i give you: moldy cheese

[archilles]

times up. you had your chance archos.

i dub this hack: moldy cheese

so there is going to be a little change in the plans. those who are interested in the hack can just go ahead and skip to the bottom where all the files are posted. but for those who want to understand how this happens, keep reading.

this is a developer's release only. not recommended for the average user because the kernel is not quite stable yet. that should be fixed soon.

i was originally going to post a hack to just enable all the plugins. i'm no longer going to do that for reasons that may not become clear as you read this post. i changed my mind after my archos froze recording my favorite sports team. shortly after archos released the android devices and abandoned gen6. now i'm releasing this. so archos you can blame your shitty software. had you fixed it, this probably would not have happened. had you done what is right, this probably would not have happened. but you didn't, so it's happening.

this hack will still enable all the plugins, but just in a different way, and so much more. first you must understand how archos makes it so that only they can run code in the 605. then i will show you how we make it so that you can run whatever the hell you want. the rest, i leave up to the community. don't let me down guys! make me something amazing. i'm thinking rockbox is long overdue.

when you first power up the 605, execution is hardwired to start at a certain address. this certain address happens to be the beginning of flash. it is there that we find what i call boot0. the code here does basic initialization, sets up the stack and heap, initializes hardware, etc. the very last thing it does is to check the rsa signature of boot1 to see if it is archos approved code. if not, it will not jump there, will not execute the code, and just endlessly spins it wheels. but if it is shitty archos code, it will continue at boot1. this is pretty standard boot0 jobs. so what we find is something like:

main() {
...inline assembly to set up stack/heap...
...hardware initilization...
...
int archos_approved = check_boot1(x203 0000);
if(archos_approved==0) jump_boot1();
while(1);
}

an address is passed to check_boot1() and if we look at that address, we find something that looks a lot like a rsa signature. so each stage after boot1 is most likely protected by a rsa signature. notice that if check_boot1() returns anything besides 0, we are screwed. so let's just make it something like int_archos_approved=0;. that way we don't even check the signature. simple enough. and now we can change boot1 without archos private key allowing us to run our own code. success.

things we learn from boot0:
flash rom offset is x200 0000
boot1 is protected by an rsa signature.
other stuff.

so now that we can modify boot1, we need to find and disable the check_cpio() function <--i call it boot2, archos calls it cpio, others call it a kernel--> within boot1. this would probably take days, but why not take a shortcut? remember how check_boot1() passed the address of the boot1 signature? all we have to do is find the boot2/cpio/kernel signature which is easily spotted at x5 0000. so now all we need to find is a function that is getting passed address x205 000 as its arguments. interesting we find this at two spots. after further looking around i find out that there are two cpios. one in flash and one in /mnt/system/cpio.secure, they are identical. one check is at x3 7b40 and another at x3 7cc8, and they both call x3 87f4. that is the address of our check_cpio() routine. check_cpio() will return 0 if the cpio is 'archos approved'. so let's just make check_cpio() return 0 for 'archilles approved' code. now we can run any boot2/cpio/kernel!

things we learn from boot1:
thank you archos for making this easy on me
archilles probably goes too easy on the code approval process

there are similar rsa checks on rootfs.cramfs.secure, optfs.cramfs.secure, the plugins, the harddrive, etc. all which have been disabled. it's ok, your free.

so now you can run your own kernels. you can run your own modified rootfs. you can modify avos. and your 605 will do what it was made to do, run your code! all this depended on changing boot0 to disable the check_boot(). after firmware 1.7.13, it seems archos activated a flash lock. you can no longer change boot1. so those who upgraded past 1.7.13 are forever doomed to run 'archos approved' code... or are they??

things we learned this oct 1:
don't upgrade! archos is obviously more interested in closing exploits then fixing their software. so an upgrade is probably just going to keep you from being one of the cool kids,, for a while.

i'm delaying the next installment of 'archilles makes it right' by 4 days. november 5 just seems so much more appropriate, don't you think?

