--- Log opened Mon Jul 21 00:00:09 2008
[00:24:04] -!- Merthsoft [~Shaun@cpe-76-181-104-44.columbus.res.rr.com] has quit [Read error: Operation timed out]
[01:36:10] -!- Recursive [~Recursive@12-216-45-89.client.mchsi.com] has joined #tiasm
[01:44:06] -!- Recursive [~Recursive@12-216-45-89.client.mchsi.com] has quit [Bye for now.]
[01:54:18] -!- BrandonW [~calcmaste@75.130.72.232] has quit []
[01:58:39] -!- BrandonW [~calcmaste@75.130.72.232] has joined #tiasm
[02:23:02] -!- Merthsoft [~Shaun@cpe-76-181-108-88.columbus.res.rr.com] has joined #tiasm
[02:23:14] -!- mode/#tiasm [+v Merthsoft] by efneTI89, efneTI80
[02:43:55] -!- Recursive [~Recursive@12-216-15-194.client.mchsi.com] has joined #tiasm
[03:56:15] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has joined #tiasm
[04:30:15] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has quit [Changing server]
[04:32:05] -!- Kerrick [~Kerrick@12-216-15-194.client.mchsi.com] has joined #tiasm
[04:32:31] -!- Kerrick is now known as Recursiv3
[04:37:25] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has quit [leaving]
[05:03:02] -!- Tari is now known as Tari|zzz
[05:17:56] -!- Recursive [~Recursive@12-216-15-194.client.mchsi.com] has quit [Leaving]
[05:37:41] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has joined #tiasm
[06:03:07] -!- BrandonW [~calcmaste@75.130.72.232] has quit [Read error: Connection reset by peer]
[06:03:09] -!- BrandonW_ [~calcmaste@75.130.72.232] has joined #tiasm
[06:03:19] -!- BrandonW_ is now known as BrandonW
[06:34:41] -!- Boxknife [~chatzilla@c-98-198-238-21.hsd1.tx.comcast.net] has joined #tiasm
[06:36:20] < Boxknife> Wow, where'd all these people come from?
[06:36:23] < Boxknife> :O
[06:40:45] < BrandonW> They followed me.
[06:43:02] < Boxknife> Hi people
[06:45:46] < BrandonW> This is so wrong, but I'm pretty sure we can have ourselves a small, universal 83+ Flash unlock exploit.
[06:46:48] < BrandonW> Previously to work on OS 1.12 and below, you'd need a Flash application.
[06:47:26] < BrandonW> It's ugly...but it can work.
[06:50:06] < Boxknife> Neat
[06:51:32] -!- Merthsoft [~Shaun@cpe-76-181-108-88.columbus.res.rr.com] has quit [Ping timeout: 240 seconds]
[06:57:16] < BrandonW> Okay, maybe not. 1.03 sucks.
[07:01:33] < BrandonW> Oh, I saw this and then forgot about it...Write-to-Flash is in 1.19 as well.
[07:01:38] < BrandonW> So both 83+ and 84+ users have it.
[07:04:50] < BrandonW> That means...
[07:04:54] < BrandonW> They're still thinking of us poor 83+ users.
[07:05:02] < BrandonW> Perhaps we should search 1.19 for other things.
[07:05:18] < BrandonW> And come up with a legitimate use for using Write-to-Flash.
[07:05:45] < Recursiv3> What is Write-to-Flash?
[07:05:47] < BrandonW> If you need to create an app or write an appvar directly to the archive...there's your functionality.
[07:06:01] < BrandonW> It's an extension to the OS that lets you create Flash applications.
[07:06:07] < BrandonW> And also write appvars directly to the archive.
[07:06:22] < BrandonW> In 83+/SE OSes 1.19+ and 84+/SE OSes 2.40+.
[07:07:03] < BrandonW> And also the source of some ridiculously stupid Flash unlock exploits.
[07:07:24] < BrandonW> The entry point is BCALL 50CBh.
[07:07:43] < BrandonW> All you have to do is "ld a,1 \ ld (appInfo+2),a \ bcall(50CBh)" and Flash is unlocked.
