Archive for the archos Category
An update on the Archos 5 Android rooting…
Penguin inside ;)

Progress has been quite slow as of late, albeit progress nonetheless. As normal, I figured I’d attempt to document this so that anyone attempting to root devices in the future that might be similar to the Archos might have an easier time :)

Thus far when rooting phones we have been coming in contact with less protection. After gaining root we have been able to remount the partitions and edit them directly – making the changes persistent immediately. There is a fundamental difference with the Archos that comes into play, though. The Archos stores everything on a flash chip (maybe two or three?). The partitions of the chips are like normal phones and mounted as read-only. The problem comes into play since what is mounted is not a filesystem, but a cramfs file. This cramfs file is what needs to be modified to create any changes to the system files.

So just modify the cramfs file, right? Nope – Archos caught you on this one. Simply modifying the cramfs, which is actually a “cramfs.secure” file, will lead to a bad signature error. What the heck is that all about? Essentially, when Archos creates a firmware update, it flashes a new ‘androidroot.cramfs.secure‘ to the device. This file is signed with a signature of itself. Sadly we cannot recreate the signature for the file since it’s an RSA/MD5 signature of the contents. This means that they basically run a program after they have an androidroot.cramfs to append the signature like the following:

[code]
secure = RSA(MD5(cramfsFile)) + cramfsFile;
[/code]

The RSA function uses a private key that we do not, and most likely will never have. Essentially in the bootloader there is a program called cramfschecker that does something like the following pseudo code:

[code]
return (RSADecrypt(signature) == MD5(file)) ? goodFile : badFile;
[/code]

The RSADecrypt function uses a public key that we have found, but is no help to us.

Alright, now that we know what files need to get modified and how we are locked out of them, how do we actually get past this? This is where we have to get into modifying the kernel and boot loader. The flash memory is a little tricky but essentially is mapped out like the following:
[code]
mtd device - name ----- nickname - description
mtd0 ------- stage1 --- boot0 ---- bootloader part 1, also contains keystore
mtd1 ------- stage2 --- boot1 ---- bootloader part 2, also contains boot image
mtd2 ------- recovery - recovery - recovery kernel and recovery.cpio (filesystem)
mtd3 ------- init ----- init ----- init (main) kernel and init.cpio (filesystem)
[/code]
Now here is where the cool stuff comes into play. Stage1, among other things, checks the signature of stage2 to verify that it has not been modified. When stage2 begins it performs the same type of check on recovery and init. Inside recovery and init a program called cramfschecker is called, which checks the actual cramfs.secure files that we want to change. So the chain of trust is as follows:
Stage1 -> Stage2 -> recovery/init -> cramfs.secure
We need to modify Stage1 to accept any stage2, stage2 to accept any recovery/init and then remove the cramfschecker call so we can execute anything we’d like without worrying about if it is signed or not.
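
The `cramfs.secure` layout and the stage-by-stage checks described above, as an added Python sketch (not Archos code and not from the original post). The toy key, the unpadded RSA, the fixed-length signature prefix and the single key shared by every stage are assumptions made for illustration.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; a real device uses a proper RSA key.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the vendor holds this
SIG_LEN = (N.bit_length() + 7) // 8

def md5_int(data: bytes) -> int:
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def make_secure(payload: bytes) -> bytes:
    """Vendor side: secure = RSA(MD5(payload)) + payload."""
    sig = pow(md5_int(payload), D, N)
    return sig.to_bytes(SIG_LEN, "big") + payload

def check_secure(blob: bytes) -> bool:
    """Device side: RSADecrypt(signature) == MD5(payload), public key only."""
    if len(blob) <= SIG_LEN:
        return False
    sig = int.from_bytes(blob[:SIG_LEN], "big")
    return sig < N and pow(sig, E, N) == md5_int(blob[SIG_LEN:])

def resign_with_public(payload: bytes) -> bytes:
    """All that a holder of only (E, N) can compute; it does not verify."""
    return pow(md5_int(payload), E, N).to_bytes(SIG_LEN, "big") + payload

def boot(stages) -> str:
    """Walk the chain in order and stop at the first image that fails its check."""
    names = ("stage2", "recovery/init", "cramfs.secure")
    for name, blob in zip(names, stages):
        if not check_secure(blob):
            return f"halt: bad signature on {name}"
    return "booted"

# Constructed sample images, not real firmware contents.
good = [make_secure(b"stage2 image"),
        make_secure(b"init kernel + init.cpio"),
        make_secure(b"androidroot.cramfs contents")]
modified = b"modified androidroot.cramfs contents"
tampered = good[:2] + [good[2][:SIG_LEN] + modified]   # old signature, new payload
resigned = good[:2] + [resign_with_public(modified)]   # "signed" with the public key

if __name__ == "__main__":
    print(boot(good))
    print(boot(tampered))
    print(boot(resigned))
```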

Now we know everything that needs to be done, so let’s do it! Well, it’s sadly not that easy. We know how and can modify the cramfs files, that’s not hard. We can flash a new recovery/init, and even flash a new stage2. The problem is that we cannot currently flash a stage1 since it is marked as read-only after boot by the kernel. Yes, it is marked read-only, not locked – which, if it were, we could simply use a ‘flash_unlock‘ tool on it.

Currently I’ve been diving into the init kernel, which is at the beginning part of the init section, gzipped. This has been pretty tough trudging and I’ve enlisted the help of EiNSTeiN_. This is still pretty ugly stuff to look through though – we are basically looking for a small struct that makes use of the kernel module to set the partition to read-only. The struct should look something like this:

Though this should all be GPLed code – since it is the kernel! Ah hah! That could make things so much easier. Sadly Archos has not yet posted the GPLed kernel source code for the Gen7 devices (which the Android model is).

After about two to three weeks of trying to track down someone, anyone with an Archos contact, or even just someone at Archos who isn’t outsourced technical support, I finally got an answer! Prior to reaching this person I mainly got the runaround, saying it will be up soon or that it is already posted. For some reason it also kept getting lost in translation that I was requesting the GPLed *kernel* source code for the Archos 5 Android model. Someone in France apparently kept seeing “Android” and said “NO! It’s Apache, we don’t have to release that, Google hosts the source, go to them!” Finally I got a response, rather promptly I might add, from a USA Archos representative saying that Google hosts the code. After exchanging a few more emails they finally understood that I was requesting the Gen7 kernel source code, which is under the GPL license – NOT the Android source code which is under Apache. PHEW!

So the latest update is that we are essentially in a holding pattern, waiting for next week to come. I’ve been promised that the GPLed source code for the kernel will be posted by the end of next week, though I shouldn’t hold my breath until Friday. If it doesn’t appear on the site by Friday evening EST then I can start calling and complaining again… This time someone can actually be held responsible though, so I feel like it will actually happen. Once we get this code, it’s only a matter of time before EiNSTeiN_ and I track down the right code, which should help us in creating a program to patch the mtd partitions into being read/writable.

If you feel like you can help us with this, feel free to post here, email me or send a reply on twitter. Also if you just want to get the most updated information, I’d recommend you follow me on twitter @timstrazz.

AppsLibrary Up and Running…

A Cheesy Alternative


So it’s not the best thing in the world, but it’s functional… That’s more than I can say for the versions of AppsLib I’ve been able to install on my device :) I’d first like to thank Justin of nEx.Software for throwing together a design for me, since I’m horrible at HTML!

Anyway – I plan to add more features, such as searching, sorting methods (category, hosted by, approved) though they aren’t fully tested and I haven’t had the time to do that yet. I’ll also try to have a statistics page up, with who is hosting the most applications, app ranking, apps approved, etc. As of right now AppsLibrary (A Cheesy Alternative) will show you a listing of all applications, ten on each page sorted by the most updated/submitted application.

It will also show on the detailed page app name, developer, release notes, description, downloads (if available), version, date of last update, package name, category, if it is hosted by archos, if it is approved by archos and a download link to it.

Note that since some of the files are not hosted by archos there is no way to gauge their downloads. These links also might become dead as those hosts figure out AppsLib has been hotlinking them all this time too. So remember, this data is what AppsLib has, not something I’ve created myself, so please don’t request for me to “add more apps” :)

Feel free to post to me on twitter or on this page with requests of features, etc.

State of the Android Archos… And Some More

Lately I’ve been receiving a bunch of emails regarding Android Market data and the Archos 5 IT. So I figured maybe a blog post would be the most appropriate place to attempt to address all the repeat questions, and heck – maybe answer a few before they are emailed to me!

Recently I’ve been working on numerous projects; my focus has mainly been on the Archos 5 IT as it’s my new toy! If you’ve been following me on , you’ve seen my little picture showing I’ve gotten root (yay!).

Archos 5 IT Rooted

Regarding root on the Archos 5 IT, I’m currently running the firmware 1.1.01. The root method appears to work fine on the newest 1.2.03(?), though I have not updated my device yet. No, not out of fear of losing the root method, more from the advice of other people saying more things are broken in this new upgrade – so I’d like to keep my device running smoothly for what I do until I can fully root it. What do I mean by that? Well, essentially we have root on the device, but on reboot we lose root. I’m currently working with einstein_ to modify the bootloader to accept any android img. This will allow us to modify the android image, and keep root after a reboot. It’s proving trickier than we’d hoped, so people will just have to wait. Why are we waiting? Without a changeable android image, no current android programs requiring root will function properly (there is no ‘su’ command to run) – so there is no reason to release it unless we want to see people brick their devices.

AppsLibrary - a cheesy alternative

One of the other projects I’ve been working on is a web based version of AppsLib for the Archos 5 IT. This is essentially a “cyrket”/”androlib” for the Archos library. The reason I’m doing this is because the current AppsLib application is garbage; there appear to be updates just about each week, yet each release appears to only cause more crashes… Maybe just for me, but I doubt that. Anyway, I’ve posted some screen shots of what it’s going to look like on some forums and I’m relatively close to releasing it. It’s almost at the point of just being migrated from my development machine to this server. Also note that it’s probably never going to be the most functional thing in the world, but it works – more than I can say for the application version right now. The features on release will most likely be: list ten applications by date of release, give the information available for the item, and a link to download it. I’ll add searching and category sorting later on hopefully.

A word on the Android Market data. I’ve not yet had time to write up all my posts on how to collect, spoof and do whatnot with the data. This will come, though maybe not in the most timely fashion. I know many people are emailing me saying they want to make an open source market client that downloads stuff; well, I highly doubt that will happen. Yes, we can download applications; yes, we can get all the data. The problem lies with some SSL chatter that we cannot and probably will not decrypt.

Lastly, I want to remind people that I do have a paying job, a loving girlfriend and other activities I love doing outside of the computer/android realm. Please hang in there while I take care of my own things first and then work on these as I see fit. People have been telling me that certain ones are more important than the others, but it comes down to this being a hobby and not my real job. I do it in my spare time and I’ve been making time for it enough lately. So try not to be too hard on me when I don’t release information you want immediately, when you want it. So, that’s my apology on that, and that was my little State of the Archos (Android).
