by grond
Fri Jan 04, 2008 5:54 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

I guess the question now is what's next? I think we need to look into ioctl'ing the /dev/flashrw, right? Great work! Actually, this is the point were some people can start implementing a new environment e.g. qtopia-based which could be started on the 605 using the exploit. At the same time looking ...
by grond
Fri Jan 04, 2008 3:23 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Note though that /opt can't be umounted while the smbpasswd screen is active, so putting that bit in an initialising script using the GFT hack may be tricky. Shouldn't that be possible with a background process started from the script which will comprise a periodic check whether /opt can be umounted (i....
by grond
Fri Jan 04, 2008 12:01 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Boot trace

Other information, the confirmation of the use of regular lock method to secure the flash. I have just disassembled the flashrw.ko module with IDA. The INTEL_FLASH_lock looks like: // 1st flash command : lock block (0x60 0x01) // 2d flash command : Read Device Identifier (0x90) According to the tab...
by grond
Fri Jan 04, 2008 1:12 am
Forum: Open Development
Topic: I have made another step towards runtime execution of Code
Replies: 8
Views: 2232

Re: I have made another step towards runtime execution of Co

!!! REMEMBER !!! It is highly likely that inserting code into the running system will make the Unit unbootable. This is due to the fact that the Archos Firmware images contain File System Containers that are digitally signed. Not sure what you are up to but you surely can't modify the contents of t...
by grond
Fri Jan 04, 2008 12:32 am
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Hello, I come from archoslounge and I tested that with 1.7 firmware. I put the files in root and rebooted but nothing has changed. Is it all that we have to do: put the files in root? Yes. Unfortunately it appears as if this hole (which was much bigger than the one discovered by fiat) has been fi...
by grond
Thu Jan 03, 2008 11:57 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Coderjoe wrote:Okay. What I discovered will allow you to execute stuff on every boot, without needing the wifi.
As discussed in #x04 on freenode, Coderjoe runs an older firmware version (1.3.04). Could anyone please verify that this BIG hole exists in the recent 1.7.x firmware?
by grond
Thu Jan 03, 2008 6:01 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

kitsonk wrote:Seems we have a winner:
Seems we have two winners. It kind of puzzles me that both modules have the logic for accessing and closing the flash, but on second thought this makes some sense.
by grond
Thu Jan 03, 2008 5:39 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Just some other information: # modinfo flashrw.ko filename: flashrw.ko alias: char-major-10-243 license: Proprietary description: Secure Flash Driver for the Archos AVx04.series author: Honore Sossougah depends: vermagic: 2.6.10_mvl402 ARMv5 gcc-3.4 Could you make a "strings flashrw.ko" and see if ...
by grond
Thu Jan 03, 2008 5:36 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Boot trace

I have the 605, but I am having issues building the toolchain, etc. Didn't fiat put some modules up on the arcwelder site? I just wonder with the anti-hacking developer how much he/she suspected that we would never get root. The fact that the non-signed cramfs stuff can be loaded by the OS is a goo...
by grond
Thu Jan 03, 2008 3:20 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Secondly is there any reason why the sshd can't be started from inittab so we don't need to run the hack every time? Yes, there is a reason. The base system is protected by a cryptographic signature which will be checked by the bootloader prior to booting the device. If only one bit of the rootfs i...
by grond
Thu Jan 03, 2008 3:01 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Boot trace

You are just being too realistic... ;) Sorry, I just know that archos r&d invested quite some work into making the x04/x05 pretty hard to hack. They even hired a new developer just for the task. Last summer, dm8tbr, me and some guys from the archopen project spent some time analysing the x04 and co...
by grond
Thu Jan 03, 2008 2:25 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Boot trace

It appears that they are using David Howells' MODSIGN. In theory replacing the kernel would alleviate this. Replacing the kernel would require breaking the bootloader first. Which is probably locked by the kernel during kernel init... :( Also, this interesting bit: If CONFIG_MODULE_SIG_FORCE is enab...
by grond
Thu Jan 03, 2008 1:31 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Boot trace

Excuse me.... isn't that the public key, and the hdd check????!!! Yes, probably. Initializing Cryptographic API ksign: Installing public key data Loading keyring - Added public key 2916424E660B08AA This is a 128bit key. So we might be able to crack it (i.e. find the corresponding private key...
by grond
Thu Jan 03, 2008 1:19 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Boot trace

INTEL_FLASH_CheckLockdown 8192 not locked INTEL_FLASH_EraseSector add 00002000 writelock add 00002000 size 00002000 This worries me! As I said, the Intel flash chip has a security feature: the firmware can lock sectors of the flash until next cold-boot. It is impossible to write-access the sectors ...
by grond
Wed Jan 02, 2008 11:09 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

We've got root access, therefore full access to ring 0. There's no privilege separation or security stuff from what I can see. Flash is just another storage area in the device. You can write to it if you know how. Hm, I know that the PMA was hacked by inserting a kernel module which copied the flash...
by grond
Wed Jan 02, 2008 10:49 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: Keys are in flash, not disk, maybe so, but you can rewrite flash just the same. Will that be possible with a kernel which we can't take over (at least not by inserting custom-made and therefore unsigned kernel modules)? I assume that in order to write to flash you will have to get access to the...
by grond
Wed Jan 02, 2008 10:34 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

meaning that since the GPG keys are on the disk, it could be possible to just replace them and sign your own cramfs filesystems Why should the keys be on the disk? I'd rather expect them to reside in the flash... 2) There's a lot of good information in the linux/davinci usenet forums, people who do...
by grond
Wed Jan 02, 2008 9:25 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: avos does the testing of the cramfs.secure

Hmmmm... It seems like it might not have remounted properly on cold restart. I had to flash the whole firmware again with the .aos file. That rewrote the cramfs.secure files and now they match the originals. This is very interesting and during our first thoughts about hacking the x04 we decided tha...
by grond
Wed Jan 02, 2008 7:51 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

Re: avos does the testing of the cramfs.secure

In the avos binary, there are functions hinting the check of the cramfs files. I believe that avos checks the mounted cramfs files when it is being executed and it displays the error dialog if the signatures do not match. AVOS itself resides in the rootfs, right? Since we can't change that, we coul...
by grond
Wed Jan 02, 2008 7:04 pm
Forum: Open Development
Topic: Archos 605wifi hacked (604wifi too probably)
Replies: 848
Views: 466487

kitsonk wrote:I will also do a hard reset on the system.
Good luck...