Archos 605wifi hacked (604wifi too probably)

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
grond
Archos Guru
Posts: 627
Joined: Thu Nov 23, 2006 10:37 pm
Location: Berlin

Post by grond »

Valrose ^_^ wrote:Hello, I come from archoslounge and I tested that with the 1.7 firmware.
I put the files in root and rebooted, but nothing has changed.
Is that all we have to do: put the files in root?
Yes. Unfortunately it appears as if this hole (which was much bigger than the one discovered by fiat) has been fixed in 1.3.53. People running 1.7.x cannot downgrade to the older firmware... :(
fiat
Archos User
Posts: 65
Joined: Sat Dec 29, 2007 9:41 am

Post by fiat »

New buildroot build that includes gdb

http://www.remix.net/ax05_rootfs.tar.bz2
arcwelder
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

kitsonk wrote:Ok, I think I have a way forward in part...

I am going to bed, but this is where I have gotten and will pick up tomorrow.

I compiled the "buildroot".
I modified the busybox config to contain a couple of things not present in the build right now. First was "vi" just because I can't do without it, second is "chroot" which must have been 'accidentally' left out by Archos.
I then copied the new rootfs.cramfs to the device.
I then did a pivot_root. This is where things sort of locked up, probably because not everything in the rootfs was in the buildroot version. I had to do a hardware reboot at this point.

Tomorrow, I will make a modified version of the rootfs.cramfs with the signed modules and other missing information from it. That should allow us to swing over to a new root and umount the old one. I will then provide an install script and the new cramfs that can either be used from GFT method or invoked via arcwelder to replace the rootfs with a new one.
Wouldn't it be better to convert to ext3? cramfs is read-only.

What edit did you apply to the busybox config to get vi?
Last edited by sideways on Fri Jan 04, 2008 3:07 am, edited 1 time in total.
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

Fiat, thanks for the vi binary in your kitchensink release :)

How did you get the full version to compile independently of busybox?

EDIT

Oops, ignore this nonsense post, I was confusing ssh sessions between the archos and a linux box.
Last edited by sideways on Fri Jan 04, 2008 3:06 am, edited 1 time in total.
thethirdmoose
Archos Guru
Posts: 397
Joined: Thu Sep 06, 2007 4:12 am

Post by thethirdmoose »

So it looks like a downgrader could help... what if someone with a firmware with CoderJoe's hole could post a dump of /
then we could just dd it to the archos, right?
Or is the fw stored on the flash?
Coderjoe
Archos Novice
Posts: 15
Joined: Thu Jan 03, 2008 4:35 am

Post by Coderjoe »

I think a possible reason that you can't downgrade from 1.7 is that they could have upgraded to a newer linux kernel, which would be stored in flash. A newer kernel would not be able to use the old kernel modules that would be on the hard drive. Or they changed keys and the newer flash portions would not be able to correctly verify the signatures of the cramfs files on disk.

I've just been holding off upgrading because I didn't want to be stuck on a newer firmware just yet.
phut
Archos Novice
Posts: 24
Joined: Tue Feb 06, 2007 1:52 pm

Post by phut »

Bugger, my 604 non wifi is at 1.6.13 and it would appear CoderJoe's method has been patched or never existed in that form on the x04 devices.

Hmm, have you found any scripts or files which would hint at how the .aos update files are parsed? IIRC people who looked at the .aos files concluded that they were encrypted in some way, but it seemed likely that there would be associated scripts in the patching file if they weren't on the player's hidden directories.
fiat
Archos User
Posts: 65
Joined: Sat Dec 29, 2007 9:41 am

Post by fiat »

phut wrote:Bugger, my 604 non wifi is at 1.6.13 and it would appear CoderJoe's method has been patched or never existed in that form on the x04 devices.

Hmm, have you found any scripts or files which would hint at how the .aos update files are parsed? IIRC people who looked at the .aos files concluded that they were encrypted in some way, but it seemed likely that there would be associated scripts in the patching file if they weren't on the player's hidden directories.
I predict a race condition.
arcwelder
CourtD
Archos Novice
Posts: 3
Joined: Wed Dec 05, 2007 6:28 am

Post by CourtD »

Hey Guys, Keep up the Good Work!

Seeing what you guys have done in under a week, I have high hopes on what the future holds (Applying a new OS would be Awesome!)

Much Love,

Court
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Re: Boot trace

Post by sideways »

s0crate wrote:
kitsonk wrote:I am curious how the one guy got a whole dump of his startup.
Simply :)

I've just made a complete dump of the whole partition (hda1) and searched for deleted files... It seems that the first time you boot your system, or after a firmware update, a file is created that logs the complete boot process (without the bootloader).
That's pretty impressive, but can you explain in more detail?

Did you dd copy to a linux pc and then do a grep search on the raw partition for keywords like 'Kernel', or did you use hexdump perhaps?

i.e. explain so that we can replicate your results.

Thanks :)
EvilKnebl
Archos Novice
Posts: 21
Joined: Thu Oct 11, 2007 4:43 pm

Post by EvilKnebl »

fiat wrote:New buildroot build that includes gdb

http://www.remix.net/ax05_rootfs.tar.bz2
What is it good for, what is gdb and how can I use it...? =P :? :?:


thx
EvilKnebl
ARCHOS 605 30GB
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

EvilKnebl wrote:
fiat wrote:New buildroot build that includes gdb

http://www.remix.net/ax05_rootfs.tar.bz2
What is it good for, what is gdb and how can I use it...? =P :? :?:


thx
EvilKnebl
It's the GNU debugger; if you don't know that then you really don't need to use it.

Perhaps people who don't have a huge knowledge of linux or Archos hardware specs should start a new thread called something like 'Fiat's Archos hack for dummies' (after the famous book series) or similar, where these questions can be asked. I would contribute answers to such a thread, e.g. a really simple guide to the toolchain compile environment would be something I could contribute (I'm not gonna post it in this thread).
fischju
Archos Guru
Posts: 440
Joined: Tue Dec 25, 2007 4:33 pm

Post by fischju »

Bah, just get a wiki and update it often.
fiat
Archos User
Posts: 65
Joined: Sat Dec 29, 2007 9:41 am

Re: Boot trace

Post by fiat »

sideways wrote:
s0crate wrote:
kitsonk wrote:I am curious how the one guy got a whole dump of his startup.
Simply :)

I've just made a complete dump of the whole partition (hda1) and searched for deleted files... It seems that the first time you boot your system, or after a firmware update, a file is created that logs the complete boot process (without the bootloader).
That's pretty impressive, but can you explain in more detail?

Did you dd copy to a linux pc and then do a grep search on the raw partition for keywords like 'Kernel', or did you use hexdump perhaps?

i.e. explain so that we can replicate your results.

Thanks :)
I'm not sure how he did it, but basically filesystems track files by inodes; when you delete a file you only delete references to the inodes, you don't actually zero out the disk (unless you use a wipe utility).

You can dd the slice of disk, then run debugfs or unrm or something similar and it'll reconstruct files; it has to be done before the inodes and the space between them are reused for newer files though.
arcwelder
kitsonk
Archos Novice
Posts: 35
Joined: Wed Jan 02, 2008 11:53 am
Location: London

Post by kitsonk »

sideways wrote:
Wouldn't it be better to convert to ext3? cramfs is read-only.

What edit did you apply to the busybox config to get vi?
Ok, I don't know how (yet) to mount an ext3 from a file. We don't have a spare partition and don't have sufficient free RAM to create another ram disk. I will look into some way of doing it.

As far as busybox... I don't *know* if it is the right way, but after my first build, I removed the cramfs files and descended into build_arm_nofpu/busybox-1.01 from the buildroot and did a make menuconfig. There I got all the rules I needed. Then I rm'ed my busybox binary, went back up to the buildroot and make'd again. I also needed a root point, which I changed by going into build_arm_nofpu/root.
Coderjoe
Archos Novice
Posts: 15
Joined: Thu Jan 03, 2008 4:35 am

Post by Coderjoe »

kitsonk wrote:
sideways wrote:
Wouldn't it be better to convert to ext3? cramfs is read-only.

What edit did you apply to the busybox config to get vi?
Ok, I don't know how (yet) to mount an ext3 from a file. We don't have a spare partition and don't have sufficient free RAM to create another ram disk. I will look into some way of doing it.
You should be able to loop mount it. The 605 (at least in my ancient 1.3.04) has support for 8 loop mounts.


mount -o loop /path/to/file /path/to/mountpoint
kitsonk
Archos Novice
Posts: 35
Joined: Wed Jan 02, 2008 11:53 am
Location: London

Post by kitsonk »

Coderjoe wrote:
You should be able to loop mount it. The 605 (at least in my ancient 1.3.04) has support for 8 loop mounts.


mount -o loop /path/to/file /path/to/mountpoint
Btw, that is something else they seem to be cleaning up. I noticed it yesterday when trying to re-root myself: there is only loop0 and loop1 in /dev now. :shock:
Coderjoe
Archos Novice
Posts: 15
Joined: Thu Jan 03, 2008 4:35 am

Post by Coderjoe »

kitsonk wrote:
Coderjoe wrote:
You should be able to loop mount it. The 605 (at least in my ancient 1.3.04) has support for 8 loop mounts.


mount -o loop /path/to/file /path/to/mountpoint
Btw, that is something else they seem to be cleaning up. I noticed it yesterday when trying to re-root myself: there is only loop0 and loop1 in /dev now. :shock:
Hmm... mine only has those as well. However, looking under /sys/block shows that the kernel has support for 8 devices, so you only need to find a way to make device nodes for them. It appears that my firmware's busybox also has the mknod entrypoint, which is what you would use to make a new loop device:


mknod /tmp/loop2 b 7 2
Then just change the options on your mount command to:


mount -o loop=/tmp/loop2 /path/to/image /path/to/mountpoint
And you should be all set.

To find how many loop devices your device supports, check under /sys/block. The loop devices should all have a major of 7 and a minor equal to the loop number, but check /sys/block/loopn/dev to be sure.

For example, /sys/block/loop3/dev has "7:3" in it. This means that the major number is 7 and the minor number is 3. So you then use "mknod /path/to/new/device/file b 7 3", where that b tells it to make a block device.

Update
*sigh* Apparently the busybox mount command doesn't support the "loop=/path/to/loopdevice" option... If someone can get a copy of the losetup command to run on the device, you could bind the image to the loop device using that, and then just mount the loop device directly.
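The node-creation and losetup-then-mount sequence described in the post above, as an added shell example that is not code from the thread or from Archos. It reads the "major:minor" pair the way the post describes (from /sys/block/loopN/dev) and only prints the resulting commands, so the logic can be checked on any machine; the /tmp/loopN node path follows the post's own convention.

```sh
#!/bin/sh
# Added example (not from the thread). Builds the command lines Coderjoe
# describes: read "major:minor" from /sys/block/loopN/dev, create the node
# with mknod, and, because the busybox mount lacks the loop= option, bind
# the image with losetup before mounting the loop device directly.

# parse_dev "7:3" -> prints "7 3"; fails on anything that is not major:minor
parse_dev() {
  case "$1" in
    [0-9]*:[0-9]*) ;;
    *) echo "bad dev string: $1" >&2; return 1 ;;
  esac
  printf '%s %s\n' "${1%%:*}" "${1#*:}"
}

# mknod_cmd loopN "major:minor" -> prints "mknod /tmp/loopN b major minor"
mknod_cmd() {
  pair=$(parse_dev "$2") || return 1
  set -- "$1" $pair              # positional params: loopN major minor
  printf 'mknod /tmp/%s b %s %s\n' "$1" "$2" "$3"
}

# loop_mount_plan loopN "major:minor" image mountpoint -> three command lines
loop_mount_plan() {
  mknod_cmd "$1" "$2" || return 1
  printf 'losetup /tmp/%s %s\n' "$1" "$3"   # bind image to the new node
  printf 'mount /tmp/%s %s\n' "$1" "$4"     # mount the loop device itself
}

# sysfs_plan loopN image mountpoint: reads the real sysfs entry when present,
# which also tells you whether the kernel supports that loop number at all
sysfs_plan() {
  f="/sys/block/$1/dev"
  [ -r "$f" ] || { echo "no $f: kernel has no $1" >&2; return 1; }
  loop_mount_plan "$1" "$(cat "$f")" "$2" "$3"
}
```

On the player itself, pipe the output of sysfs_plan into sh once you have confirmed the printed major/minor pair matches what /sys/block reports.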
s0crate
Archos Novice
Posts: 6
Joined: Thu Jan 03, 2008 11:24 am
Location: France

Re: Boot trace

Post by s0crate »

sideways wrote: That's pretty impressive, but can you explain in more detail?

Did you dd copy to a linux pc and then do a grep search on the raw partition for keywords like 'Kernel', or did you use hexdump perhaps?

i.e. explain so that we can replicate your results.

Thanks :)
A few ways can be used to search for deleted files on the hda1/hda2 partitions.
The easiest way is to connect your archos via usb like a usb storage device and use a tool like Photorec on it. Other methods can be used, like dd + Encase ...

Another piece of information: confirmation of the use of the regular lock method to secure the flash. I have just disassembled the flashrw.ko module with IDA.
The INTEL_FLASH_lock looks like:


.text:00000C54                 MOV     R12, SP
.text:00000C58                 STMFD   SP!, {R4-R6,R11,R12,LR,PC}
.text:00000C5C                 SUB     R11, R12, #4
.text:00000C60                 MOV     R6, #0xA
.text:00000C64                 MOV     R4, R0
.text:00000C68                 BL      davinci_emif_lock
.text:00000C6C
.text:00000C6C loc_C6C                                 ; CODE XREF: INTEL_FLASH_Lock+4Cj
.text:00000C6C                 MOV     R2, #0xE2000000

// 1st flash command : lock block (0x60 0x01)
.text:00000C70                 MOV     R3, #0x60 ; '`'
.text:00000C74                 STRH    R3, [R4,R2]
.text:00000C78                 MOV     R3, #1
.text:00000C7C                 STRH    R3, [R4,R2]

// 2d flash command : Read Device Identifier (0x90)
.text:00000C80                 MOV     R3, #0x90 ; 'É'
.text:00000C84                 STRH    R3, [R4,R2]
.text:00000C88                 LDR     R3, =0xE2000004
.text:00000C8C                 SUBS    R6, R6, #1
.text:00000C90                 LDRH    R3, [R4,R3]
.text:00000C94                 MOV     R5, R3
.text:00000C98                 BEQ     loc_CA4
.text:00000C9C                 TST     R3, #1
.text:00000CA0                 BEQ     loc_C6C
.text:00000CA4
.text:00000CA4 loc_CA4                                 ; CODE XREF: INTEL_FLASH_Lock+44j
.text:00000CA4                 MOV     R3, #0xFF
.text:00000CA8                 STRH    R3, [R4,R2]
.text:00000CAC                 BL      davinci_emif_unlock
.text:00000CB0                 EOR     R0, R5, #1
.text:00000CB4                 ANDS    R0, R0, #1
.text:00000CB8                 MOVLNE  R0, 0xFFFFFFFB
.text:00000CBC                 LDMFD   SP, {R4-R6,R11,SP,PC}
Take a look at the flashrw.ko module. We can use the device /dev/flashrw and make ioctls on it to use the flashrw.ko functions...
kitsonk
Archos Novice
Posts: 35
Joined: Wed Jan 02, 2008 11:53 am
Location: London

Post by kitsonk »

Ok... I have gotten a little bit further, but doing this through ssh is a bit of a pain, because things don't quite move over right with pivot_root. I am going to have to do this through a shell script that "hopefully" will keep running after the pivot_root to finish off everything. Right now sshd seems to hang after returning the new "/" prompt and avos complains that the disk is RO and should be checked.