, patched OS, 3rd party OSes...)
[18:23:12] <OmnomIRC> (O)<Geekboy1011> :/
[18:23:18] <OmnomIRC> (O)<thepenguin77> critor, the boot code initializes the hardware
[18:23:36] <OmnomIRC> (O)<critor> sorry, thepenguin77
[18:23:37] <OmnomIRC> (O)<thepenguin77> then it calls the OS
[18:23:51] <OmnomIRC> (O)<thepenguin77> but I did just read that whole article
[18:23:58] <OmnomIRC> (O)<critor> true that the PCB is very different
[18:24:25] <OmnomIRC> (O)<thepenguin77> I would expect the outputs to a few ports have changed
[18:24:27] <OmnomIRC> (O)<Qwerty.55> How different is it?
[18:24:53] <OmnomIRC> (O)<Qwerty.55> IE: New screen driver or just a new label on the thing?
[18:25:21] <OmnomIRC> (O)<critor> 2 separate PCB (screen + keypad)
[18:25:37] <OmnomIRC> (O)<critor> allmost all the electronic is concentrated on the screen PCB
[18:26:32] <OmnomIRC> (O)<critor> here's a partiel photo of the screen PCBn showing the ROM & ASIC: http://i23.servimg.com/u/f23/13/23/13/53/pocket27.jpg
[18:26:43] <OmnomIRC> (O)<critor> according to my ongoing tests, unfortunately I was right... more infos soon...
...
[18:30:04] <OmnomIRC> (O)<critor> although the model is only for France, you might get this new Boot Code in new TI-84+ soon...
...
[18:39:18] * apcalc (ae368af6@ircip3.mibbit.com) has joined #omnimaga
[18:39:18] * Netbot45 gives voice to apcalc
...
[18:43:25] <OmnomIRC> (O)<thepenguin77> critor, so is there attempted downgrade protection?
...
[18:44:15] <OmnomIRC> (O)<critor> thepenguin77 -> yes - I can't install OS 2.53MP or older. Only 2.55MP works.
[18:44:33] <alberthro> O_O
[18:44:34] <OmnomIRC> (O)<thepenguin77> wow, that's pretty good, I guess we'll have to get a team on that one
[18:44:42] <alberthro> holy crap...
[18:44:43] <OmnomIRC> (O)<thepenguin77> this will be fun
[18:44:52] <SpyBot45> (O) New post by DrDnar in TI-84 Pocket http://omniurl.tk/6783/165113
[18:44:53] * alberthro hires one BrandonW
[18:45:45] <alberthro> Man, I did not expect for your 2.71MP OS features to get implemented so soon...
[18:46:36] <Runer112> thepenguin77, have you added delay removal to zStart yet?
[18:46:46] <OmnomIRC> (O)<critor> in fact it's even worse... I cannot even installed a patched 2.55MP OS...
[18:46:47] <OmnomIRC> (O)<thepenguin77> yes, just not updated yet
[18:46:51] <Runer112> cool
[18:47:15] <alberthro> critor: even after it's resigned? O_O
...
[18:47:28] <OmnomIRC> (O)<critor> yes...
...
[18:47:38] <OmnomIRC> (O)<critor> so Boot Code 1.03 seems to check something else than the RSA signature...
[18:47:44] <OmnomIRC> (O)<thepenguin77> haha, they added in a new encryption system
...
[18:49:11] <OmnomIRC> (O)<critor> and the thing checked by Boot Code 1.03 seems very complicated...
...
[18:50:03] <BrandonW> What is going on here?
...
[18:50:06] <BrandonW> What is this 1.03 business?
[18:50:18] <OmnomIRC> (O)<thepenguin77> new OS validation checks
[18:50:19] <OmnomIRC> (O)<critor> remember the "100% Validating..." screen?... The TI-84 Pocket.fr needs more than 6 minutes on that screen to validate the OS!!!!!! (so TI hasn't just checked the OS version string or the OS size...)
[18:50:38] <alberthro> BrandonW: TI took a page from thepenguin77's 2.71MP and are blocking downgrades and patched OSes.
[18:50:47] <BrandonW> Get me a boot page dump now.
[18:51:06] <alberthro> critor: 7 minutes? O_O
[18:51:18] <OmnomIRC> (O)<thepenguin77> brandonw, it's the moment you've finally been waiting for
[18:51:20] <BrandonW> Get me a boot page dump or send me this calculator now.
[18:51:25] <BrandonW> I will pay for it.
[18:51:50] * Flygon_ has quit (Read error: Connection reset by peer)
[18:51:56] <alberthro> If TI is looking for version numbers... that's just sad. /possiblyterribleguess
[18:52:01] <BrandonW> Do you need me to create a dumper?
