Archos A605 wifi jailbreak

Michael Watterson

See http://forum.archosfans.com/viewtopic.php?f=34&t=29339&st=0&sk=t&sd=a
by sideways

Quote:
Fri Jan 08, 2010 11:37 am Post GFT3 (Stable v1.0) for archos605 wifi (Software Jailbreak)
This (software) hack survives shutdown and enables all plugins on hard-disk 605 wifi devices up to latest firmware 2.1.04 (tested on 30GB model but should apply to all, plugins unlock won't work on 4G flash models), it also runs a root script which you can customise to install whatever else you want (another os can run in a chroot). It does not require wifi once installed (If you have Opera), but initial set up requires either GFT or GFT2 ssh wifi access, or a usb stick + minidock. IT IS COMPLETELY SAFE AND CAN EASILY BE DISABLED/RESET.

NB If you don't have the Opera plugin, then this requires access to a wifi point to activate each boot (via the archos content portal)

Thanks to divx118 (Maurice) for the excellent GFT2 hack which enabled this to be developed, and archilles for the avos plugins unlock from moldy cheese hack, thanks also to fiat for the original GFT (you have to install arcwelder for the sshd daemon used by GFT3) :)

See the discussion thread for history and tech details of the development.

Download the GFT3 files [DO THIS FIRST]
=======================================

(Stable version 1.0 now available, redownload and install again if you had issues with earlier versions)

Copy the files from this gzip tar archive: gft3_v1.0.tar.gz (or gft3_v1.0.zip), to the top directory of your archos hard disk using usb (or the samba file server over wifi)

If you don't have firmware 2.1.04 installed then you'll need to get a copy of avos 2.1.04 unlocked ( see ***NOTE below ) from moldy_cheese_v0.2_stable and copy it to the top directory. (Alternatively, upgrade to firmware 2.1.04, or download the firmware and extract avos, then apply the binary edits yourself, there are 20 to apply, see my post later in this thread)

If you already have firmware 2.1.04 then the binary edits to unlock plugins will be done by the installer

You should also get arcwelder from http://code.google.com/p/arcwelder/downloads/list , this is not compulsory, but it allows an sshd daemon to run, and using this to restart avos seems to fix issues with the backlight. (As well as allowing root access via ssh)

So the top directory 'A605' (/mnt/data) contains:

avos - only required if you are not running 2.1.04 firmware or want to run your own customised avos
hack.sh
restartavos.sh
dohack.html
nohup
ssh
sys_info
jsplugins/hack.so
jsplugins/jsplugins.ini
jsplugins/libwebpipe.so

and arcwelder directory should be copied to Data

Data/arcwelder/..

Quick Install instructions for experts: 1. remove symlink /mnt/system/opera_home/jsplugins (using 'rm' not 'rm -fr'), and recreate it to point to /mnt/data/jsplugins, then start opera or 2. execute /mnt/data/hack.sh manually from an ssh session

***NOTE
To extract avos from moldy_cheese_v0.2_stable unzip the file, and (assuming you are running linux) mount the rootfs.cramfs.secure with:

mkdir /mnt/tmp
mount -o loop,offset=256 rootfs.cramfs.secure /mnt/tmp

then avos is in /mnt/tmp/usr/bin

How to Install via minidock + usb stick
========================================

1. Insert an ext3 (NOT ext2) formatted usb stick with a symlink to /mnt/system in the top directory (create it from any linux distro (including a gft ssh session), the link create command will be 'ln -s /mnt/system /usb_mount_point/mnt_system', eg. on the archos, usb_mount_point = /mnt/msc0)

2. tap on 'mnt_system' to open it in the lhs pane of the file browser window, then open opera_home, rename 'jsplugins' to 'jspluginsx' (or whatever you prefer)

3. copy directory /mnt/data/jsplugins to /mnt/system/opera_home/ (/mnt/data/jsplugins should be visible in the rhs pane, just tap on it and select copy, it will automatically copy to opera_home in the lhs pane)

4. Remove the usb stick and start Opera. (eg tap the 'dohack.html' file, which won't require wifi)

(Once the usb stick is set up, this method takes ~10secs to apply)

How to Install via Wifi using GFT(2)
======================================

1. Connect via GFT (for 1.7.13 firmware) or GFT2 for later firmware ( up to 2.1.04 ) then in the ssh session execute '/mnt/data/hack.sh'

NB: If the hack ever gets disabled (unlikely, except due to a system crash when the hack.sh executes for example) you will need to reapply one of the two methods above (the usb stick is handy to have since it's very quick to apply)

divx118 has install instructions for windows users viewtopic.php?p=191400#p191400

How to apply the hack (at any time, but needs to be applied at least once after reboot)
===================================================================

1. Tap the "Files" icon
2. Select folder jspluginsx (single tap) and rename to jsplugins (via rename/delete icon on the rhs)
3. Start Opera (eg tap the dohack.html file, which opens a text page and doesn't require wifi)
(If you haven't got opera then open the archos content portal instead - this requires access to a wifi point)

NB: jsplugins is renamed back to jspluginsx after each application of the hack, so to rerun the hack just repeat these steps (This ensures the hack is ALWAYS available, even after a sudden power loss :) )

If you just want sshd but no avos restart, then rename restartavos.sh to restartavos.shx

If /mnt/data/avos exists then restartavos.sh will use it and rename it to /mnt/data/avosx, this allows you to load your own customised versions of avos if you wish.

To Disable GFT3
===============

1. The hack will not run unless you rename the jspluginsx folder each time you start opera, so there is no need to disable it. However, if you want the archos content portal then rename hack.sh to hack.shx (or edit jsplugins/jsplugins.ini and remove the hack.so line) and jspluginsx to jsplugins before accessing the portal (this re-enables libwebpipe.so) (You will have to manually rename jsplugins back to jspluginsx afterwards otherwise the hack will be disabled on next reboot and will have to be reinstalled)

2. To permanently disable and return the device to normal, reboot the machine, then before doing anything else, rename /mnt/data/jspluginsx to /mnt/data/jsplugins and immediately reboot again. (You'll have to reinstall the hack to re-enable it)

To completely remove all associated files, delete the files in /mnt/data/ directory and (via ssh or usb symlink) delete /mnt/system/hack. If reinstalling then don't forget to rename /mnt/data/avosx back to /mnt/data/avos if applicable.

Issues
============
The hack disables the libwebpipe.so plugin in Opera, divx118 pointed out that the libwebpipe.so plugin is only needed for the archos content portal, knowing this means we don't have to worry too much about disabling it, but see above for how to re-enable the archos portal if you need it.

Currently, the avos restart script relaunches the sshd daemon afterwards, if it is not required then delete or comment the line in restartavos.sh that restarts it (it's near the bottom).

If you choose not to restart avos when running the hack (by renaming restartavos.sh to restartavos.shx) then afterwards the file browser window will need refreshing by changing to another directory and back again.

HOW IT WORKS
==================

For the technical development of this see the discussion thread

When Opera starts it loads plugins listed in /mnt/system/opera_home/jsplugins/jsplugins.ini, these are just shared object libraries, so we would like to add our own (hack.so) which does nothing except execute a system call when loaded

Code:
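# cat hack.c
// compile with gcc -nostartfiles -fpic -shared -lc -o hack.so hack.c
#include <stdlib.h>   // declares system()

// _init() runs when the dynamic loader maps the library, i.e. as soon as
// Opera loads the plugin listed in jsplugins.ini.
void _init()
{
    system("/mnt/data/hack.sh &");
}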

This executes with root privileges (which is nice) and you can put anything you like in the hack script hack.sh.

Now, jsplugins is a symlink to the read-only /usr/opt/opera_dir/jsplugins directory, but we can rename it and put our own directory/symlink there.

Previous hacks have not survived reboots, but thanks to archos fumbling the logic in /etc/init.d/S30Opera for recreating the jsplugins link (to /usr/opera/opera_dir/jsplugins) we can create a link to a nonexistent directory, and then it is not changed on reboot. After reboot we just rename a directory so the link is valid each time we want to run the hack (so you rename /mnt/data/jspluginsx to /mnt/data/jsplugins). IF the link is valid at boot it WILL BE RESET, so at power off we need to ensure /mnt/data/jsplugins does not exist, I have used a bind mount on /sbin to edit /sbin/reboot and /sbin/poweroff to do the check.

To restart avos from a script requires some care, since wifi is disabled if you do it wrong, see the restartavos.sh script for details on which modules to unload/reload (I changed it from the one posted in the discussion thread). Also, since the process doing the restart is a child of the avos process, we need to detach it or use nohup to run it, 'ssh -f' enables us to detach it.

Development Environment
=======================

Anyone who wants a full gcc toolset and linux tools including vim/nano editors for working on the archos can get it here
http://www.jbg.f2s.com/archos605/armx.ext3.gz (29MB)
http://www.jbg.f2s.com/archos605/setpaths.sh

Copy to /mnt/data (unzip the ext3 image, it's a 100MB filesystem image), and execute this to activate the tools in an ssh session (press tab tab to see commands available afterwards)

Code:
. /mnt/data/setpaths.sh

Do not forget the initial dot (followed by a space)

NB this uses the spare loop device, so if you have gps you need to create extra loop devices

UPDATE: you can create extra loop devices by adding this code to the top of the setpaths script
# create a second spare loop device
if [ ! -d /mnt/system/dev ]; then cp -a /dev/ /mnt/system/; fi
mount -o bind /mnt/system/dev /dev
if [ ! -b /dev/loop2 ]; then mknod /dev/loop2 b 7 2; fi

Most C projects can be built in /mnt/system and will compile using the sequence:

tar xvf project.src.gz
cd project
./configure --prefix=/mnt/system/armx/usr
make
make install

The armx.ext3 partition is 100MB, if you need more space, create a bigger ext3 file with 'dd if=/dev/zero of=armx.ext3 bs=1M count=200' and 'mke2fs -j -m0 armx.ext3' (Then copy all the contents from the original armx.ext3 to a temp dir on your linux box, and then transfer them to the new armx.ext3 by loop mounting it and using 'cp -a')

Afterword
==========

I don't have any moral qualms about this, the archos605 is unsupported now, and my battery died last year so it's only right I should get some compensation in the form of free plugins now. I have admiration for the technology though, the TI chip allows the device to play H264 movies with only 10% arm cpu usage (but dvd quality not 720p), that's compared to 20-30% cpu usage playing plain old mp3s! With the podcast plugin you can now download all those you tube videos in "HD"
http://tinyurl.com/ydqeclf :)

It's amusing that archos' content portal software creates this hole, especially since the content portal is available even if the Opera plugin isn't purchased. There are many security holes exploited here that should be a good lesson for the hapless archos developers:

1. Remember to test for the existence of a dangling symlink (/etc/init.d/S30Opera)
2. Don't allow adhoc shared object libraries to be listed in your config files (jsplugins.ini)
3. Don't execute lame javascript plugin code with root privileges
4. If you're gonna hide a partition (/mnt/system) don't allow access via a symlink on a usb stick
5. Don't allow media plugins to be enabled by simple alteration to the binary code (lock the plugin list at boot for example)
6. Don't allow avos to be restarted without a reboot. (/usr/bin/avos_helper.sh is mostly helpful to hackers)

And add to that the samba holes exploited by GFT2.

Quite a bit to think about there guys ;)

Last edited by sideways on Fri Jan 22, 2010 2:18 pm, edited 22 times in total.

Mirror downloads (Warning may be out of date) if above links fail.
http://techtir.com/files/gft3_v1.0.zip
http://techtir.com/files/arcwelder-10.0.zip
http://techtir.com/files/avos.gz
http://techtir.com/files/armx.ext3.gz
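
The first lesson in the quoted post (test for a dangling symlink in the boot script), as an added example that is not part of the original post and is not Archos's S30Opera script. The function names are hypothetical, the shape of the weak check is an assumption, and the paths are created in a scratch directory.

```shell
#!/bin/sh
# Added example: boot-time reset of a plugin-directory symlink that also
# handles dangling links. All paths are constructed for the demo.

# Weak check (assumed shape, not the vendor's code): -e follows symlinks,
# so a link whose target is missing looks like "nothing there to reset".
weak_link_ok() {
    [ -e "$1" ]
}

# Hardened reset: decide on the link itself (-L), never on what it resolves
# to. Returns 0 if the link already pointed at the trusted target,
# 1 if it had to be repaired.
reset_plugin_link() {
    link=$1
    trusted=$2
    if [ -L "$link" ]; then
        if [ "$(readlink "$link")" = "$trusted" ]; then
            return 0
        fi
        rm -f "$link"                       # wrong or dangling target
    elif [ -e "$link" ]; then
        mv "$link" "$link.quarantine.$$"    # real dir/file dropped in place
    fi
    ln -s "$trusted" "$link"
    return 1
}

# Constructed demo: a dangling link is invisible to the weak check but is
# detected and repaired by the hardened reset.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/trusted"
    ln -s "$d/does_not_exist" "$d/jsplugins"
    weak=0
    weak_link_ok "$d/jsplugins" || weak=$?
    fixed=0
    reset_plugin_link "$d/jsplugins" "$d/trusted" || fixed=$?
    now=$(readlink "$d/jsplugins")
    rm -rf "$d"
    [ "$weak" -eq 1 ] && [ "$fixed" -eq 1 ] && [ "$now" = "$d/trusted" ]
}

demo && echo "dangling link detected and reset"
```

The same function also covers the usb-stick case in the post, where a real directory is copied into place of the link: it is moved aside rather than trusted.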