Archos 605wifi hacked (604wifi too probably)

[kitsonk]

We suspect only signed modules can be insmod'ed into the kernel, though we aren't sure.

Somebody should make sure. I haven't got a 605...

I have the 605, but I am having issues building the toolchain, etc. I will also be the first to admit I am a little out of my depth in throwing together a cross compiled un-signed kernel module... I will do some tinkering this afternoon.

I just wonder with the anti-hacking developer how much he/she suspected that we would never get root. The fact that the non-signed cramfs stuff can be loaded by the OS is a good sign.

Hm, since linuxrc is used for init IIRC and it resides somewhere on the harddisk, the kernel should mount / during kernel init. Not sure whether this leaves a trace in dmesg but it probably should.

Edit: nonsense. On the PMA the linuxrc was in the cramfs which was loaded to RAM by the bootloader before the kernel init was started. So the kernel found its root device at a predefined (at compile time) place in RAM. Not sure how it is done in the 605. Perhaps the hidden second partition is used as /

The rootfs.cramfs.secure contains the exact same file structure. When you refer to the hidden second partition, what are you talking about? /dev/hda2? Everything there is accounted for.

Now looking at mount, I see that / is /dev/ram0. I did a dd of /dev/ram0. It is essentially the same exact thing as rootfs.cramfs.secure, except it is stripped of it signature. I did a cramfsck against it and the only thing it complains about is that the file extends past the end of the filesystem. The rootfs.cramfs.secure is a 16m file and the ram0.dump is a 20m file.

So again, something, somewhere is reading the rootfs.cramfs.secure into a ram disk and mounting it. Everytime I go to my dmesg, I have overwritten the startup. I am curious how the one guy got a whole dump of his startup.

[kitsonk]

Just some other information:

Code: Select all

# modinfo flashrw.ko 
filename:       flashrw.ko
alias:          char-major-10-243
license:        Proprietary
description:    Secure Flash Driver for the Archos AVx04.series
author:         Honore Sossougah
depends:        
vermagic:       2.6.10_mvl402 ARMv5 gcc-3.4

Code: Select all

# modinfo keystore.ko
filename:       keystore.ko
alias:          char-major-10-242
license:        Proprietary
description:    Keystore Driver for Archos AVx04.series
author:         Nicolas Martin
depends:        flashrw
vermagic:       2.6.10_mvl402 ARMv5 gcc-3.4

[sideways]

The toolchain does build a comprehensive python, just needed to configure the environment variables correctly. copy /usr/bin/python and the directory /usr/lib/python2.4 to /mnt/data/Data, then, in an ssh session:

Code: Select all

/ # export PATH=$PATH:/mnt/data/Data
/ # export PYTHONHOME=/mnt/data/Data/python2.4
/ # export PYTHONPATH=$PYTHONHOME:$PYTHONHOME/lib-dynload/
/ # python
Python 2.4.2 (#1, Jan  3 2008, 00:18:17) 
[GCC 3.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help()

Welcome to Python 2.4!  This is the online help utility.

If this is your first time using Python, you should definitely check out
the tutorial on the Internet at http://www.python.org/doc/tut/.

Enter the name of any module, keyword, or topic to get help on writing
Python programs and using Python modules.  To quit this help utility and
return to the interpreter, just type "quit".

To get a list of available modules, keywords, or topics, type "modules",
"keywords", or "topics".  Each module also comes with a one-line summary
of what it does; to list the modules whose summaries contain a given word
such as "spam", type "modules spam".

help> modules

Please wait a moment while I gather a list of all available modules...

