,
28 tweets,
11 min read
Read on Twitter
Next up at @BSidesKnoxville on the Scruffy City Hall stage is @brandonwilson telling the history of Texas Instruments graphing calculator hacking! I've been waiting years for this lecture. 
He has one of every model, including engineering prototypes and development samples.
ZSHELL on the TI-85 executes native code by patching a function pointer in the Custom Menu through a patched backup of SRAM. You can then run other native code from string variables.
TI 82 had no Custom Menu, but it still had RAM backups, so they changed the address of a variable to be CxMain and then copied an address into it from a real variable!
TI 83 had a backdoor in Send(), and for the TI 86, they made it an official feature with public documentation and OS hooks!
"I don't want to offend anybody, but I really hate these models."
Hardware is identical, but they really want to keep the European firmware on the right from running on the American model on the left.
"So you had to pay good money to sign free applications!"
Press-to-Test is a key combo that locks the calculator out of advanced features until it's connected to a computer, so if you don't like somebody, you can quickly hit three buttons and they can't do their classwork!
He's now explaining how the Z80 devices lock their flash memory. There us a simple sequence of instructions, but they *must* run from a privileged page and interrupts are disabled. You can't modify the OS unless you are the OS, or you are clever.
They check for tricky stack addresses and page mappings.
The stack pointer trick they check for would be to have the stack in ROM, returning to the wrong address. Sadly, they check for it.
Another brilliant trick that can't quite work involves executing off-by-one, so that the right bytes are read but they execute very differently.
83+ Silver Edition has an extra memory bank, whose mapping they forgot to check! This lets them mirror banks to corrupt the return pointer, allowing a return to the exploit while flash is still unlocked!
But what they really wanted was a universal exploit, that wasn't model specific.
So they considered that the smallest app was larger than RAM and must be written in pieces, and they might repurpose this as a ram to ram memcpy.
So they considered that the smallest app was larger than RAM and must be written in pieces, and they might repurpose this as a ram to ram memcpy.
But software bugs come and go, and even with a large collection, it might run out. So one guy on one PC factored the RSA512 key in one month!
TI scared him silent with a house call, so the community factored the remaining keys!
Kind thanks to the @EFF for saving the day!
TI scared him silent with a house call, so the community factored the remaining keys!
Kind thanks to the @EFF for saving the day!
So then TI switches to RSA2048, which takes SIX MINUTES on an eight bit micro! A new exploit is needed.
The length field isn't checked, so they can overflow all of RAM into corrupting the call stack!
84+ and 84+ silver edition are the same software, with checks for IO port to know where the topmost page is mapped. But also writing to port 21 control the write locking, so they can modify the boot code!
And lo, they modified the boot page to disable the signature check, and it was good!
And with the TI 84+ C Silver Edition, TI reused the community's trick to defeat their own write protection!
The the 84+ CE, they ditched Z80 for eZ80, and paging for flat layout. Protection is now by region, not by page.
But the eZ80 has Z80 emulation, and the protections of IO ports doesn't work in Z80 mode!
And for the TI82 Advanced, the old memory backup trick from decades ago can be ported if you write your own linking software!
Damn this was a fine talk, a fitting tribute to the machines that taught so many of us assembly language for the very first time.
And sadly, I tagged the wrong Brandon Wilson. Follow @brandonlwilson for top notch reverse engineering work.
