Archos 605 Hacking

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

So far you touched something maybe good, ranceramos. Is anyone knowledgeable enough with ARM coding to dig into this?
We'll know.

The main problem with hacking isn't the knowledge. It's mainly dealing with who does what.

Linux hacking abilities would be good, but as there is no telnet, ssh, or any sort of server, for the moment they may be useless.

We need a way to break through.

Actually, some are working on the filesystem dump.
Others (like me) are interested in the update system as it is the easiest way to get in (dreaming...)

Anyone, don't hesitate to publish (and keep the noise down).
ranceramos
Archos Guru
Posts: 684
Joined: Tue Oct 16, 2007 1:33 am
Location: Brooklyn, NY

Post by ranceramos »

foxenesys wrote: So far you touched something maybe good, ranceramos. Is anyone knowledgeable enough with ARM coding to dig into this?
We'll know.

The main problem with hacking isn't the knowledge. It's mainly dealing with who does what.

Linux hacking abilities would be good, but as there is no telnet, ssh, or any sort of server, for the moment they may be useless.

We need a way to break through.

Actually, some are working on the filesystem dump.
Others (like me) are interested in the update system as it is the easiest way to get in (dreaming...)

Anyone, don't hesitate to publish (and keep the noise down).


Thanks for hearing me out. Like I said, we're all pursuing the same goal, let's just try to get there.

There are a few modified JPG files in the Wii forum post that I listed before which are apparently crashing the Wii in a big way:

Wii forum wrote: It looks like the first picture made my Wii crash, nothing responds anymore, not even the pointer. Had to reset my console.

Edit: Reset won't work either. Had to completely shut the console down via the Power button
Edit: Same for the second picture
Edit: The third picture seems to have no effect, the browser just comes back to this site

Seems like these exploits (still) work on the Wii's Opera. Is this a point we can work on? Also no one knows if Opera is working in a sandbox with limited rights and if we could break out of it with an exploit.



Perhaps some brave soul would like to venture a try at these same pics? Here are the links:
http://psx-scene.com/forums/attachments ... 1168349446
http://psx-scene.com/forums/attachments ... 1168349456
http://psx-scene.com/forums/attachments ... 1168349468

Apparently they can also be found at this site:
milw0rm.com/exploits/3101

Here is a link from the Security Page that I posted which describes how heap overflows work (unfortunately, I've never coded one of these and can barely even remember my Assembly programming, so I don't know how much help I can provide here):
http://www.heise-security.co.uk/articles/74634/1

This is a simplistic example of how heap overflows work, but the key point to take away is this:

'Here, an important distinction between a buffer overflow on the stack and one on the heap becomes clear: attackers have to know which heap implementation the program is currently using in order to prepare management information with the right manipulated values. In contrast, the stack layout is more or less the same no matter what program is running, and it basically does not matter which values are overwritten aside from the return address.

Another difference makes life harder for attackers: unlike the stack, no memory areas can be overwritten on the heap that the program uses directly as a jump address. He may only manipulate data for heap management -- in other words, the pointers next and prev as well as the fields size and used.'

I believe that the open-sourced portion of the Archos OS should provide this information. Now all we need is for someone to create a binary file (i.e. a jpg through a weblink) that will cause a heap overflow to vomit up embedded shell code. Anyone know how to do this on ARM architecture?
thethirdmoose
Archos Guru
Posts: 397
Joined: Thu Sep 06, 2007 4:12 am

Post by thethirdmoose »

The Archos photo viewer won't see those files, and says their resolution is 0x0
lloyd877
Archos Guru
Posts: 344
Joined: Thu Nov 01, 2007 3:51 pm
Location: Beaverton, Oregon U.S.
Contact:

Post by lloyd877 »

It would be cool to get some kind of Linux onto the Archos; that would be the coolest thing, and then have it dual boot.
Archos 5 60GB
layzee
Archos User
Posts: 69
Joined: Fri Oct 12, 2007 1:47 pm

Post by layzee »

Maybe something is going on under cover of darkness. ;)
And maybe we should refrain from publicly helping Archos to fix their box.
Conspire!
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

thethirdmoose wrote: The Archos photo viewer won't see those files, and says their resolution is 0x0


It was meant to be tested directly in Opera.

The file should be hosted somewhere and tested through that.

I don't have/use the plugin.
thinkfat
Archos User
Posts: 138
Joined: Wed Dec 06, 2006 10:31 pm

been there, done that ...

Post by thinkfat »

doesn't crash.

pity that.
all software sucks equally, but some software is more equal than other software
ranceramos
Archos Guru
Posts: 684
Joined: Tue Oct 16, 2007 1:33 am
Location: Brooklyn, NY

Post by ranceramos »

I didn't have a chance to try this yesterday, but looking at the URL, I wonder if the fact that the JPG is part of a forum thread has anything to do with it. Here is another link that supposedly crashed the Wii Opera browser:

http://www.psx-scene.com/wii/crash.svg


This site apparently is the originator of the three jpg files that I posted links for. It has a lot more detailed info and perhaps other possibilities for testing:

http://milw0rm.com/exploits/3101

Today I will try this when I have access to wifi.
Fuse314
Archos User
Posts: 84
Joined: Wed Aug 01, 2007 11:40 am
Location: Switzerland

no love with svg exploit for the wii

Post by Fuse314 »

It just displays a blue image, so no luck there either.
I was looking through the avos binary from the partition image and noticed that there are lots of procedures named opera... I suspect that the opera executable is integrated into the avos executable. This means that maybe these exploits apply in different ways than on the Wii?
Anyway I will finally update my firmware to the newest one tonight.

If anyone is interested in the avos executable to peek in with a disassembler, give me a shout and I will upload it somewhere.

G.
Gomez
Archos User
Posts: 99
Joined: Tue Sep 18, 2007 5:49 pm
Contact:

Post by Gomez »

Take a look at this:
http://www.gnucitizen.org/blog/firebug-goes-evil

Perhaps some "widget" or plugin could be made for the purpose of exploiting, to place files inside the system? Maybe we would be able to set up a dual boot this way, or a terminal, or I don't know; you guys are the hackers.

I just want to design things and make my Archos 100% custom (as I do with my computer and my bikes and just about everything I own) :D

Like always, I have no idea how to execute the ideas; maybe this is useful, maybe not. :lol:
BloodyIron
Archos Expert
Posts: 152
Joined: Tue Nov 27, 2007 11:30 am
Location: Calgary
Contact:

Post by BloodyIron »

Even if we don't crack the encrypted mechanism for plugins, I would gladly help in developing better control over the OS itself, things such as terminal tools, and actually being able to execute other Linux-based applications. This could effectively turn into a pocket PC, with a lot of storage! (and wifi)
thethirdmoose
Archos Guru
Posts: 397
Joined: Thu Sep 06, 2007 4:12 am

Post by thethirdmoose »

I think the best way to do this is to post everything everyone has downloaded somewhere, so we can look for a key.
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

BloodyIron wrote: ...crack the encrypted mechanism for plugins...


Let's get something clear: the goal isn't to crack the way to activate plugins or download free games. (I know this isn't what you meant.)

We're trying to get a bare Linux system, or add functionalities to the AVOS.

Cracking the added value would lead us to being totally locked out by Archos with a patched firmware update.
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

thethirdmoose wrote: I think the best way to do this is to post everything everyone has downloaded somewhere, so we can look for a key.


The key isn't stored on the disk as far as we can tell. We looked all ways through the system and nothing appeared.

It's more than possible that the keys table is stored in flash.
i64X
Archos Novice
Posts: 45
Joined: Fri Nov 30, 2007 2:40 pm
Contact:

Post by i64X »

Or encrypted on the disk somewhere.
serag
Archos User
Posts: 70
Joined: Wed Oct 17, 2007 7:21 pm
Location: Canuckistan

Post by serag »

foxenesys wrote:
thethirdmoose wrote: I think the best way to do this is to post everything everyone has downloaded somewhere, so we can look for a key.


The key isn't stored on the disk as far as we can tell. We looked all ways through the system and nothing appeared.

It's more than possible that the keys table is stored in flash.

Has anyone found a JTAG port, or pins that could be used for JTAG, on the main board?
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

i64X wrote: Or encrypted on the disk somewhere.


I think it would have been a mistake.
Dumps are available and you can check for yourself.

For the JTAG thing, it's a possible way to get through. However, the system board is attached in a strange way.

It seems like there is some bolt under the buttons, and it's hard to access.

Any courageous soul?
b0hoon
Archos Novice
Posts: 31
Joined: Thu Nov 01, 2007 11:15 pm

Post by b0hoon »

From my latest research:

After the CIPH block, the data is encrypted with a very... very freaky AES algorithm mixed with data from the Archos's flash.
Even if I'm able to brute-force it and replicate it in C++, there is no point, because:

System files are signed with an RSA 1024-bit key. It's a bulletproof algorithm... Again, I can find out how it is checked, but
without a private key we cannot sign any sysfile. Public keys for different types of AOS (SIG0, SIG1, etc.) are taken from flash too.

foxenesys wrote: Also, as a reminder, someone has made a good work with AOS files on the Gemini. This could help.
http://www.donat.org/archos/wiki/doku.p ... ile_format


Yeah, I've seen it before, but it's the old format, AOS v1, not AOS2; they are different. Again, without the public key it's
useless.

About exploits, hmmm... for a short period of time it's a good idea, but what about after you power-cycle the unit? The BIOS has a built-in
function checking the RSA signature too, so it must be disabled in some way, and next in the avos file too. In my opinion it's
not impossible to make such an exploit, or it could be much faster and easier to write your own system for this device :lol:

I think that the only way is to:
a) read the flash memory from the DaVinci, disassemble it, disable the signature checking of the files, and write it back
b) disable the signature checking in avos and maybe the avos_helper file (don't remember)

Only in this case are we able to modify the filesystem, or then we can use AOS files (after reverse engineering) to update.

So I give up unless someone finds a way to dump and write back the flash memory.
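As an added illustration of the check b0hoon describes above (constructed for this thread, not Archos code and not the real AOS2 format): the verifier holds only a public key, so a system file passes only if it was signed with the matching private key, and a modified file or a file signed with anyone else's key is rejected. Key sizes, the hash-then-RSA scheme and the sample file contents are assumptions made for the example.

```python
# Constructed illustration of the signed-system-file check b0hoon describes:
# the verifier holds only the public key (on the Archos, he says, in flash), so
# a file passes only if it was signed with the matching private key.
# Simplified hash-then-RSA with demo-sized keys; not the real AOS2 format.
import hashlib
import random

def is_probable_prime(n, rounds=24):
    # Miller-Rabin, sufficient for generating demo keys
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if is_probable_prime(c):
            return c

def gen_keypair(bits=512):
    # returns (public, private) as (e, n), (d, n)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)
def file_digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(data, private_key):  # only the firmware publisher can do this
    d, n = private_key
    return pow(file_digest(data), d, n)
def verify(data, signature, public_key):  # what the boot ROM / avos check does
    e, n = public_key
    return pow(signature, e, n) == file_digest(data)
```

The point of the last assertion below is the one b0hoon makes: generating your own key pair does not help, because the device compares against the public key it already holds.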
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

How about settling on modding the OS once the unit is booted? Then I assume you could restart from standby mode without a key check.

To make this manageable it would need to be scripted.

1. Boot up the unit and connect the USB cable
2. Mount the hard drive from Linux and use the dd tool to copy the hidden ext2 partition; keep an original copy and make a separate one which we will mount and alter
3. Mount the filesystems on the second copy as described in the posts above, then try adding txt files and simple GTK executables to a directory in /mnt/data and the system directory
4. Unmount and repack this modded image, then copy it back to the hidden area on the 605 (Linux thinks this is not a partition, so it should work)
5. Disconnect USB and browse to the /mnt/data directory where you copied the files
- txt/pdf files should open, executables probably not (Archos may have noexec set on the fs)

Then we need to examine the Archos OS code to see how to launch an app from a window icon, and attempt something simple like xclock or a GTK hello world. Apps will need recoding to use the virtual keyboard, stylus and Archos buttons.

6. To reset, connect USB and copy back the original image using Linux dd


edit

The point of doing this via dd rather than directly by USB copy is that we will then know that we can alter system files and mod directories other than /mnt/data.
stretch

Post by stretch »

I should be getting my 605 in the next few days. I downloaded and played around with the GPL build kit, but obviously a lot was left out.

Is there any centralized effort to port Linux to the 605 yet?