I have made another step towards runtime execution of Code

[suRRendeR]

This has been tested on my Archos 605 but should work with all devices of the Gen5

I Cant believe what I just found out. I was trying the wireless lan and wondered wether I could do some FTP stuff. so I googled for a web FTP client and finally found www2ftp.de (its in german but there should be services in your language, too)

so I could login onto my root server(you can use a local one, on demand I will post a tutorial). as i expected the browse files button did not work. BUT:
I just entered /etc/passwd into the Upload field and hit upload. AND SURPRISE: It actually uploaded a file onto my server which had these contents(*nix users will know what this is:)

root0:0:root:/root:/bin/sh
daemon1:1:daemon:/usr/sbin:/bin/sh
bin2:2:bin:/bin:/bin/sh
sys3:3:sys:/dev:/bin/sh
sync4sync:/bin:/bin/sync
mail8:8:mail:/var/spool/mail:/bin/sh
proxy13:13:proxy:/bin:/bin/sh
www-data33:33:www-data:/var/www:/bin/sh
backup34:34:backup:/var/backups:/bin/sh
operator37:37:Operator:/var:/bin/sh
sshd103:99:Operator:/var:/bin/sh
nobody99:99:nobody:/home:/bin/sh
media66:66:media:/mnt/data:/bin/sh
default100Default non-root user:/home/default:/bin/sh

this is a generic unix passwd file, and the archos uses shadowing and is logged in as root(otherwise the permission options would have avoided opening the file for upload)

ok, what does this enable us: Up and Downloading of Files via FTP is possible. this means that scripts(especially the standby script) can be modified in runtime, and by inserting a hook that avoids standby and e.g. opens a console instead. I am yet trying to insert some code into the archos. I will keep you guys informed.




!!! REMEMBER !!! It is highly likely that inserting code into the running system will make the Unit unbootable. this is due to the fact that the Archos Firmware images contain File System Containers that are digitally signed. Hence, when editing files inside the firmware, the firmware file becomes modified and the signature does not match any more. Therefore the device could become unbootable, requiring a reinstall of firmware at next bootup. Repairing a unit with defect firmware has been discussed inside this forum(press TV-Key during Bootup) already so i will not refer to this any further. !!!

so good night and i will keep you updated

[grond]

!!! REMEMBER !!! It is highly likely that inserting code into the running system will make the Unit unbootable. this is due to the fact that the Archos Firmware images contain File System Containers that are digitally signed.

Not sure what you are up to but you surely can't modify the contents of the firmware images by simply editing the files contained therein. The firmware images contain cramfs which can only be created using mkcramfs. All files inside a cramfs are read-only.

[suRRendeR]

Code: Select all

/mnt/system/optfs.cramfs.secure /opt     cramfs  loop,noauto,rw		0       0

this is the last line of /etc/fstab
so it seems the archos can load the cramfs rw

[mrfantasy]

I'm not sure what happened here. That file is the /etc/passwd I saw on the Archos from the root shell. It was there without me putting it there. Try uploading another file to the / filesystem and see what happens.

This has been tested on my Archos 605 but should work with all devices of the Gen5

I Cant believe what I just found out. I was trying the wireless lan and wondered wether I could do some FTP stuff. so I googled for a web FTP client and finally found www2ftp.de (its in german but there should be services in your language, too)

so I could login onto my root server(you can use a local one, on demand I will post a tutorial). as i expected the browse files button did not work. BUT:
I just entered /etc/passwd into the Upload field and hit upload. AND SURPRISE: It actually uploaded a file onto my server which had these contents(*nix users will know what this is:)

root0:0:root:/root:/bin/sh
daemon1:1:daemon:/usr/sbin:/bin/sh
bin2:2:bin:/bin:/bin/sh
sys3:3:sys:/dev:/bin/sh
sync4sync:/bin:/bin/sync
mail8:8:mail:/var/spool/mail:/bin/sh
proxy13:13:proxy:/bin:/bin/sh
www-data33:33:www-data:/var/www:/bin/sh
backup34:34:backup:/var/backups:/bin/sh
operator37:37:Operator:/var:/bin/sh
sshd103:99:Operator:/var:/bin/sh
nobody99:99:nobody:/home:/bin/sh
media66:66:media:/mnt/data:/bin/sh
default100Default non-root user:/home/default:/bin/sh

this is a generic unix passwd file, and the archos uses shadowing and is logged in as root(otherwise the permission options would have avoided opening the file for upload)

ok, what does this enable us: Up and Downloading of Files via FTP is possible. this means that scripts(especially the standby script) can be modified in runtime, and by inserting a hook that avoids standby and e.g. opens a console instead. I am yet trying to insert some code into the archos. I will keep you guys informed.




!!! REMEMBER !!! It is highly likely that inserting code into the running system will make the Unit unbootable. this is due to the fact that the Archos Firmware images contain File System Containers that are digitally signed. Hence, when editing files inside the firmware, the firmware file becomes modified and the signature does not match any more. Therefore the device could become unbootable, requiring a reinstall of firmware at next bootup. Repairing a unit with defect firmware has been discussed inside this forum(press TV-Key during Bootup) already so i will not refer to this any further. !!!

so good night and i will keep you updated

[pwright8]

I voted on this before realizing what i was voting for. I'm not sure if the poll text is clear enough.. I thought it referred to Fiat's hack. I'd suggest the text should be "The ftp security hole described in the post below may be a big step in Archos HAcking".

[suRRendeR]

this is something is found put by accident
i did not have a clue by then that the fiat attack was existing
so far it is not related to it

[pwright8]

this is something is found put by accident
i did not have a clue by then that the fiat attack was existing
so far it is not related to it

Hi, I don't understand what you describe? How can you be surprised by the contents of a file that you uploaded to the archos?
Or are you saying that the archos makes a good web client for ftp?
Or am I reading this wrong?

[suRRendeR]

the only thing I found out is that you can upload files _FROM_ the Archos by using the FTP Protocol and that you can also download to the archos. the clue is that you can access protected Areas this way

[thethirdmoose]

hate to disappoint you, but fiat's hack >>>>> this