Forum.ArchosFans.com

PostPosted: Wed Jun 17, 2009 1:43 pm
Archos Guru

Joined: Mon Feb 09, 2009 4:22 pm
Posts: 536
A private key and HDD serial number are two different things. The private key just encrypts the information we see. The serial helps the firmware see the HDD, basically anyways.


PostPosted: Wed Jun 17, 2009 4:13 pm
Archos Guru

Joined: Thu Nov 23, 2006 10:37 pm
Posts: 627
Location: Berlin
brdystyls wrote:
A private key and HDD serial number are two different things. The private key just encrypts the information we see.


I know what a private key is and what an HDD serial number is. The thing is that the HDD lock is based on a 1024-bit RSA keypair. If a firmware update locks the HDD currently present in the Archos to the Archos, this means that the update can produce a valid signature, which again means that the private key must be present in the firmware. Or: if a publicly available firmware upgrade can lock the x04 to a given HDD, it should in theory be possible to lock the x04 to just any HDD by extracting, appropriately modifying and running the portion of code used for locking the HDD.

EDIT: the HDD lock used in the x04 could of course be different from that of the x05, which is based on RSA keypairs. I have analysed the x05 bootloader in detail but have only had a short look at that of the x04. However, the x04 bootloader appeared to be very similar to that of later devices, to say the least.

_________________
openAOS


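A toy model of the RSA argument in the post above, added here as an illustration (it is not code from the thread, from openAOS or from Archos, and the small primes and serial strings are constructed): the boot code needs only the public half (n, e) to check a lock record, so whatever component can produce valid records for arbitrary drives must carry the private exponent d. If a distributable update does that, d ships with it.

```python
# Added illustration of the RSA-lock argument: verification needs only (n, e),
# producing a lock record needs d.  Toy parameters, NOT the Archos keys.
import hashlib
from math import gcd

# Constructed toy keypair from two known primes so it runs instantly.
# A real device key is 1024 bits or more; the structure is the same.
P, Q = 1000003, 2147483647
N = P * Q
E = 65537
assert gcd(E, (P - 1) * (Q - 1)) == 1
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent

PUBLIC_KEY = (N, E)    # all the bootloader needs to check a lock
PRIVATE_KEY = (N, D)   # what anything that CREATES locks must hold


def serial_digest(serial: str, n: int) -> int:
    """Map a drive serial to an integer below n (toy; real schemes pad)."""
    h = hashlib.sha256(serial.encode()).digest()
    return int.from_bytes(h, "big") % n


def make_lock_record(serial: str, private_key) -> int:
    """Sign the serial digest: this is the step that binds a drive."""
    n, d = private_key
    return pow(serial_digest(serial, n), d, n)


def bootloader_accepts(serial: str, lock_record: int, public_key) -> bool:
    """What the boot code does: recover the digest with e and compare."""
    n, e = public_key
    return pow(lock_record, e, n) == serial_digest(serial, n)


def lock_survives_drive_swap(locked_serial: str, new_serial: str) -> bool:
    """A record made for one drive must be rejected for another."""
    rec = make_lock_record(locked_serial, PRIVATE_KEY)
    return bootloader_accepts(new_serial, rec, PUBLIC_KEY)


if __name__ == "__main__":
    serial = "CONSTRUCTED-SERIAL-001"      # constructed sample value
    rec = make_lock_record(serial, PRIVATE_KEY)
    print("device accepts its own drive:", bootloader_accepts(serial, rec, PUBLIC_KEY))
    print("same record on a swapped drive:",
          lock_survives_drive_swap(serial, "CONSTRUCTED-SERIAL-002"))
```

The only input to `bootloader_accepts` is the public key, so a lock scheme is only as strong as the secrecy of `D`; a per-device secret in one-time-programmable storage would avoid shipping a global private key at all.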
PostPosted: Thu Jun 18, 2009 8:22 am
Archos Novice

Joined: Thu Nov 01, 2007 11:15 pm
Posts: 31
I think it is hidden in the aos file, encrypted somewhere. But the decrypting algorithm is not that simple to reverse, especially when it is based on the data from the flash. It's a modified AES.


PostPosted: Thu Jun 18, 2009 10:36 am
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
b0hoon wrote:
I think it is hidden in the aos file, encrypted somewhere. But the decrypting algorithm is not that simple to reverse, especially when it is based on the data from the flash. It's a modified AES.

Hm... I don't see the key anywhere in the file (decrypted of course). And the decrypting algorithm isn't all that bad to reverse. But you are correct in that you need the AES key from the flash. Once you have that though, it's only a day's work.


PostPosted: Thu Jun 18, 2009 11:11 am
Archos Novice

Joined: Thu Nov 01, 2007 11:15 pm
Posts: 31
So... you've decrypted the aos file, maybe you could share it with us, please?

And you must have flash image too... :shock:


PostPosted: Thu Jun 18, 2009 8:49 pm
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
Yes, I have the flash image. And I could post the decrypted .aos file, but what does that accomplish? The problem here is that few people have the initiative to dig in and figure things out for themselves. I've already said that reversing the encryption would only take about a day's worth of work. Yet nobody steps up to the plate.


PostPosted: Thu Jun 18, 2009 9:01 pm
Archos Guru

Joined: Mon Feb 09, 2009 4:22 pm
Posts: 536
How about just the process of decrypting the file.


PostPosted: Thu Jun 18, 2009 9:56 pm
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
Dude, AES. I'm not going to teach a crypto class here, and again, something that you should go and figure out.


PostPosted: Thu Jun 18, 2009 10:04 pm
Archos Guru

Joined: Mon Feb 09, 2009 4:22 pm
Posts: 536
Uh, just want the process you used, not a crypto class or anything such as that. Geesh. :roll:


PostPosted: Thu Jun 18, 2009 10:09 pm
Archos Novice

Joined: Tue Jan 01, 2008 10:02 am
Posts: 18
Yes, please share as much info with us as you can. My #1 priority with my 605 right now is to get a 250GB hdd I bought for it to work.


PostPosted: Thu Jun 18, 2009 10:56 pm
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
brdystyls wrote:
Uh, just want the process you used, not a crypto class or anything such as that. Geesh. :roll:

Process? The process for decrypting the file is this: take the decrypted file and use a slightly modified AES algorithm to produce an unencrypted file.


PostPosted: Thu Jun 18, 2009 11:15 pm
Archos Guru

Joined: Mon Feb 09, 2009 4:22 pm
Posts: 536
This is all I heard.

Q: How much bread do you want?
A: Buttered Toast


PostPosted: Fri Jun 19, 2009 12:08 am
Archos Guru

Joined: Mon Feb 09, 2009 4:22 pm
Posts: 536
May I also add, since he isn't talking, he's probably lying.


PostPosted: Fri Jun 19, 2009 8:44 am
Archos Novice

Joined: Thu Nov 01, 2007 11:15 pm
Posts: 31
A day's work... wow! Read the flash, disassemble the code, reverse the algorithm, then write the tool and decode the file. You are a god to me, CheBuzz. :P

You must be very good at assembler reverse engineering, CheBuzz, so I have a very simple question that you must know the answer to (if you did what you are saying): which byte or bytes written in the aos file decide whether the file is encrypted or not (it's always encrypted, but it doesn't have to be)? What values can it have? C'mon... it's not even connected with AES (which must be perfectly known to you).


PostPosted: Fri Jun 19, 2009 9:08 am
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
brdystyls wrote:
May I also add, since he isn't talking, he's probably lying.

Oh no! Now I have to tell everything to prove that I'm not lying. Whatever shall I do?!

First thing, I have nothing to prove to you. But just for the sake of letting you know that it is possible:
Sig verified with A604 MPK

CIPH found.
MAGIC: 000BF959
IV: EFE02650CC5A198889AA831B9D2EC23F
UNIT size:48 intended unit: a604wifi
VERS size:32 version: 1.6.53
TIME size:416
FLSH size:32784 offset:0
FLSH size:69296 offset:196608
FLSH size:8208 offset:32768
FLSH size:1437792 offset:327680
FLSH size:12448 offset:1835008
COPY size:8290832 filename:rootfs.cramfs.secure
COPY size:16318736 filename:optfs.cramfs.secure
DLET size:272 filename:opt.cramfs
DLET size:272 filename:System/LANG_CS.ALZ
DLET size:272 filename:System/LANG_ES.ALZ
DLET size:272 filename:System/LANG_HE.ALZ
DLET size:272 filename:System/LANG_HU.ALZ
DLET size:272 filename:System/LANG_IT.ALZ
DLET size:272 filename:System/LANG_NL.ALZ
DLET size:272 filename:System/LANG_PT.ALZ
DLET size:272 filename:System/LANG_RU.ALZ
DLET size:272 filename:System/LANG_SC.ALZ
DLET size:272 filename:System/LANG_TC.ALZ
DLET size:272 filename:System/LANG_SV.ALZ
DLET size:272 filename:System/LANG_DA.ALZ
DLET size:272 filename:System/LANG_FI.ALZ
DLET size:272 filename:System/LANG_NO.ALZ
COPY size:70704 filename:System/lang_cs.alz
COPY size:74224 filename:System/lang_es.alz
COPY size:74096 filename:System/lang_he.alz
COPY size:72912 filename:System/lang_hu.alz
COPY size:72240 filename:System/lang_it.alz
COPY size:72000 filename:System/lang_nl.alz
COPY size:71872 filename:System/lang_pt.alz
COPY size:94928 filename:System/lang_ru.alz
COPY size:66160 filename:System/lang_sc.alz
COPY size:66720 filename:System/lang_tc.alz
DLET size:272 filename:System/lang_sv.alz
DLET size:272 filename:System/lang_da.alz
DLET size:272 filename:System/lang_fi.alz
DLET size:272 filename:System/lang_no.alz
DLET size:272 filename:opera_home/op_config.conf
DLET size:272 filename:opera_home/opera.ini
ADEL size:16 value:1

b0hoon:
1) that answers your question about the magic I believe?
2) a day's work was referring to figuring out the AES part. Reading the flash took me about a week, and before that I knew absolutely nothing about ARM assembly. So believe me when I say it is possible, but almost nobody ever shows the initiative to get off their ass and do it.


PostPosted: Fri Jun 19, 2009 9:37 am
Archos Novice

Joined: Thu Nov 01, 2007 11:15 pm
Posts: 31
CheBuzz wrote:
1) that answers your question about the magic I believe?

That's correct.

You are really very good at reverse engineering, and you are a very talented man then.

CheBuzz is not lying; the UNIT, VERS, TIME, etc. blocks in the listing are real blocks after decryption.
Ok then, you don't want to share your work with us, I understand it :).

But I have a question: how did you read the flash? SSH and some self-made tool?


PostPosted: Fri Jun 19, 2009 11:55 am
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
b0hoon wrote:
Ok then, you don't want to share your work with us, I understand it :).

But I have a question: how did you read the flash? SSH and some self-made tool?

1) It's not that I don't want to share my work. I would love to make everything open. But until things can be cracked wide open in the latest generation (hint hint), I don't want to give anything away to Archos.

2) Reading the flash is really easy. Once I spent the week learning to read ARM assembly and figured out what format things needed to be in, writing the tool seriously only took 20 minutes. But you do need execute access on the Archos (i.e. à la GFT).

And finally, I'm not a master hacker. Just better than grond ;)


PostPosted: Fri Jun 19, 2009 1:02 pm
Archos Guru

Joined: Thu Nov 23, 2006 10:37 pm
Posts: 627
Location: Berlin
CheBuzz wrote:
And finally, I'm not a master hacker. Just better than grond ;)


Haha, now I know what joke you were talking about when you said you hoped I could take a joke. Haha. You f*cker.

;)

_________________
openAOS


PostPosted: Sat Jun 20, 2009 4:23 am
Archos Guru

Joined: Thu Sep 06, 2007 4:12 am
Posts: 397
CheBuzz if this is real (and I think it is), you're a beast.

Can you PM me with more details about the hack, or at least answer two questions?

Did you need to use a hardware hack to read the flash, or was it accessible through hardware?

Is the flash writeable through the same method?


PostPosted: Sat Jun 20, 2009 9:48 am
Archos Guru

Joined: Fri Aug 15, 2008 12:14 pm
Posts: 274
Tell you what, I'll do half the work for you. Since I don't have a 604 and don't plan on working on it, here are the 604wifi's AES and RSA keys, respectively:

0649c342b772684134391f2a62448062
7f7a90c1581c29bfc5567ca75b892d1520658024f85f60fd6433cdaee3b7c512f57e8b1467f35c4ff635de91e50e6d26a9d070fd9be8455e09f52f58b27b2649e39b50c85dcea11385831559f8d2dcc9a4d232d20519b6d94053a77c1bf5b8dc8ce97254dd6348acb0429e9a743cd4475d4d8a52726fc7865ecfa32840a47abd

There you go. Now you have everything you need to decrypt the AES files (even verify it if you want) and start hacking away at it.

