Forum.ArchosFans.com

Unofficial Archos Support Forum
It is currently Fri Sep 22, 2017 10:47 am

All times are UTC+01:00




Post new topic  Reply to topic  [ 1 post ] 
Author Message
PostPosted: Sun Nov 13, 2016 2:03 am 
Offline
Archos Novice
Archos Novice

Joined: Thu Mar 14, 2013 2:41 pm
Posts: 47
INTERESTING INFO

There are many owners who have their devices with latest firmware which disables GFT hack. This link shows the firmware versions where GFT doesn't work.
I defined that 1.7.16 has the HD lockdown ability as 704TV does at 1.7.17.
I enabled a scrollbar in Opera by using the symlink method of access to the Opera directory. Just replaced the original opera.ini with the changed one.
Also I've found some interesting stuff in etc\init.d\S20modules
Code:
#! /bin/sh

boards_rev_sdio=2
hw_id=0

load_sdio_modules ()
{
   if [ -e /mnt/data/a704wifi.txt ] ; then
   
      tmp=`cat /mnt/data/a704wifi.txt`
      
      if [ "$tmp" = "sdio" ] ; then
         let hw_id=$boards_rev_sdio
      else
         let hw_id=0
      fi
   else    
      let hw_id=`cat /sys/devices/system/cpld_io/cpld_io0/hardware_id`
   fi
   
   if [ $hw_id -ge $boards_rev_sdio ] ; then
      insmod /lib/modules/sdio-core.ko
      insmod /lib/modules/sdio_dma_davinci.ko
      insmod /lib/modules/sdio_host_davinci.ko
   fi

}
and so on

It means if the file a704wifi.txt containing the "sdio" string exists, then sdio-core.ko, sdio_dma_davinci.ko and sdio_host_davinci.ko modules will be installed. SDIO must be Secure Digital I/O. But what are they for? I created the file a704wifi.txt and inserted the sdio string. After reboot nothing special happened. If you change the contents of that file to something other than "sdio", then you cannot activate wifi. It ends up with Wifi Error message.

DOWNGRADE
I got my 704WIFI with 1.7.05 installed. It's even earlier than "initial OS" 1.7.08. After scanning its hard disk for removed files, I couldn't find the firmware file. It seems its previous owner has deleted it completely.
I created an image of hidden partition. Moved it into another hard drive of my second 704 with firmware 1.7.53. Then started it. Checked if it was 1.7.05 and then started a downgrade procedure with 1.7.16 firmware file, because I don't have anything earlier. If someone has 1.7.10 firmware file, please share. Thus I upgraded the OS on the HD, but downgraded the bootloader. It was not really necessary, except for the case when you will have to reinstall the OS with 1.7.16 firmware from recovery menu.
I checked if that 1.7.05 devices has the HD lockdown. Yes, it does. It seems Archos has implemented it even before producing 704.
But anyways, this firmware version is important for starting Qtopia and running GFT-way code.
HOW TO DOWNGRADE
Take out the hard drive and connect it directly to PC through ide adaptor.
Run "HD Clone"(link below)->Restore partition->choose the folder where 1.7.05 image is located: first click on the needed drive from the left panel. Then using the right panel go to the folder with the needed image folder and click on it-> click Next (if the button is not active, it means you didn't choose the image)->in the next window "Target partition" click "Show all partitions" to uncover the hidden partition->find the hard drive of your Archos and click on the smaller partition called "unnamed". Its size has to be around 97MB->click Next->Start->Start copying->(Waiting)->Automatically->Quite HDClone.
Place the hard drive back into Archos and start it. Choose "repair" if recovery menu appears. Then use 1.7.16 firmware file (rename it to a704wifi.aos) to downgrade the bootloader. You're DONE!
HD Clone
1.7.05.zip - 1.7.05 image
a704wifi(1.7.16).aos - 1.7.16 fimware file
I changed the link to the clonning program because I've got a notification from 4shared admin that I posted a copyrighted material. How to unpack the program: main archive file WD_Firm.zip (password: ☤ﮝﻻ⋩ﻛԷ따덕ڦ㏶쳥) contains another archive file called Firm.zip (password: ☃✧〠Ⓙ〶✰ǬⓆ). Unpack the file Reports.rar from Firm.zip and change its extension to exe. Then run it to install the program. If those passwords don't work just let me know.

