
How does Ndless (3.9 specifically) work?

Started by Strontium, April 23, 2015, 05:56:22 AM



Strontium

As in, what exploits does it use, and how it allows native programs to run.

Also, does a persistent version of Ndless for OS 3.9 ever have a chance to exist?
  • Calculators owned: TI Nspire CX, HP Prime
  • Consoles, mobile devices and vintage computers owned: NES

Duke "Tape" Eiyeron

I'm sure that to avoid TI blocking the exploit in further versions, nDless devs won't tell you their secrets anytime soon. :-°
  • Calculators owned: A lot.

Strontium

Awh man! I find that kind of stuff really interesting.
  • Calculators owned: TI Nspire CX, HP Prime
  • Consoles, mobile devices and vintage computers owned: NES

Duke "Tape" Eiyeron

Yeah, methinks the same but welp, with TI's current position against nDless, we can't really do much more. :/
  • Calculators owned: A lot.

Snektron

I guess they won't release the source to avoid TI knowing their exploits?
  • Calculators owned: TI-84+
Legends say if you spam more than DJ Omnimaga, you will become a walrus...


matrefeytontias

Except that Ndless has always been open-source: https://github.com/ndless-nspire/Ndless

I don't see any reason why Ndless devs wouldn't explain the process if you mail them.
  • Calculators owned: TI-83+.fr, TI-Nspire CAS prototype, TI-84+ CSE, TI-Nspire CX
My TI games (some got their own article on non-calc websites!): http://www.ticalc.org/archives/files/authors/112/11202.html

My moozik (100% free metal) : http://www.soundcloud.com/matrefeytontias

Dream of Omnimaga

They probably won't mind explaining the exploits privately, not publicly, and even privately they might be careful to only tell trusted community members, in case TI signed up on a calc forum in disguise to harvest information from developers.
  • Calculators owned: TI-82 Advanced Edition Python TI-84+ TI-84+CSE TI-84+CE TI-84+CEP TI-86 TI-89T cfx-9940GT fx-7400G+ fx 1.0+ fx-9750G+ fx-9860G fx-CG10 HP 49g+ HP 39g+ HP 39gs (bricked) HP 39gII HP Prime G1 HP Prime G2 Sharp EL-9600C
  • Consoles, mobile devices and vintage computers owned: Huawei P30 Lite, Moto G 5G, Nintendo 64 (broken), Playstation, Wii U

Vogtinator

Hi, I guess that's also my first post here.
Although the idea of the exploit is not by me, I had to rewrite it to make it possible to use it for ndless installation.
It's definitely not a secret anymore as ndless is open source and TI already fixed the vulnerability in 4.0 (correctly, with vsnprintf).
The vulnerability lies in a serial logging function not checking the buffer size, basically the usual
char buffer[256];
sprintf(buffer, "%s", string);

bug you find everywhere as the typical example for buffer overflows.
In Q&A mode (that's when you have questions in a document your teacher can correct), there are some more functions publicly accessible,
like "tiassert.assert", printing an error message if the assertion fails. This is used to trigger the buffer overflow in the logging function.
Exploiting it wasn't particularly easy as "buffer" is on the heap and thus away from any code that could be overwritten easily.
Also, the exploit string must not contain any 0-bytes as sprintf stops on those.
Exactly 0xbffa2 bytes after the start of buffer there's a pointer pointing to a structure with some function pointers in it we can overwrite to point
to controlled data. The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again.
At this point, custom code is executed and ndless_resources loaded into memory and executed, the struct pointer reset and ndless is installed.
Most of the magic happens in MakeQnAInst, so if you want to take a look at it, it should make more sense now with the explanation above.
Ndless 3.6 worked in a similar way, but it was not an overflow in the logging function, it was in the toolpalette, triggered by opening the menu.
Ndless 3.1 was reboot proof because the vulnerability was triggered on booting, AFAIK it was something unchecked in the header of the OS file.
  • Calculators owned: TI-Nspire CX CAS, Casio FX-85ES
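As an added example (not Ndless or TI code), the unchecked sprintf pattern from the post beside a bounded vsnprintf variant of the kind the 4.0 fix used; the function names, the 256-byte size and the sample input are assumed.

```c
/* Added example, not Ndless or TI code. Function names, LOG_BUF_SIZE
 * and the sample input are assumptions, not taken from the OS. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 256

/* Vulnerable pattern from the post: no length check, so a string longer
 * than 255 bytes writes past 'buffer'. Kept only for comparison and
 * never called with untrusted input here. */
static void serial_log_unsafe(const char *string)
{
    char buffer[LOG_BUF_SIZE];
    sprintf(buffer, "%s", string);  /* writes strlen(string)+1 bytes */
    (void)buffer;                   /* would be sent to the serial port */
}

/* Hardened variant: vsnprintf bounds the write to out_size bytes and
 * returns the length the full message needed, so truncation is visible.
 * Returns 1 if the message did not fit, 0 otherwise. */
static int serial_log_bounded(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    return needed < 0 || (size_t)needed >= out_size;
}

/* Push a constructed 300-byte string through the bounded logger and
 * report how much was kept; the buffer stays NUL-terminated at 255. */
static int demo_overlong_message(size_t *logged_len)
{
    char message[301];
    memset(message, 'A', 300);
    message[300] = '\0';

    char buffer[LOG_BUF_SIZE];
    int truncated = serial_log_bounded(buffer, sizeof buffer, "%s", message);
    *logged_len = strlen(buffer);
    return truncated;
}

int main(void)
{
    size_t len;
    int truncated = demo_overlong_message(&len);
    printf("logged %zu bytes, truncated=%d\n", len, truncated);
    serial_log_unsafe("short message fits fine");
    return 0;
}
```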

Dream of Omnimaga

Hiya and welcome Vogtinator. Reboot-proofness was why I kept OS 3.1 for so long personally. I might upgrade to 3.6 soon once I've learned how to use and install nLaunchy, but 3.9 is staying away from my calc as long as possible (and is why the programming contest requires every Nspire entry to run on 3.1 or 3.6 (doesn't necessarily have to be both)).
  • Calculators owned: TI-82 Advanced Edition Python TI-84+ TI-84+CSE TI-84+CE TI-84+CEP TI-86 TI-89T cfx-9940GT fx-7400G+ fx 1.0+ fx-9750G+ fx-9860G fx-CG10 HP 49g+ HP 39g+ HP 39gs (bricked) HP 39gII HP Prime G1 HP Prime G2 Sharp EL-9600C
  • Consoles, mobile devices and vintage computers owned: Huawei P30 Lite, Moto G 5G, Nintendo 64 (broken), Playstation, Wii U

Strontium

Quote from: Vogtinator on May 01, 2015, 11:08:03 AM
Hi, I guess that's also my first post here.
Although the idea of the exploit is not by me, I had to rewrite it to make it possible to use it for ndless installation.
It's definitely not a secret anymore as ndless is open source and TI already fixed the vulnerability in 4.0 (correctly, with vsnprintf).
The vulnerability lies in a serial logging function not checking the buffer size, basically the usual
char buffer[256];
sprintf(buffer, "%s", string);

bug you find everywhere as the typical example for buffer overflows.
In Q&A mode (that's when you have questions in a document your teacher can correct), there are some more functions publicly accessible,
like "tiassert.assert", printing an error message if the assertion fails. This is used to trigger the buffer overflow in the logging function.
Exploiting it wasn't particularly easy as "buffer" is on the heap and thus away from any code that could be overwritten easily.
Also, the exploit string must not contain any 0-bytes as sprintf stops on those.
Exactly 0xbffa2 bytes after the start of buffer there's a pointer pointing to a structure with some function pointers in it we can overwrite to point
to controlled data. The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again.
At this point, custom code is executed and ndless_resources loaded into memory and executed, the struct pointer reset and ndless is installed.
Most of the magic happens in MakeQnAInst, so if you want to take a look at it, it should make more sense now with the explanation above.
Ndless 3.6 worked in a similar way, but it was not an overflow in the logging function, it was in the toolpalette, triggered by opening the menu.
Ndless 3.1 was reboot proof because the vulnerability was triggered on booting, AFAIK it was something unchecked in the header of the OS file.

Oh, neat. I learned about buffer exploits a while ago with this video by Tom Scott:


Also, why does the exploit require connecting the calculator to the computer? Does it have something to do with the serial logging?
  • Calculators owned: TI Nspire CX, HP Prime
  • Consoles, mobile devices and vintage computers owned: NES

Dream of Omnimaga

Could it be that the exploit can only be triggered via USB communication?
  • Calculators owned: TI-82 Advanced Edition Python TI-84+ TI-84+CSE TI-84+CE TI-84+CEP TI-86 TI-89T cfx-9940GT fx-7400G+ fx 1.0+ fx-9750G+ fx-9860G fx-CG10 HP 49g+ HP 39g+ HP 39gs (bricked) HP 39gII HP Prime G1 HP Prime G2 Sharp EL-9600C
  • Consoles, mobile devices and vintage computers owned: Huawei P30 Lite, Moto G 5G, Nintendo 64 (broken), Playstation, Wii U

Vogtinator

Quote from: DJ Omnimaga on May 02, 2015, 07:23:41 AM
Could it be that the exploit can only be triggered via USB communication?

Quote: The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again.

Edit: Hmm, the bold tag doesn't show up in quotes, it should be that is called on USB connection.
  • Calculators owned: TI-Nspire CX CAS, Casio FX-85ES

Dream of Omnimaga

Ah right, I didn't really get that part for some reason. Also bold appears to work fine in quotes in Chrome.
  • Calculators owned: TI-82 Advanced Edition Python TI-84+ TI-84+CSE TI-84+CE TI-84+CEP TI-86 TI-89T cfx-9940GT fx-7400G+ fx 1.0+ fx-9750G+ fx-9860G fx-CG10 HP 49g+ HP 39g+ HP 39gs (bricked) HP 39gII HP Prime G1 HP Prime G2 Sharp EL-9600C
  • Consoles, mobile devices and vintage computers owned: Huawei P30 Lite, Moto G 5G, Nintendo 64 (broken), Playstation, Wii U

Unicorn

Bold appears in quotes on Safari IOS...
  • Calculators owned: I own all of them: PICKACHUP TI 84+ CSE TI 83+ SE TI something something
  • Consoles, mobile devices and vintage computers owned: PICKACHUP