[18:52:12] * Flygon_ (~Flygon@207-179-240-153.mtco.com) has joined #omnimaga
[18:52:14] * Netbot45 gives voice to Flygon_
[18:52:16] <BrandonW> I imagine you already have it since you're talking about what it does.
[18:52:41] <OmnomIRC> (O)<critor> yes, I've got it
[18:52:55] <OmnomIRC> (O)<renatose> @critor: I have ndless, oslauncher and phoenix.raw.zip.tns in root folder
[18:52:58] <OmnomIRC> (O)<critor> I don't need a dumper: Asm is still working as far as I've tested
[18:53:04] <OmnomIRC> (O)<renatose> shouldn't it work?
[18:53:15] <BrandonW> You're scaring me, get me a dump!
[18:53:48] <BrandonW> Look at _CheckHeaderKey or _SetupOSPubKey and make sure it's still looking for 04.
[18:54:02] <BrandonW> If not, we need to get whatever they've done factored.
[18:54:49] <BrandonW> If we can't, we need to make sure they aren't checking additional things in the certificate.
[18:54:56] * Fishbot (Mibbit@97-117-129-222.phnx.qwest.net) has joined #omnimaga
[18:54:56] * Netbot45 gives voice to Fishbot
[18:54:59] <BrandonW> So that we can still use something Free83P-ish.
[18:55:53] <alberthro> critor: Play around with zStart or some other thing that patches the OS. Do they block flash writing?
[18:56:05] <alberthro> *flash unlock + writing?
[18:56:11] <OmnomIRC> (O)<thepenguin77> I would assume they killed the os unlock exploits
[18:56:21] <Fishbot> :/
[18:56:25] <Fishbot> Wait, exploits?
[18:56:27] <BrandonW> You are seriously scaring me.
[18:56:36] <BrandonW> critor, come on, dump time.
[18:56:40] <apcalc> hold on, does this really block downgrading!?!?!
[18:56:41] <Fishbot> You mean flash writing isn't done the way the OS does it?
[18:56:46] * apcalc goes to write a news article
[18:56:55] <Runer112> Fishbot, it's done in the same way
[18:56:57] <Fishbot> apcalc, hold on for a minute.
[18:57:00] <OmnomIRC> (O)<thepenguin77> well, it still is, but you have to glitch the calculator into unlocking flash
[18:57:12] <Runer112> that's the point, we call a part of the OS that the OS doesn't want us to call
[18:57:26] <Runer112> because it unlcocks flash
[18:57:33] <alberthro> It's a new HW and boot code revision, so I would expect that there's somethings that are fixed.
[18:57:49] <alberthro> Both HW and software wise.
[18:57:52] <BrandonW> What OS is it?
[18:58:01] <alberthro> It's stuck on 2.55MP.
[18:58:35] <apcalc> BrandonW - some info/pics are here: http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1176
[18:58:37] <alberthro> If you're going to add downgrade protection, TI, at least make your OSes decent!
[18:59:07] <OmnomIRC> (O)<critor> yes, it's the same 2.55MP OS
[18:59:15] <Fishbot> Wonderful.
...
[19:08:32] <OmnomIRC> (O)<critor> the RSA key is probably the same, as the 2.55MP OS is working... unless TI hid a 2nd signature in the additional bytes of the 2.55MP OS...
...
[19:09:35] <OmnomIRC> (O)<calc84maniac> I wonder if this new bootcode is in any normal TI-84+ calcs now or soon O_O
[19:09:50] <OmnomIRC> (O)<critor> that's what I'm fearing...
...
[19:10:07] <OmnomIRC> (O)<thepenguin77> I'm not very good at OS sending, so the first thing I'll do is look for a flash unlock
[19:10:25] <OmnomIRC> (O)<thepenguin77> os sending is all brandon
[19:10:59] <OmnomIRC> (O)<calc84maniac> oh man, I guess I might have to change the flash unlock method in TI-Boy
...
[19:12:42] <BrandonW> critor, when you tried to send a different OS to it, what cable did you use?
...
[19:14:14] <OmnomIRC> (O)<critor> I've tried to send the OS from the computer with the SilverLink cable
...
[19:14:35] <OmnomIRC> (O)<critor> I've also tried to send the OS from another TI-84+ with bothe the USB and I/O cables
...
[19:16:25] <BrandonW> I'll go to Wal-Mart tonight and buy a brand new 84+.
[19:16:29] <BrandonW> And see what boot code version it has.