BaseHTTPServer      codeop              mailcap             signal
Bastion             collections         markupbase          site
CGIHTTPServer       colorsys            marshal             smtpd
ConfigParser        commands            math                smtplib
Cookie              compileall          md5                 sndhdr
DocXMLRPCServer     compiler (package)  mhlib               socket
HTMLParser          cookielib           mimetools           sre
MimeWriter          copy                mimetypes           sre_compile
Queue               copy_reg            mimify              sre_constants
SimpleHTTPServer    crypt               mmap                sre_parse
SimpleXMLRPCServer  csv                 modulefinder        stat
SocketServer        curses (package)    multifile           statcache
StringIO            datetime            mutex               statvfs
UserDict            dbhash              netrc               string
UserList            decimal             new                 stringold
UserString          difflib             nntplib             stringprep
_LWPCookieJar       dircache            ntpath              strop
_MozillaCookieJar   dis                 nturl2path          struct
__builtin__         distutils (package) opcode              subprocess
__future__          dl                  operator            sunau
_bisect             doctest             optparse            sunaudio
_codecs             dumbdbm             os                  symbol
_codecs_cn          dummy_thread        os2emxpath          symtable
_codecs_hk          dummy_threading     ossaudiodev         sys
_codecs_iso2022     email (package)     parser              syslog
_codecs_jp          encodings (package) pdb                 tabnanny
_codecs_kr          errno               pickle              tarfile
_codecs_tw          exceptions          pickletools         telnetlib
_csv                fcntl               pipes               tempfile
_heapq              filecmp             pkgutil             termios
_hotshot            fileinput           platform            textwrap
_locale             fnmatch             popen2              this
_multibytecodec     formatter           poplib              thread
_random             fpformat            posix               threading
_socket             ftplib              posixfile           time
_sre                gc                  posixpath           timeit
_ssl                getopt              pprint              timing
_strptime           getpass             profile             toaiff
_symtable           gettext             pstats              token
_testcapi           glob                pty                 tokenize
_threading_local    gopherlib           pwd                 trace
_weakref            grp                 py_compile          traceback
aifc                gzip                pyclbr              tty
anydbm              heapq               pydoc               types
array               hmac                quopri              tzparse
asynchat            hotshot (package)   random              unicodedata
asyncore            htmlentitydefs      re                  unittest
atexit              htmllib             reconvert           urllib
audiodev            httplib             regex               urllib2
audioop             idlelib (package)   regex_syntax        urlparse
base64              ihooks              regsub              user
bdb                 imageop             repr                uu
binascii            imaplib             resource            warnings
binhex              imghdr              rexec               wave
bisect              imp                 rfc822              weakref
bsddb (package)     imputil             rgbimg              webbrowser
cPickle             inspect             rlcompleter         whichdb
cStringIO           itertools           robotparser         whrandom
calendar            keyword             sched               xdrlib
cgi                 linecache           select              xml (package)
cgitb               linuxaudiodev       sets                xmllib
chunk               locale              sgmllib             xmlrpclib
cmath               logging (package)   sha                 xxsubtype
cmd                 macpath             shelve              zipfile
code                macurl2path         shlex               zipimport
codecs              mailbox             shutil              zlib

Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".

help> 
You are now leaving help and returning to the Python interpreter.
If you want to ask for help on a particular object directly from the
interpreter, you can type "help(object)".  Executing "help('string')"
has the same effect as typing a particular string at the help> prompt.
>>> 

And a non-interactive command (10 non-repeating random numbers between 1 and 100):

Code: Select all

/ # python -c "from random import sample, seed; seed(); print sample(xrange(1,101),10)"
[10, 75, 70, 88, 57, 69, 2, 19, 73, 82]
/ # 

So we have some pretty powerful tools available. I still can't get vi compiled into Busybox, in the config file we have

Code: Select all

#
# Editors
#
# CONFIG_AWK is not set
# CONFIG_PATCH is not set
CONFIG_SED=y
CONFIG_VI=y

But no vi link is created?? ANy ideas anyone

[grond]

I have the 605, but I am having issues building the toolchain, etc.

Didn't fiat put some modules up on the arcwelder site?

I just wonder with the anti-hacking developer how much he/she suspected that we would never get root. The fact that the non-signed cramfs stuff can be loaded by the OS is a good sign.

It could be a good sign of them not worrying about it... :p

The rootfs.cramfs.secure contains the exact same file structure. When you refer to the hidden second partition, what are you talking about? /dev/hda2? Everything there is accounted for.