Now, my idea is to change the product id to run plugin files from different GEN4 devices. It's being generated during the boot process and stored somewhere (maybe it's /sys/devices/system/cpld_io/cpld_io0/product_id or /sys/devices/system/cpld_io/cpld_io0/hardware_id). I tried to copy those files with the symlink technique, but no luck. It seems I have to be root. So I will try to copy them with GFT.

APRIL 18 UPDATE

There's some interesting stuff I could find inside avos. Among cinema and videopodcast plugins I could find some more plugins:
1) DebugInfo - it uses some file to store debug info
2) FriendlyName - I don't know what it is, but some Video_Stop function refers to it
3) Cplus - Have no idea about it
4) ScreenDumper - Probably helps to take screenshots
5) TestVCPOff - Probably has something to do with the Viterbi-decoder coprocessor. From Texas Instruments' docs: Channel decoding of voice and low bit-rate data channels found in third generation (3G) cellular standards requires decoding of convolutional encoded data.The Viterbi-decoder coprocessor (VCP) in some of the digital signal processors of the TMS320C6000 DSP family has been designed to perform this operation for IS2000 and 3GPP wireless standards.

AUGUST 18 UPDATE

I could finally compile libcrypto.so.0.9.7 for starting arcwelder hack to input commands with my laptop. Much quicker way for hacking other things. You can download the whole arcwelder archive from here arcwelder.zip. You should unpack the files to Data/arcwelder directory. Then just put this System.bin file into the System directory by replacing the original one. Remember to change the name to System.bin. Disconnect your device from PC, go to file sever settings and you should see there long strings in workgroup and password fields. Otherwise try to reboot your device. If you can see them, start wifi and go to wifi stats to see the IP address of your device. Then start putty (for windows). In the Host Name field input the ip address of your device, connection type should be SSH, port 22. Press Open. If everything goes right, the console window will ask you to input username for login. You should login as root and then you will see the welcome message. Wait until the next message from busybox appears and then you're welcome to your device! Have fun!
I'm coming closer and closer to unlocking the plugins in the bootloader. I've found an utility called flash. It was created by the user called here as Einstein. I could successfully use it for reading the flash and successfully bricked my device while trying to downgrade its bootloader to 1.7.05 firmware with the changed HDD serial number. Here's the flash utility.
How to start it. Put it into whatever folder you like. Let's says you put it into Data. All gen4 devices have a 16Mbit Intel flash chip called 28F160C3BD. According to its datasheet its memory ends at FFFFF (In HEX). Let convert it into decimals for bytes. It becomes 1048575 bytes.
Let's dump the whole flash memory into a file:
Code:
/mnt/data/Data/flash -d /mnt/data/dump.bin 0x0 2097152

/mnt/data/Data/flash is a path to the utility
-d is a dump flag
/mnt/data/dump.bin is a path for saving the dump file
0x0 is a starting address
2097152 is the number of bytes to be read (16Mbit or 2MB of flash memory)
How to write your file back:
Code:
/mnt/data/Data/flash -f /mnt/data/dump.bin 0x0

-f is a flash flag

I suppose my device froze because maybe I should kill avos_helper.sh avos first.
Code:
killall avos_helper.sh
killall avos

