Archos 605 Hacking

Special Developer Edition Firmwares and Hacking on Archos 5 IT, 5/7 IMT, 605/705, with Android, Ångström and other Linux
ranceramos
Archos Guru
Posts: 684
Joined: Tue Oct 16, 2007 1:33 am
Location: Brooklyn, NY

Post by ranceramos »

foxenesys wrote:Some hint :
I compared two dumps and noticed the apdf package was updated.

I don't know what is the version of the first firmware, the latest is 1.7.06.

Seems like they added some functionality or patched something...

A possible way to dig in ?


Some users are reporting faster PDF access so this may just be optimizations. However, there is a bug in the 1.7.06 where you can't open pdf files while using a 12 hr clock format. It makes the attempt to open but just returns to the main screen. Not sure if there's a hole here to crack, but a very strange bug to have somehow tied the clock to a pdf file opening.....
Nightsong91
Archos Novice
Posts: 15
Joined: Thu Nov 29, 2007 2:02 am

Post by Nightsong91 »

So where does all of this put us in terms of getting the Archos to do what we want? Can we put our own apps on it now, or are you guys still working on cracking it?
sideways
Archos Guru
Posts: 448
Joined: Wed Nov 21, 2007 6:41 pm

Post by sideways »

I doubt the gen5 series will ever be usefully hacked.

I'm gonna buy a Nokia n810, they actively support development on the maemo linux os used on that

http://www.forum.nokia.com/main/platfor ... index.html

Archos should take note
Grom06

Post by Grom06 »

Hi!
People Give, blue, which can be downloaded for archos 605 browser?
In fact, whether it can be downloaded free of charge?
Sorry me for my English:)
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

(Someone ? Please ? Translation ?)

You'd better post in your native language.
Unhban
Archos User
Posts: 57
Joined: Wed Nov 14, 2007 11:55 am
Location: Southport, W.Lancs., UK

Post by Unhban »

To Grom06: The plug-in for the web browser is here:

http://www.archos.com/products/plugins/ ... al&lang=en

Sorry, but it is not free.

Please update your profile for country.

Unh.
xengren
Archos User
Posts: 94
Joined: Wed Nov 28, 2007 5:48 am

Post by xengren »

Anyone tried grabbing the source and running Lint on it to try to find a stack overflow?

Another thing we could do is look at the included Linux libraries and then comb the buglists for known buffer overflow bugs.

That will get us into userland. Then we need to find a way to elevate privileges.
xengren
Archos User
Posts: 94
Joined: Wed Nov 28, 2007 5:48 am

Post by xengren »

One more possible option. The Opera Widget engine. Any flaws in the way they implemented the Javascript interpreter?
EvilKnebl
Archos Novice
Posts: 21
Joined: Thu Oct 11, 2007 4:43 pm

Post by EvilKnebl »

on my last pmp (m:robe 500i) the alternative firmware (Opie) was booted by a svg-file.
maybe we can boot it from archos with a swf-file...

EvilKnebl
ARCHOS 605 30GB
cheve
Archos User
Posts: 133
Joined: Tue Nov 06, 2007 6:57 pm

Post by cheve »

sideways wrote:I doubt the gen5 series will ever be usefully hacked.

I'm gonna buy a Nokia n810, they actively support development on the maemo linux os used on that

http://www.forum.nokia.com/main/platfor ... index.html

Archos should take note


too bad that it(the n810) does not have an internal h/d for data storage. I would get one if it comes with 40GB drive.
mrfantasy
Archos Novice
Posts: 30
Joined: Sat Sep 29, 2007 3:24 am

Post by mrfantasy »

cheve wrote:
sideways wrote:I doubt the gen5 series will ever be usefully hacked.

I'm gonna buy a Nokia n810, they actively support development on the maemo linux os used on that

http://www.forum.nokia.com/main/platfor ... index.html

Archos should take note


too bad that it(the n810) does not have an internal h/d for data storage. I would get one if it comes with 40GB drive.


I want to get an n810, glue my Archos to the back, get a dock for the Archos and use it in host mode to the 810. Muahahaha. Thing will be the size of a brick, but except for that it would be the optimal portable device for me.
cheve
Archos User
Posts: 133
Joined: Tue Nov 06, 2007 6:57 pm

Post by cheve »

mrfantasy wrote:
cheve wrote:
sideways wrote:I doubt the gen5 series will ever be usefully hacked.

I'm gonna buy a Nokia n810, they actively support development on the maemo linux os used on that

http://www.forum.nokia.com/main/platfor ... index.html

Archos should take note


too bad that it(the n810) does not have an internal h/d for data storage. I would get one if it comes with 40GB drive.


I want to get an n810, glue my Archos to the back, get a dock for the Archos and use it in host mode to the 810. Muahahaha. Thing will be the size of a brick, but except for that it would be the optimal portable device for me.


hm.... that is an excellent suggestion...you are really thinking out-side-of-the-box :lol: This is a lot easier than asking Archos to open up the 605/705.
lkmg
Archos Guru
Posts: 252
Joined: Wed Nov 28, 2007 3:53 am

Post by lkmg »

mrfantasy wrote:I want to get an n810, glue my Archos to the back, get a dock for the Archos and use it in host mode to the 810. Muahahaha. Thing will be the size of a brick, but except for that it would be the optimal portable device for me.


optimal device, but don't think i will ever wanna use it. i had a nokia n80 and i sold it away after using it for 4 months, too heavy. your optimal device would be a non-portable one. NMP - non-portable media player.... :lol:
Last edited by lkmg on Sat Dec 15, 2007 1:01 am, edited 1 time in total.
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

Maybe an N810 related thread would be best...

BTW, interested souls should look at this
BloodyIron
Archos Expert
Posts: 152
Joined: Tue Nov 27, 2007 11:30 am
Location: Calgary

Post by BloodyIron »

Any progress on this project? Who is working on what right now?
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

Current status :

Firmware update files (aos) are encoded with a combination of RSA and AES. This type of encryption is actually known to be hard (almost impossible) to crack. This option has been thus left behind.

A hidden partition was found on the disk. Most data has been extracted and the method to access it is actually clear. This data can't be modified as there is a signature (hash) that ensures it hasn't been modified. We can assume this signature is some kind of RSA hash, and so cannot be derived without the private key.

No way to flash. Not much to modify.

Current research is focused on finding a security breach.
The current main targets are:
- Image decoding libraries
- PDF engine
- Opera engine

Finding a way to execute some code would give us a way to extract some really interesting stuff (for example, the private key).

Unfortunately, we seem to lack some good ARM coders.
Larrikin
Archos Novice
Posts: 3
Joined: Tue Dec 25, 2007 7:31 pm

Post by Larrikin »

foxenesys wrote:
BloodyIron wrote:...crack the encrypted mechanism for plugins...


Let's get something clear : the goal isn't to crack down the way to activate plugins or download free games. (I know this isn't what you meant)

We're trying to get a bare Linux system, or add functionalities to the AVOS.

Cracking the added value would lead us to being totally locked by Archos with a patched firmware update.


Don't Apple and Sony do this already with the iPhone and PSP. I don't see why this can't be an added benefit of the project, by having user coded versions of these really expensive plugins. Is this forum run by Archos or something?
foxenesys
Archos User
Posts: 57
Joined: Thu Oct 18, 2007 5:45 pm

Post by foxenesys »

Question of ethics (and more).

Apple nor Sony get their device cracked.
Users crack the device because they want more features.

iPhone and iPod are cracked because people want to use their own network or run their own apps. Apple is fighting against those types of actions because those devices are not meant to be open (this is their business model).

PSPs are hacked because people want to run their own code. A side effect is people are also running cracked games. Sony is fighting against this with updates (with not much success...), modchip fighting, DMCA...

In both cases, companies lose money because of the use of those hacks.

When talking of Archos, hack the way they make money, I mean the way they sell Archos branded plugins, and you can be sure that they will both lock this and also make this site closed.

To sum up, it's less dangerous to create our own plugins than to steal the existing ones.

Also, Archos isn't as large as Sony or Apple in terms of revenue. Crack the plugins, crack the revenue, and you will kill the business. At the end, you will be the proud owner of a nolongername player.

I could bla bla for hours... This is just about ethics. (Piracy is bad, bla bla bla...)
slmq
Archos Novice
Posts: 3
Joined: Thu Dec 27, 2007 5:20 am

Just a note...

Post by slmq »

fiat
Archos User
Posts: 65
Joined: Sat Dec 29, 2007 9:41 am

I'll throw a log on the fire..

Post by fiat »

So, this may or may not be of use however in looking around at the Archos source code I found a buffer overflow that may still exist. Let me preface this by saying I can't confirm it, just spent a little time tonight seeing what I could find.

I should note, while the exploit is for xpdf, poppler is an off-shoot project that forked xpdf's code, if the tar file of GPL code from Archos is 'current', then the poppler bug will work.

Here's the patch in question: ftp://ftp.kde.org/pub/kde/security_patc ... -3387.diff

Here's the advisory: http://www.securityfocus.com/bid/25124/info
More advisory with better details: http://www.securityfocus.com/archive/1/483372

In poppler-dev/poppler/Stream.cc line 424, from AX05_GPL.tar

  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
      nComps >= INT_MAX/nBits ||
      width >= INT_MAX/nComps/nBits ||
      nVals * nBits + 7 < 0) {
    return;
  }


has been updated in non-vulnerable code to:

  nVals = width * nComps;
  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
      nComps >= 4 || nBits > 16 ||
      width >= INT_MAX / nComps ||
      nVals >= (INT_MAX - 7) / nBits)
    return;
 


Essentially from what the exploit says, if you craft the right type of hostile PDF, you can execute arbitrary (assembly) code. I'll continue to look at it and see what I can come up with, but figured I'd post here and if someone else beats me to it, more power to them.
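
Added example, not part of fiat's post or of the Archos/poppler sources: the two guards quoted above, written as stand-alone C functions and run over constructed parameters to show which inputs the updated check rejects that the older one lets through. The function names and sample values are assumptions made for illustration, and the comparisons lost in the post's formatting are assumed to read `nBits <= 0` followed by a test on `nComps`.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Guard quoted from AX05_GPL.tar; returns 1 when the parameters are rejected.
 * Its last term, `nVals * nBits + 7 < 0`, relies on signed overflow wrapping
 * (undefined behaviour), so it is modelled here in 64-bit arithmetic. */
static int old_guard_rejects(int width, int nComps, int nBits) {
    if (width <= 0 || nComps <= 0 || nBits <= 0 ||
        nComps >= INT_MAX / nBits ||
        width >= INT_MAX / nComps / nBits)
        return 1;
    return (int64_t)width * nComps * nBits + 7 > INT_MAX;
}

/* Updated guard from the post: bounds nComps/nBits, tests row size by division. */
static int new_guard_rejects(int width, int nComps, int nBits) {
    if (width <= 0 || nComps <= 0 || nBits <= 0 ||
        nComps >= 4 || nBits > 16 ||
        width >= INT_MAX / nComps)
        return 1;
    return width * nComps >= (INT_MAX - 7) / nBits; /* product cannot overflow here */
}

/* Constructed sample parameters, not taken from any real PDF. */
struct params { int width, nComps, nBits; const char *note; };
static const struct params cases[] = {
    { 640, 3, 8, "ordinary RGB row" },
    { 640, 32, 8, "component count over the new bound" },
    { 640, 3, 32, "bit depth over the new bound" },
    { INT_MAX - 1, 1, 1, "row size where the +7 would overflow" },
    { 0, 3, 8, "non-positive width" },
};

/* Count cases the old guard accepts but the updated guard rejects. */
static int tightened_cases(int verbose) {
    int n = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct params *p = &cases[i];
        int o = old_guard_rejects(p->width, p->nComps, p->nBits);
        int w = new_guard_rejects(p->width, p->nComps, p->nBits);
        if (verbose) printf("%-38s old=%d new=%d\n", p->note, o, w);
        n += (!o && w);
    }
    return n;
}

int main(void) {
    printf("accepted by old, rejected by new: %d\n", tightened_cases(1));
    return 0;
}
```

Running the same parameter table against a vendor build's copy of the check is a quick way to tell which of the two guards it carries.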