Forum.ArchosFans.com

Unofficial Archos Support Forum

All times are UTC+01:00




PostPosted: Sun Nov 13, 2016 2:03 am 
Joined: Thu Mar 14, 2013 2:41 pm
Posts: 47
I'm working on unlocking the plugins for 704. I'm not good at programming, but I will try to do my best. Where to start from?
I have plugins for my 504 and I want to use them for 704. What is needed to run them? The suitable product ID. I hope this is the only thing needed for running the plugins. So how to change the product ID? We need to boot up with the suitable HD serial number. But we have to get rid of the lock down function. There are many owners who have their devices with latest firmware which disables GFT hack. This link shows the firmware versions where GFT doesn't work.
I determined that 1.7.16 has the HD lockdown ability as 704TV does at 1.7.17.
I enabled a scrollbar in Opera by using the symlink method of access to the Opera directory. Just replaced the original opera.ini with the changed one.
Also I've found some interesting stuff in etc\init.d\S20modules
Code:
#! /bin/sh

boards_rev_sdio=2
hw_id=0

load_sdio_modules ()
{
   if [ -e /mnt/data/a704wifi.txt ] ; then
   
      tmp=`cat /mnt/data/a704wifi.txt`
      
      if [ "$tmp" = "sdio" ] ; then
         let hw_id=$boards_rev_sdio
      else
         let hw_id=0
      fi
   else    
      let hw_id=`cat /sys/devices/system/cpld_io/cpld_io0/hardware_id`
   fi
   
   if [ $hw_id -ge $boards_rev_sdio ] ; then
      insmod /lib/modules/sdio-core.ko
      insmod /lib/modules/sdio_dma_davinci.ko
      insmod /lib/modules/sdio_host_davinci.ko
   fi

}
and so on

It means if the file a704wifi.txt containing the "sdio" string exists, then sdio-core.ko, sdio_dma_davinci.ko and sdio_host_davinci.ko modules will be installed. SDIO must be Secure Digital I/O. But what are they for? I created the file a704wifi.txt and inserted the sdio string. After reboot nothing special happened. If you change the contents of that file to something other than "sdio", then you cannot activate wifi. It ends up with Wifi Error message.

I also tried to hot-swap the drive during the boot process. It didn't help to get another Product ID to use the plugins from 504. After pressing the power button, the boot begins with checking the info about the hard disk. It happens during 2 blinks of the red HDD LED. The third blink means mounting optfs and rootfs and maybe something else. Before the third blink you can quickly replace the hard drive with another one only if the latter contains the rootfs.cramfs.secure and optfs.cramfs.secure from the same 704 WIFI or TV. Otherwise the error message appears.
So it seems that the product ID is generated based on the SN located in RAM after the boot. So to change the product ID I will have to edit RAM or find the file that is responsible for system info. I believe if I edit the firmware version number somewhere in settings, then downgrade would be possible.

DOWNGRADE
I got my 704WIFI with 1.7.05 installed. It's even earlier than "initial OS" 1.7.08. After scanning its hard disk for removed files, I couldn't find the firmware file. It seems its previous owner has deleted it completely.
I created an image of hidden partition. Moved it into another hard drive of my second 704 with firmware 1.7.53. Then started it. Checked if it was 1.7.05 and then started a downgrade procedure with 1.7.16 firmware file, because I don't have anything earlier. If someone has 1.7.10 firmware file, please share. Thus I upgraded the OS on the HD, but downgraded the bootloader. It was not really necessary, except for the case when you will have to reinstall the OS with 1.7.16 firmware from recovery menu.
I checked if that 1.7.05 device has the HD lockdown. Yes, it does. It seems Archos has implemented it even before producing 704.
But anyways, this firmware version is important for starting Qtopia and running GFT-way code.
HOW TO DOWNGRADE
Take out the hard drive and connect it directly to PC through an IDE adaptor.
Run "HD Clone"(link below)->Restore partition->choose the folder where 1.7.05 image is located: first click on the needed drive from the left panel. Then using the right panel go to the folder with the needed image folder and click on it-> click Next (if the button is not active, it means you didn't choose the image)->in the next window "Target partition" click "Show all partitions" to uncover the hidden partition->find the hard drive of your Archos and click on the smaller partition called "unnamed". Its size has to be around 97MB->click Next->Start->Start copying->(Waiting)->Automatically->Quit HDClone.
Place the hard drive back into Archos and start it. Choose "repair" if recovery menu appears. Then use 1.7.16 firmware file (rename it to a704wifi.aos) to downgrade the bootloader. You're DONE!
HD Clone
1.7.05.zip - 1.7.05 image
a704wifi(1.7.16).aos - 1.7.16 firmware file
I changed the link to the cloning program because I've got a notification from 4shared admin that I posted copyrighted material. How to unpack the program: main archive file WD_Firm.zip (password: ☤ﮝﻻ⋩ﻛԷ따덕ڦ㏶쳥) contains another archive file called Firm.zip (password: ☃✧〠Ⓙ〶✰ǬⓆ). Unpack the file Reports.rar from Firm.zip and change its extension to exe. Then run it to install the program. If those passwords don't work just let me know.

Now, my idea is to change the product id to run plugin files from different GEN4 devices. It's being generated during the boot process and stored somewhere (maybe it's /sys/devices/system/cpld_io/cpld_io0/product_id or /sys/devices/system/cpld_io/cpld_io0/hardware_id). I tried to copy those files with the symlink technique, but no luck. It seems I have to be root. So I will try to copy them with GFT.

APRIL 18 UPDATE

First of all, for those who are not familiar with avos, it's a user interface used for all archos devices.

I determined that there's probably no file which contains product key information. I used IDA to disassemble the AVOS code. It seems that the product key is not being read and stored somewhere; instead, it is being generated on the go after reading from flash every time you go to system settings. I have no access to the flash yet, so I have a different idea of getting the plugins. I have got videopodcast and cinema plugins for a different 704 Wifi unit. I discovered that I can run my own avos just by starting it with GFT from the password field. I tried to kill original avos and start mine, but my player just freezes up. In order to kill the original one without 704 being rebooted you have to kill avos_helper.sh. But once you do that the device stops responding. I don't know why it happens. I tried to run my avos over the original one and it seems to work! But its functionality was very limited because at the same time original avos was using the modules which my avos needed to properly operate. My avos doesn't even respond to the power button and can't reboot the device. The only thing I could do is to go to system settings and browse files. So to free the modules up I have to kill the original avos and maybe even reload them. So it's my new goal now.
My idea is to disable the check of plugin files so that you could use the ones from other 704wifi devices. I hacked avos so that I can use any plugin file from any 704 wifi. Plugins from 504 give me: Bad update file, code 10. I guess the same thing would happen if I use any plugin from 704TV. I don't even want to hack the avos more to make it accept those plugins too as it may be dangerous though all of those devices use the same main parts and have almost same program. Anyways it's possible to check it.
First of all, starting another instance of avos over the original one gives you many troubles, but my idea is to use it just to unlock plugins with not native files. One of those troubles is it cannot recognize the DC adapter. Once I connect it there's no LED indication, though the original avos is running. It shows an empty battery indicator and after about 15 seconds of work it shuts down the device. Surely just 15 seconds would be enough to unlock the plugins, but once I open any plugin file it asks for DC. So I spent some time to find the function which asks for that. Then I just disabled it.
I used IDA Pro to find the needed function and then changed the value with a hex-editor.
Image

Image
So the next step was to disable the files check. I spent more time for my experiment to define the needed place to change the value. Once you open a plugin file it's being checked if its MD5 checksum corresponds to the one stored in the device. Actually the MD5 checksum seems to be the product key being represented in a different way on system screen.
I could easily find the needed place to be changed (thank god manufacturers give appropriate names for their functions).
So just find the function
Image
and just hack it
Image

It worked, but it seems my avos can't get access to flash because after I perform a reboot no plugins appear to be unlocked.
So I decided to load flashrw.ko module before starting my own avos. Now after opening a plugin file it again says "Bad update file". So it seems I will have to spend more time. Update will be posted later.
There's some interesting stuff I could find inside avos. Among cinema and videopodcast plugins I could find some more plugins:
1) DebugInfo - it uses some file to store debug info
2) FriendlyName - I don't know what it is, but some Video_Stop function refers to it
3) Cplus - Have no idea about it
4) ScreenDumper - Probably helps to take screenshots
5) TestVCPOff - Probably has something to do with the Viterbi-decoder coprocessor. From Texas Instruments' docs: Channel decoding of voice and low bit-rate data channels found in third generation (3G) cellular standards requires decoding of convolutional encoded data. The Viterbi-decoder coprocessor (VCP) in some of the digital signal processors of the TMS320C6000 DSP family has been designed to perform this operation for IS2000 and 3GPP wireless standards.

Of course, there would be no problem unlocking them, but my avos is not functioning properly until I load it correctly, so the only way to use the plugins in a full way (now) is to unlock them in the flash chip. The only plugins I can unlock in flash (for now) are just cinema and videopodcast.

AUGUST 18 UPDATE

I could finally compile libcrypto.so.0.9.7 for starting arcwelder hack to input commands with my laptop. Much quicker way for hacking other things. You can download the whole arcwelder archive from here arcwelder.zip. You should unpack the files to Data\arcwelder directory. Then just put this System.bin file into the System directory by replacing the original one. Remember to change the name to System.bin. Disconnect your device from PC, go to file server settings and you should see there long strings in workgroup and password fields. Otherwise try to reboot your device. If you can see them, start wifi and go to wifi stats to see the IP address of your device. Then start putty (for windows). In the Host Name field input the ip address of your device, connection type should be SSH, port 22. Press Open. If everything goes right, the console window will ask you to input username for login. You should login as root and then you will see the welcome message. Wait until the next message from busybox appears and then you're welcome to your device! Have fun!
I'm coming closer and closer to unlocking the plugins in the bootloader. I've found a utility called flash. It was created by the user called here as Einstein. I could successfully use it for reading the flash and successfully bricked my device while trying to downgrade its bootloader to 1.7.05 firmware with the changed HDD serial number. Here's the flash utility.
How to start it. Put it into whatever folder you like. Let's say you put it into Data. All gen4 devices have a 16Mbit Intel flash chip called 28F160C3BD. According to its datasheet its memory ends at FFFFF (In HEX). Let's convert it into decimals for bytes. It becomes 1048575 bytes.
Let's dump the whole flash memory into a file:
Code:
/mnt/data/Data/flash -d /mnt/data/dump.bin 0x0 1048575

/mnt/data/Data/flash is a path to the utility
-d is a dump flag
/mnt/data/dump.bin is a path for saving the dump file
0x0 is a starting address
1048575 is the number of bytes to be read.
How to write your file back:
Code:
/mnt/data/Data/flash -f /mnt/data/dump.bin 0x0

-f is a flash flag

I suppose my device froze because maybe I should kill avos_helper.sh and avos first.
Code:
killall avos_helper.sh
killall avos

I don't know why, but if you kill avos_helper.sh, avos freezes.
By the way, if you kill avos, Archos will stop responding to any button and touch pressing. Even lights will not respond when you connect a charger. But the file server will keep running. It means you may start your own avos with no problem.
I used to start avos taken from 704TV. Worked just fine!
As gen4 bootloaders are almost the same, I will be able to unlock plugins having 2 devices with them being unlocked and not. I need to compare 2 bootloaders to be able to find the difference.
As for the dead unit, I have an idea how to flash the firmware into it by connecting a USB-TTL converter directly to the DaVinci processor. Only 1.8v signal converters are compatible with that CPU! But first, I will have to set some of its pins for booting from UART, not from flash. And then start a command for flashing the file into the bootloader chip. After I do it successfully, I will share the process with everyone.
Among all gen4 devices, we have a victim here. It's a704TV. It doesn't have wifi and I cannot apply a HDD swap trick like it worked for 404, 504 and 604. Because it has a HDD lockdown for all firmwares. So the only way to unlock plugins here is to blindly flash the bootloader directly from PC with the same USB-TTL converter hoping that you will not brick your device. Unfortunately Texas Instruments developed only Flash function. There's no Read function for UART booting mode.
Here you can download a file dumped from 1.7.05 bootloader for 704WIFI. Don't try to flash on your own until I approve that the process can be successful. Besides you will have to hexedit the file to change the HDD serial number to yours. Otherwise, wait until I define that HDD check can be disabled by emptying out some parts of flash memory.
To be continued...
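
Added example (not part of the original post and not code from the flash utility): a sanity check for two independent reads of the flash chip, made with the `-d` dump command above into two different files, before anything is written back. The function names, file names and return codes are hypothetical; the expected size is whatever byte count was passed to the dump command, and treating a constant-fill image as a failed read is an assumption of this example.

```shell
#!/bin/sh
# Added example: compare two dumps of the same flash region before write-back.
# Usage on a PC or on the device shell (assumes wc, tr and cmp are available):
#   verify_flash_dump dump1.bin dump2.bin 1048575

# Size of a file in bytes (strip the padding some wc versions add).
dump_size() {
    wc -c < "$1" | tr -d ' '
}

# True if the file consists only of one byte value, given in octal
# (377 for 0xFF, 000 for 0x00).
is_constant_fill() {
    [ "$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# verify_flash_dump FIRST SECOND EXPECTED_BYTES
# Returns: 0 ok, 1 missing file, 2 wrong size, 3 blank read, 4 reads differ
verify_flash_dump() {
    first=$1 second=$2 expected=$3
    [ -f "$first" ] && [ -f "$second" ] || return 1
    # A short or long file means the dump does not cover the requested range.
    [ "$(dump_size "$first")" -eq "$expected" ] || return 2
    [ "$(dump_size "$second")" -eq "$expected" ] || return 2
    # Assumption: an all-0xFF or all-0x00 image is treated as a failed read.
    if is_constant_fill "$first" 377 || is_constant_fill "$first" 000; then
        return 3
    fi
    # Two reads of the same region must be byte-identical.
    cmp -s "$first" "$second" || return 4
    return 0
}
```

A non-zero return code means the dump should not be used as a backup or flashed back; keep a copy of a verified dump off the device before any write.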