times up. you had your chance archos.
i dub this hack: moldy cheese
so there is going to be a little change in the plans. those who are interested in the hack can just go ahead and skip to the bottom where all the files are posted. but for those who want to understand how this happens, keep reading.
this is a developer's release only. not recommended for the average user because the kernel is not quite stable yet. that should be fixed soon.
i was originally going to post a hack to just enable all the plugins. i'm no longer going to do that for reasons that may not become clear as you read this post. i changed my mind after my archos froze recording my favorite sports team. shortly after archos released the android devices and abandoned gen6. now i'm releasing this. so archos you can blame your shitty software. had you fixed it, this probably would not have happened. had you done what is right, this probably would not have happened. but you didn't, so it's happening.
this hack will still enable all the plugins, but just in a different way, and so much more. first you must understand how archos makes it so that only they can run code in the 605. then i will show you how we make it so that you can run whatever the hell you want. the rest, i leave up to the community. don't let me down guys! make me something amazing. i'm thinking rockbox is long overdue.
when you first power up the 605, execution is hardwired to start at a certain address. this certain address happens to be the beginning of flash. it is there that we find what i call boot0. the code here does basic initialization, sets up the stack and heap, initializes hardware, etc. the very last thing it does is to check the rsa signature of boot1 to see if it is archos approved code. if not, it will not jump there, will not execute the code, and just endlessly spins it wheels. but if it is shitty archos code, it will continue at boot1. this is pretty standard boot0 jobs. so what we find is something like:
...inline assembly to set up stack/heap...
int archos_approved = check_boot1(x203 0000);
an address is passed to check_boot1() and if we look at that address, we find something that looks a lot like a rsa signature. so each stage after boot1 is most likely protected by a rsa signature. notice that if check_boot1() returns anything besides 0, we are screwed. so let's just make it something like int_archos_approved=0;. that way we don't even check the signature. simple enough. and now we can change boot1 without archos private key allowing us to run our own code. success.
things we learn from boot0:
flash rom offset is x200 0000
boot1 is protected by an rsa signature.
so now that we can modify boot1, we need to find and disable the check_cpio() function <--i call it boot2, archos calls it cpio, others call it a kernel--> within boot1. this would probably take days, but why not take a shortcut? remember how check_boot1() passed the address of the boot1 signature? all we have to do is find the boot2/cpio/kernel signature which is easily spotted at x5 0000. so now all we need to find is a function that is getting passed address x205 000 as its arguments. interesting we find this at two spots. after further looking around i find out that there are two cpios. one in flash and one in /mnt/system/cpio.secure, they are identical. one check is at x3 7b40 and another at x3 7cc8, and they both call x3 87f4. that is the address of our check_cpio() routine. check_cpio() will return 0 if the cpio is 'archos approved'. so let's just make check_cpio() return 0 for 'archilles approved' code. now we can run any boot2/cpio/kernel!
things we learn from boot1:
thank you archos for making this easy on me
archilles probably goes too easy on the code approval process
there are similar rsa checks on rootfs.cramfs.secure, optfs.cramfs.secure, the plugins, the harddrive, etc. all which have been disabled. it's ok, your free.
so now you can run your own kernels. you can run your own modified rootfs. you can modify avos. and your 605 will do what it was made to do, run your code! all this depended on changing boot0 to disable the check_boot(). after firmware 1.7.13, it seems archos activated a flash lock. you can no longer change boot1. so those who upgraded past 1.7.13 are forever doomed to run 'archos approved' code... or are they??
things we learned this oct 1:
don't upgrade! archos is obviously more interested in closing exploits then fixing their software. so an upgrade is probably just going to keep you from being one of the cool kids,, for a while.
i'm delaying the next installment of 'archilles makes it right' by 4 days. november 5 just seems so much more appropriate, don't you think?
i don't have a 604 so it doesn't work on that, yet possible
i don't have a 605 flash so it doesn't work on that either, yet possible
source is included and i could help somebody make it work on those
cpio.secure on the harddrive seems to be loaded if available and ok, otherwise load from flash. very useful for testing. just copy 'test cpio' to /mnt/system/cpio.secure and see if it boots. if it can't, you can just load the copy in flash by pressing the tv button on power up.
cpio.secure from harddrive will not load on 160gb units. don't know why. works fine in flash. this hack will not work 'out of the box' for 160gb units. that will be coming very shortly.
and finally, the hack:download moldy cheese here
make sure you are running 1.7.13 for 605, and not the 605 flash version or 160gb! this will probably brick you in the face if you don't obey this.
download and unzip the hack, plugin archos, copy to the base folder, and use gft technique to run "1;/bin/sh -x /mnt/data/FREEDOM"
cross your fingers and reboot.
now get to work on making me a custom awesome 605 distro.
you are at fault for everything that you screw up. you can blame me, blame archos, or blame your dog, but everything is your fault. using this hack will probably brick your vendor-abandoned media player.
it works for me but that's no guarantee it will work for you. who's the brave soul that want to try it first?
and finally, live free!