I have made another step towards runtime execution of Code

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
Poll: This Post may be a big step in Archos Hacking

Yes: 5 votes (28%)
Maybe: 8 votes (44%)
No: 3 votes (17%)
Boring: 0 votes
Too dangerous. I love my Archos and would never cause it harm: 2 votes (11%)

Total votes: 18

Post by suRRendeR »

This has been tested on my Archos 605 but should work with all devices of the Gen5.

I can't believe what I just found out. I was trying the wireless LAN and wondered whether I could do some FTP stuff. So I googled for a web FTP client and finally found www2ftp.de (it's in German, but there should be services in your language, too).

So I could log in to my root server (you can use a local one; on demand I will post a tutorial). As I expected, the browse files button did not work. BUT:
I just entered /etc/passwd into the Upload field and hit upload. AND SURPRISE: it actually uploaded a file onto my server which had these contents (*nix users will know what this is):

root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
media:x:66:66:media:/mnt/data:/bin/sh
default:x:100:100:Default non-root user:/home/default:/bin/sh

This is a generic Unix passwd file, and the Archos uses shadowing and is logged in as root (otherwise the permission options would have avoided opening the file for upload).

OK, what does this enable us: up- and downloading of files via FTP is possible. This means that scripts (especially the standby script) can be modified at runtime, by inserting a hook that avoids standby and e.g. opens a console instead. I am still trying to insert some code into the Archos. I will keep you guys informed.

!!! REMEMBER !!! It is highly likely that inserting code into the running system will make the Unit unbootable. This is due to the fact that the Archos Firmware images contain File System Containers that are digitally signed. Hence, when editing files inside the firmware, the firmware file becomes modified and the signature does not match any more. Therefore the device could become unbootable, requiring a reinstall of firmware at next bootup. Repairing a unit with defective firmware has been discussed inside this forum (press TV-Key during bootup) already, so I will not refer to this any further. !!!

So good night, and I will keep you updated.
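
An added example, not part of the original post: a small audit of passwd(5) entries like the ones shown above, flagging what a defender would review in such a file (unshadowed password fields, extra UID 0 accounts, service accounts with a login shell). The sample reuses six entries from the post plus one constructed malformed line; the shell set and the list of accounts meant for login are assumptions.

```python
from dataclasses import dataclass

# Six entries copied from the post; the last line is constructed (malformed on purpose).
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
sshd:x:103:99:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
default:x:100:100:Default non-root user:/home/default:/bin/sh
broken:line
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}  # assumption
LOGIN_ACCOUNTS = {"root", "default"}  # assumption: only these should log in

@dataclass
class Entry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text):
    """Split passwd(5) text into valid entries and rejected raw lines."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            rejected.append(line)
            continue
        entries.append(Entry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries, rejected

def audit(entries):
    """Return (account, finding) pairs worth a hardening review."""
    findings = []
    for e in entries:
        if e.passwd != "x":  # "x" means the hash is stored in /etc/shadow instead
            findings.append((e.name, "password field not shadowed"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra UID 0 account"))
        if e.name not in LOGIN_ACCOUNTS and e.shell in INTERACTIVE_SHELLS:
            findings.append((e.name, "service account with interactive shell"))
    return findings
```
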

Post by grond »

suRRendeR wrote: !!! REMEMBER !!! It is highly likely that inserting code into the running system will make the Unit unbootable. This is due to the fact that the Archos Firmware images contain File System Containers that are digitally signed.
Not sure what you are up to but you surely can't modify the contents of the firmware images by simply editing the files contained therein. The firmware images contain cramfs which can only be created using mkcramfs. All files inside a cramfs are read-only.

Post by suRRendeR »

/mnt/system/optfs.cramfs.secure /opt     cramfs  loop,noauto,rw		0       0
This is the last line of /etc/fstab,
so it seems the Archos can load the cramfs rw.

Post by mrfantasy »

I'm not sure what happened here. That file is the /etc/passwd I saw on the Archos from the root shell. It was there without me putting it there. Try uploading another file to the / filesystem and see what happens.



Post by pwright8 »

I voted on this before realizing what I was voting for. I'm not sure if the poll text is clear enough. I thought it referred to Fiat's hack. I'd suggest the text should be "The FTP security hole described in the post below may be a big step in Archos Hacking".

Post by suRRendeR »

This is something I found out by accident.
I did not have a clue by then that the fiat attack was existing.
So far it is not related to it.

Post by pwright8 »

suRRendeR wrote: This is something I found out by accident.
I did not have a clue by then that the fiat attack was existing.
So far it is not related to it.
Hi, I don't understand what you describe? How can you be surprised by the contents of a file that you uploaded to the archos?
Or are you saying that the archos makes a good web client for ftp?
Or am I reading this wrong?

Post by suRRendeR »

The only thing I found out is that you can upload files _FROM_ the Archos by using the FTP protocol and that you can also download to the Archos. The clue is that you can access protected areas this way.

Post by thethirdmoose »

hate to disappoint you, but fiat's hack >>>>> this