[07:07:58] * BrandonW headdesks
[07:08:00] < Boxknife> lol
[07:08:38] < BrandonW> I documented it...
[07:08:46] < BrandonW> http://brandonw.net/calcstuff/WriteToFlash.txt if memory serves.
[07:09:03] < Recursiv3> "Lets you create flash applications" means that it is intended to do that?
[07:09:12] < BrandonW> Yes, that is its actual purpose.
[07:09:17] < BrandonW> TI-Navigator uses it to do exactly that.
[07:09:27] < Boxknife> How do you find this stuff?
[07:09:50] < BrandonW> I live a sad, miserable existence and I disassemble all OS versions as well as their official Flash applications.
[07:10:05] < Boxknife> It seems almost magical
[07:10:16] < Boxknife> lol, wow. What do you use to disassemble them?
[07:10:28] < BrandonW> We found Write-to-Flash in a secret TI Word document which explains changes between OS versions, and that was mentioned in it. So I took it upon myself to find it.
[07:10:31] < BrandonW> IDA Pro.
[07:10:55] < Boxknife> Awesome
[07:11:00] < BrandonW> The Word document we found is basically this: http://wikiti.denglend.net/index.php?title=83Plus:OS:VersionDifferences
[07:11:50] < Boxknife> Wow.
[07:12:00] < BrandonW> The reason why none of us could find it is because they replaced an old BCALL (50CBh).
[07:12:03] < BrandonW> We kept looking at new ones.
[07:12:25] < BrandonW> I really have no idea what the old one did, but my absolute best guess is that it lets you receive a Flash application over I/O.
[07:12:36] < BrandonW> So they killed that.
[07:13:20] < BrandonW> We would even overlook it in the TI-Navigator disassembly.
[07:13:21] < Boxknife> Hey, happy birthday! lol
[07:13:23] < BrandonW> Since it was an old BCALL.
[07:13:28] < BrandonW> Thank you.
[07:13:54] < Recursiv3> Was it 2:19 or 2:29?
[07:14:00] < BrandonW> 2:19.
[07:15:06] < Boxknife> I don't think I even know how to write a Flash Application. Do you need to manually load parts of the program into the RAM like in overlays?
[07:15:35] < BrandonW> Write-to-Flash is intended for you to call it first with an app header, and then again as many times as you want to write as much as you want.
[07:16:04] < BrandonW> Every app has a max 128-byte header which describes pretty much everything about it.
[07:16:21] < BrandonW> Name, minimum OS version, splash screen on/off, trial information, number of pages, etc...
[07:16:39] < BrandonW> It uses that to set up some memory in the certificate so it can remember the upper/lower bounds for the area you're allowed to write to.
[07:16:47] < BrandonW> That's how it prevents you from using it to write to Flash just anywhere.
[07:17:30] < BrandonW> Which is really smart, and really overkill.
[07:17:40] < BrandonW> Fortunately, they're idiots and didn't implement it correctly.
[07:19:09] < BrandonW> And they do actually check, you can only use it for appvars.
[07:19:11] < BrandonW> No other types.
[07:19:13] < BrandonW> And apps.
[07:20:21] < BrandonW> Hm...I wonder how they stop you from writing funky apps...
[07:20:28] < BrandonW> Ones that don't sign properly.
[07:20:33] < BrandonW> They probably don't.
[07:20:59] < BrandonW> So you could write something PC-side or even calc-side to send an invalid app to a TI-Navigator equipped calculator.
[07:21:22] < BrandonW> I'm sure TI-Navigator tries to delete it if it finds it invalid, that's why you'd send the whole thing, and then keep sending it garbage over and over to some other address.
[07:21:27] < BrandonW> And while that's going on, you could pull the battery.
[07:21:32] < BrandonW> But that's speculation.
[07:21:43] < BrandonW> Anyway, I'm going to do something scary and attempt some sleep.
[07:21:47] < BrandonW> I get up in 3 hours.
[07:22:02] < Recursiv3> What changes were made in the recent upgrades to the operating system of the original 84+?