-some notes:
i don't have a 604 so it doesn't work on that, yet possible
i don't have a 605 flash so it doesn't work on that either, yet possible
source is included and i could help somebody make it work on those
cpio.secure on the harddrive seems to be loaded if available and ok, otherwise load from flash. very useful for testing. just copy 'test cpio' to /mnt/system/cpio.secure and see if it boots. if it can't, you can just load the copy in flash by pressing the tv button on power up.
cpio.secure from harddrive will not load on 160gb units. don't know why. works fine in flash. this hack will not work 'out of the box' for 160gb units. that will be coming very shortly.


and finally, the hack:
download moldy cheese here
md5: 635b5f97d2bfd69c307c5c0cf21dc07f

instructions:
make sure you are running 1.7.13 for 605, and not the 605 flash version or 160gb! this will probably brick you in the face if you don't obey this.
download and unzip the hack, plugin archos, copy to the base folder, and use gft technique to run "1;/bin/sh -x /mnt/data/FREEDOM"
cross your fingers and reboot.
now get to work on making me a custom awesome 605 distro.

you are at fault for everything that you screw up. you can blame me, blame archos, or blame your dog, but everything is your fault. using this hack will probably brick your vendor-abandoned media player.

it works for me but that's no guarantee it will work for you. who's the brave soul that want to try it first?

and finally, live free!

[soviet123]

Praise the Lord, the Lord be praised.
Although he is not a Gen6 Lord, this is info good enough for me to start doing somethin'.
Last chance, Archos. I own your product...and you owe me everything beyond that.

[strangerbynight]

wow you've done it, too bad i had ran out of patience, bought the plugins, bored with the unit, sold it and bought 32Gigs ipod touch...wish i still have it so i can mess around even tho i don't own the 605 no more, i've been reading this forum ever since, and today i've come atlease 7 times just to find out if you keep your promises...good job..sorry for my english...

[pawstar]

Congratulations !!!

Thanks for doing this. Now, a quick question - did you by any chance disable the hard drive lock in the firmware? (This is the one thing that Archos did that really pissed me off! I bought a larger hard drive along side the 605 to swap in and was absolutely horrified that they deliberately disabled 3rd party hardware)

[serag]

running it now...system booted up fine(after watching the nice blue initialization screen)
and it seems to work as promised...lot's of new plugins listed
Thank you very much for releasing this for the few of us that held off upgrading for so long

Editting to add pic
sorry for the fuzzy pic, used my iPhone


and the new start up screen

http://www.youtube.com/watch?v=_ROEHgVQejE

[LInkAge]

Hey,

First of all, let me tell you, nice job !
It's good to see freedom being brought to the archos units finally.

I have just one question, what about >1.7.13 ?

From your post it seems you can hack >1.7.13 , why not let us enjoy the freedom too?

I don't think acrhos gonna open willingly their units, if only because most of the users already went past 1.7.13.

I'm asking you, can you post your hack for >1.7.13 now and save us the long wait?

[eagle1]

Whoaaa!

Thanks for sharing your knowledge with us!
I'll probably wont run it yet, but I'm saving the file and thread just in case!!!

Keep it going man, we need people like you on the community!

[grond]

those who upgraded past 1.7.13 are forever doomed to run 'archos approved' code... or are they??

This is the far more interesting part. The crypto code doesn't seem perfect but I didn't find any vulnerability nonetheless (perhaps I just haven't got the amount of time and skill required to find one). All you have showed so far was known to be possible and relatively easy. I'm not saying that it would be impossible to hack firmware versions after 1.7.13 but this requires two far more difficult things:

a) find a new root exploit
b) find a way to circumvent the flash lock

I'm not saying that it is impossible but again hacking 1.7.13 is probably just 5% of hacking 1.8.* If you can do it, well, where were you one and a half years ago?

BTW, did you compile your own kernel or did you modify the archos one?

[Logik]

if this hack could be implemented on the 604WiFi i would be installing it right away,
i heard that the 604WiFi could brick easier.

now i want to get hold of another archos 605WiFi with 17.x firmware!

[cyclonezephyrxz7]

Can anyone confirm that this works (besides the guy who already posted a screenshot)?