[18:23:12] <OmnomIRC> (O)<Geekboy1011> :/
[18:23:18] <OmnomIRC> (O)<thepenguin77> critor, the boot code initializes the hardware
[18:23:36] <OmnomIRC> (O)<critor> sorry, thepenguin77
[18:23:37] <OmnomIRC> (O)<thepenguin77> then it calls the OS
[18:23:51] <OmnomIRC> (O)<thepenguin77> but I did just read that whole article
[18:23:58] <OmnomIRC> (O)<critor> true that the PCB is very different
[18:24:25] <OmnomIRC> (O)<thepenguin77> I would expect the outputs to a few ports have changed
[18:24:27] <OmnomIRC> (O)<Qwerty.55> How different is it?
[18:24:53] <OmnomIRC> (O)<Qwerty.55> IE: New screen driver or just a new label on the thing?
[18:25:21] <OmnomIRC> (O)<critor> 2 separate PCB (screen + keypad)
[18:25:37] <OmnomIRC> (O)<critor> allmost all the electronic is concentrated on the screen PCB
[18:26:32] <OmnomIRC> (O)<critor> here's a partiel photo of the screen PCBn showing the ROM & ASIC: http://i23.servimg.com/u/f23/13/23/13/53/pocket27.jpg
[18:26:43] <OmnomIRC> (O)<critor> according to my ongoing tests, unfortunately I was right... more infos soon...
...
[18:30:04] <OmnomIRC> (O)<critor> although the model is only for France, you might get this new Boot Code in new TI-84+ soon...
...
[18:39:18] * apcalc (ae368af6@ircip3.mibbit.com) has joined #omnimaga
[18:39:18] * Netbot45 gives voice to apcalc
...
[18:43:25] <OmnomIRC> (O)<thepenguin77> critor, so is there attempted downgrade protection?
...
[18:44:15] <OmnomIRC> (O)<critor> thepenguin77 -> yes - I can't install OS 2.53MP or older. Only 2.55MP works.
[18:44:33] <alberthro> O_O
[18:44:34] <OmnomIRC> (O)<thepenguin77> wow, that's pretty good, I guess we'll have to get a team on that one
[18:44:42] <alberthro> holy crap...
[18:44:43] <OmnomIRC> (O)<thepenguin77> this will be fun
[18:44:52] <SpyBot45> (O) New post by DrDnar in TI-84 Pocket http://omniurl.tk/6783/165113
[18:44:53] * alberthro hires one BrandonW
[18:45:45] <alberthro> Man, I did not expect for your 2.71MP OS features to get implemented so soon...
[18:46:36] <Runer112> thepenguin77, have you added delay removal to zStart yet?
[18:46:46] <OmnomIRC> (O)<critor> in fact it's even worse... I cannot even installed a patched 2.55MP OS...
[18:46:47] <OmnomIRC> (O)<thepenguin77> yes, just not updated yet
[18:46:51] <Runer112> cool
[18:47:15] <alberthro> critor: even after it's resigned? O_O
...
[18:47:28] <OmnomIRC> (O)<critor> yes...
...
[18:47:38] <OmnomIRC> (O)<critor> so Boot Code 1.03 seems to check something else than the RSA signature...
[18:47:44] <OmnomIRC> (O)<thepenguin77> haha, they added in a new encryption system
...
[18:49:11] <OmnomIRC> (O)<critor> and the thing checked by Boot Code 1.03 seems very complicated...
...
[18:50:03] <BrandonW> What is going on here?
...
[18:50:06] <BrandonW> What is this 1.03 business?
[18:50:18] <OmnomIRC> (O)<thepenguin77> new OS validation checks
[18:50:19] <OmnomIRC> (O)<critor> remember the "100% Validating..." screen?... The TI-84 Pocket.fr needs more than 6 minutes on that screen to validate the OS!!!!!! (so TI hasn't just checked the OS version string or the OS size...)
[18:50:38] <alberthro> BrandonW: TI took a page from thepenguin77's 2.71MP and are blocking downgrades and patched OSes.
[18:50:47] <BrandonW> Get me a boot page dump now.
[18:51:06] <alberthro> critor: 7 minutes? O_O
[18:51:18] <OmnomIRC> (O)<thepenguin77> brandonw, it's the moment you've finally been waiting for
[18:51:20] <BrandonW> Get me a boot page dump or send me this calculator now.
[18:51:25] <BrandonW> I will pay for it.
[18:51:50] * Flygon_ has quit (Read error: Connection reset by peer)
[18:51:56] <alberthro> If TI is looking for version numbers... that's just sad. /possiblyterribleguess
[18:52:01] <BrandonW> Do you need me to create a dumper?
