for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by sideways »

The idea will be to trick avos into running a script or a setuid binary from /mnt/system (which is ext3), this may also be possible from an ext3 formatted usb stick attached to the mini dock, but obviously it'll be better without needing that. (ext3 allows us more options than fat32 on the hard disk)

A corrupt conf file in /mnt/system/etc (wpa_supplicant.conf or fusesmb.conf) might be an option, or a pdf document or image or video file. Another avenue is to hijack the system at boot when you select "repair filesystem" (which enables the modified System.bin for GFT2 to get loaded, for example)

GFT(2) access allows us to get a script/binary installed, and experiment.

I'm 100% confident there's an exploitable hole, but without GFT2 it would be very difficult to find it; with root access and tools like lsof, ps, top it's much easier to examine the system and hack it (I'd never have worked out how to restart avos otherwise)

Currently you need wifi access and a machine to browse the samba share, which isn't ideal. If we can remove those requirements it's almost as good as a flash hack; the only difference is that the kernel and init process can't be changed, so you have to run in a chroot, which isn't as flexible.
twizted25
Archos Novice
Posts: 23
Joined: Mon Nov 30, 2009 10:39 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by twizted25 »

Good progress. Brings me hope with updated firmware already :)
divx118
Archos Guru
Posts: 595
Joined: Tue Dec 04, 2007 9:48 pm
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by divx118 »

@sideways

If I create a gpsfs.cramfs.secure in /mnt/system by duplicating the rootfs.cramfs.secure, it gets mounted in /gps on startup (you have to use signed files, else it doesn't get mounted). You then get the gps button visible on your screen. If you press it, it will try to start /gps/sygic, which of course isn't there, and the screen blinks. If you then press it a second time it will restart the device. Maybe something we can do here.
If, however, I restart avos with your script before I touch the gps button, my button is gone. So I assume it is an older avos from previous firmwares? I will take a look at it in my hex editor.

Maurice 8)
generic_username
Archos Expert
Posts: 194
Joined: Mon Jan 14, 2008 9:18 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by generic_username »

i thought he said it was MC avos? mc'd .2 is 2.1.04 i believe
divx118
Archos Guru
Posts: 595
Joined: Tue Dec 04, 2007 9:48 pm
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by divx118 »

generic_username wrote: i thought he said it was MC avos? mc'd .2 is 2.1.04 i believe
You are right it is 2.1.04.

Maurice 8)
pandyBox
Archos User
Posts: 57
Joined: Fri Mar 27, 2009 7:29 pm
Location: Ireland
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by pandyBox »

divx118 wrote: The only options IMO are:

1) Archos to release a firmware update with SDE
2) Access to Jtag and write to the flash directly.

The last option would be very difficult if even possible and needs some serious hardware knowledge and skills.

Maurice 8)
Jtag needs ground, data in, data out and clock pins. An old LS TTL chip (2.7V typical "1" from a 5V supply) I found makes a good buffer from parallel port to 3.3V ARM / Flash systems. I made up my own JTAG buffer with a single 74LS244 or 74LS240. Needs +5V also. It worked to overwrite Flash so as to put Linux instead of WinCE on a Samsung SMDK6400 ARM dev board.

The HW is simple and can even be bought ready made for about $100, but free for anyone interested in Electronics with junk lying around.

The only issue is what data to transfer using the free JTAG programming SW and cheap Parallel port interface. (The USB JTAG adaptors you can buy are really USB to Parallel port adaptors with a 3.3V buffer IC for the JTAG pins.).

You need to find the JTAG pads on PCB. On a Linksys Router they are handy and on a 10pin header. One gadget I looked at the "hacker" cooked in an oven (not microwave) to get the BGA chips to fall off so he could trace from known JTAG pins on chips to find the pads. If that extreme solution is needed I'm sure someone has a broken A605?
160G 605 WiFi
divx118
Archos Guru
Posts: 595
Joined: Tue Dec 04, 2007 9:48 pm
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by divx118 »

pandyBox wrote: You need to find the JTAG pads on PCB. On a Linksys Router they are handy and on a 10pin header. One gadget I looked at the "hacker" cooked in an oven (not microwave) to get the BGA chips to fall off so he could trace from known JTAG pins on chips to find the pads. If that extreme solution is needed I'm sure someone has a broken A605?
I meant by saying "if even possible", are the JTAG pins accessible in your archos?
Also if you would find the pins, for the average user it will be a very difficult hack to perform, so it would only be for people that understand the hard/software and have the skills.
Thanks for the info on the JTAG buffer.

Maurice 8)
generic_username
Archos Expert
Posts: 194
Joined: Mon Jan 14, 2008 9:18 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by generic_username »

@pandyBox I have access to PCB rework equipment (in the US) if anyone wants to send me a broken board to trace, no need for ovens : )

I wonder, has anyone tried hooking up an archos without the battery attached? On some devices the battery must be removed to program the flash

presumably there are already serial communication pins on one or both of the 2 dock connections?
CheBuzz
Archos Guru
Posts: 274
Joined: Fri Aug 15, 2008 12:14 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by CheBuzz »

I've asked for dead hardware before to trace lines, but nobody has ever offered to help out in that area. It would be great if somebody, _anybody_, could map out what traces are brought out so that we can figure out what kind of hard hacks are available to us.
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by sideways »

This is amusing :)

If you format a usb stick as ext3 and create a symlink to /mnt/system in its top directory, then when you plug it into the minidock you can browse (with read/write privileges!) the entire hidden system directory from the archos file browser (via the symlink).

You can create the symlink from any linux, but if you do this from a GFT ssh session, then since the usb stick gets mounted at /mnt/msc0 do

Code:

ln -s /mnt/system /mnt/msc0/mnt_system
now unplug/replug the stick and the file browser will open a window showing the top directory, select mnt_system and you're in. :)

btw this will allow an alternative to GFT(2) for restarting avos if you haven't got wifi access, by using opera. Since opera can open local txt/html documents without wifi, and when it opens it copies the contents of /mnt/system/opera_home to /tmp and this includes a shared library object /mnt/system/opera_home/jsplugins/libwebpipe.so, which can be overwritten with an alternative copy which runs our own code (you need to rename/delete the old jsplugins entry since it's a symlink to /usr/opera/opera_dir/jsplugins, recreate the folder and then do the copy)

It would be nice to be able to overwrite the executable file in the /gps directory with a similar trick, but that, along with most of the rest of the filesystem, is mounted readonly, so not possible afaik.

So there is an alternative way to run a script without GFT and wifi, but it requires a minidock and usb stick.

I'll post the details sometime, but I'm looking for something simpler first perhaps via the standalone flash player (/opt/visiware/libflashplayer.so version LNX 7,0,70,0) or apdf (uses libpoppler 0.5.1), there are reported vulnerabilities but they're tricky to exploit.
grond
Archos Guru
Posts: 627
Joined: Thu Nov 23, 2006 10:37 pm
Location: Berlin
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by grond »

sideways wrote: This is amusing :)

If you format a usb stick as ext3 and create a symlink to /mnt/system in its top directory, then when you plug it into the minidock you can browse (with read/write privileges!) the entire hidden system directory from the archos file browser (via the symlink).
I think that was already reported some time ago. It is also very useful for downgrading the firmware to 1.7.13 which would give back the original GFT exploit. The opera bit sounds even more exciting... :)
openAOS
Buster
Archos Novice
Posts: 20
Joined: Sat Oct 03, 2009 11:23 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by Buster »

Well... seems like there's a lot going on now...

I almost buried my hope that there'll be a useful JB for my A605, which is unfortunately updated to 2.1.0.4

Since I'm new to Linux and not willing to brick my device, I hereby humbly beg ;) for a step-by-step
instruction on how to use the GFT(2) (at best without WiFi, since I paid 30 € for that crappy USB-Mini-Dock and still I am eagerly awaiting the first real use it might have ;) ) on my A605.


Hopefully some one is willing to let me join the ranks :cry:

:D Aye

PS: Windoze possible?
pandyBox
Archos User
Posts: 57
Joined: Fri Mar 27, 2009 7:29 pm
Location: Ireland
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by pandyBox »

You can install EXTFS tools on XP.

The USB on Archos seems to be a USB2GO, you can't "host" and "slave" at the same time and the data pins on the host and client connectors seem to be in parallel. You have to peel off the metal cover to get at screws on the mini battery/USB dock

It's marginally possible that a USB host back to back socket (possibly with a local +5V) connected to "normal" USB cable will allow a USB stick to be mounted without the mini-dock. If I get bored I'll have a look.
160G 605 WiFi
divx118
Archos Guru
Posts: 595
Joined: Tue Dec 04, 2007 9:48 pm
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by divx118 »

@sideways Thanks for the tip on the USB-stick. :D

I was thinking the same, only I didn't have a way to copy the libwebpipe.so :) after a reboot. On a reboot the link gets recreated by the S30opera script in /etc/init.d, see below.

Code:

SYSTEM_DIR="/mnt/system"
OPERA_HOME_TEMPLATE="/usr/opera/opera_home"
OPERA_DIR_TEMPLATE="/usr/opera/opera_dir"
OPERA_HOME="$SYSTEM_DIR/opera_home"

# create the writable opera_home on first boot
if [ ! -d "$OPERA_HOME" ]; then
    mkdir "$OPERA_HOME"
fi

# a real jsplugins directory (or a symlink to an existing directory,
# since -d follows links) is removed ...
if [ -d "$OPERA_HOME/jsplugins" ]; then
    rm -rf "$OPERA_HOME/jsplugins"
fi

# ... and the link to the read-only template is only created when no
# link exists at all (-L is also true for a dangling link, so one is kept)
if [ ! -L "$OPERA_HOME/jsplugins" ]; then
    ln -s "$OPERA_DIR_TEMPLATE/jsplugins/" "$OPERA_HOME/jsplugins"
fi

# copy the home template once, marked by the .killroy file
if [ ! -f "$OPERA_HOME/.killroy" ]; then
    cp -r $OPERA_HOME_TEMPLATE $SYSTEM_DIR
    touch "$OPERA_HOME/.killroy"
fi

cp "$OPERA_HOME_TEMPLATE/input.ini" $OPERA_HOME

# this file can cause opera to crash | gen4 cargo cult
rm -f $OPERA_HOME/vlink4.dat

I think a hack based on apdf could be the way. If you let it crash it doesn't interfere with avos, so it wouldn't have the problem that if avos crashes you get a reboot.

Maurice 8)
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by sideways »

Yes, unfortunately it doesn't look possible to prevent the jsplugins link being recreated on boot, so the usb stick+minidock hack has to be applied each reboot. However, it only takes me ~10 secs to do the rename of jsplugins (to jspluginsx) and then copy my own jsplugins directory from /mnt/data, it's less than 10 taps on the touchscreen interface, all in the same file browser display. It's an alternative to GFT and GFT2 if you haven't got wifi access.

libwebpipe.so gets loaded by avos as soon as opera opens (you can check with lsof), even if you just open a local txt or html file (so no wifi required), and the initial branch call is at offset 0xad0

Code:

/mnt/system/opera_home/jsplugins # objdump -d libwebpipe.so | less

libwebpipe.so:     file format elf32-littlearm

Disassembly of section .init:

000008d4 <_init>:
 8d4:   e52de004        str     lr, [sp, #-4]!
 8d8:   eb00007c        bl      ad0 <_init+0x1fc>
 8dc:   eb0005fe        bl      20dc <jsplugin_capabilities+0x1104>
 8e0:   e49df004        ldr     pc, [sp], #4
Disassembly of section .plt:

000008e4 <.plt>:
 8e4:   e52de004        str     lr, [sp, #-4]!
 8e8:   e59fe004        ldr     lr, [pc, #4]    ; 8f4 <_init+0x20>
 8ec:   e08fe00e        add     lr, pc, lr
...
...
...
     ad0:       e92d4400        stmdb   sp!, {sl, lr}
     ad4:       e59fa054        ldr     sl, [pc, #84]   ; b30 <_init+0x25c>
     ad8:       e59f3054        ldr     r3, [pc, #84]   ; b34 <_init+0x260>
     adc:       e08fa00a        add     sl, pc, sl
     ae0:       e79ac003        ldr     ip, [sl, r3]
     ae4:       e35c0000        cmp     ip, #0  ; 0x0
     ae8:       0a000005        beq     b04 <_init+0x230>
     aec:       e59f3044        ldr     r3, [pc, #68]   ; b38 <_init+0x264>
     af0:       e59f2044        ldr     r2, [pc, #68]   ; b3c <_init+0x268>
so you just need to stick in arm assembler code for an execve (or maybe fork) call to run script /mnt/data/myscript.sh.

I've got an ugly hack working just to restart avos but need to make it cleaner, then I'll post details.

It's a reasonably nice exercise for anyone wanting to practice hacking arm assembler, grond might like it :)

http://www.phrack.com/issues.html?issue=58&id=10
http://www.hack3r.com/content/introduct ... ding-bliss
http://lxr.kelp.or.kr/source/include/as ... td.h?a=arm
http://vx.netlux.org/lib/vsc06.html
http://vx.netlux.org/lib/static/vdat/tuunix02.htm
http://www.linuxforums.org/articles/und ... p_125.html
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by sideways »

After posting I just realised you can set it up so you don't need the minidock either!

Thanks to divx118 pointing out the logic for recreating the jsplugins link, I realised you can create a symlink to a nonexistent directory in /mnt/data, then the init.d S30opera script doesn't recreate it, and now you can just rename the real jsplugins directory in /mnt/data so the symlink is valid.

This does require you to remember to rename the /mnt/data directory back to the nonvalid name before power off though (otherwise minidock+usb will be required again)

I suggest

ln -s /mnt/data/jsplugins /mnt/system/opera_home/jsplugins

and then name the hacked jsplugins directory /mnt/data/jspluginsx (/mnt/data/jsplugins MUST NOT EXIST before power off)

Now after reboot rename it back to /mnt/data/jsplugins (from the filebrowser interface)

(It should also be possible to include a shutdown script which does the rename)

UPDATE. I'll put all this together for GFT3 later this week, wanted to do it for twelfth night and get a cool sounding name for the hack, but didn't have time (if you don't have a minidock+usb stick then GFT3 will require a one time use of wifi and GFT(2) to set up)
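The symlink logic of the S30opera snippet divx118 quoted, and the dangling-link behaviour sideways describes above, put side by side with a variant that verifies the link target. This is an added example written for this thread, not the device's own init script; it only works on a constructed tree under mktemp, and the function and path names are its own.

```shell
#!/bin/sh
# Added example: reproduce the jsplugins link repair from the S30opera
# snippet and a hardened variant, against a constructed directory tree.

# Mirror of the original logic. [ -L ] is true for a dangling symlink,
# so a link that points at a not-yet-existing directory is left alone.
original_fixup() {
    home="$1"; template="$2"
    if [ -d "$home/jsplugins" ]; then
        rm -rf "$home/jsplugins"
    fi
    if [ ! -L "$home/jsplugins" ]; then
        ln -s "$template/jsplugins/" "$home/jsplugins"
    fi
}

# Hardened variant: keep the entry only if it is a symlink whose target is
# exactly the read-only template directory; replace anything else.
hardened_fixup() {
    home="$1"; template="$2"
    want="$template/jsplugins/"
    if [ -L "$home/jsplugins" ] && [ "$(readlink "$home/jsplugins")" = "$want" ]; then
        return 0
    fi
    rm -rf "$home/jsplugins"
    ln -s "$want" "$home/jsplugins"
}

# Build the constructed tree: opera_home/jsplugins already links into a
# writable data area whose target does not exist yet, run the given fixup
# function and report where the link points afterwards (relative to the
# tree root, so the result does not depend on the mktemp path).
link_target_after() {
    fixup="$1"
    root=$(mktemp -d)
    mkdir -p "$root/usr/opera/opera_dir/jsplugins" \
             "$root/mnt/system/opera_home" "$root/mnt/data"
    ln -s "$root/mnt/data/jsplugins" "$root/mnt/system/opera_home/jsplugins"
    "$fixup" "$root/mnt/system/opera_home" "$root/usr/opera/opera_dir"
    target=$(readlink "$root/mnt/system/opera_home/jsplugins")
    rm -rf "$root"
    printf '%s\n' "${target#"$root"}"
}

# Stand-alone run: the original keeps the writable target, the hardened
# variant points the link back at the template directory.
echo "original: $(link_target_after original_fixup)"
echo "hardened: $(link_target_after hardened_fixup)"
```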
twizted25
Archos Novice
Posts: 23
Joined: Mon Nov 30, 2009 10:39 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by twizted25 »

sounds good sideways. keep it up.
nokiae50
Archos Guru
Posts: 427
Joined: Sun Feb 03, 2008 6:07 pm
Location: Bangalore, India
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by nokiae50 »

Congrats KEEP IT UP!!!! =D> =D> =D> =D> =D> =D>
openAOS ROCKS!!
divx118
Archos Guru
Posts: 595
Joined: Tue Dec 04, 2007 9:48 pm
Contact:

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by divx118 »

sideways wrote: Thanks to divx118 pointing out the logic for recreating the jsplugins link, I realised you can create a symlink to a nonexistent directory in /mnt/data
Of course, how could I have overlooked that :oops: . The renaming of the link back to the nonexisting directory could be done by a script on shutdown.
Congrats on your progress sideways.

Maurice 8)
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..

Post by sideways »

just an update to say no complex hacking is required (in case anyone's attempting it), you can just create a file hack.c, with a single function:

Code:

#include <stdlib.h>   /* system() */

/* runs when the shared object is loaded by the jsplugins mechanism */
void _init()
{
        system("/mnt/data/hack.sh &");
}
and compile it with:

gcc -nostartfiles -fpic -shared -lc -o hack.so hack.c

UPDATE: (if no cross-compiler is available, download hack.so)

then copy hack.so to /mnt/data/jsplugins/ and edit /mnt/data/jsplugins/jsplugins.ini so it contains a second line

Code:

libwebpipe.so: CALLBACK
hack.so: CALLBACK
Then create an executable script /mnt/data/hack.sh, and as soon as you open Opera (you can create an empty file '/mnt/data/hack.html' to tap so it opens without wifi access) the script is executed with root privileges (as a background process, so it doesn't block opera, and you can kill opera/avos from the script :) ). (If it doesn't work, ensure /mnt/system/opera_home/jsplugins is a symlink to /mnt/data/jsplugins.)

(This is nice, since it doesn't break libwebpipe.so)

all the pieces for gft3 are there, just fiddly stuff like ensuring the shutdown renames /mnt/data/jsplugins back to jspluginsx. Also, I don't want to rely on a download version of hacked avos, so need to script the binary edits on the fly.

soon...
Last edited by sideways on Wed Jan 06, 2010 7:00 pm, edited 1 time in total.