Archos 605 Hacking

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
Garmac
Archos Novice
Posts: 31
Joined: Wed Nov 14, 2007 4:40 am

Post by Garmac »

Kurosan, could you give a quick how-to about making the partition image from Linux? I'd like to make one of my 80GB drive, but I am ignorant when it comes to Linux (besides installing the OS and the basics...). Thanks!
ranceramos
Archos Guru
Posts: 684
Joined: Tue Oct 16, 2007 1:33 am
Location: Brooklyn, NY

Post by ranceramos »

Hi all, I haven't posted on this thread but was following it for quite some time. I'm wondering if anyone has tried going the opera exploit route for a buffer overflow attack? I did some snooping and found some interesting leads, but is this old news? Also, what version of Opera is on the 605? Most of the following links have been patched already, but perhaps there are easier methods of gaining access than via the HD?

http://www.dcemu.co.uk/vbulletin/showthread.php?t=48398

http://labs.idefense.com/intelligence/v ... php?id=458

http://www.opera.com/support/search/view/852/

http://www.governmentsecurity.org/archive/t4533.html

http://www.ps2-scene.org/forums/nintend ... ility.html

http://www.wilderssecurity.com/archive/ ... 11975.html

http://torrentfreak.com/critical-bittor ... a-browser/
Garmac
Archos Novice
Posts: 31
Joined: Wed Nov 14, 2007 4:40 am

Post by Garmac »

In theory, the dual boot option should work but how to implement it... It sucks cause we could boot like if having the original hard drive, then suspend the Archos, Switch to the new drive and use the entire space of the drive... I tried it on mine and it worked... I wish I had a 320Gb and would never have to shut down the archos...
Gomez
Archos User
Posts: 99
Joined: Tue Sep 18, 2007 5:49 pm

Post by Gomez »

Garmac wrote: I tried it on mine and it worked...

I don't know if I fully understand, but did you get a dual boot to work?
Did you boot into some other Linux distro?
Garmac
Archos Novice
Posts: 31
Joined: Wed Nov 14, 2007 4:40 am

Post by Garmac »

Sorry, I should not have said "dual boot"... I did boot the Archos, then I placed it in standby. Then I switched the hard drive with a bigger one and woke up my Archos. I was then able to use the bigger drive and play what was on it... But of course, I could not reboot or it would fail and I would have to put back the old drive... Instead of dual boot, I was thinking of some kind of switch that would allow 2 drives to be connected at the same time... the original that would stay external just to boot, then you place the Archos in standby, flip a switch and use the internal (bigger) drive and can disconnect the original one... Not very practical though.
cajl
Archos Guru
Posts: 585
Joined: Sun Aug 19, 2007 10:58 am
Location: La varenne / France

Post by cajl »

just a question !

Does it work? And how?
CORSE' WEB
dm8tbr
Archos Guru
Posts: 524
Joined: Thu Nov 23, 2006 3:44 pm
Location: openaos.org

Post by dm8tbr »

ranceramos wrote: Hi all, I haven't posted on this thread but was following it for quite some time. I'm wondering if anyone has tried going the opera exploit route for a buffer overflow attack? I did some snooping and found some interesting leads, but is this old news? Also, what version of Opera is on the 605? Most of the following links have been patched already, but perhaps there are easier methods of gaining access than via the HD?


I don't think using Opera is a perfect approach, from what I know exploiting directly the avos binary would be the best option. Then you'd probably inherit all the permissions of the main do-it-all-and-everything process.

just my 0,02€

Thomas
openAOS
thethirdmoose
Archos Guru
Posts: 397
Joined: Thu Sep 06, 2007 4:12 am

Post by thethirdmoose »

To the person who figured out how to swap hard drives:
You should try running a compiled version of the source code from the switched hard drive to see if it works.
layzee
Archos User
Posts: 69
Joined: Fri Oct 12, 2007 1:47 pm

Post by layzee »

To the last poster and some others before, please: Do not post anything to this thread UNLESS YOU HAVE READ AND TO SOME EXTENT UNDERSTOOD THE ENTIRE THREAD BEFORE.
Bumping this thread won't help hacking the box at all.

Let's please keep the noise down in this thread (I'm no moderator but I hope others agree).
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

I made a binary comparison of two versions from the update files (1.3.08 and 1.3.53).

So far, what b0hoon discovered can be easily checked.

BTW I noticed there are many similarities between files that are in theory different. More than 100 KB identical.

Also, as a reminder, someone has done good work with AOS files on the Gemini. This could help.
http://www.donat.org/archos/wiki/doku.p ... ile_format
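
A comparison of the kind described in the post above can be reproduced with a block-hash diff. This is an added example, not code from anyone in the thread; the function names, the 4096-byte block size and the two sample images are constructed assumptions. Single-byte fill (0x00/0xFF) is ignored so padding does not inflate the identical total.

```python
import hashlib
import random

BLOCK = 4096  # comparison granularity in bytes (assumed, not from the thread)

def is_padding(chunk):  # block made of one repeated byte (0x00 / 0xFF fill)
    return chunk.count(chunk[:1]) == len(chunk)

def index_blocks(data, block=BLOCK):
    """Map SHA-256 digest -> first offset of each aligned, non-padding block."""
    index = {}
    for off in range(0, len(data) - block + 1, block):
        chunk = data[off:off + block]
        if not is_padding(chunk):
            index.setdefault(hashlib.sha256(chunk).digest(), off)
    return index

def shared_regions(a, b, block=BLOCK):
    """Return (offset_in_a, offset_in_b, length) runs of identical blocks."""
    index = index_blocks(a, block)
    regions, off_b = [], 0
    while off_b + block <= len(b):
        chunk = b[off_b:off_b + block]
        off_a = None if is_padding(chunk) else index.get(hashlib.sha256(chunk).digest())
        if off_a is None:
            off_b += block
            continue
        n = block  # run length, grown while the following blocks also match
        while off_a + n + block <= len(a) and off_b + n + block <= len(b):
            nxt = b[off_b + n:off_b + n + block]
            if is_padding(nxt) or a[off_a + n:off_a + n + block] != nxt:
                break
            n += block
        regions.append((off_a, off_b, n))
        off_b += n
    return regions

def constructed_sample():
    """Two made-up images: different headers, a shared body, 0xFF fill."""
    rng = random.Random(605)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    body = rand(3 * BLOCK)
    old = rand(BLOCK) + body + b"\xff" * (2 * BLOCK)
    new = rand(2 * BLOCK) + body + b"\xff" * (2 * BLOCK)
    return old, new

if __name__ == "__main__":
    old, new = constructed_sample()
    print(shared_regions(old, new))
```

Only block-aligned matches are found, so content shifted by an amount that is not a multiple of `BLOCK` is missed; a smaller block size trades speed for sensitivity.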
suRRendeR
Archos Novice
Posts: 19
Joined: Sun Nov 25, 2007 10:56 pm

Post by suRRendeR »

Hi guys. I've bought the Archos 605 WiFi just 4 days ago. So far I'm (sorry for the word) pissed about the fact that I cannot buy the Archos browser problem due to the fact that I do not possess a credit card. After doing some research on cracks I found that there is no way yet to crack the plugin but that the Archos has a Linux system running. This is where I found this thread. So far I've downloaded the sources that are linked somewhere ^^. Unfortunately I've not been able to compile the image as I do not have a suitable build environment here with me. But I've come up with an idea that should work. As stated above, Archos puts a digital signing technology on their products (at least a few important modules). But the Linux kernel can't practically be signed, because it is the starting point. So what I am starting with is the thought that it would be possible to develop a frontend-backend communication module for the Linux kernel. It is obvious that there is some kind of X environment started in the system's bootup process, which loads the Qt interface the user sees. So for me there are two ways to intrude: a) insert code into the X-communication module for the kernel. b) create a patched Qt version that allows us to start a console with a virtual keyboard. c) insert some freeware browser into the system and use one of a) or b) to start it. I'm working on this and I will keep you guys informed. BTW this would be one step further to making the system compatible with bigger hard drives. Maybe it's some env var that tells the 605 which size its HDD has. This could be reset.
thethirdmoose
Archos Guru
Posts: 397
Joined: Thu Sep 06, 2007 4:12 am

Post by thethirdmoose »

Actually, the starting point is probably the BIOS or the filesystem, which ensures that the OS is signed.
albokay
Archos Expert
Posts: 155
Joined: Fri Sep 14, 2007 4:39 am

Post by albokay »

suRRendeR wrote: Hi guys. I've bought the Archos 605 WiFi just 4 days ago. So far I'm (sorry for the word) pissed about the fact that I cannot buy the Archos browser problem due to the fact that I do not possess a credit card. After doing some research on cracks I found that there is no way yet to crack the plugin but that the Archos has a Linux system running. This is where I found this thread. So far I've downloaded the sources that are linked somewhere ^^. Unfortunately I've not been able to compile the image as I do not have a suitable build environment here with me. But I've come up with an idea that should work. As stated above, Archos puts a digital signing technology on their products (at least a few important modules). But the Linux kernel can't practically be signed, because it is the starting point. So what I am starting with is the thought that it would be possible to develop a frontend-backend communication module for the Linux kernel. It is obvious that there is some kind of X environment started in the system's bootup process, which loads the Qt interface the user sees. So for me there are two ways to intrude: a) insert code into the X-communication module for the kernel. b) create a patched Qt version that allows us to start a console with a virtual keyboard. c) insert some freeware browser into the system and use one of a) or b) to start it. I'm working on this and I will keep you guys informed. BTW this would be one step further to making the system compatible with bigger hard drives. Maybe it's some env var that tells the 605 which size its HDD has. This could be reset.


Maybe it's just me, but wouldn't it be just easier to get a credit card, buy the plug-in, pay it off and then cancel the card if you don't want it?
suRRendeR
Archos Novice
Posts: 19
Joined: Sun Nov 25, 2007 10:56 pm

Post by suRRendeR »

I guess it would take far longer and I know it's way more expensive.
It would take about two weeks for me to get the card, cost 15€ setup fee, and I would have the stress to cancel it. Sorry, but that's no way for me.
Charbax
Site Admin
Posts: 7055
Joined: Sun Nov 27, 2005 2:40 am
Location: Copenhagen

Post by Charbax »

Maybe your bank provides some kind of instant temporary limited amount credit card number service. Some banks provide that, where you for example set it up with $100 and it expires when the funds are used or after a few days.
ranceramos
Archos Guru
Posts: 684
Joined: Tue Oct 16, 2007 1:33 am
Location: Brooklyn, NY

Post by ranceramos »

As far as credit cards are concerned, here in the US they now offer something of an over-the-counter credit card. It works like a gift card where you pay cash and basically get a pre-paid credit card which will expire in a certain amount of time that has all the qualities of a bank issued credit card. These can be purchased in many varying amounts and I'm pretty sure there isn't much overhead in the price....perhaps you can get one of these (I can imagine online retailers selling these like phone cards where all the card details can be emailed to you).

I agree with a previous poster on keeping this thread related to hacking and not restating what has been already posted. I think a lot of people (myself included) are really hoping that this setup can be hacked and open the door to all the powers of linux, so let's be efficient about it!

P.S. From the looks of it, a direct kernel hack may be close to impossible without finding a way to hook into the validation process on start up. I think buffer overflow/privilege escalation would be a key step, if not directly providing a solution, then at least giving the ability to access more information. There has to be some sort of opera/flash exploit out there to do this.
BloodyIron
Archos Expert
Posts: 152
Joined: Tue Nov 27, 2007 11:30 am
Location: Calgary

Post by BloodyIron »

I have not quite read everything, but is there any way at this time to get a terminal program in the 605 environment?

Does anyone know if the virtual keyboard is isolated to the browser, does it come installed after the browser, or is it system-wide?
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

BloodyIron wrote: I have not quite read everything, but is there any way at this time to get a terminal program in the 605 environment?

Does anyone know if the virtual keyboard is isolated to the browser, does it come installed after the browser, or is it system-wide?


No terminal available. This would have been too easy.

For the virtual keyboard, it's implemented system-wide as you can use it in both Opera, file browser, 802.11 setup...

And please everyone, stop trolling all the ways out. We're talking of hacking.
ranceramos
Archos Guru
Posts: 684
Joined: Tue Oct 16, 2007 1:33 am
Location: Brooklyn, NY

Post by ranceramos »

Well, I think it's silly to say things like "stop bumping this thread, it's for hacking only." Obviously, this was attempted from the gen 4 series and earlier and still no real headway has been made. Frankly, I think a lot of the hackers here are letting their egos get in the way when they're bumping up against an obvious encryption schema yet still trying to create outside kernel compiles to load on the 605.

Anyone who has ever hacked anything knows that there are usually a number of different ways to skin a cat. This can be something complex like hooking into a process via an exploit to simply phishing for information. If something doesn't work look elsewhere. You may be looking way too deep when an easier opportunity is available. I very much applaud any and all efforts from those who have posted on this thread, but let's not let it go to waste by all piling into the same bottleneck.

That being said, I noticed that rob0t was able to elicit the opera version (9.02). It seems that at least as of June 07, this version of Opera has a very real heap overflow exploit. Yes, this may not be the answer to all, but it could pave the way to shell access of some sort (which to me would be more useful than trying to bruteforce a private key). Even if Opera is run under a restricted user, privilege escalation might still be possible. It seems like users are trying this same exploit on the Wii, so that alone can increase the chances that a Proof of Concept exploit can be used. Either way, I think this is worth looking into and will try to pursue this different avenue. Additionally, judging from the bugginess of the Archos software, I would bet that there are plenty of places where other overflow attempts could be made (i.e. video/audio file info, filenames, urls, etc).

Again, I'm not trying to flame or take away anything from what has been said or done. I'm just trying to be proactive. After all, this thread gets like 10 posts a month, so it's not like people are flooding through the doors to post new developments.

Opera Exploit Info:
http://www.heise-security.co.uk/news/83279

Wii Forum Discussion of opera exploit:
http://www.ps2-scene.org/forums/nintend ... ility.html
davgonzalez1
Archos User
Posts: 88
Joined: Fri Oct 26, 2007 6:03 pm
Location: orlando

Post by davgonzalez1 »

Has anyone tried to search in Linux forums for hackers that may be able to hack the Archos? I'm looking and asking around in other Linux forums to search for a highly skilled Linux hacker to take on the challenge. I might even pay him.