|604 Wifi Plugins Unlock + Downgrade
|Page 1 of 1|
|Author:||Remdale [ Fri Aug 18, 2017 11:13 pm ]|
|Post subject:||604 Wifi Plugins Unlock + Downgrade|
I've successfully downgraded firmware by replacing a new OS version with an old one. I have 2 devices now with 2 different firmwares: the latest 1.6.53 (With HDD lockdown) and the oldest 1.3.10 (without HDD lockdown). I successfully used HD Clone software to clone the hidden partition of both devices. Thus, I downgraded (replaced) 1.6.53 to 1.3.10 by moving the hidden partition from 1.3.10 HDD over 1.6.53 HDD. The bootloader version stays the same, but you can downgrade the bootloader by starting for example 1.5.53 firmware file or anything older than 1.6.53 to be able to hack your device with GFT technique using arcwelder's hack.
Also I successfully unlocked plugins on the old 1.3.10 device by just replacing its HD with the one having 1.6.53 installed and used the same plugin files bought for the second 1.6.53 device. Because the hard drive stayed the same, the same plugin files worked fine!
But I had to hurry because after my old player started with the new 1.6.53 (even 1.5.53) I have around 5-6 seconds to start the file because the player reboots suddenly. So I quickly started one file, updated, rebooted and started another file, rebooted. It happens because old bootloader and new OS version are incompatible.
I will release a hack for bootloader which will unlock the plugins with no pain. But for now here are the files you will need (Edit: not really needed if you read further):
a604wifi(1.5.53).aos the firmware file for downgrade
1_3_10(604Wifi).zip - 1.3.10 hidden partition image
1_6_53(604Wifi).zip - 1.6.53 hidden partition image
WD_Firm.zip - HD Clone for installing those images (follow my links below to get a password)
flash - an utility for dumping and flashing bootloader
I could finally compile libcrypto.so.0.9.7 for starting arcwelder hack to input commands with my laptop. Much quicker way for hacking other things. You can download the whole arcwelder archive from here arcwelder.zip. You should unpack the files to Data\arcwelder directory. Then just put this System.bin file into the System directory by replacing the original one. Remember to change the name to System.bin. Disconnect your device from PC, go to file sever settings and you should see there long strings in workgroup and password fields. Otherwise try to reboot your device. If you can see them, start wifi and go to wifi stats to see the IP address of your device. Then start putty (for windows). In the Host Name field input the ip address of your device, connection type should be SSH, port 22. Press Open. If everything goes right, the console window will ask you to input username for login. You should login as root and then you will see the welcome message. Wait until the next message from busybox appears and then welcome to your device! Have fun!
How to unpack WD_Firm.zip: the main archive file WD_Firm.zip (password: ☤ﮝﻻ⋩ﻛԷ따덕ڦ㏶쳥) contains another archive file called Firm.zip (password: ☃✧〠Ⓙ〶✰ǬⓆ). Unpack the file Reports.rar from Firm.zip and change its extension to exe. Then run it to install the HD Clone. If those passwords don't work just let me know.
Follow this link on how to use the software for downgrade:
The final file bootloader_1.3.10_a604wifi.dump is a bootloader dump (WITH UNLOCKED PLUGINS!!) in case if you want to replace an almost dead hard drive with a new one or install an SSD. The HDD lockdown function is disabled there. You can use the flash utility for flashing the dump file. DANGEROUS!! Read my 704 topic about it.
How to start it. Put it into whatever folder you like. Let's say you put it into Data. All gen4 devices have a 16Mbit Intel flash chip called 28F160C3BD. According to the datasheet its memory ends at FFFFF (In HEX). Let convert it into decimals for bytes. It becomes 1048575 bytes.
Let's dump the whole flash memory into a file:
/mnt/data/Data/flash -d /mnt/data/dump.bin 0x0 2097152
/mnt/data/Data/flash is a path to the utility
-d is a dump flag
/mnt/data/dump.bin is a path for saving the dump file
0x0 is a starting address
2097152 is the number of bytes to be read (full flash dump: 2MB or 16Mbit)
How to write your file back:
/mnt/data/Data/flash -f /mnt/data/dump.bin 0x0
-f is a flash flag
But if you start flashing from 0x0 address, you might brick your device because it may just hang up like it had happened to my 704wifi.
I suppose my device froze because maybe I should have killed avos_helper.sh first.
I don't know why, but if you kill avos_helper.sh the avos gets frozen.
By the way, if you kill avos, Archos will stop responding to any button and touches as it is responsible for all the controls. Even lights will not respond when you connect a charger. But the file server will keep running so you can keep using the console.
As gen4 devices are almost identical among each other I recommend you to read more information on other stuff like getting a remote access with SSH, bootloader hacks and more ideas:
HOW TO UNLOCK THE PLUGINS
I compared 2 bootloaders from 704 and 604 and found some interesting place via hex editor. I decided to try my luck and it worked!!
My 604wifi has the plugins unlocked so I found that some part in both dump files at the addresses 0xA004 and 0xA005. 604wifi bootloader contained 55 (hex) at both addresses whilst the 704wifi didn't have those values there. So I decided to try my luck by flashing 55 to 0xA004. Then I rebooted and noticed Video Podcast became unlocked! Then I flashed the same file to the next address and then Cinema appeared too! I tried to flash the same values through 0xA000 to 0xA003 and 0xA006 to check if some hidden plugins will unlock. No luck, only those 2. I also noticed that if you flash something different from 55, plugins will become locked again.
So what should we do to unlock those plugins from the very beginning:
1) Need to have OS below 1.6.53 (read above for downgrade)
2) Download and install arcwelder folder via GFT: download my System.bin and replace the original one in the System folder. Download arcwelder.zip and unpack the files into the Data folder.
3) Download the plugins unlock file and copy it into the root of your device.
4) Download the flash utility file and copy it into the root of your Archos.
5) Assuming that you have already replace System.bin, start Wifi on your device and connect it to your Wifi hotspot.
6) Check IP in your player and start a file server.
7) Start a SSH session with putty by entering that IP into Putty and opening a connection.
Once the console started you should input:
press Enter and wait for around 30 seconds until the a Busybox message appears.
9) Input the flash command to flash the file:
/mnt/data/Data/flash -f /mnt/data/plugins_55 0xA004
It just writes 2 bytes (each contains "55" in hex) to 0xA004 and 0xA005.
0xA004 - videopodcast
0xA005 - cinema
I tried to write something different from 55. Didn't work. It should be only 55.
I also found the location of HDD serial number. It can be changed and flashed for inserting an SSD. It starts from 0xAFD4 and can be easily changed. Just create a text file, insert your new S/N and flash it in the same way as plugins, but change the address to 0xAFD4. For example:
/mnt/data/Data/flash -f /mnt/data/sn.txt 0xAFD4
I tried to delete the serial number, but it returned back after reboot. So it seems that Archos will attach any drive at the boot process once the S/N has been deleted.
|Page 1 of 1||All times are UTC+01:00|
|Powered by phpBB® Forum Software © phpBB Limited