[18:52:12] * Flygon_ (~Flygon@207-179-240-153.mtco.com) has joined #omnimaga
[18:52:14] * Netbot45 gives voice to Flygon_
[18:52:16] <BrandonW> I imagine you already have it since you're talking about what it does.
[18:52:41] <OmnomIRC> (O)<critor> yes, I've got it
[18:52:55] <OmnomIRC> (O)<renatose> @critor: I have ndless, oslauncher and phoenix.raw.zip.tns in root folder
[18:52:58] <OmnomIRC> (O)<critor> I don't need a dumper: Asm is still working as far as I've tested
[18:53:04] <OmnomIRC> (O)<renatose> shouldn't it work?
[18:53:15] <BrandonW> You're scaring me, get me a dump!
[18:53:48] <BrandonW> Look at _CheckHeaderKey or _SetupOSPubKey and make sure it's still looking for 04.
[18:54:02] <BrandonW> If not, we need to get whatever they've done factored.
[18:54:49] <BrandonW> If we can't, we need to make sure they aren't checking additional things in the certificate.
[18:54:56] * Fishbot (Mibbit@97-117-129-222.phnx.qwest.net) has joined #omnimaga
[18:54:56] * Netbot45 gives voice to Fishbot
[18:54:59] <BrandonW> So that we can still use something Free83P-ish.
[18:55:53] <alberthro> critor: Play around with zStart or some other thing that patches the OS. Do they block flash writing?
[18:56:05] <alberthro> *flash unlock + writing?
[18:56:11] <OmnomIRC> (O)<thepenguin77> I would assume they killed the os unlock exploits
[18:56:21] <Fishbot> :/
[18:56:25] <Fishbot> Wait, exploits?
[18:56:27] <BrandonW> You are seriously scaring me.
[18:56:36] <BrandonW> critor, come on, dump time.
[18:56:40] <apcalc> hold on, does this really block downgrading!?!?!
[18:56:41] <Fishbot> You mean flash writing isn't done the way the OS does it?
[18:56:46] * apcalc goes to write a news article
[18:56:55] <Runer112> Fishbot, it's done in the same way
[18:56:57] <Fishbot> apcalc, hold on for a minute.
[18:57:00] <OmnomIRC> (O)<thepenguin77> well, it still is, but you have to glitch the calculator into unlocking flash
[18:57:12] <Runer112> that's the point, we call a part of the OS that the OS doesn't want us to call
[18:57:26] <Runer112> because it unlcocks flash
[18:57:33] <alberthro> It's a new HW and boot code revision, so I would expect that there's somethings that are fixed.
[18:57:49] <alberthro> Both HW and software wise.
[18:57:52] <BrandonW> What OS is it?
[18:58:01] <alberthro> It's stuck on 2.55MP.
[18:58:35] <apcalc> BrandonW - some info/pics are here: http://ti.bank.free.fr/index.php?mod=news&ac=commentaires&id=1176
[18:58:37] <alberthro> If you're going to add downgrade protection, TI, at least make your OSes decent!
[18:59:07] <OmnomIRC> (O)<critor> yes, it's the same 2.55MP OS
[18:59:15] <Fishbot> Wonderful.
...
[19:08:32] <OmnomIRC> (O)<critor> the RSA key is probably the same, as the 2.55MP OS is working... unless TI hid a 2nd signature in the additional bytes of the 2.55MP OS...
...
[19:09:35] <OmnomIRC> (O)<calc84maniac> I wonder if this new bootcode is in any normal TI-84+ calcs now or soon O_O
[19:09:50] <OmnomIRC> (O)<critor> that's what I'm fearing...
...
[19:10:07] <OmnomIRC> (O)<thepenguin77> I'm not very good at OS sending, so the first thing I'll do is look for a flash unlock
[19:10:25] <OmnomIRC> (O)<thepenguin77> os sending is all brandon
[19:10:59] <OmnomIRC> (O)<calc84maniac> oh man, I guess I might have to change the flash unlock method in TI-Boy
...
[19:12:42] <BrandonW> critor, when you tried to send a different OS to it, what cable did you use?
...
[19:14:14] <OmnomIRC> (O)<critor> I've tried to send the OS from the computer with the SilverLink cable
...
[19:14:35] <OmnomIRC> (O)<critor> I've also tried to send the OS from another TI-84+ with bothe the USB and I/O cables
...
[19:16:25] <BrandonW> I'll go to Wal-Mart tonight and buy a brand new 84+.
[19:16:29] <BrandonW> And see what boot code version it has.
Our apologies if that's the case X.x
