Forum.ArchosFans.com

They do this with a USB-stick connected to the USB-host. The USB-stick comprises a signed cramfs from which a program will be run that signs the new harddisk (i.e. encrypts the harddisk serial to a 1024bit signature). All this is already present in the bootloader or rather the init scripts of the kernel. No JTAG involved.

_________________
openAOS

And does anybody have an image of that usbstick? Format: img/bin/raw/dmg/somethingelse. Does it encrypt the serial number of the HDD or the Archos's bootloader using the serial of hdd or the serial number of the 605?

I suppose the people doing repairs for Archos in the different countries have such a usb stick.




Yes. The encrypted serial number will be decrypted during the boot process using a locally stored public key. The decrypted serial number will be compared to that of the actual hdd.

_________________
openAOS

Archos company?

Image of that stick won't help without special USB storage with specific VENDOR_ID and PRODUCT_ID (V_ID of course is Archos).

Yes, that's true, the IDs are checked before running the re-encryption. How do you know that?

I'm not sure how difficult it would be to modify the IDs or to get an Archos usb-stick. However, it appears that some of those usb-sticks are out in the wild, at least somebody told me that somebody replaced his 2.5" hdd by a 250G model.

_________________
openAOS

It is possible to spoof USB VID/PID. That would definitely be a project of interest for anyone capable.

You and a few other people with "power" are not the only one who know such things You know reverse engineering of the file cpio.secure.
I don't want to boast but i was the first person who have discovered some small things :->, it was before GFT, see my posts:

viewtopic.php?f=34&t=7296&st=0&sk=t&sd=a&start=130
viewtopic.php?f=34&t=7296&st=0&sk=t&sd=a&start=177

In some parts i was wrong but basically i was going in good direction.


By the way this file on the USB stick is signed with RSA too so i don't think so.
Edit: Unless you have it in original version from Archos or whoever.

I didn't even get a 605 before the GFT-exploit was published...

So are you still actively looking into all this?




Indeed.

_________________
openAOS

Unfortunately, no. Sometimes i look here too see if something happened, but i'm not in Archos community now i think. Simply it's not worth my time (i dont have it much). I've bought OQO and i can install whatever i want, i do with it many many things and the policy of archos really pisses me of, and a few people on this forum, who always say how cool this or that model of archos is, no matter what (someone here gets the money from archos?). As i look on the A5 subforum i can say that it is ridicule, in that state of firmware, i will never ever buy an Archos product . But that is my opinion. Logout.

I can provide some more information about the ICs from the pictures :

6CA1KHJ WF245
is a level translator, 16 bits
SN74AVC16T245DGVR

WE245 68K A2HY
is another level translator, 8 bits
SN74AVC8T245

7ED22 D9GKW c788
is sRam memory :
Micron 1GB
PC2-4200 (DDR2-533)
model 7ED22-D9GMH
chip MT16HTF12864HY-53ED3 1.8V

WM8985G
is the audio codec and amplifier

LC4032ZC 75MN6
Probably a Lattice programmable logic device.
No perfect match, but close.

BBO 6AW M420
TPS62040DRC step down converter

(Intel) F160C3
Advanced Boot Block Flash Memory
--->Flash 16Mbits
http://www.olimex.com/dev/pdf/Intel_C3.pdf
This is probably where the bootloaders sit !

LC6Y J829 611
No clue ...
It is probably a larger NAND Flash used for the system base storage and os.
Maybe similar to K9K1G08

There are some other sot23-5 chips that seems to be DC-DC Converters, but nothing interresting there. (also extremely hard to identify)

Ok, now the good and the bads...
There's 99% chances the bootloader(s) are stored in the intel flash.
(The other is much smaller in size and probably NAND - similar to the EVM schematic actually.
NAND is nice because it is much denser, but not so good for a bootloader because it is slower and can contain errors)

The bad side is that it is a BGA package (Ball grid array) requiring very special and expensive equipment to unsolder/reball/resolder. (not even talking about experience required)

I can see two things that can be done to write to the flash (and get rid of that nasty bootloader)
-Either peek into the address/data lines of the flash, hoping they are all accessible somewhere on the right when going into the davinci chip.
I can already see many of them are available, but if one is missing and going into an inner layer, that's dead.
Knowing that we need to tap into 22 address lines, 8 data lines and a few other control ... to be honest it is unlikely to happen.
-The other way might be using software to unlock the flash and write a new bootloader.
Knowing the IC used and commands (from http://www.olimex.com/dev/pdf/Intel_C3.pdf) it might be possible to unlock the bootloader blocks and modify them.
The flash seems to have some protection modes, but I haven't read anything about definitive irreversible protection. (except for the 128 bits protection register which is like a serial number)

That's pretty much all I can do at this stage.
Hoping this will help software guys to hack it further...

I also want to point out there's no such thing as a RS232 converter.
Archos has never advertised any form of communication other than usb and wifi.
So there's little point in adding a rs232 converter that no one will ever use.
It will take board space, power, and increase the cost of the device.
If there's a serial communication somewhere, it is using logic level voltages. (Either 1.8V or 3.3V)
Now is it active or not ?
It is indeed tempting to enable a serial debug communication line if you have one available.
Or it could also be a SPI line, or any other protocol.
But I'm not sure anything interresting can be done with it.

I also don't think there's a JTag connector somewhere.
I haven't seen that Davinci IC has JTag pins (maybe missed them) and the other chips in the system don't have jtag functionnality either.

To go further, I would need to have the orientation of the davinci IC, identify each pin and try to locate the serial and flash pins if they are available on the back of the davinci.

Now a good indication that the serial line is used is if it is configured/present in the os.
Can someone check this ?

I'm also a bit puzzled by the Lattice IC.
Nowadays it is not very common to use those devices, specially if you have a such powerfull IC as the davinci.
Maybe it is used for on the fly encryption / decryption of the disk content or part of it.
Clearly if it is there, it means it performs something the davinci can't do fast enough...

Correction - the lattice and davinci both have a JTag port.
The intel flash doesn't.
Maybe through the jtag of the davinci it is possible to access the flash ?
I never played with jtag and don't have the tools to do it.

There are some gold plated "connectors" on the back of the davinci, they are probably the jtag pins.

I'll try to identify them in case some one who has the right equipment want to give a try.

I tried to place the davinci IC over the back of the board, but seems no luck... no Jtag connector on this side.