[07:22:04] < Boxknife> Good night, good to see you again
[07:22:28] < BrandonW> That page describes all the 84+/SE OS changes.
[07:22:32] < BrandonW> I'm not sure what else you mean.
[07:22:36] < Recursiv3> Goodnight and never mind.
[07:23:06] < BrandonW> 1.x is 83+ and 83+SE, 2.x is 84+ and 84+SE.
[07:23:13] < BrandonW> It's the same OS for the 84+ and the 84+SE.
[07:23:38] < BrandonW> Although you CAN put 1.19 on an 84+SE.
[07:23:45] < BrandonW> But it's odd.
[07:24:11] < BrandonW> 2.43 on an 83+SE...I tried it and it doesn't work, but with some tweaking I think it could.
[07:24:23] < BrandonW> But that's another day.
[08:01:17] -!- [1]Recurs [~Recursiv3@12-216-15-194.client.mchsi.com] has joined #tiasm
[08:03:40] -!- [1]Recurs [~Recursiv3@12-216-15-194.client.mchsi.com] has quit [Read error: Connection reset by peer]
[08:03:41] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has quit [Read error: Connection reset by peer]
[08:35:12] -!- Boxknife [~chatzilla@c-98-198-238-21.hsd1.tx.comcast.net] has quit [Quit: ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]]
[08:35:17] -!- boxknife_ [~goodbitst@c-98-198-238-21.hsd1.tx.comcast.net] has joined #tiasm
[08:49:42] -!- boxknife_ is now known as boxknife
[08:49:44] -!- boxknife [~goodbitst@c-98-198-238-21.hsd1.tx.comcast.net] has quit [Connection closed]
[08:50:27] -!- boxknife [~goodbitst@c-98-198-238-21.hsd1.tx.comcast.net] has joined #tiasm
[09:47:16] -!- NikkyJr [~nikky@dante01.u.washington.edu] has joined #tiasm
[09:47:46] -!- Nikky [~nikky@dante01.u.washington.edu] has quit [Ping timeout: 480 seconds]
[13:36:47] -!- NikkyJr is now known as Nikky
[15:07:45] -!- Recursive [~Recursive@12-216-15-194.client.mchsi.com] has joined #tiasm
[15:07:59] -!- Tari|zzz is now known as Tari
[17:03:32] -!- sgm [~sgm@d75-155-170-78.bchsia.telus.net] has joined #tiasm
[17:22:30] -!- Recursive is now known as Recuraway
[17:23:04] -!- sgm [~sgm@d75-155-170-78.bchsia.telus.net] has left #tiasm [Konversation terminated!]
[17:24:31] -!- Recuraway is now known as Recursive
[17:46:39] -!- Merthsoft [~Shaun@140.141.215.129] has joined #tiasm
[17:46:49] -!- mode/#tiasm [+v Merthsoft] by Remius
[18:47:52] -!- Storm_Log [~TheStorm@CPE-75-86-224-40.wi.res.rr.com] has quit [Ping timeout: 306 seconds]
[18:50:49] -!- Storm_Log [~TheStorm@CPE-75-86-224-40.wi.res.rr.com] has joined #tiasm
[18:51:02] -!- mode/#tiasm [+v Storm_Log] by SnowCrash
[19:02:06] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has joined #tiasm
[19:02:33] < Recursiv3> BrandonW, do you know what was changed in 2.43?
[19:03:34] <+Tari> I know they fixed the clock
[19:03:43] <+Tari> it no longer resets upon a RAM clear
[19:03:44] < Recursiv3> Howso?
[19:03:54] < Recursiv3> I see.
[19:04:12] <+Tari> probably added a couple more useless bcalls
[19:05:23] < Recursiv3> The WikiTI page doesn't have any data about 2.43.
