
Author Topic: How does Ndless (3.9 specifically) work?

Offline Strontium

How does Ndless (3.9 specifically) work?
« on: April 23, 2015, 05:56:22 am »
As in, what exploits does it use, and how it allows native programs to run.

Also, does a persistent version of Ndless for OS 3.9 ever have a chance to exist?



Offline Duke "Tape" Eiyeron

Re: How does Ndless (3.9 specifically) work?
« Reply #1 on: April 23, 2015, 07:19:57 am »
I'm sure that to avoid TI blocking the exploit in further versions, Ndless devs won't tell you their secrets anytime soon. :-°

Offline Strontium

Re: How does Ndless (3.9 specifically) work?
« Reply #2 on: April 23, 2015, 07:20:51 am »
Awh man! I find that kind of stuff really interesting.

Offline Duke "Tape" Eiyeron

Re: How does Ndless (3.9 specifically) work?
« Reply #3 on: April 23, 2015, 07:33:15 am »
Yeah, methinks the same, but welp, with TI's current position against Ndless, we can't really do much more. :/

Offline Snektron

Re: How does Ndless (3.9 specifically) work?
« Reply #4 on: April 23, 2015, 07:47:32 am »
I guess they won't release the source to avoid TI knowing their exploits?

Offline matrefeytontias

Re: How does Ndless (3.9 specifically) work?
« Reply #5 on: April 23, 2015, 03:23:04 pm »
Except that Ndless has always been open-source: https://github.com/ndless-nspire/Ndless

I don't see any reason why Ndless devs wouldn't explain the process if you mail them.

Online xlibman

Re: How does Ndless (3.9 specifically) work?
« Reply #6 on: April 23, 2015, 03:37:40 pm »
They probably won't mind explaining the exploits privately, not publicly, and even privately they might be careful to only tell trusted community members, in case TI signed up on a calc forum in disguise to harvest information from developers.

Offline Vogtinator

Re: How does Ndless (3.9 specifically) work?
« Reply #7 on: May 01, 2015, 11:08:03 am »
Hi, I guess that's also my first post here.
Although the idea of the exploit is not by me, I had to rewrite it to make it possible to use it for ndless installation.
It's definitely not a secret anymore as ndless is open source and TI already fixed the vulnerability in 4.0 (correctly, with vsnprintf).
The vulnerability lies in a serial logging function not checking the buffer size, basically the usual
Code:
char buffer[256];
sprintf(buffer, "%s", string);
bug you find everywhere as the typical example for buffer overflows.
In Q&A mode (that's when you have questions in a document your teacher can correct), there are some more functions publicly accessible,
like "tiassert.assert", printing an error message if the assertion fails. This is used to trigger the buffer overflow in the logging function.
Exploiting it wasn't particularly easy as "buffer" is on the heap and thus away from any code that could be overwritten easily.
Also, the exploit string must not contain any 0-bytes as sprintf stops on those.
Exactly 0xbffa2 bytes after the start of buffer there's a pointer pointing to a structure with some function pointers in it we can overwrite to point
to controlled data. The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again.
At this point, custom code is executed and ndless_resources loaded into memory and executed, the struct pointer reset and ndless is installed.
Most of the magic happens in MakeQnAInst, so if you want to take a look at it, it should make more sense now with the explanation above.
Ndless 3.6 worked in a similar way, but it was not an overflow in the logging function, it was in the toolpalette, triggered by opening the menu.
Ndless 3.1 was reboot proof because the vulnerability was triggered on booting, AFAIK it was something unchecked in the header of the OS file.
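Added example, not code from Ndless or from TI's OS: the unbounded sprintf pattern Vogtinator quotes, next to a vsnprintf-bounded logging function in the spirit of the 4.0 fix, with a return value that reports when a message had to be truncated. The 256-byte buffer size is from the post; the function names and the serial-log framing are hypothetical.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the OS log buffer size named in the post. */
#define LOG_BUF_SIZE 256

/* The unsafe pattern from the post: sprintf cannot know how large `buffer`
 * is, so any string of 256+ bytes writes past its end (on the calculator
 * that buffer is on the heap). Shown for contrast only, never called here. */
void serial_log_unsafe(char buffer[LOG_BUF_SIZE], const char *string)
{
    sprintf(buffer, "%s", string);   /* unbounded copy: heap overflow */
}

/* Bounded version. vsnprintf writes at most LOG_BUF_SIZE-1 bytes plus the
 * terminator and returns the length the whole message *would* have had, so
 * the caller can tell that truncation happened instead of silently losing
 * the tail (or, with sprintf, corrupting whatever follows the buffer). */
bool serial_log_safe(char buffer[LOG_BUF_SIZE], const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buffer, LOG_BUF_SIZE, fmt, ap);
    va_end(ap);
    if (needed < 0) {            /* encoding error: leave an empty string */
        buffer[0] = '\0';
        return false;
    }
    return needed < LOG_BUF_SIZE; /* false => the message was cut short */
}

/* Bytes that actually landed in the buffer for `msg` (never above 255). */
size_t logged_length(const char *msg)
{
    char buffer[LOG_BUF_SIZE];
    serial_log_safe(buffer, "%s", msg);
    return strlen(buffer);
}

/* True when `msg` fits the buffer without truncation. */
bool log_fits(const char *msg)
{
    char buffer[LOG_BUF_SIZE];
    return serial_log_safe(buffer, "%s", msg);
}
```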

Online xlibman

Re: How does Ndless (3.9 specifically) work?
« Reply #8 on: May 02, 2015, 06:27:31 am »
Hiya and welcome Vogtinator. Reboot-proofness was why I kept OS 3.1 for so long personally. I might upgrade to 3.6 soon once I've learned how to use and install nLaunchy, but 3.9 is staying away from my calc as long as possible (and is why the programming contest requires every Nspire entry to run on 3.1 or 3.6 (doesn't necessarily have to be both)).

Offline Strontium

Re: How does Ndless (3.9 specifically) work?
« Reply #9 on: May 02, 2015, 07:22:37 am »
Quote from: Vogtinator on May 01, 2015, 11:08:03 am

Oh, neat. I learned about buffer exploits a while ago with this video by Tom Scott:


Also, why does the exploit require connecting the calculator to the computer? Does it have something to do with the serial logging?

Online xlibman

Re: How does Ndless (3.9 specifically) work?
« Reply #10 on: May 02, 2015, 07:23:41 am »
Could it be that the exploit can only be triggered via USB communication?

Offline Vogtinator

Re: How does Ndless (3.9 specifically) work?
« Reply #11 on: May 02, 2015, 10:12:40 am »
Quote from: xlibman on May 02, 2015, 07:23:41 am
Could it be that the exploit can only be triggered via USB communication?
Quote from: Vogtinator on May 01, 2015, 11:08:03 am
The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again.

Edit: Hmm, the bold tag doesn't show up in quotes, it should be that is called on USB connection.

Online xlibman

Re: How does Ndless (3.9 specifically) work?
« Reply #12 on: May 02, 2015, 11:05:36 am »
Ah right, I didn't really get that part for some reason. Also, bold appears to work fine in quotes in Chrome.

Offline Unicorn

  • ??? ??? ??? ??? ???
  • Super User
  • CW Contest II - 2nd place
  • *
  • Join Date: Jan 2015
  • Location: ??? ??? ??? ??? ???
  • Posts: 2826
  • Post Rating Ratio: +5/-2
  • make :PICKACHUP: a thing!
    • Unicorn808
    • 114/11432
    • ??? ??? ??? ??? ???
  • Gender: Male
Re: How does Ndless (3.9 specifically) work?
« Reply #13 on: May 02, 2015, 05:14:42 pm »
Bold appears in quotes on Safari iOS...