Grond can you confirm that this code is "safe" enough to not have a high brick rate?

I have a 605 WiFi 30GB...

[serag]

it seems to work for me(but i'm the guy that posted the screen shot)..only thing that doesn't seem to work now is mounting the partition in Linux...archos locks up. Other than that everything else seems to work fine
dmesg

Code: Select all

usb 1-2.4: new high speed USB device using ehci_hcd and address 6
usb 1-2.4: New USB device found, idVendor=0e79, idProduct=1312
usb 1-2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2.4: Product: a605
usb 1-2.4: Manufacturer: ARCHOS
usb 1-2.4: SerialNumber: xxxxxxxxxxxxx
usb 1-2.4: configuration #1 chosen from 1 choice
scsi7 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 6
usb-storage: waiting for device to settle before scanning
usb-storage: device scan complete
scsi 7:0:0:0: Direct-Access     Archos   PC Hard Drive    0316 PQ: 0 ANSI: 2
sd 7:0:0:0: [sdc] 58203495 512-byte hardware sectors: (29.8 GB/27.7 GiB)
sd 7:0:0:0: [sdc] Write Protect is off
sd 7:0:0:0: [sdc] Mode Sense: 0f 00 00 00
sd 7:0:0:0: [sdc] Assuming drive cache: write through
sd 7:0:0:0: [sdc] 58203495 512-byte hardware sectors: (29.8 GB/27.7 GiB)
sd 7:0:0:0: [sdc] Write Protect is off
sd 7:0:0:0: [sdc] Mode Sense: 0f 00 00 00
sd 7:0:0:0: [sdc] Assuming drive cache: write through
 sdc:<6>usb 1-2.4: reset high speed USB device using ehci_hcd and address 6
usb 1-2.4: device descriptor read/64, error -110
usb 1-2.4: device descriptor read/64, error -110
usb 1-2.4: reset high speed USB device using ehci_hcd and address 6
usb 1-2.4: device descriptor read/64, error -110
usb 1-2.4: device descriptor read/64, error -110
usb 1-2.4: reset high speed USB device using ehci_hcd and address 6
usb 1-2.4: device not accepting address 6, error -110
usb 1-2.4: reset high speed USB device using ehci_hcd and address 6
usb 1-2.4: device not accepting address 6, error -110
sd 7:0:0:0: Device offlined - not ready after error recovery
sd 7:0:0:0: [sdc] Unhandled error code
sd 7:0:0:0: [sdc] Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK,SUGGEST_OK
end_request: I/O error, dev sdc, sector 0
Buffer I/O error on device sdc, logical block 0
Buffer I/O error on device sdc, logical block 1

doing the same thing on a WinXP system also...system see's it then it locks up the archos

[grond]

Grond can you confirm that this code is "safe" enough to not have a high brick rate?

Me, the guy who only makes useless comments? I haven't got the time to look at the code but the addresses and all technical explanations archilles gave are correct.

I have a 605 WiFi 30GB...

The harddisk models are all the same. The problem with the 160G is true, we also hit on that. I don't know whether he inserted checking code for the 605F to not run the code because the hack won't work on the 605F. Don't try because I know that the 605F's bootloader is different (hacking it is as easy as hacking the 605-hdd but you really only have one try so it is easier to brick) and the above-mentioned addresses are different. So if the hack applies the patch in a blind-folded manner, it will break the bootloader and brick your precious 605F 1.7.13 device...

[archilles]

to answer a few questions:
the hdd_lock is removed. this was simple once the initramfs was extracted from the kernel. there are a few archos programs and scripts and the init script calls two programs hdd_lock and cramfschecker. they both return 0 upon success, so i just replaced them with echo, which returns 0. interesting to note that archos is violating the gpl by not releasing the source for these <-- at least i couldn't find it --> that are included in the kernel binary. shame shame archos.

i run some simple checks, and don't just blindly write flash. do i look like nintendo to you? see the latest wii fiasco to see what i mean. the checks make sure they replace the right instruction and will fail on different firmwares. but i should do something better. i think the next version of henripalooza will include crc checks to be absolutely sure.