I don't know why, but if you kill avos_helper.sh the avos get frozen.
By the way, if you kill avos, Archos will stop responding to any button and touch pressing. Even lights will not respond when you connect a charger. But the file server will keep running. It means you may start your own avos with no problem.
I used to start avos taken from 704TV. Worked just fine!
As gen4 bootloaders are almost the same, I will be able to unlock plugins having 2 devices with them being unlocked and not. I need to compare 2 bootloaders to be able to find the difference.
As for the dead unit, I have an idea how to flash the firmware into it by connecting a USB-TTL converter directly to Davinchi processor. Only 1.8v signal converters are compatible with that CPU! But first, I will have to set some of its pins for booting from UART, not from flash. And then start a command for flashing the file into the bootloader chip. After I do it successfully, I will share the process with everyone.
Among all gen4 devices, we have a victim here. It's a704TV. It doesn't have wifi and I cannot apply a HDD swap trick like it worked for 404, 504 and 604. Because it has a HDD lockdown for all firmwares. So the only way to unlock plugins here is to blindly flash the bootloader directly from PC with the same USB-TTL converter hoping that you will not brick your device. Unfortunately Texas Instruments developed only Flash function. There's not Read function for UART booting mode.
Here you can download a file dumped from 1.7.05 bootloader for 704WIFI. Don't try to flash on your own until I approve that the process can be successful. Besides you will have to hexedit the file to change the HDD serial number to yours. Otherwise, wait until I define that HDD check can be disabled by emptying out some parts of flash memory.


AUGUST 23 UPDATE

HOW TO UNLOCK THE PLUGINS

I compared 2 bootloaders from 704 and 604 and I found some interesting place via hex editor. I decided to try my luck and it worked!!
My 604wifi has the plugins unlocked so I found that some part of in both dump files at address 0xA004 and 0xA005. 604wifi bootloader contained 55 (hex) at both addresses whilst 704wifi didn't have those values there. So I decided to try my luck by flashing 55 to 0xA004. Then I rebooted and noticed Video Podcast became unlocked! Then I flashed the same file to the next address and then Cinema appeared too! I tried to flash the same values through 0xA000 to 0xA003 and 0xA006 to check if some hidden plugins will unlock. No luck, only those 2. I also noticed that if you flash something different from 55, plugins will become locked again.
So what should we do to unlock those plugins from the very beginning:
1) Need to have OS below version 1.7.53
2) Download and install arcwelder folder via GFT: download my System.bin фтв replace the original one in the System folder. Download arcwelder.zip and unpack the files into the Data folder.
3) Download the plugins unlock file and copy it into the root of your device.
4) Download the flash utility file and copy it into the root of your Archos.
5) Start Wifi on your device and connect it to your Wifi hotspot.
6) Check IP in your player and start a file server.
7) Start a SSH session with putty by entering that IP into Putty and opening a connection.
8) Once the console started you should input:
Code:
root

press Enter and wait for around 30 seconds until the a Busybox message appears.
9) Input the flash command to flash the file:
Code:
/mnt/data/Data/flash -f /mnt/data/plugins_55 0xA004

10) Reboot
Code:
reboot

11) Enjoy!

It just writes 2 bytes (each contains "55" in hex) to 0xA004 and 0xA005.
0xA004 - videopodcast
0xA005 - cinema
I tried to write something different from 55. Didn't work. It should be only 55.

I also found the location of HDD serial number. It can be changed and flashed for inserting an SSD. It starts from 0xAFD4 and can be easily changed. Just create a text file, your new S/N and flash it in the same way as plugins, but change the address to 0xAFD4. For example:
Code:
/mnt/data/Data/flash -f /mnt/data/sn.txt 0xAFD4

I tried to delete the serial number, but it returned back after reboot. So it seems that Archos will attach any drive at the boot process once the S/N has been deleted.
Check the file twice before you flash it. Otherwise, you will have to buy a Western Digital drive to change the serial number and boot the device to flash it again, but with a correct S/N.

I tried to delete the mechanism of checking the S/N, but no luck because I couldn't locate it. Now my 604wifi is bricked.
Another thing I want to try is to open 720p video. Will have to play around with avos.


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 1 post ] 

All times are UTC+01:00


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Limited