Forum.ArchosFans.com
It is currently Thu Jul 31, 2014 4:19 am

All times are UTC + 1 hour



PostPosted: Wed Dec 23, 2009 5:04 am 
Archos Novice

Joined: Thu Oct 08, 2009 11:51 pm
Posts: 35
Hi guys,
I'm sorry to post this. I have been following this hacking section closely. I was away for about a week or 2, and now when I came back, things look completely different. Looks like there is some luck for firmware >1.7.13 (I have 1.8.07). I read through many threads and tried several different searches, but still couldn't figure out what/how.
Could anyone please be kind enough to point out if there is something meaningful available? If yes, then please post a link to the thread with instructions on how to do it.

I will very highly appreciate that.


PostPosted: Wed Dec 23, 2009 7:26 am
Archos Expert

Joined: Mon Jan 14, 2008 9:18 pm
Posts: 194
Quote:
-As of 12-07-09- It is possible to enable a hack dubbed GFT2 in Archos firmware 2.1.x as documented by maurice: http://www.unofgadgets.com/viewtopic.php?f=44&t=965 (as of now this does nothing to bootloader however, and is reset upon device powering off)


http://wiki.archosfans.com/index.php?ti ... s_605_WiFi

Essentially, we have what we have on the 605 1.7.13: a kludgy sort of root exploit, mostly only useful for the purpose of looking for/executing other arbitrary code (although I think someone said they got Qtopia going?)


PostPosted: Wed Dec 23, 2009 4:06 pm
Archos Novice

Joined: Thu Oct 08, 2009 11:51 pm
Posts: 35
I see. So it's not like moldy cheese, allowing access to plugins and stuff?


PostPosted: Wed Dec 23, 2009 9:23 pm
Archos Guru

Joined: Wed Nov 21, 2007 6:41 pm
Posts: 448
The GFT2 root exploit, once set up, is easy enough to use on firmwares up to 2.1.04, just that you require the additional step of browsing the samba share from a pc to activate it.

You can then hack it from an ssh session, even shutting down avos with:

Code:
kill `pidof avos_helper.sh`


This then enables you to run whatever code you want on the device. I have a complete autoconf compliant gcc development environment (so I can build most projects with the standard ./configure, make, make install steps (saves trouble of setting up an arm cross-compiler)) and handy tools like lsof, vim, netcat, python, perl, a fully enabled busybox etc. The compressed image for this is less than 30mb so I'll post it soon.

Main problem is no bootloader hack, so GFT2 has to be reapplied on each full power cycle.

I can even relaunch the hacked avos from moldy cheese with all plugins enabled, but wifi is disabled so most of them are useless, and the H264 video one I tested had syncing issues (picture is displayed diagonally). I'm close to working out how to reenable wifi but haven't got it yet. If anyone has managed to restart wifi after restarting avos this way please post (NB the wifi modules are not unloaded, but two sockets in /tmp disappear (wpa_ctrl*) and avos seems to control creating them). Without restarting avos, I can shutdown wifi and reenable it with wpa_supplicant and udhcpc commands (run 'ps' to see the format used), but it's a pain to test from ssh since once you lose the connection it's hard to debug (you need to launch a process in the background to log error messages and system status).

Once (and if) the wifi issue is sorted I'll post the method since it will enable you to test all plugins on >1.7.13 units.

FWIW I think achilles was bluffing about a bootloader hack for 2.1.04 firmwares, the cryptographic checks are tried and trusted, and it's just not feasible that you could get round them (and they can't be disabled).

But if anyone just wants an arm development system, then I'll post a link soon.

A little hint on hacking: get round the read-only root filesystem by copying directories to /mnt/system and do a bind mount, eg

mkdir /mnt/system/usr
cp -a /usr/bin /mnt/system/usr/
mount -o bind /mnt/system/usr/bin /usr/bin

Now everything in /usr/bin can be edited/replaced, including avos (type 'umount /usr/bin' to revert back to read-only)
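
A defender-side check for the bind-mount trick in the post above, as an added example that is not part of the original post: it reads mountinfo-format lines and reports writable mounts placed over system directories. The sample lines, device names and the list of watched directories are constructed for illustration, and it assumes a kernel that provides /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example: report writable mounts that shadow system directories.
# mountinfo fields:
#   id parent major:minor root mountpoint options [optional...] - fstype source superopts

shadowed_system_dirs() {
    # Reads mountinfo-format text from the named file, or stdin when no file is given.
    awk '
    {
        root = $4; mp = $5
        # Only mounts on (or below) the watched directories are of interest.
        if (mp !~ /^\/(bin|sbin|lib|usr|etc)(\/|$)/) next
        # Per-mount options: keep only mounts that are writable.
        writable = 0
        n = split($6, opt, ",")
        for (k = 1; k <= n; k++) if (opt[k] == "rw") writable = 1
        if (!writable) next
        # fstype and source follow the "-" separator.
        for (i = 7; i <= NF; i++) if ($i == "-") break
        src = $(i + 2)
        # root != "/" means a subdirectory of another filesystem was bind mounted here.
        kind = (root == "/") ? "overmount" : "bind"
        print kind, mp, src ":" root
    }' "$@"
}

sample_mountinfo() {
    # Constructed sample: read-only cramfs root, writable /mnt/system,
    # and /mnt/system/usr/bin bind mounted over /usr/bin.
    cat <<'EOF'
14 1 31:2 / / ro - cramfs /dev/root ro
15 14 0:3 / /proc rw - proc proc rw
16 14 0:12 / /tmp rw - tmpfs tmpfs rw
20 14 31:5 / /mnt/system rw - ext3 /dev/mtdblock5 rw
21 14 31:5 /usr/bin /usr/bin rw - ext3 /dev/mtdblock5 rw
EOF
}

sample_mountinfo | shadowed_system_dirs
```

On a live system, run `shadowed_system_dirs /proc/self/mountinfo`; the 'umount /usr/bin' mentioned in the post removes the reported mount.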


PostPosted: Wed Dec 23, 2009 10:53 pm
Archos Novice

Joined: Thu Oct 08, 2009 11:51 pm
Posts: 35
Not being able to fully reboot is not an issue I guess. I can do with suspend only each time. But you are right, wifi is the main issue. I'll wait till someone figures it out.
Thanks


PostPosted: Wed Dec 23, 2009 11:00 pm
Archos Guru

Joined: Thu Nov 23, 2006 10:37 pm
Posts: 627
Location: Berlin
sideways wrote:
I can even relaunch the hacked avos from moldy cheese with all plugins enabled, but wifi is disabled so most of them are useless


We hit on that problem before. I think you need to unload the wifi module before restarting avos. That and perhaps some others. Otherwise avos tries to insert it a second time and fails. Since avos doesn't expect the module to already be in place, it just assumes that something is broken (the insmod returned an error) and does not power up the wifi.

_________________
openAOS


PostPosted: Thu Dec 24, 2009 7:19 pm
Archos Guru

Joined: Wed Nov 21, 2007 6:41 pm
Posts: 448
grond wrote:
sideways wrote:
I can even relaunch the hacked avos from moldy cheese with all plugins enabled, but wifi is disabled so most of them are useless


We hit on that problem before. I think you need to unload the wifi module before restarting avos. That and perhaps some others. Otherwise avos tries to insert it a second time and fails. Since avos doesn't expect the module to already be in place, it just assumes that something is broken (the insmod returned an error) and does not power up the wifi.


I tried unloading the wifi module sd8xxx.ko, in fact it won't unload unless I unload several other modules:

rmmod sd8xxx sdio af_packet sdio_host_davinci sdio_dma_davinci sdio_core

But when avos restarts it doesn't re-enable wifi (get "Wifi Error" popup), and if I try to manually reload the modules (using 'insmod /lib/modules/sdio-core.ko' etc) they all load except for sd8xxx.ko, with a dmesg error saying no helper program found (or something similar), even though helper_sd.bin and the firmware sd8686.bin are in /usr/share/fw (I even tried bind mounting /usr/lib and creating a firmware/mrvl directory for them as per official marvell docs, but doesn't help)

Note that this is on 2.1.04 firmware so things may have changed since 1.7.13. (Another big problem is that strace doesn't work in this firmware, I get ptrace(PTRACE_TRACEME, ...) Not permitted errors even from my own compiled programs, I checked /proc/sys/kernel/cap-bound but it's not disabled there)


PostPosted: Mon Dec 28, 2009 10:01 am
Archos Novice

Joined: Wed Dec 16, 2009 2:48 am
Posts: 10
If I remember my sd8xxx stuff I did, you need to pass it a few command line arguments like modprobe sd8xxxx.ko helper_bin=/path/to/helper-sd.bin fw_bin=/path/to/firmware or something.

Those aren't the exact arguments (they'll be in the binary, so you can probably interrogate it to find out what the real arguments are).


PostPosted: Wed Dec 30, 2009 7:45 pm
Archos Guru

Joined: Wed Nov 21, 2007 6:41 pm
Posts: 448
ok, finally got it (enabling wifi dialogs after restarting avos), this is for archos 605 wifi with 2.1.04 firmware

Now you can run the hacked avos from moldy cheese on 2.1.04 firmware units via the GFT2 hack, which enables you to try out all the plugins to see if they are worth paying for :p

The tricky bit was working out how to unload the wifi module and then reload sufficient modules to enable avos to restart cleanly, I also needed to bind mount /usr/bin so that I can replace /usr/bin/avos with the hacked version and ensure all child avos sessions run the hacked version.

Get the hacked avos binary from moldy_cheese_v.0.2_stable: http://archos-liberation-front.googleco ... stable.zip (check for updates http://code.google.com/p/archos-liberation-front/ ), unzip the file, and (assuming you are running linux) mount the rootfs.cramfs.secure with:

mkdir /mnt/tmp
mount -o loop,offset=256 rootfs.cramfs.secure /mnt/tmp

then avos is in /mnt/tmp/usr/bin (windoze users will have to do something else, like not use windoze)
UPDATE: see my 2nd post below for a direct link to avos binary

create a textfile called restartavos.sh (or download it http://www.jbg.f2s.com/archos605/restartavos.sh ):

Code:
#!/bin/sh
# redirect all output to restartavos.log
exec > /mnt/system/restartavos.log 2>&1

echo "killing network services..."
killall smbd
killall nmbd
killall downloadd
killall upnpd
killall sshd

rm -f /tmp/smbd.pid
rm -f /tmp/nmbd.pid
rm -fr /tmp/download*
rm -f /tmp/upnpd.pid
rm -fr /tmp/upnpd
rm -f /tmp/sshd.pid

echo "killing udhcpc..."
killall udhcpc
rm -f /tmp/resolv.conf
rm -f /tmp/udhcpc.vars
rm -f /tmp/udhcpc.pid

echo "killing wpa_supplicant..."
killall wpa_supplicant
rm -f /tmp/wpa_supplicant/eth0
rm -f /tmp/wpa_ctrl*

echo "bringing eth0 down..."
ifconfig eth0 down

echo "removing modules..."
rmmod sd8xxx sdio af_packet sdio_host_davinci sdio_dma_davinci sdio_core

echo "killing avos..."
kill `pidof avos_helper.sh`

echo "inserting modules..."
insmod /lib/modules/sdio-core.ko
insmod /lib/modules/sdio_dma_davinci.ko
insmod /lib/modules/sdio_host_davinci.ko
insmod /lib/modules/af_packet.ko

echo "restarting avos (2.1.04 unlocked)..."
mount -o bind /mnt/system/bin /usr/bin
/usr/bin/avos &

echo "restarting sshd..."
/tmp/ssh/sshd -f /tmp/ssh/sshd_config
#/mnt/data/arcwelder/install



copy avos and restartavos.sh to top directory on your archos samba share (or from usb), then from a GFT2 ( http://bit.ly/8lSFiC ) ssh session do:

cp -a /usr/bin /mnt/system
cp /mnt/data/avos /mnt/system/bin/
cp /mnt/data/restartavos.sh /mnt/system
chmod +x /mnt/system/restartavos.sh


Then, the only line you have to type in future to launch the hacked avos is:

/mnt/system/restartavos.sh &

(don't forget the ampersand)

Now try the plugins, eg
Video -> WebTV
Music -> Web Radio

==========================================================================

I also put together a gcc development environment, plus some extras like lsof, bc, SDL, sed (full version), gawk (full version) , python, microperl, vim (with syntax highlighting etc), full (static compiled) busybox

http://www.jbg.f2s.com/archos605/armx.ext3.gz (~29mb)
http://www.jbg.f2s.com/archos605/setpaths.sh

(unzip armx.ext3 first) and copy both files to /mnt/data on the archos, run '. /mnt/data/setpaths.sh' (don't forget the dot) from an ssh session to enable the environment, home dir will be /mnt/system/armx, which is loop mounted on the ext3 image. (you can copy everything to /mnt/system instead of using a loop mount, but it'll use ~80mb which doesn't leave much space for compiling projects etc)

python can do cool stuff like control the volume and share current directory over http using 'python -m SimpleHTTPServer' so you can copy files from a remote machine with http://<ip_of_archos>:8000/filename. (I added two functions in the setpaths.sh script for these)

Most C projects will compile using the sequence:

tar xvf project.src.gz
cd project
./configure --prefix=/mnt/system/armx/usr
make
make install

(complex projects with ncurses based 'make menuconfig' will also work) it saves using a cross-compiler but is slower (obviously), using 'time make' I got the following performance on an archos 605 30GB:

SDL ~17 mins, SDL_Mixer ~7 mins, lsof ~2 mins, vim ~17 mins, bc 1m40secs, sed ~3mins

(NB to stop avos use 'kill `pidof avos_helper.sh`', see the restartavos.sh script for how to restart it cleanly)



EDIT (fyi):

If you search the avos binary for strings then you find how it loads sd8xxx.ko, which is something like:
if [ ! -f /tmp/sd8686.bin ]; then cp /usr/share/fw/* /tmp/; fi
insmod /lib/modules/sd8xxx.ko mfgmode=0 helper_name=/tmp/helper_sd.bin fw_name=/tmp/sd8686.bin

for some reason the firmware has to be in /tmp, doesn't work otherwise. But you must let avos do this, if you do it manually avos throws errors.


Last edited by sideways on Thu Dec 31, 2009 12:29 am, edited 6 times in total.
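
A way to confirm the offset used in the mount command in the post above, as an added example that is not part of the original post: the script looks for the cramfs superblock (magic 0x28cd3d45, followed at +16 by the string "Compressed ROMFS") and prints the byte offset where it starts. The function names and the sample image are constructed for illustration, and a little-endian image is assumed.

```shell
#!/bin/sh
# Added example: locate a cramfs superblock inside a wrapped image file.
# Superblock layout: +0 u32 magic 0x28cd3d45, +4 size, +8 flags, +12 future,
#                    +16 char signature[16] = "Compressed ROMFS"
# Little-endian assumed, so the magic is stored as the bytes 45 3d cd 28.

is_cramfs_at() {    # usage: is_cramfs_at FILE OFFSET
    magic=$(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "453dcd28" ] || return 1
    # Check the signature string too, so a chance match on four bytes is rejected.
    sig=$(dd if="$1" bs=1 skip=$(( $2 + 16 )) count=16 2>/dev/null | tr -d '\000')
    [ "$sig" = "Compressed ROMFS" ]
}

find_cramfs_offset() {    # usage: find_cramfs_offset FILE [MAX_OFFSET]
    off=0
    max=${2:-4096}
    # Scan on 4-byte boundaries and print the first offset that holds a superblock.
    while [ "$off" -le "$max" ]; do
        if is_cramfs_at "$1" "$off"; then
            echo "$off"
            return 0
        fi
        off=$(( off + 4 ))
    done
    return 1
}

make_sample_image() {    # constructed image: 256 filler bytes, then a superblock header
    {
        dd if=/dev/zero bs=1 count=256 2>/dev/null
        printf '\105\075\315\050'                    # magic, little-endian
        dd if=/dev/zero bs=1 count=12 2>/dev/null    # size, flags, future (zero in this sample)
        printf 'Compressed ROMFS'                    # signature
        dd if=/dev/zero bs=1 count=32 2>/dev/null
    } > "$1"
}

img=$(mktemp)
make_sample_image "$img"
find_cramfs_offset "$img"    # the value to pass to mount -o loop,offset=
rm -f "$img"
```

The printed offset is also the number of bytes to skip when copying the filesystem out of the image on a machine that cannot loop mount it.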

PostPosted: Wed Dec 30, 2009 10:05 pm
Archos Guru

Joined: Tue Dec 04, 2007 9:48 pm
Posts: 595
Great work sideways,

I will try it tomorrow, my wife is now watching some sweet comedy on my 605 :D
I wished we would find a way to survive a reboot, but I think with the current firmware it is not possible.
But who knows, maybe archos will be so kind to release a SDE version for the 605 also.
Thanks for your hard work :)

Maurice 8)


PostPosted: Wed Dec 30, 2009 11:26 pm
Archos Guru

Joined: Wed Nov 21, 2007 6:41 pm
Posts: 448
cheers :)

This method is completely safe, since everything is reset after a full power cycle (but plugins do remain active after suspend/resume), so it may be of interest for people who don't want to risk a flashmod with the full moldy cheese hack on 1.7.13 firmware units.

Even though the initial setup is quite involved (Apply GFT2, then copy across the hacked avos binary and the restartavos.sh script) afterwards it's quite quick to reapply (start wifi + file server, browse the samba share from a pc, then from an ssh session run '/mnt/system/restartavos.sh &')

I may replace my dead a605 battery now, atm I run from ac power anyway, so never need a full power cycle


PostPosted: Thu Dec 31, 2009 12:09 am
Archos Novice

Joined: Wed Sep 17, 2008 7:30 pm
Posts: 38
Location: Russia
Thanks!
This is an excellent gift for the New Year!
Happy New Year!

But I can't do
Quote:
and (assuming you are running linux) mount the rootfs.cramfs.secure with:

mkdir /mnt/tmp
mount -o loop,offset=256 rootfs.cramfs.secure /mnt/tmp

then avos is in /mnt/tmp/usr/bin (windoze users will have to do something else, like not use windoze)

Because I have Windoze)) XP
Maybe there is some other way from it?
I can install virtual machine (Vmware with linux), but it's a long and hard way...
:)
Thanks!!!


PostPosted: Thu Dec 31, 2009 12:22 am
Archos Guru

Joined: Wed Nov 21, 2007 6:41 pm
Posts: 448
ok, since you asked nicely...

LINK REMOVED since GFT3 unlocks avos during the install provided you have 2.1.04 firmware (if you don't you may as well use moldy cheese flashrom hack for 1.7.13 firmwares, or upgrade to 2.1.04 for later firmwares)

(gzipped 2.1.04 avos (hacked), may not be a permanent link so get it while it's fresh ;) )


Last edited by sideways on Tue Jan 12, 2010 3:31 pm, edited 1 time in total.

PostPosted: Thu Dec 31, 2009 1:01 am
Archos Novice

Joined: Wed Sep 17, 2008 7:30 pm
Posts: 38
Location: Russia
Thanks!!! It works great! :D I waited for this for almost two years)


PostPosted: Thu Dec 31, 2009 8:10 am
Archos Expert

Joined: Mon Jan 14, 2008 9:18 pm
Posts: 194
hey thanks sideways! I'm gunna look at the hacked avos to understand the checks that have been disabled for the 4gb

I know it's only two command lines but I've been lazy :D

does anyone have any suggestions for bypassing bootflash lock on >1.7? maybe I'm wrong but seems like there has to be some way to write to it if a firmware update can (which I may be wrongly assuming?)


PostPosted: Thu Dec 31, 2009 11:33 am
Archos Guru

Joined: Tue Dec 04, 2007 9:48 pm
Posts: 595
@ sideways it works perfect, like I already suspected the Web TV/radio isn't worth paying for. It is however nice to have the realmedia, my wife has some asian dramas that are in this format.
Since the hack doesn't survive a reboot I think this is the only useful option we can get out of the GFT2 hack. Besides of course playing around with the linux build.
I just wanted some nice little programs like an e-book reader, text editor, commandline access, but without surviving a reboot these will be useless, because I wanted to use them on the go.

Quote:
does anyone have any suggestions for bypassing bootflash lock on >1.7? maybe I'm wrong but seems like there has to be some way to write to it if a firmware update can (which I may be wrongly assuming?)


Of course a firmware update is able to write to the flash; one big problem: those files are signed so it is not possible to create our own.
Before someone begins again yelling about brute force:
Like many times said before you can't just use brute force attack to get the signatures. It will take a lifetime and more. If you don't believe it try it yourself on a simple password.

With firmwares 1.7.13 and below you can write to the flash when you have access to the commandline. In firmwares bigger than 1.7.13 this feature is locked.

The only options IMO are:

1) Archos to release a firmware update with SDE
2) Access to Jtag and write to the flash directly.

The last option would be very difficult if even possible and needs some serious hardware knowledge and skills.

Maurice 8)


PostPosted: Thu Dec 31, 2009 3:10 pm
Archos Novice

Joined: Wed Sep 17, 2008 7:30 pm
Posts: 38
Location: Russia
Maybe we can change archos serial number?
And install plugins for it with new sn. :?:
Perhaps then it will work after reboot ...


PostPosted: Thu Dec 31, 2009 9:38 pm
Archos Guru

Joined: Wed Nov 21, 2007 6:41 pm
Posts: 448
we don't need a flash hack, we just need to be able to run a shell script from the avos interface without the GFT2 hack. GFT2 gives us root access which is pretty powerful, as demonstrated, we can launch any program we want including hacked avos or any other compatible os

Problem is, people don't want the hassle of applying GFT(2) every time, we just need to find a weakness in avos (or anywhere else) which will enable a script to be run from /mnt/system simply by tapping an icon on the interface (hopefully without needing to activate wifi either).

This should not be too difficult to find now that root access is available to assist investigation, I reckon I'll manage something early in the new year, watch this space :)

(If Archos release an SDE firmware update I'll keep quiet(ish) )

EDIT: btw, to avoid using ssh every time to relaunch avos, you can put the '/mnt/system/restartavos.sh &' command at the end of the arcwelder install script, then avos will restart as soon as you browse the samba share from a pc (or wherever).


PostPosted: Fri Jan 01, 2010 11:31 am
Archos Expert

Joined: Mon Jan 14, 2008 9:18 pm
Posts: 194
you can't create a pdf launcher as demonstrated previously??


PostPosted: Fri Jan 01, 2010 12:23 pm
Archos Guru

Joined: Tue Dec 04, 2007 9:48 pm
Posts: 595
Quote:
you can't create a pdf launcher as demonstrated previously??


Yes you can, but after a reboot it has to be recreated just like with the earlier GFT hack.
To clarify my answer: It is possible to install the Qtopia release from the openpma guys, but like before after a reboot you still had to run the GFT hack to enable it again. This will be the same with the GFT2 exploit.

I forgot indeed the third option for running a script on startup, or another exploit that doesn't need wifi. I have however searched a lot to accomplish this, but I couldn't find one. I will take a look at it again.
Problem is however most of the system files are in the cramfs files which are signed and can't be changed.
I hope sideways got some ideas, he has a lot more knowledge about linux than I do. :)

Maurice 8)

btw happy new year to all.

