Archos 605 Hacking

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

A DaVinci CPU cross-compiler for Linux is available from
http://wiki.davincidsp.com/index.php?ti ... _Toolchain
(this will be needed to compile any apps for the 605)

but if the hidden partition isn't modifiable via the usb cable and dd then the situation is hopeless (without archos help), also if the resume from standby does a security check it's also hopeless since reloading the modded os from a pc running a linux script every time you resume or boot up is unusable
Garmac
Archos Novice
Posts: 31
Joined: Wed Nov 14, 2007 4:40 am

Post by Garmac »

sideways wrote:but if the hidden partition isn't modifiable via the usb cable and dd then the situation is hopeless (without archos help), also if the resume from standby does a security check it's also hopeless since reloading the modded os from a pc running a linux script every time you resume or boot up is unusable


I don't think it does a check from standby. I have switched drives between that and was able to use a drive without the hidden partition after and the archos was still working great...
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

Garmac wrote:
sideways wrote:but if the hidden partition isn't modifiable via the usb cable and dd then the situation is hopeless (without archos help), also if the resume from standby does a security check it's also hopeless since reloading the modded os from a pc running a linux script every time you resume or boot up is unusable


I don't think it does a check from standby. I have switched drives between that and was able to use a drive without the hidden partition after and the archos was still working great...


ok I think that's tolerable then, only having to reload the modded os after a reboot (or crash :( ) especially if it's scripted and just a case of connecting the usb cable and running the script. I won't be able to test until Monday, but a huge problem will be writing apps that do anything useful on the 605, the virtual terminal is not GPL as far as I know
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

AVOS is loaded once at boot time.

The file /etc/inittab in rootfs.cramfs.secure is responsible for the initialisation of AVOS.

There are good assumptions that the .secure files are RSA signed and checked at boot time.

Modifying those files would leave the unit unbootable (backups are premium).

One could test the following : Leave the unit in standby, modifying inittab and making a soft reset in AVOS. It's possible that there is no signature check at this moment.

Also, I agree trying to directly hack the aos update files is nonsense. No one here has enough knowledge to hack both RSA and AES.

Concentrating our effort on possible security flaws should be more interesting. The targets are image-video-pictures libraries, Avos and Opera flaws, Apdf also.
Unhban
Archos User
Posts: 57
Joined: Wed Nov 14, 2007 11:55 am
Location: Southport, W.Lancs., UK

Post by Unhban »

I've been following this thread with interest. I had an iRiver H340 until three weeks ago, when I managed to pour a glass of red wine into it. It didn't like it. I now have the 605 80GB. Loaded on to the 340 I had the alternative firmware of Rockbox which was superb. Not particularly intuitive to drive but there were many great features and all well thought out. MP3 quality was top notch!

Now, this thread seems to me to be progressing nicely, but, and in some quarters this could be a sore point, is it worth somehow trying to collaborate with Rockbox? Have a look at this:

http://forums.rockbox.org/index.php?topic=13505.0

I'm not a programmer (except Quick Basic a few years ago :D ), but I'm glad that I was able to somehow help the H340 port in one way - have a look at Reply #10, here:

http://forums.rockbox.org/index.php?top ... 278#msg278

(the link within the post doesn't work now, but if anyone does wish to see inside a H340, mail me!).

So I hope I haven't 'put my foot in it' but perhaps started linear thoughts....

Unh.
chabayo

Post by chabayo »

...hm. Maybe it's the wrong thread for that statement...but it seems all right:

I read the whole thread hoping to find a cool, open Touchscreen-Device with wifi support, maybe Stereo Bluetooth capability aso.

But it looks like Archos's economical tactics suck!

I don't like Nokia, but have a look at the n770 Platform which has become obsolete by the n800, which has its successor n810 fighting in the iPhone league...hm...bad english, but for sure understandable.


cheers folks .. archos did not earn guys make themselves that strive

chab
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

chabayo wrote:...hm. Maybe it's the wrong thread for that statement...


True. This isn't the good thread... :roll:
Cowon iAudio Q5
Nokia N810
UMPC
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

Unhban wrote:...trying to collaborate with Rockbox?...


Oh. We'd love to.
In fact Rockbox was originally developed for an Archos player (True! You can check this).

As Rockbox is mainly an audio-oriented system, not much has been made on A/V devices for a long time now and there are not many developers there interested in this.

Take a look at the ipod branch. Audio support is real good. Video support is far from complete.

BTW, It's good for the one who doesn't know it to take a look at the project, just to see how they managed to get it work in the various implementations.
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

Good news : I found a way to downgrade to whatever firmware you want.

For more details look at this thread
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

Unfortunately it seems impossible to access the hidden partition without removing the drive. I was able to alter the partition table using sfdisk to increase the number of cylinders and create an ext3 partition which fdisk says it sees but dd still won't copy from beyond the fat32 partition, and mount doesn't work because of the 512 byte header (which I can't remove because I can't access it)

I wonder if it's similar technology to thinkpad's hidden protected area, which has a bios setting to disable access.
http://www.thinkwiki.org/wiki/Hidden_Protected_Area

I ended up borking the partition table and had to reformat to recover, so I think I'll give it a rest for now.
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

sideways wrote:Unfortunately it seems impossible to access the hidden partition without removing the drive...


You won't be able to directly access anything but the FAT32 partition.
This is due to the fact that the FAT32 partition is presented by the AVOS. In fact it is emulated.

The only ones that managed to access the extra data are the ones who pulled out the drive and used a 1.8 to 3.5 IDE adapter.
lloyd877
Archos Guru
Posts: 344
Joined: Thu Nov 01, 2007 3:51 pm
Location: Beaverton, Oregon U.S.

Post by lloyd877 »

Would iPod linux work on it?
Archos 5 60GB
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

foxenesys wrote:
sideways wrote:Unfortunately it seems impossible to access the hidden partition without removing the drive...


You won't be able to directly access anything but the FAT32 partition.
This is due to the fact that the FAT32 partition is presented by the AVOS. In fact it is emulated.

The only ones that managed to access the extra data are the ones who pulled out the drive and used a 1.8 to 3.5 IDE adapter.


Yes, but it's still an ext3 fs structure, I was hoping the partition table could be manipulated to force visibility after the fat32 partition.

lloyd877 wrote:Would iPod linux work on it?


Nothing will work unless the bootup security checks are cracked. Another possibility is to load an os after bootup and hope the system doesn't crash for a while and you can recover from standby without security checks, unfortunately not even this seems possible as the drive must be removed to access the hidden area
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

sideways wrote:...I was hoping the partition table could be manipulated to force visibility after the fat32 partition...


Missed :roll:
lloyd877
Archos Guru
Posts: 344
Joined: Thu Nov 01, 2007 3:51 pm
Location: Beaverton, Oregon U.S.

Post by lloyd877 »

Sounds like a lot of work that I would not want to do.
Archos 5 60GB
chabayo

Post by chabayo »

I don't know if that "hidden" partition is addressable directly by its devicefile if put the harddisk on a Linux-Box by adapter, but if it should be mountable with the "offset" option like this:


mount -o offset=<offset> /dev/<devicefile> <mountpoint>
where offset may be 255 or so...that could override that 255 Bytes at the beginning.
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

chabayo wrote:I don't know if that "hidden" partition is addressable directly by its devicefile if put the harddisk on a Linux-Box by adapter, but if it should be mountable with the "offset" option like this:


mount -o offset=<offset> /dev/<devicefile> <mountpoint>
where offset may be 255 or so...that could override that 255 Bytes at the beginning.


Nope. I tried direct edition of the disk in fact and it's locked by the system.

Btw, I missed the -o option and it's good to mount the .secure files.
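
Added example, not part of any post in this thread: a read-only way to work out the value for the mount -o offset= option discussed above, by scanning an image file for a cramfs superblock instead of guessing the header length. It assumes the image is a cramfs preceded by a header of unknown length (the thread does not give the layout of the .secure files); find_cramfs, mount_command and make_sample are names made up here, and the sample image is constructed.

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45               # first u32 of a cramfs superblock
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # 16-byte signature at superblock offset 16
# magic, size, flags, 4 reserved bytes, signature, crc, edition, blocks, files, name
SUPER_FMT = "III4x16sIIII16s"
SUPER_LEN = struct.calcsize("<" + SUPER_FMT)  # 64 bytes


def find_cramfs(data):
    """Return one dict per cramfs superblock found in data, wherever it starts."""
    hits = []
    pos = data.find(CRAMFS_SIGNATURE)
    while pos != -1:
        start = pos - 16  # the signature sits 16 bytes into the superblock
        if start >= 0 and start + SUPER_LEN <= len(data):
            for order in ("<", ">"):  # cramfs is written in the builder's byte order
                f = struct.unpack_from(order + SUPER_FMT, data, start)
                if f[0] == CRAMFS_MAGIC:
                    hits.append({"offset": start, "byteorder": order, "size": f[1],
                                 "files": f[7],
                                 "name": f[8].rstrip(b"\0").decode("ascii", "replace")})
        pos = data.find(CRAMFS_SIGNATURE, pos + 1)
    return hits


def mount_command(image, offset, mountpoint="/mnt/img"):
    """Build the read-only loop mount line for a filesystem that starts at offset."""
    return f"mount -t cramfs -o loop,ro,offset={offset} {image} {mountpoint}"


def make_sample(header_len=512):
    """Constructed test image: header_len filler bytes, then an empty cramfs superblock."""
    sb = struct.pack("<" + SUPER_FMT, CRAMFS_MAGIC, 4096, 0, CRAMFS_SIGNATURE,
                     0, 0, 1, 1, b"constructed")
    return b"\xa5" * header_len + sb + bytes(4096 - SUPER_LEN)


if __name__ == "__main__":
    for hit in find_cramfs(make_sample()):
        print(hit)
        print(mount_command("sample.img", hit["offset"]))
```

The signature string alone is not treated as a match; the magic number 16 bytes before it must also be present, in either byte order.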
BloodyIron
Archos Expert
Posts: 152
Joined: Tue Nov 27, 2007 11:30 am
Location: Calgary

Post by BloodyIron »

Has anyone tried to break in through the wifi connection?

(get the 605 to connect to a WAP, then user connects to 605...)
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

With firmware 1.3.08, a TCP port scan shows that the only port exposed is 21.
Don't get excited : there is a server behind, btw it isn't FTP.

With newer releases, this blackhole disappeared.

Nothing more (as far as I know)
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

Some hint :
I compared two dumps and noticed the apdf package was updated.

I don't know what is the version of the first firmware, the latest is 1.7.06.

Seems like they added some functionality or patched something...

A possible way to dig in ?