Page 8 of 9

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Wed Jun 17, 2009 1:43 pm
by brdystyls
A private key and HDD serial number are two different things. The private key just encrypts the information we see. The serial helps the firmware see the HDD, basically anyways.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Wed Jun 17, 2009 4:13 pm
by grond
brdystyls wrote: A private key and HDD serial number are two different things. The private key just encrypts the information we see.


I know what a private key is and what an hdd serial number is. The thing is that the hdd lock is based on a 1024-bit RSA keypair. If a firmware update locks the hdd currently present in the Archos to the Archos, this means that the update can produce a valid signature, which again means that the private key must be present in the firmware. Or: if a publicly available firmware upgrade can lock the x04 to a given hdd, it should in theory be possible to lock the x04 to just any hdd by extracting, appropriately modifying and running the portion of code used for locking the hdd.

EDIT: the hdd lock used in the x04 could of course be different from that of the x05, which is based on RSA keypairs. I have analysed the x05 bootloader in detail but have only had a short look at that of the x04. However, the x04 bootloader appeared to be very similar to that of later devices, to say the least.
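grond's argument above turns on who holds which half of the RSA keypair. The following toy model is an added example, not Archos code and not the device's real 1024-bit keypair or lock format: the bootloader stores only the public key and checks a stored lock record against the drive serial, while producing a record for any serial needs the private exponent d. Assumptions: two small Mersenne primes and no padding scheme, so it models key separation only.

```python
import hashlib

# Toy textbook RSA over two Mersenne primes (assumption: far too small for real use,
# and no padding; this only models who needs which key).
P, Q = (1 << 31) - 1, (1 << 61) - 1

def make_keypair(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)). Only the holder of p and q can compute d."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def serial_digest(serial, n):
    """Hash the drive serial and reduce it into Z_n; the serial is the signed message."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % n

def lock_drive(serial, priv):
    """What a firmware that locks the device to a drive must be able to do: sign."""
    n, d = priv
    return pow(serial_digest(serial, n), d, n)

def boot_accepts(serial, lock_record, pub):
    """What the bootloader does with only the public key: verify the stored record."""
    n, e = pub
    return pow(lock_record, e, n) == serial_digest(serial, n)

if __name__ == "__main__":
    pub, priv = make_keypair()
    record = lock_drive("CONSTRUCTED-SERIAL-0001", priv)  # constructed sample serial
    print(boot_accepts("CONSTRUCTED-SERIAL-0001", record, pub))  # True
    print(boot_accepts("CONSTRUCTED-SERIAL-0002", record, pub))  # False: record is serial-bound
```

A record copied from one drive does not verify for another because the serial sits under the hash, which is exactly why a re-lock needs the signing half.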

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 8:22 am
by b0hoon
I think it is hidden in the aos file, encrypted somewhere. But the decrypting algorithm is not that simple to reverse, especially when it is based on the data from the flash. It's a modified AES.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 10:36 am
by CheBuzz
b0hoon wrote: I think it is hidden in the aos file, encrypted somewhere. But the decrypting algorithm is not that simple to reverse, especially when it is based on the data from the flash. It's a modified AES.

Hm... I don't see the key anywhere in the file (decrypted of course). And the decrypting algorithm isn't all that bad to reverse. But you are correct in that you need the AES key from the flash. Once you have that though, it's only a day's work.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 11:11 am
by b0hoon
So... you've decrypted the aos file, maybe you could share it with us, please?

And you must have flash image too... :shock:

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 8:49 pm
by CheBuzz
Yes, I have the flash image. And I could post the decrypted .aos file, but what does that accomplish? The problem here is that few people have the initiative to dig in and figure things out for themselves. I've already said that reversing the encryption would only take about a day's worth of work. Yet nobody steps up to the plate.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 9:01 pm
by brdystyls
How about just the process of decrypting the file?

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 9:56 pm
by CheBuzz
Dude, AES. I'm not going to teach a crypto class here, and again, something that you should go and figure out.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 10:04 pm
by brdystyls
Uh, just want the process you used, not a crypto class or anything such as that. Geesh. :roll:

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 10:09 pm
by pawstar
Yes, please share as much info with us as you can. My #1 priority with my 605 right now is to get a 250GB hdd I bought for it to work.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 10:56 pm
by CheBuzz
brdystyls wrote: Uh, just want the process you used, not a crypto class or anything such as that. Geesh. :roll:

Process? The process for decrypting the file is this: take the decrypted file and use a slightly modified AES algorithm to produce an unencrypted file.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Thu Jun 18, 2009 11:15 pm
by brdystyls
This is all I heard.

Q: How much bread do you want?
A: Buttered Toast

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Fri Jun 19, 2009 12:08 am
by brdystyls
May I also add, since he isn't talking, he's probably lying.

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Fri Jun 19, 2009 8:44 am
by b0hoon
A day's work...wow! Read the flash, disasm the code, reverse the algorithm, then write the tool and decode the file. You are the god for me CheBuzz. :P

You must be very good at assembler reverse engineering, CheBuzz, so I have a very simple question that you must know the answer to (if you did what you are saying): which byte or bytes written in the aos decide whether the file is encrypted or not (it's always encrypted but it doesn't have to be)? What values can it have? C'mon... it's not even connected with AES (which must be perfectly known to you).

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Fri Jun 19, 2009 9:08 am
by CheBuzz
brdystyls wrote: May I also add, since he isn't talking, he's probably lying.

Oh no! Now I have to tell everything to prove that I'm not lying. Whatever shall I do?!

First thing, I have nothing to prove to you. But just for the sake of letting you know that it is possible:
Sig verified with A604 MPK

CIPH found.
MAGIC: 000BF959
IV: EFE02650CC5A198889AA831B9D2EC23F
UNIT size:48 intended unit: a604wifi
VERS size:32 version: 1.6.53
TIME size:416
FLSH size:32784 offset:0
FLSH size:69296 offset:196608
FLSH size:8208 offset:32768
FLSH size:1437792 offset:327680
FLSH size:12448 offset:1835008
COPY size:8290832 filename:rootfs.cramfs.secure
COPY size:16318736 filename:optfs.cramfs.secure
DLET size:272 filename:opt.cramfs
DLET size:272 filename:System/LANG_CS.ALZ
DLET size:272 filename:System/LANG_ES.ALZ
DLET size:272 filename:System/LANG_HE.ALZ
DLET size:272 filename:System/LANG_HU.ALZ
DLET size:272 filename:System/LANG_IT.ALZ
DLET size:272 filename:System/LANG_NL.ALZ
DLET size:272 filename:System/LANG_PT.ALZ
DLET size:272 filename:System/LANG_RU.ALZ
DLET size:272 filename:System/LANG_SC.ALZ
DLET size:272 filename:System/LANG_TC.ALZ
DLET size:272 filename:System/LANG_SV.ALZ
DLET size:272 filename:System/LANG_DA.ALZ
DLET size:272 filename:System/LANG_FI.ALZ
DLET size:272 filename:System/LANG_NO.ALZ
COPY size:70704 filename:System/lang_cs.alz
COPY size:74224 filename:System/lang_es.alz
COPY size:74096 filename:System/lang_he.alz
COPY size:72912 filename:System/lang_hu.alz
COPY size:72240 filename:System/lang_it.alz
COPY size:72000 filename:System/lang_nl.alz
COPY size:71872 filename:System/lang_pt.alz
COPY size:94928 filename:System/lang_ru.alz
COPY size:66160 filename:System/lang_sc.alz
COPY size:66720 filename:System/lang_tc.alz
DLET size:272 filename:System/lang_sv.alz
DLET size:272 filename:System/lang_da.alz
DLET size:272 filename:System/lang_fi.alz
DLET size:272 filename:System/lang_no.alz
DLET size:272 filename:opera_home/op_config.conf
DLET size:272 filename:opera_home/opera.ini
ADEL size:16 value:1

b0hoon:
1) that answers your question about the magic I believe?
2) a day's work was referring to figuring out the AES part. Reading the flash took me about a week and before that I knew absolutely nothing about ARM assembly. So believe me when I say it is possible, but almost nobody ever shows the initiative to get off their ass and do it.
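The block listing CheBuzz posted above is structured enough to reason about without any of the keys. As an added example (not CheBuzz's tool and not Archos code), here is a small parser over an excerpt of that listing that recovers what the update writes to flash and what it does to the language files. It assumes each block's size field includes a 16-byte header, which the listing itself suggests (every DLET is 272 = 256 + 16 and ADEL is exactly 16); the header_len parameter shows that reading the sizes raw would make the first two FLSH regions appear to overlap.

```python
import re
from itertools import combinations

# Excerpt of the decrypted .aos block listing from the post above (the FLSH entries
# plus two of the language-file DLET/COPY groups); the full listing parses the same way.
LISTING = """\
UNIT size:48 intended unit: a604wifi
FLSH size:32784 offset:0
FLSH size:69296 offset:196608
FLSH size:8208 offset:32768
FLSH size:1437792 offset:327680
FLSH size:12448 offset:1835008
DLET size:272 filename:System/LANG_CS.ALZ
DLET size:272 filename:System/LANG_SV.ALZ
COPY size:70704 filename:System/lang_cs.alz
DLET size:272 filename:System/lang_sv.alz
ADEL size:16 value:1
"""

LINE_RE = re.compile(r"^(?P<tag>[A-Z]{4}) size:(?P<size>\d+)(?: (?P<key>[\w ]+?): ?(?P<val>\S.*))?$")

def parse_listing(text):
    """One dict per block line: tag, numeric size, and its optional key/value field."""
    return [m.groupdict() | {"size": int(m["size"])}
            for m in map(LINE_RE.match, text.splitlines()) if m]

def flash_regions(entries, header_len=16):
    """(start, end) of each FLSH payload. Assumption: `size` counts a 16-byte block
    header (every DLET is 272 = 256 + 16 and ADEL is exactly 16)."""
    regions = [(int(e["val"]), int(e["val"]) + e["size"] - header_len)
               for e in entries if e["tag"] == "FLSH"]
    return sorted(regions)

def overlapping(regions):
    """Region pairs sharing at least one byte: a sign the block layout was misread."""
    return [(a, b) for a, b in combinations(regions, 2) if a[0] < b[1] and b[0] < a[1]]

LANG_PREFIX, LANG_SUFFIX = "system/lang_", ".alz"

def language_changes(entries):
    """(replaced, removed): languages whose upper-case .ALZ is deleted and a lower-case
    copy written back, versus those deleted with nothing written back."""
    def langs(tag):
        return {e["val"].lower()[len(LANG_PREFIX):-len(LANG_SUFFIX)]
                for e in entries if e["tag"] == tag and e["val"].lower().startswith(LANG_PREFIX)}
    deleted, copied = langs("DLET"), langs("COPY")
    return deleted & copied, deleted - copied
```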

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Fri Jun 19, 2009 9:37 am
by b0hoon
CheBuzz wrote: 1) that answers your question about the magic I believe?

That's correct.

You are really very good at reverse engineering and you are a very talented man then.

CheBuzz is not lying, the UNIT, VERS, TIME, etc. blocks on the listing are real blocks after decryption.
Ok then, you don't want to share your work with us, I understand it :).

But I have a question, how did you read the flash? SSH and some self-made tool?

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Fri Jun 19, 2009 11:55 am
by CheBuzz
b0hoon wrote: Ok then, you don't want to share your work with us, I understand it :).

But I have a question, how did you read the flash? SSH and some self-made tool?

1) It's not that I don't want to share my work. I would love to make everything open. But until things can be cracked wide open in the latest generation (hint hint), I don't want to give anything away to Archos.

2) Reading the flash is really easy. Once I spent the week learning to read ARM assembly, and figured out what format things needed to be in, writing the tool seriously only took 20 minutes. But you do need execute access on the Archos (i.e. à la GFT).

And finally, I'm not a master hacker. Just better than grond ;)

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Fri Jun 19, 2009 1:02 pm
by grond
CheBuzz wrote: And finally, I'm not a master hacker. Just better than grond ;)


Haha, now I know what joke you were talking about when you said you hoped I could take a joke. Haha. You f*cker.

;)

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Sat Jun 20, 2009 4:23 am
by thethirdmoose
CheBuzz if this is real (and I think it is), you're a beast.

Can you PM me with more details about the hack, or at least answer two questions?

Did you need to use a hardware hack to read the flash, or was it accessible through hardware?

Is the flash writeable through the same method?

Re: Success Upgrading Archos 504 40gb to 160gb from Woot

Posted: Sat Jun 20, 2009 9:48 am
by CheBuzz
Tell you what, I'll do half the work for you. Since I don't have a 604 and don't plan on working on it, here are the 604wifi's AES and RSA keys, respectively:

There you go. Now you have everything you need to decrypt the AES files (even verify it if you want) and start hacking away at it.