OS upgrade files: Difference between revisions

From Hackspire
(Minor update about the certificates)
(1024-bit RSA public keys)
Line 23: Line 23:
:0010 - 4 : ?
:0010 - 4 : ?
:0100 - 4 : Revision Number (same field as for the TI-68k)  
:0100 - 4 : Revision Number (same field as for the TI-68k)  
:0260 - 140 : ?
:0260 - 140 : 1024-bit RSA public key
:0260 - 140 : A second one! The beginning and the end of the 2 fields are similar.
:0260 - 140 : 1024-bit RSA public key
240 - 128 : Same field ID as in the .tno/.tnc. Certificate signature.
240 - 128 : Same field ID as in the .tno/.tnc. Certificate signature.
<br/>FFF0 - 0 : END_OF_CERT
<br/>FFF0 - 0 : END_OF_CERT
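Review bot: The second 0260 entry at line 23 loses the old remark that the two fields begin and end alike, so the list now carries two identical lines with nothing to tell the keys apart. Consider keeping a short qualifier on the second entry, for example "0260 - 140 : 1024-bit RSA public key (second key; start and end match the first)".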
Line 426: Line 426:
340 - 146 : ???
340 - 146 : ???
::0270 - 1 : ??? \x00
::0270 - 1 : ??? \x00
::0260 - 140 : ???
::0260 - 140 : 1024-bit RSA public key


0240 - 128: Signature (of field 340?)
0240 - 128: Signature (of field 340?)


FFF0 -0 : END_OF_CERT
FFF0 - 0 : END_OF_CERT
 
==1024-bit RSA public keys==
These keys can be found in ''boot2.cer'', ''boot2.img'' and ''TI-Nspire.cer''. They are formatted in [http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One ASN.1] [http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules DER] format, as described [http://www.jensign.com/JavaScience/dotnet/JKeyNet/ here] or [http://stackoverflow.com/questions/1281102/reading-a-asn-1-der-encoded-rsa-public-key here]. As a bytes sequence, the format is:
30 81 89 02 81 81 00 [128 bytes: the key] 02 03 '''01 00 01'''
The final <tt>01 00 01</tt> is the RSA exponent, which means 65537 in DER, a [http://en.wikipedia.org/wiki/RSA#Key_generation_2 common value] for ''e''.
 
The meaning of these keys is currently unknown.


==We need your help==
==We need your help==
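Review bot: In the new "1024-bit RSA public keys" section, "[128 bytes: the key]" labels what is only the modulus; the public key is the whole 140-byte structure, the modulus plus the exponent 01 00 01. Suggest "[128 bytes: the modulus]", and a note that the 00 just before it is counted in the preceding 0x81 (129) length byte, so a reader extracting the field does not take 129 bytes as the modulus.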

Revision as of 14:49, 30 August 2009

The latest versions of the TI-Nspire and TI-Nspire CAS Operating System are available here (v 1.4). This article describes the format and content of the current versions (v1.1.9253 and v1.1.9170) of the .tno and .tnc files.

.tno/.tnc

A .tno file is an OS image for the TI-Nspire. A .tnc is for the TI-Nspire CAS. Contrary to other calculators with flash memory, the whole OS file is received before being written to flash memory. This is possible thanks to the huge amount of RAM available on the TI-Nspire. Sending a .tno to a TI-Nspire CAS is possible and vice-versa, but at the end of the reception a message will be displayed by the Computer Link Software indicating that the file is corrupted, and the OS won't be installed.

A .tno/.tnc is a PK-Zip file with a custom ASCII header describing the OS update file. It can be opened with a simple archiving program such as WinRAR or WinZip. The PK-Zip file contains a certificate file (TI-Nspire.cer) and a .img file (TI-Nspire.img). In OS 1.4, it also contains boot2.cer and boot2.img. Here is an example of a .tno/.tnc header (lines starting with # are added comments):

# File, version, size of the file, ?
TI-Nspire.tno 1.1.9253  3092555 0
# __RES__, version, ?, size of the compressed file system once decompressed
__RES__ 1.1.9253 0  2420072
\0x1A

The header can have a variable size and is terminated by the byte 0x1A. The sizes in the header are used both to validate on the TI-Nspire side that there is enough available memory to install the new OS (the validation is performed as soon as the header has been received), and at the end of the transfer to ensure that everything has been received as expected. The sizes must be positive integers and must be present, else an error is returned to the Computer Link Software. Multiple spaces are ignored by the parser. The parser seems to read sizes of more than 7 digits incorrectly, accepting some huge sizes, but rejecting other huge sizes and asking for free space of random size.
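A strict host-side parser for the header described above, as an added example (not code from this page or from TI). The function names, the 4096-byte header bound and the CRLF line endings in the constructed sample are assumptions. It enforces the rules the text gives (two lines, sizes present and positive, 0x1A terminator) and flags sizes in the more-than-7-digit range that the device parser is reported to misread.

```python
import re

HEADER_END = b"\x1a"       # terminator byte named on the page
ZIP_MAGIC = b"PK\x03\x04"  # PK-Zip local file header signature
MAX_HEADER = 4096          # assumption: sanity bound on header length
SIZE_RE = re.compile(r"[1-9][0-9]*\Z")


def parse_size(token: str, notes: list) -> int:
    """Sizes must be present and positive; flag the >7-digit range."""
    if not SIZE_RE.match(token):
        raise ValueError(f"size is not a positive integer: {token!r}")
    if len(token) > 7:
        notes.append(f"size {token} has more than 7 digits")
    return int(token)


def parse_os_header(blob: bytes) -> dict:
    """Parse the ASCII header of a .tno/.tnc and locate the zip payload."""
    end = blob.find(HEADER_END, 0, MAX_HEADER)
    if end < 0:
        raise ValueError("no 0x1A terminator found")
    text = blob[:end].decode("ascii")   # non-ASCII bytes raise ValueError
    # split() with no argument collapses runs of spaces, as the text describes
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]
    if len(rows) != 2 or any(len(r) != 4 for r in rows):
        raise ValueError("expected two lines of four fields")
    (name, version, size, _), (tag, res_version, _, res_size) = rows
    if tag != "__RES__":
        raise ValueError("second line must start with __RES__")
    notes = []
    return {
        "name": name,
        "version": version,
        "file_size": parse_size(size, notes),
        "res_version": res_version,
        "fs_size": parse_size(res_size, notes),
        "zip_offset": end + 1,
        "payload_is_zip": blob.startswith(ZIP_MAGIC, end + 1),
        "notes": notes,
    }


# Constructed sample: the page's example header plus a dummy zip signature.
SAMPLE = (b"TI-Nspire.tno 1.1.9253  3092555 0\r\n"
          b"__RES__ 1.1.9253 0  2420072\r\n"
          + HEADER_END + ZIP_MAGIC + bytes(26))

if __name__ == "__main__":
    print(parse_os_header(SAMPLE))
```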

TI-Nspire.cer

The file follows TI's standard certificate format used on many calculator models. See TIGCC's documentation for more information (more particularly cread and cfindfield).

This file hasn't changed between the different upgrades released by TI, up to version 1.7.

(Format of the following section: Field ID (hex) - size (dec) : comment. The indentation corresponds to subfields.)

350 - 298 : top-level field, similar to TI-68k's FLASH_APP_CERT (0x0300), PRODUCT_CODE (0x0320), FLASH_ROM_CERT (0x0330), etc.
    0010 - 4 : ?
    0100 - 4 : Revision Number (same field as for the TI-68k)
    0260 - 140 : 1024-bit RSA public key
    0260 - 140 : 1024-bit RSA public key
240 - 128 : Same field ID as in the .tno/.tnc. Certificate signature.
FFF0 - 0 : END_OF_CERT

TI-Nspire.img

Structure

As for TI-Nspire.cer, the file is organized as a certificate.

(Format of the following section: Field ID (hex) - size (dec) - @TI-Nspire: offset of the current version (hex) - @TI-Nspire CAS: offset): comment. The indentation corresponds to subfields.)

8000 : AMS Header
    8040 : Product Name: "TI-Nspire"
    8010 : First part of Product ID
    80E0 : Different on TI-Nspire and TI-Nspire CAS
    8020 : Version number: "1.1.9253"/"1.1.9170"
    8020 : Version number, a second time
    8080 : ?
    0320 - 6 : Product code : 0
    80F0 - 64 : A signature? Equivalent to TI-68k's field 0200? (but it doesn't seem to be the MD5 of the product code). The first 8 bytes and the last 16 bytes are the same on TI-Nspire and TI-Nspire CAS.
    8210 : ? 24ED68 on TI-Nspire, 0BA9CB on TI-Nspire CAS
    8200 : Starts with PK. PK-Zipped file system, see further.
    8070 - TI-Nspire:2403720, TI-Nspire CAS:2339224 - @TI-Nspire: A7F36, @TI-Nspire CAS: 490E2: Encrypted, probably also compressed. Contains the OS code. Only the first 8 bytes are the same between the .tno and the .tnc. The size is a multiple of 32, so a 128- or 256-bit symmetric encryption may be used. It may be one of the algorithms supported by Nucleus RTOS.
0240 (024D) - 128 - @TI-Nspire: 2F2CBE, @TI-Nspire CAS : 28427A: the signature of the .img, similar to TI-68k's 64 bytes long field 0200.
FFF0 - 0 : END_OF_CERT

The encrypted field 8070 is 195568 bytes longer in the .tno than in the .tnc; that is, the TI-84 Plus emulator of the TI-Nspire would be ~200kb bigger than the CAS of the TI-Nspire CAS! Maybe both OSes integrate a CAS, but it is not enabled on the TI-Nspire.

Directory Listing

Directory listing of ti-nspire.img (TI-Nspire CAS version), from WinRAR 3.71.

.\
 \documents\
           \MyLib\
                 \linalgcas.tns             (TI-Nspire Document)
 \phoenix\
         \clnk\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \ctlg\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \dcol\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \dlog\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \dtst\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \geog\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \math\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \mwiz\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \ntpd\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \pged\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \scpd\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \syst\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \tblt\
              \locales\
                      \da\
                         \strings.res
                      \de\
                         \strings.res
                      \en\
                         \strings.res
                      \es\
                         \strings.res
                      \fi\
                         \strings.res
                      \fr\
                         \strings.res
                      \it\
                         \strings.res
                      \nl\
                         \strings.res
                      \nl_BE\
                            \strings.res
                      \no\
                         \strings.res
                      \pt\
                         \strings.res
                      \sv\
                         \strings.res
         \components            (no file extension)

Compressed file system

Field 8200 of TI-Nspire.img contains PK-Zipped files, used to set up the file system of the TI-Nspire. Its structure probably follows the target file system tree. The .tnc and .tno both have a phoenix/ directory, with a sub-directory for each module of the OS which contain localized resource files (.res), the 'getting started' .tnc file, and factory settings. The .tnc has a special directory ti84/ which contains an image of the TI-84 Plus archive memory split into 64kb files, used to set up the memory of the emulated TI-84 Plus. Some flash apps are preinstalled in this image.

The files in the sub-directory phoenix/ are the same between the TI-Nspire and the TI-Nspire CAS, except for the sample document Getting Started, the .res files of ctlg (catalog) and syst (system), and the factory settings in factory.zip (the TI-Nspire is set to real for Real or Complex, the TI-Nspire is set to 4=??).

boot2.cer

Only present if the OS file contains an update of the boot 2.

Contains the field 340 of boot2.img and its signature 240.

boot2.img

Only present if the OS file contains an update of the boot 2.

Structure (TI-Nspire 1.4 as example):

8000
    8040 : Product Name: 'BOOT2 '
    8010 : ProductID '50C'
    8010 : ProductID '50E'
    8020 : Product ID '1.4.1571'
    8020 : Product ID (empty)
    8080 : ??? 1180000000000001
    0320 - 6 : Product Code: 0
    8070 : Encrypted, probably also compressed.
0240 - 128 - @TI-Nspire 1.4: 12FEC7. Signature.
340 - 146 : ???
    0270 - 1 : ??? \x00
    0260 - 140 : 1024-bit RSA public key
0240 - 128: Signature (of field 340?)
FFF0 - 0 : END_OF_CERT

1024-bit RSA public keys

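These keys can be found in boot2.cer, boot2.img and TI-Nspire.cer. They are formatted in ASN.1 DER format, as described at http://www.jensign.com/JavaScience/dotnet/JKeyNet/ or http://stackoverflow.com/questions/1281102/reading-a-asn-1-der-encoded-rsa-public-key. As a byte sequence, the format is:

30 81 89 02 81 81 00 [128 bytes: the key] 02 03 01 00 01

The final 01 00 01 is the RSA public exponent: the big-endian integer 0x010001, which is 65537, a common value for e.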

The meaning of these keys is currently unknown.
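A small DER reader for the 140-byte field 0260, as an added example (not code from this page or from TI). It goes slightly beyond the fixed byte pattern above by decoding the tag and length bytes generically; the function names are assumptions, and the sample modulus is constructed filler, not a real key.

```python
def read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(field: bytes):
    """Decode SEQUENCE { INTEGER n, INTEGER e }; return (n, e)."""
    seq, end = read_tlv(field, 0, 0x30)        # 30 81 89: 137-byte SEQUENCE
    if end != len(field):
        raise ValueError("trailing bytes after SEQUENCE")
    # 02 81 81: 129-byte INTEGER = 00 sign byte + 128-byte modulus
    n_bytes, pos = read_tlv(seq, 0, 0x02)
    e_bytes, pos = read_tlv(seq, pos, 0x02)    # 02 03 01 00 01
    if pos != len(seq):
        raise ValueError("unexpected extra element")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


PREFIX = bytes.fromhex("30818902818100")       # fixed start given on the page


def find_keys(blob: bytes):
    """Scan a .cer/.img dump for key fields; return [(offset, n, e), ...]."""
    keys, at = [], blob.find(PREFIX)
    while at >= 0:
        try:
            keys.append((at, *parse_rsa_public_key(blob[at:at + 140])))
        except ValueError:
            pass                               # prefix matched by chance
        at = blob.find(PREFIX, at + 1)
    return keys


# Constructed sample: filler modulus with the top bit set (not a real key).
SAMPLE_MODULUS = bytes([0xC3]) + bytes(range(1, 127)) + bytes([0x01])
SAMPLE_FIELD = PREFIX + SAMPLE_MODULUS + bytes.fromhex("0203010001")

if __name__ == "__main__":
    n, e = parse_rsa_public_key(SAMPLE_FIELD)
    print(len(SAMPLE_FIELD), n.bit_length(), e)
```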

We need your help

  • Find out what the unknown fields of TI-Nspire.cer and TI-Nspire.img mean
  • Help us to break the encryption of field 8070 in TI-Nspire.img
  • Find all the differences between the official release of the TI-84 Plus OS and the OS image used in the TI-Nspire for its emulator. But DON'T try to flash it to your TI-84 Plus. The TilEm emulator which worked perfectly with all real TI-84 Plus ROMs up to 2.43, just freezes with the 2.44 & 2.46 special Nspire ROM dumped with TiLP: this is because all Nspire 84+SE OSes contain invalid instructions (to perform emulator functions) which will lock any real calculator or emulator.