the kernel is a bit unstable in this release, which is probably the problem with usb-store. easy enough to fix. i will post the extracted initramfs or instruction on how to extract it. then building your own kernel becomes very easy.

grond, do you know why the 160gb models don't work? their code is exactly the same. i just never cared enough to dig down into the code to find out why and the 160gb model is not mine.

i was in school one and half years ago and never would have had time to find this. i guess we can also thank the economy crisis for this hack, as not having a job frees up a lot of time to work on stuff like this.

now about the > 1.7.13 firmwares, i have a predicament which is why i must wait to release what i have. the gen6 boot0 rsa code has the same bug as the gen5 code. so if i release it, they can update the gen6 firmware and lock everybody out with fixed boot0 rsa code. so here's the plan. next month november 5 i will release a root exploit for gen6 and a freedom hack like this one. if archos releases a firmware update to lock the flash and doesn't fix the bug, then they can never close it. they will have to find it on their own, no 'free work' from me otherwise i will give everybody a couple months to get a stable hack release and then release the boot0 rsa hack. what i don't have yet is a root exploit for gen5, so i may have to find one or have the community help out. like i said, you are going to have to miss out on being the cool kid with a hacked archos for a while. you should not have upgraded.

be patient gen6 owners, freedom is coming to you too. until then, do not upgrade.

[soviet123]

Gen6 don't upgrade? I have 1.6.54 (un-downgradable) running and...
...will your liberation work on this version?

[raverx3m]

is it possible to modify the 1.7.13 firmware file so that archos player will see it as an upgrade and will accept it for install?

[niasork]

This is definitely good. I'm gonna try it right now.

EDIT: God! I'm only 1.3.53 ! Will it work? (I think it will, because it's < 1.7.13 but isn't there a problem with addresses or stg like that ?)

EDIT┬▓: After an update to 1.7.13 I tried it and IT WORKS indeed! Thank you very much archilles!!

[whye]

Confirmed! I'll post pics and video shortly.

[grond]

the kernel is a bit unstable in this release, which is probably the problem with usb-store. easy enough to fix. i will post the extracted initramfs or instruction on how to extract it. then building your own kernel becomes very easy.

At first I used the archos kernels with the module signature stuff removed. I just packed the modified cpio back into the kernel. At the time of the uname thread we had custom kernels running for the first time. We just didn't test this before but it was surprisingly simple to do.

grond, do you know why the 160gb models don't work?

I think the bootloader simply cannot access the second partition when the disk volume is that large. I'm not sure that Archos was aware of this.

now about the > 1.7.13 firmwares, i have a predicament which is why i must wait to release what i have. the gen6 boot0 rsa code has the same bug as the gen5 code.

The archos bootloader hasn't really changed over the generations. The x04 can be hacked just as easily as the x05 but the problem is that there seems to be only one kernel and therefore you only have one try to get a running kernel. In the A5/7 both kernels are in the bootflash as you will have found out by now. And yes, we have hacked the A5/7 already.

if archos releases a firmware update to lock the flash and doesn't fix the bug, then they can never close it.

I digged into the rsa code quite deeply and thought that there were several things to try to make it fail (or rather succeed) but I never had the time to do so. If you can disable the check even with the locked-down flash, then kudos.

what i don't have yet is a root exploit for gen5, so i may have to find one or have the community help out.

No luck so far. If you really want to look seriously, gdb and a modified 2.1.04 on a hacked device seem to be a good platform for searching exploits. And don't expect anything from a "community"...

[rusty]

Is there a version of Moldy Cheese in the works for the 605F? I have an hackable one. Happy to see progress, thanks Archilles.

[swec]

awesome archilles.

I am thinking.... if you have 1.7.13 and older version. run this to have it shows all the plugins and then update the firmware. would it stay?

Normally when upgrading firmware, all plugins will stay. using this method, would it possibly stay?

I will donate a pack of cheese to first one who wants to try it.

1.7.3 with archilles' hack, then update to 1.8.3+. If cheese pack is missing, then I will donate the pack to the first who tried it.

anyone.