Ah, okay. I don't have an x04/x05 and only heard that there is a hidden second partition which is amusing to me because we implemented that first for openPMA... :)

Now looking at mount, I see that / is /dev/ram0. I did a dd of /dev/ram0. It is essentially the same exact thing as rootfs.cramfs.secure, except it is stripped of it signature.

...

So again, something, somewhere is reading the rootfs.cramfs.secure into a ram disk and mounting it.

Well, then it is the same mechanism as in the PMA: the bootloader locates the rootfs.cramfs.secure on the harddisk, checks the signature, loads the image to RAM and branches into the kernel init.

[grond]

Just some other information:

Code: Select all

# modinfo flashrw.ko 
filename:       flashrw.ko
alias:          char-major-10-243
license:        Proprietary
description:    Secure Flash Driver for the Archos AVx04.series
author:         Honore Sossougah
depends:        
vermagic:       2.6.10_mvl402 ARMv5 gcc-3.4

Could you make a "strings flashrw.ko" and see if this module is responsible for the output in dmesg about the locked sectors?

[kitsonk]

Just some other information:

Code: Select all

# modinfo flashrw.ko 
filename:       flashrw.ko
alias:          char-major-10-243
license:        Proprietary
description:    Secure Flash Driver for the Archos AVx04.series
author:         Honore Sossougah
depends:        
vermagic:       2.6.10_mvl402 ARMv5 gcc-3.4

Could you make a "strings flashrw.ko" and see if this module is responsible for the output in dmesg about the locked sectors?

Seems we have a winner:

Code: Select all

# strings flashrw.ko
28F160C3B
alias=char-major-10-243
license=Proprietary
description=Secure Flash Driver for the Archos AVx04.series
author=Honore Sossougah
depends=
vermagic=2.6.10_mvl402 ARMv5 gcc-3.4
flashrw_write
flashrw_read
flashrw
<4>INTEL_FLASH_CheckLockdown %d locked 
<7>INTEL_FLASH_CheckLockdown %d not locked 
<4>INTEL_FLASH_GetInfos NULL pointer (p_ident)
<4>INTEL_FLASH_Read NULL pointer (p_buffer) 
<7>INTEL_FLASH_EraseSector add %08x
<7>writelock add %08x size %08x
<4>Address value must be even (%d) 
<4>Length value must be even (%d) 
<4> INTEL_FLASH_Erase NULL pointer (p_struct) 
<4>INTEL_FLASH_Write NULL pointer (p_struct) 
<4>INTEL_FLASH_Write NULL pointer (p_buffer) 
flashrw
GCC: (GNU) 3.4.3
GCC: (GNU) 3.4.3
GCC: (GNU) 3.4.3
AjqoX
'A}P
.symtab
.strtab
.shstrtab
.rel.text
.rel.init.text
.rel.exit.text
.rodata
.modinfo
.rel__ksymtab
__ksymtab_strings
.rodata.str1.4
.rel.data
.rel.gnu.linkonce.this_module
.bss
.comment
module_sig
main_flash.c
flashrw_init
flashrw_exit
__mod_alias668
__mod_license667
__mod_description666
__mod_author665
__ksymtab_flashrw_write
flashrw_write
__kstrtab_flashrw_write
__ksymtab_flashrw_read
flashrw_read
__kstrtab_flashrw_read
flash_lock
flash_dev
flashrw_miscdev
flashrw_fops
flashrw_ioctl
flashrw_open
flashrw_release
flashrw_check_address
flashrw_check_sectors
intel_flash_cmd.c
INTEL_FLASH_WriteUnlock
flashrw.mod.c
__module_depends
__mod_vermagic5
misc_deregister
davinci_emif_lock
__this_module
SectorImage
INTEL_FLASH_Write
__compat_up_wakeup
cleanup_module
memcpy
davinci_emif_unlock
__release_region
init_module
INTEL_FLASH_EraseSector
__arch_copy_to_user
INTEL_FLASH_Read
INTEL_FLASH_Erase
flash_struct
printk
INTEL_FLASH_GetInfos
__compat_down_failed
memset
__memzero
misc_register
INTEL_FLASH_CheckLockdown
vfree
__arch_copy_from_user
no_llseek
iomem_resource
vmalloc
INTEL_FLASH_Lock
__request_region

