for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
The idea will be to trick avos into running a script or a setuid binary from /mnt/system (which is ext3). This may also be possible from an ext3-formatted USB stick attached to the mini dock, but obviously it'll be better without needing that (ext3 allows us more options than FAT32 on the hard disk).
A corrupt conf file in /mnt/system/etc (wpa_supplicant.conf or fusesmb.conf) might be an option, or a pdf document or image or video file. Another avenue is to hijack the system at boot when you select "repair filesystem" (which enables the modified System.bin for GFT2 to get loaded, for example).
GFT(2) access allows us to get a script/binary installed, and experiment.
I'm 100% confident there's an exploitable hole, but without GFT2 it would be very difficult to find it; with root access and tools like lsof, ps, top it's much easier to examine the system and hack it (I'd never have worked out how to restart avos otherwise).
Currently you need wifi access and a machine to browse the samba share, which isn't ideal. If we can remove those requirements it's almost as good as a flash hack; the only difference is the kernel and init process can't be changed, so you have to run in a chroot, which isn't as flexible.
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
Good progress. Brings me hope with updated firmware already 

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
@sideways
If I create a gpsfs.cramfs.secure in /mnt/system by duplicating e.g. the rootfs.cramfs.secure it gets mounted in /gps on startup (you have to use signed files, else it doesn't get mounted). You then get the gps button visible in your screen. If you press it, it will try to start /gps/sygic which of course isn't there, and the screen blinks. If you then press a second time it will restart the device. Maybe something we can do here.
If I however restart the avos with your script before I touch the gps button, my button is gone. So I assume it is an older avos from previous firmwares? I will take a look at it in my hex editor.
Maurice
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
i thought he said it was MC avos? mc'd .2 is 2.1.04 i believe
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
generic_username wrote:
> i thought he said it was MC avos? mc'd .2 is 2.1.04 i believe

You are right, it is 2.1.04.
Maurice

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
divx118 wrote:
> The only options IMO are:
> 1) Archos to release a firmware update with SDE
> 2) Access to Jtag and write to the flash directly.
> The last option would be very difficult if even possible and needs some serious hardware knowledge and skills.
> Maurice

Jtag needs ground, data in, data out and clock pins. An old LS TTL chip (2.7V typical "1" from a 5V supply) I found makes a good buffer from parallel port to 3.3V ARM / Flash systems. I made up my own JTAG buffer with a single 74LS244 or 74LS240. Needs +5V also. It worked to overwrite Flash so as to put Linux instead of WinCE on a Samsung SMDK6400 ARM dev board.
The HW is simple and can even be bought ready made for about $100, but free for anyone interested in Electronics with junk lying around.
The only issue is what data to transfer using the free JTAG programming SW and cheap Parallel port interface. (The USB JTAG adaptors you can buy are really USB to Parallel port adaptors with a 3.3V buffer IC for the JTAG pins.).
You need to find the JTAG pads on PCB. On a Linksys Router they are handy and on a 10pin header. One gadget I looked at the "hacker" cooked in an oven (not microwave) to get the BGA chips to fall off so he could trace from known JTAG pins on chips to find the pads. If that extreme solution is needed I'm sure someone has a broken A605?
160G 605 WiFi
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
> You need to find the JTAG pads on PCB. On a Linksys Router they are handy and on a 10pin header. One gadget I looked at the "hacker" cooked in an oven (not microwave) to get the BGA chips to fall off so he could trace from known JTAG pins on chips to find the pads. If that extreme solution is needed I'm sure someone has a broken A605?

I meant by saying "if even possible": are the JTAG pins accessible in your archos?
Also if you would find the pins, for the average user it will be a very difficult hack to perform, so it would only be for people that understand the hard/software and have the skills.
Thanks for the info on the JTAG buffer.
Maurice
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
@pandybox i have access to pcb rework equip(in us) if anyone wants to send me broken board to trace, no need for ovens : )
i wonder has anyone tried hooking up a archos without battery attached? on some devices the battery must be removed to program the flash
presumably there are already serial communication pins on one or both of the 2 dock connections?
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
I've asked for dead hardware before to trace lines, but nobody has ever offered to help out in that area. It would be great if somebody, _anybody_, could map out what traces are brought out so that we can figure out what kind of hard hacks are available to us.
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
This is amusing 
If you format a usb stick as ext3 and create a symlink to /mnt/system in its top directory, then when you plug it into the minidock you can browse (with read/write privileges!) the entire hidden system directory from the archos file browser (via the symlink).
You can create the symlink from any linux, but if you do this from a GFT ssh session, then since the usb stick gets mounted at /mnt/msc0 do
```sh
ln -s /mnt/system /mnt/msc0/mnt_system
```
now unplug/replug the stick and the file browser will open a window showing the top directory, select mnt_system and you're in.
btw this will allow an alternative to GFT(2) for restarting avos if you haven't got wifi access, by using opera. Opera can open local txt/html documents without wifi, and when it opens it copies the contents of /mnt/system/opera_home to /tmp; this includes a shared library object, /mnt/system/opera_home/jsplugins/libwebpipe.so, which can be overwritten with an alternative copy which runs our own code (you need to rename/delete the old jsplugins entry since it's a symlink to /usr/opera/opera_dir/jsplugins, recreate the folder and then do the copy).
It would be nice to be able to overwrite the executable file in the /gps directory with a similar trick, but that, along with most of the rest of the filesystem, is mounted read-only, so not possible afaik.
So there is an alternative way to run a script without GFT and wifi, but it requires a minidock and usb stick.
I'll post the details sometime, but I'm looking for something simpler first perhaps via the standalone flash player (/opt/visiware/libflashplayer.so version LNX 7,0,70,0) or apdf (uses libpoppler 0.5.1), there are reported vulnerabilities but they're tricky to exploit.
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
sideways wrote:
> This is amusing
> If you format a usb stick as ext3 and create a symlink to /mnt/system in its top directory, then when you plug it into the minidock you can browse (with read/write privileges!) the entire hidden system directory from the archos file browser (via the symlink).

I think that was already reported some time ago. It is also very useful for downgrading the firmware to 1.7.13 which would give back the original GFT exploit. The opera bit sounds even more exciting...

openAOS
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
Well... seems like theres a lot going on now...
I almost buried my hope that there'll be a useful JB for my A605, which is unfortunately updated to 2.1.0.4
Since I'm new to Linux and not willing to brick my device, I hereby humbly beg for a step-by-step instruction on how to use the GFT(2) (at best without WiFi, since I paid 30 € for that crappy USB-Mini-Dock and still I am eagerly awaiting the first real use it might have ;) ) on my A605.
Hopefully some one is willing to let me join the ranks
Aye
PS: Windoze possible?
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
You can install EXTFS tools on XP.
The USB on Archos seems to be a USB2GO, you can't "host" and "slave" at the same time and the data pins on the host and client connectors seem to be in parallel. You have to peel off the metal cover to get at screws on the mini battery/USB dock
It's marginally possible that a USB host back to back socket (possibly with a local +5V) connected to "normal" USB cable will allow a USB stick to be mounted without the mini-dock. If I get bored I'll have a look.
160G 605 WiFi
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
@sideways Thanks for the tip on the USB-stick.
I was thinking the same, only I didn't have a way to copy the libwebpipe.so after a reboot. On a reboot the link gets recreated by the S30opera script in /etc/init.d, see below.
```sh
SYSTEM_DIR="/mnt/system"
OPERA_HOME_TEMPLATE="/usr/opera/opera_home"
OPERA_DIR_TEMPLATE="/usr/opera/opera_dir"
OPERA_HOME="$SYSTEM_DIR/opera_home"
if [ ! -d "$OPERA_HOME" ]; then
    mkdir "$OPERA_HOME"
fi
# a real jsplugins directory under opera_home is wiped on every boot ...
if [ -d "$OPERA_HOME/jsplugins" ]; then
    rm -rf "$OPERA_HOME/jsplugins"
fi
# ... but an existing symlink (wherever it points) is left alone
if [ ! -L "$OPERA_HOME/jsplugins" ]; then
    ln -s "$OPERA_DIR_TEMPLATE/jsplugins/" "$OPERA_HOME/jsplugins"
fi
if [ ! -f "$OPERA_HOME/.killroy" ]; then
    cp -r $OPERA_HOME_TEMPLATE $SYSTEM_DIR
    touch "$OPERA_HOME/.killroy"
fi
cp "$OPERA_HOME_TEMPLATE/input.ini" $OPERA_HOME
# this file can cause opera to crash | gen4 cargo cult
rm -f $OPERA_HOME/vlink4.dat
```
I think a hack based on apdf could be the way. If you let it crash it doesn't interfere with avos, so it wouldn't have the problem that if avos crashes you get a reboot.
Maurice

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
Yes, unfortunately it doesn't look possible to prevent the jsplugins link being recreated on boot, so the usb stick+minidock hack has to be applied each reboot. However, it only takes me ~10 secs to do the rename of jsplugins (to jspluginsx) and then copy my own jsplugins directory from /mnt/data, it's less than 10 taps on the touchscreen interface, all in the same file browser display. It's an alternative to GFT and GFT2 if you haven't got wifi access.
libwebpipe.so gets loaded by avos as soon as opera opens (you can check with lsof), even if you just open a local txt or html file (so no wifi required), and the initial branch call is at offset 0xad0
so you just need to stick in arm assembler code for an execve (or maybe fork) call to run script /mnt/data/myscript.sh.
```
/mnt/system/opera_home/jsplugins # objdump -d libwebpipe.so | less
libwebpipe.so: file format elf32-littlearm
Disassembly of section .init:
000008d4 <_init>:
 8d4: e52de004 str lr, [sp, #-4]!
 8d8: eb00007c bl ad0 <_init+0x1fc>
 8dc: eb0005fe bl 20dc <jsplugin_capabilities+0x1104>
 8e0: e49df004 ldr pc, [sp], #4
Disassembly of section .plt:
000008e4 <.plt>:
 8e4: e52de004 str lr, [sp, #-4]!
 8e8: e59fe004 ldr lr, [pc, #4] ; 8f4 <_init+0x20>
 8ec: e08fe00e add lr, pc, lr
...
 ad0: e92d4400 stmdb sp!, {sl, lr}
 ad4: e59fa054 ldr sl, [pc, #84] ; b30 <_init+0x25c>
 ad8: e59f3054 ldr r3, [pc, #84] ; b34 <_init+0x260>
 adc: e08fa00a add sl, pc, sl
 ae0: e79ac003 ldr ip, [sl, r3]
 ae4: e35c0000 cmp ip, #0 ; 0x0
 ae8: 0a000005 beq b04 <_init+0x230>
 aec: e59f3044 ldr r3, [pc, #68] ; b38 <_init+0x264>
 af0: e59f2044 ldr r2, [pc, #68] ; b3c <_init+0x268>
```
I've got an ugly hack working just to restart avos but need to make it cleaner, then I'll post details.
It's a reasonably nice exercise for anyone wanting to practice hacking arm assembler, grond might like it

http://www.phrack.com/issues.html?issue=58&id=10
http://www.hack3r.com/content/introduct ... ding-bliss
http://lxr.kelp.or.kr/source/include/as ... td.h?a=arm
http://vx.netlux.org/lib/vsc06.html
http://vx.netlux.org/lib/static/vdat/tuunix02.htm
http://www.linuxforums.org/articles/und ... p_125.html
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
After posting I just realised you can set it up so you don't need the minidock either!
Thanks to divx18 pointing out the logic for recreating the jsplugins link, I realised you can create a symlink to a nonexistent directory in /mnt/data, then the init.d S30opera script doesn't recreate it, and now you can just rename the real jsplugins directory in /mnt/data so the symlink is valid.
This does require you to remember to rename the /mnt/data directory back to the non-valid name before power off though (otherwise minidock+usb will be required again).
I suggest
```sh
ln -s /mnt/data/jsplugins /mnt/system/opera_home/jsplugins
```
and then name the hacked jsplugins directory /mnt/data/jspluginsx (/mnt/data/jsplugins MUST NOT EXIST before power off)
Now after reboot rename it back to /mnt/data/jsplugins (from the filebrowser interface)
(It should also be possible to include a shutdown script which does the rename)
UPDATE. I'll put all this together for GFT3 later this week, wanted to do it for twelfth night and get a cool sounding name for the hack, but didn't have time (if you don't have a minidock+usb stick then GFT3 will require a one time use of wifi and GFT(2) to set up)
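A hardened variant of the jsplugins link logic from the S30opera excerpt divx118 posted, and of the dangling-symlink observation above, added here as an example that is not part of the thread or of the Archos firmware. The posted script only tests whether a symlink exists (`[ ! -L ]`), so a link pointing at a not-yet-existing directory under /mnt/data survives reboot; checking where the link resolves, and that jsplugins.ini names only libraries present in the read-only template, closes that. All paths are parameters so it runs in a scratch directory (assumed names, not the firmware's paths).

```shell
#!/bin/sh
# Hardened jsplugins link handling (added example; not the firmware's S30opera).

# As posted: "[ ! -L link ]" only asks whether *some* symlink exists, so a
# dangling link into user-writable storage is left untouched across reboots.
weak_link_check() {
    link=$1; template=$2
    if [ -d "$link" ]; then rm -rf "$link"; fi
    if [ ! -L "$link" ]; then ln -s "$template" "$link"; fi
}

# Hardened: keep the link only if it resolves to the template; otherwise
# remove whatever is there (dangling link, redirected link, real directory)
# and recreate it pointing at the template.
ensure_jsplugins_link() {
    link=$1; template=$2
    if [ -L "$link" ]; then
        if [ "$(readlink "$link")" = "$template" ]; then
            return 0
        fi
        rm -f "$link"
    elif [ -e "$link" ]; then
        rm -rf "$link"
    fi
    ln -s "$template" "$link"
}

# Helper for callers: where does the link currently point?
link_target() {
    readlink "$1"
}

# Accept a jsplugins.ini only if every "name.so: CALLBACK" entry names a file
# that exists in the template directory. Prints offending entries; returns 1
# if any were found, so a boot script can refuse to start the browser.
check_plugin_list() {
    ini=$1; template=$2; bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        lib=${line%%:*}
        if [ ! -f "$template/$lib" ]; then
            echo "untrusted plugin entry: $line"
            bad=1
        fi
    done < "$ini"
    return $bad
}
```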
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
sounds good sideways. keep it up.
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
Congrats KEEP IT UP!!!!
Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
sideways wrote:
> Thanks to divx18 pointing out the logic for recreating the jsplugins link, I realised you can create a symlink to a nonexistent directory in /mnt/data

Of course, how could I have overlooked that.

Congrats on your progress sideways.
Maurice

Re: for archos 605wifi firmware 1.8.07 (or anything >1.7.13)..
just an update to say no complex hacking is required (in case anyone's attempting it), you can just create a file hack.c, with a single function:
```c
#include <stdlib.h>   /* system() */

/* With -nostartfiles there is no crt _init, so this one runs on dlopen */
void _init()
{
    system("/mnt/data/hack.sh &");
}
```
and compile it with:
```sh
gcc -nostartfiles -fpic -shared -lc -o hack.so hack.c
```
UPDATE: (if no cross-compiler is available, download hack.so)
then copy hack.so to /mnt/data/jsplugins/ and edit /mnt/data/jsplugins/jsplugins.ini so it contains a second line
```ini
libwebpipe.so: CALLBACK
hack.so: CALLBACK
```
Then create an executable script /mnt/data/hack.sh, and as soon as you open Opera (you can create an empty file '/mnt/data/hack.html' to tap so it opens without wifi access) the script is executed with root privileges (as a background process, so it doesn't block opera, and you can kill opera/avos from the script).
(if it doesn't work, ensure /mnt/system/opera_home/jsplugins is a symlink to /mnt/data/jsplugins)
(This is nice, since it doesn't break libwebpipe.so)
all the pieces for gft3 are there, just fiddly stuff like ensuring the shutdown renames /mnt/data/jsplugins back to jspluginsx. Also, I don't want to rely on a download version of hacked avos, so need to script the binary edits on the fly.
soon...
Last edited by sideways on Wed Jan 06, 2010 7:00 pm, edited 1 time in total.