[19:33:05] -!- Merthsoft [~Shaun@140.141.215.129] has quit [Read error: Connection reset by peer]
[20:00:45] -!- Recursiv3 [~Kerrick@12-216-15-194.client.mchsi.com] has quit [leaving]
[20:31:14] -!- Remius [~Remius@c-67-161-29-44.hsd1.ca.comcast.net] has quit [Read error: Operation timed out]
[20:35:28] -!- Remius [~Remius@c-67-161-29-44.hsd1.ca.comcast.net] has joined #tiasm
[20:37:20] -!- mode/#tiasm [+o Remius] by efneTI80
[20:43:33] < Recursive> How many bits does the RSA encryption in the TI-OS use?
[20:44:09] <+Tari> it handles the Rabin stuff
[20:44:20] <+Tari> the public key is 512 bits
[20:44:49] < Recursive> The OS for the 83+ uses 512 bits?
[20:45:41] -!- BrandonW [~calcmaste@75.130.72.232] has quit [Ping timeout: 370 seconds]
[20:46:40] < Recursive> I was thinking that it could probably be hacked if it were 32 bits, but that would be too easy.
[20:48:31] <+Tari> yeah
[20:49:05] <+Tari> if someone wants to try to factor the public key into 2 256-bit primes..
[20:49:53] < Recursive> Factoring is much better than brute force, right?
[20:52:14] <+Tari> yeah
[20:52:19] < Recursive> I was figuring that for a 32 bit encryption, a 2 GHz processor could generate a 16 GB lookup table for all of the possible 32 bit numbers in a few days.
[20:52:20] <+Tari> er
[20:52:32] <+Tari> factoring is basically brute force
[20:52:50] <+Tari> you factor the public key into the two primes which generated it
[20:52:56] < Recursive> But then I realize that my calculator could probably factor a 32 bit number xD
[20:53:09] <+Tari> the two primes constitute the private key
[20:53:32] < Recursive> Yeah, I know how it works.
[20:55:30] <+Tari> if you have a fast machine and lots of time, you could start it running a general number field sieve on it
[20:56:18] < Recursive> How would that work?
[20:58:26] < Recursive> 2^256 is about 1.15*10^77. I figure that if you divide by about 10 for skipped numbers, 10^7 for processor capabilities, and 10^4 for a distributed computing project encompassing the entire TI community, you're still nowhere there.
[20:58:30] <+Tari> that's the most efficient way to factor very large numbers
[21:51:20] -!- sgm [~sgm@d75-155-170-78.bchsia.telus.net] has joined #tiasm
[22:02:08] -!- Merthsoft [~Shaun@cpe-76-181-97-99.columbus.res.rr.com] has joined #tiasm
[22:02:16] -!- mode/#tiasm [+v Merthsoft] by efneTI85
[22:36:56] -!- Merth [~Shaun@cpe-76-181-97-99.columbus.res.rr.com] has joined #tiasm
[22:37:06] -!- mode/#tiasm [+v Merth] by efneTI83
[22:38:20] -!- Merthsoft [~Shaun@cpe-76-181-97-99.columbus.res.rr.com] has quit [Ping timeout: 240 seconds]
[23:00:52] -!- Tari [~Tari@mke-66-97-118-227.milwpc.com] has quit [Quit: router switchover]
[23:09:09] -!- sgm [~sgm@d75-155-170-78.bchsia.telus.net] has left #tiasm [Konversation terminated!]
[23:24:01] -!- Spence1 [~Spencer@76.252.186.42] has joined #tiasm
[23:31:31] -!- Tari [~Tari@mke-66-97-119-241.milwpc.com] has joined #tiasm
[23:31:44] -!- mode/#tiasm [+v Tari] by efneTI92
[23:40:58] -!- Tari_ [~Tari@mke-66-97-119-183.milwpc.com] has joined #tiasm
[23:41:08] -!- mode/#tiasm [+v Tari_] by efneTI86
[23:43:57] -!- Tari [~Tari@mke-66-97-119-241.milwpc.com] has quit [Ping timeout: 246 seconds]
[23:52:13] -!- Tari_ is now known as Tari
[23:58:05] -!- DrDnar [DrDnar@dialup-4.249.210.81.Dial1.Washington2.Level3.net] has joined #tiasm
[23:58:21] -!- mode/#tiasm [+v DrDnar] by Remius
--- Log closed Tue Jul 22 00:00:09 2008