and

Code: Select all

# strings keystore.ko
28F160C3B
<4>INTEL_FLASH_CheckLockdown %d locked 
<7>INTEL_FLASH_CheckLockdown %d not locked 
<4>INTEL_FLASH_GetInfos NULL pointer (p_ident)
<4>INTEL_FLASH_Read NULL pointer (p_buffer) 
<7>INTEL_FLASH_EraseSector add %08x
<7>writelock add %08x size %08x
<4>Address value must be even (%d) 
<4>Length value must be even (%d) 
<4> INTEL_FLASH_Erase NULL pointer (p_struct) 
<4>INTEL_FLASH_Write NULL pointer (p_struct) 
<4>INTEL_FLASH_Write NULL pointer (p_buffer) 
<3>keystore: flash mapping failed
<3>keystore: no supported flash type found
<6>Secure keystore support initialized
<6>Secure keystore support released
alias=char-major-10-242
license=Proprietary
description=Keystore Driver for Archos AVx04.series
author=Nicolas Martin
depends=flashrw
vermagic=2.6.10_mvl402 ARMv5 gcc-3.4
keystore
GCC: (GNU) 3.4.3
GCC: (GNU) 3.4.3
GCC: (GNU) 3.4.3
.symtab
.strtab
.shstrtab
.rel.text
.rel.init.text
.rel.exit.text
.rodata
.rodata.str1.4
.modinfo
.rel.data
.rel.gnu.linkonce.this_module
.bss
.comment
module_sig
intel_flash_cmd.c
INTEL_FLASH_WriteUnlock
main_keystore.c
keystore_init
keystore_exit
__mod_alias199
__mod_license198
__mod_description197
__mod_author196
keystore_flash_virt_base
keystore_miscdev
keystore_fops
keystore_ioctl
keystore_open
keystore_release
keystore_use_count
keystore_dev
keystore.mod.c
__module_depends
__mod_vermagic5
misc_deregister
davinci_emif_lock
__this_module
flashrw_read
__iounmap
SectorImage
INTEL_FLASH_Write
cleanup_module
flashrw_write
memcpy
davinci_emif_unlock
__release_region
init_module
INTEL_FLASH_EraseSector
INTEL_FLASH_Read
INTEL_FLASH_Erase
__ioremap
flash_struct
printk
INTEL_FLASH_GetInfos
memset
misc_register
INTEL_FLASH_CheckLockdown
no_llseek
iomem_resource
INTEL_FLASH_Lock

Also, one of the strings 28F160C3B comes back to the Intel Chipset they are probably using... There are some tools out there for manipulating this chipsets.

[grond]

Seems we have a winner:

Seems we have two winners. It kind of puzzles me that both modules have the logic for accessing and closing the flash, but on second thought this makes some sense.

[kitsonk]

Ok... Got my buildroot to compile, mounted the cramfs and tried to insert one of the modules:

Code: Select all

 # insmod /mnt/data/Data/new_root/lib/modules/msp430cam.ko
insmod: error inserting '/mnt/data/Data/new_root/lib/modules/msp430cam.ko': -1 Operation not permitted

And I got the following in dmesg:

Code: Select all

An attempt to load unsigned module was rejected

So no way to load unsigned modules.

Also here is what is missing from the GPL release of modules:

• flashrw.ko
  hdpwrd.ko
  keystore.ko
  ocvc.ko
  pcf8575.ko
  radio-tea5766.ko
  remotefm.ko
  sd8xxx.ko
  sdio-core.ko
  sdio.ko
  sdio-dma-davinci.ko
  tea576x.ko

[s0crate]

I am curious how the one guy got a whole dump of his startup.

Simply

I've just made a complete dump of the whole partition (hda1) and search deleted files... It seems that at the first time you boot your system or after firmware update, a file is created that log the complete boot process (without the bootloader).

[arisgardelis]

Info, tools and schematics about DaVinci DM644x

http://c6000.spectrumdigital.com/davincievm/revf/

Booting and Flashing via the DaVinci
TMS320DM644x Serial Interface
Application Report

http://focus.ti.com/lit/an/spraai4/spraai4.pdf

[RayBee]

Hi there,

first of all - thanks fiat - nice work. Thanks for making life more fun and exciting(since trying to figure this out is a lot of fun and really exciting - amazing how much fun learning can be ) .
As we say here : der Weg ist das Ziel... (the way is the goal).

Yesterday I was trying hard to cross-compile openssl for my 704 without using the buildroot(since I did not understand the purpose completely).
So I downloaded binutils and gcc and newlib.
Installed a ubuntu in a virtual machine. Made binutils and gcc. I failed making openssl since I did not have a compiled uClibc (which I finally realized) and I had to give up late at night.

Today I read about the buildroot and had new hope to make the missing lib. By providing the kitchensink-archive(on page2) you saved me the extra work for that.

From the archive I took the libcrypto.so.0.9.7 (in the archive in /usr/lib) and stored it in the arcwelder dir <ARCHOS>/Data/arcwelder.

I have now changed my install script to:

#!/bin/bash

mkdir /tmp/ssh/
mkdir /tmp/empty
chmod 755 /tmp/empty
cp /mnt/data/Data/arcwelder/* /tmp/ssh/
cd /tmp/ssh
chmod 755 *
chmod 4711 ssh-keysign
chmod 600 /tmp/ssh/*_key
chmod 600 /tmp/ssh/authorized_keys
chmod 644 /tmp/ssh/*.pub
export LD_LIBRARY_PATH=/tmp/ssh:${LD_LIBRARY_PATH}
/tmp/ssh/sshd -f /tmp/ssh/sshd_config

This brings up sshd on my 704 and I can use putty (as described on your page) to login. Cool.

If this is already known and old - sorry - did not check all threads...

Cheers,
RayBee

[xengren]

This worries me! As I said, the Intel flash chip has a security feature: the firmware can lock sectors of the flash until next cold-boot. It is impossible to write-access the sectors once the door has been slammed shut because this is a hardware protection mechanism. The above is a clear indication that some sectors of the bootflash are protected by the kernel during initialisation:

"8192 (=0x2000) not locked... writelock add 00002000 (=dec 8192)". So even if we read out the flash, find the place to hack the check of rootfs prior to booting, we couldn't write a modified bootloader back to the flash (at least to the listed sectors).

I was poking through http://download.intel.com/design/flcomp ... 474904.pdf

and there's two lock modes. They might just be doing a regular lock there instead of a lock down. Is the source available to read?

[kitsonk]

I was poking through http://download.intel.com/design/flcomp ... 474904.pdf

and there's two lock modes. They might just be doing a regular lock there instead of a lock down. Is the source available to read?

Sorry, no... It is part of the proprietary modules that are not released under the GPL source.

There would be no good reason for them not to use the lock down, the main reason they are locking the flash is specifically to keep us from manipulating it. Our biggest hope would be to be able to read it, understand the init process better, in hopes of finding some sort of gap that would allow us to hijack something.

[s0crate]

I was poking through http://download.intel.com/design/flcomp ... 474904.pdf

and there's two lock modes. They might just be doing a regular lock there instead of a lock down. Is the source available to read?

It's seems that the lock mode used is the regular lock ...

Software-controlled security is implemented using the Block Lock and Block Unlock commands. Hardware-controlled security can be implemented using the Block Lock-Down command along with asserting WP#.

[Coderjoe]

hmm. poking around on my 1.3 device (holding off on upgrading for the time being), I see that S78epromtool script in /etc/init.d, which would allow you to at least hook in during the boot process, as long as the two named files exist.

(sure, insmod and rmmod will fail, but there is no error checking, so it will happily run your epromtool script. you just need to make it so the customer_eprom_file either is recreated after it is removed, or make it so it can't be removed by the script)

This probably won't help for writing to the flash, when the time comes, though...

Update: it appears that it will run, as my customer_eprom_file file has been deleted. Now to make a script that re-creates the file, and add a hook...

Update 2: it works! with the right script, we can still get in even after the password hole is closed! And this one would just require dropping some files onto the /mnt/data dir, which is the root directory when in hard drive mode on the USB. Right now, I have it set up to be able to run my hook every boot, and my current hook just dumps dmesg to a file.

[kitsonk]

Ok, I think I have a way forward in part...

I am going to bed, but this is where I have gotten and will pick up tomorrow.

I compiled the "buildroot".
I modified the busybox config to contain a couple of things not present in the build right now. First was "vi" just because I can't do without it, second is "chroot" which must have been 'accidentally' left out by Archos.
I then copied the new rootfs.cramfs to the device.
I then did a pivot_root. This is where things sort of locked up, probably because not everything in the rootfs was in the buildroot version. I had to do a hardware reboot at this point.

Tomorrow, I will make a modified version of the rootfs.cramfs with the signed modules and other missing information from it. That should allow us to swing over to a new root and umount the old one. I will then provide an install script and the new cramfs that can either be used from GFT method or invoked via arcwelder to replace the rootfs with a new one.

[Coderjoe]

Okay. What I discovered will allow you to execute stuff on every boot, without needing the wifi. First off, what I did:

http://irule.net/~tward/605epromhook.zip

if you drop those files into the root of the drive that shows up via the USB hard drive mode or the wireless file server mode (the directory above Data), the contents of the "hook" script are run every boot. My test script there just does a dmesg dump into Data/dmeg.txt

How this works:

during boot, the 605 runs /etc/init.d/S78epromtool, which checks to see if /mnt/data/epromtool and /mnt/data/customer_eprom_file exist. if they do, it will then run /mnt/data/epromtool. my epromtool script then runs hook, and starts a copy of protect_eprom_file in the background and continues with the boot. S78epromtool then will delete /mnt/data/customer_eprom_file and goes on to boot the device the rest of the way. however, protect_eprom_file is still running, waiting for customer_eprom_file to be deleted, so it can then re-create it and exit.

Have fun!

Update

here is why it works:

Code: Select all

#! /bin/sh

boards_rev_sdio=5

case "$1" in
        start|"")
                if [ -x /mnt/data/epromtool ] ; then
                        if [ -e /mnt/data/customer_eprom_file ] ; then

                                hw_id=`cat /sys/devices/system/cpld_io/cpld_io0/hardware_id`
                                module_name=ga_linuxdrv

                                if [ $hw_id -ge $boards_rev_sdio ]; then
                                        module_name=ga_linuxdrv_sdio
                                fi

                                insmod /lib/modules/$module_name.ko giFWType=1
                                /mnt/data/epromtool eth0 -s /mnt/data/customer_eprom_file
                                rmmod $module_name.ko
                                rm /mnt/data/customer_eprom_file
                        fi
                fi
                ;;

        stop)
                ;;
esac

The 605 runs this during bootup. the insmod and rmmod will silently fail, as no such kernel module exists. so as long as /mnt/data/epromtool is executable (always will be on fat filesystems) and /mnt/data/customer_eprom_file exists, this init script will happily execute the /mnt/data/epromtool file, which is stored on the vfat partition that everyone can access.

Of course, this will only work as long as archos does not remove this file. once they do, it won't work anymore.

[grond]

Okay. What I discovered will allow you to execute stuff on every boot, without needing the wifi.

As discussed in #x04 on freenode, Coderjoe runs an older firmware version (1.3.04). Could anyone please verify that this BIG hole exists in the recent 1.7.x firmware?

[fiat]

Okay. What I discovered will allow you to execute stuff on every boot, without needing the wifi. First off, what I did:

Cool!

-fiat

[FLORIAN37]

We test on the archoslounge's forum ! :
http://www.archoslounge.net/forum/showt ... #post28506

Great work !