Penguin inside 
Progress has been quiet slow as of lately, albeit progress none the less though. As normal, I figured I’d attempt to document this so that anyone attempting to root devices in the future that might be similar to the Archos might have an easier time 
Thus far when rooting phones we have been coming in contact with less protection. After gaining root we have been able to remount the partitions and edit them directly – making the changes persistent immediately. Though there is a fundamental difference with the Archos that comes into play. The Archos stores everything on a (maybe two or three?) flash chips. The partitions of the chips are like normal phones and mounted as read-only. The problem comes into play since what is mounted is not a filesystem, but a cramfs file. This cramfs file is what needs to be modified to create any changes to the system files.
So just modify the cramfs file, right? Nope – Archos caught you on this one. Simply modifying the cramfs, which is actually a “cramfs.secure” file will lead to a bad signature error. What the heck is that all about? Essentially when Archos creates a firmware update and flashes a new ‘androidroot.cramfs.secure‘ to the device. This file is signed with a signature of itself. Sadly we cannot recreate the signature for the file since it’s an RSA/MD5 signature of the contents. This means that they basically run a program after the have a androidroot.cramfs to append the signature like the following:
secure = RSA(MD5(cramfsFile)) + cramfsFile;
The RSA function uses a private key that we do not, and most likely will never have. Essentially in the bootloader there is a program called cramfschecker that does something like the following pseudo code:
if(RSADecrypt(signature) == MD5(file)) ? return goodFile : return badFile;
The RSADecrypt function uses a public key that we have found, but is no help to us.
Alright, know that we know what files need to get modified and how we are locked out of them, how do we actually get past this? This is where we have to get into modifying the kernel and boot loader. The flash memory is a little tricky but essentially is mapped out like the following:
[code]
mtd device - name ----- nickname - description
mtd0 ------- stage1 --- boot0 ---- bootloader part 1, also contains keystore
mtd1 ------- stage2 --- boot1 ---- bootloader part 2, also contains boot image
mtd2 ------- recovery - recovery - recovery kernel and recovery.cpio (filesystem)
mtd3 ------- init ----- init ----- init (main) kernel and init.cpio (filesystem)
[/code]
Now here is where the cool stuff comes into play. Stage1, among other things, checks the signature of stage2 to verify that it has not been modified. When stage2 begins it performs the same type of check on recovery and init. Inside recovery and init a program called cramfschecker is called, which checks the actual cramfs.secure files that we want to change. So the chain of trust is as follows:
Stage1 -> Stage2 -> recovery/init -> cramfs.secure
We need to modify Stage1 to accept any stage2, stage2 to accept any recovery/init and then remove the cramfschecker call so we can execute anything we’d like without worrying about if it is signed or not.
Now we know everything that needs to be done, so lets do it! Well, it’s sadly not that easy. We know how and can modify the cramfs files, that’s not hard. We can flash new a recovery/init, and even flash a new stage2. The problem is that we cannot currently flash a stage1 since it is marked as read-only after boot by the kernel. Yes, it is marked read-only, not locked – which if it where we could simply use a ‘flash_unlock‘ tool on it.
Currently I’ve been diving into the init kernel, which is at the beginning part of the init section, gzipped. This has been pretty tough trudging and I’ve enlisted the help of EiNSTeiN_. This is still pretty ugly stuff to look through though – we are basically looking for a small struct that make uses the kernel module to set the partition to read-only. The struct should look something like this:
|
1 2 3 4 5 6 7 8 |
struct mtd_partition { char name; /* identifier string */ uint64_t size; /* partition size */ uint64_t offset; /* offset within the master MTD space */ // Probably set to MTD_WRITEABLE (0x0400), since it is MASKING this flag uint32_t mask_flags; /* master MTD flags to mask out for this partition */ struct nand_ecclayout *ecclayout; /* out of band layout for this partition (NAND only)*/ }; |
Though this should all be GPLed code – since it is the kernel! Ah hah! That could make things so much easier. Sadly Archos has not yet posted the GPLed kernel source code for the Gen7 devices (which the Android model is).
After about two to three weeks of trying to track down someone, anyone with an Archos contact, or even just someone at Archos who isn’t outsourced technical support I finally got an answer! Prior to reaching this person I mainly got the run around, saying it will be up soon or that it is already posted. For some reason it also kept getting lost in the translation that I was requesting the GPLed *kernel* source code from the Archos 5 Android model. Someone in France apparently kept seeing “Android” and said “NO! It’s Apache, we don’t have to release that, Google hosts the source, goto them!” Finally I got a response, rather promptly I might add, from a USA Archos representative saying that Google hosts the code. After exchanging a few more emails they finally understood that I was requesting the Gen7 kernel source code, which is under the GPL license – NOT the Android source code which is under Apache. PHEW!
So the latest update is that we are essentially in a holding pattern, waiting for next week to come. I’ve been promised that the GPLed source code for the kernel will be posted by the end of next week, though I shouldn’t hold my breath until Friday. If it doesn’t appear on the site by Friday evening EST then I can start calling and complaining again… This time someone can actually be help responsible though, so I feel like it will actually happen. Once we get this code, it’s only a matter of time before EiNSTeiN_ and myself track down the right code which should help us in creating a program to patch the mtd partitions into being read/writable.
If you feel like you can help us with this, feel free to post here, email me or send a reply on twitter. Also if you just want to get the most updated information, I’d recommend you follow me on twitter @timstrazz.
A Cheesy Alternative
So it’s not the best thing in the world — but it’s functional… That’s more than I can say for the versions of AppsLib I’ve been able to install on my device
I’d first like to thank Justin of nEx.Software for throwing together a design for me, since I’m horrible at html!
Anyway – I plan to add more features, such as searching, sorting methods (category, hosted by, approved) though they aren’t fully tested and I haven’t had the time to do that yet. I’ll also try to have a statistics page up, with who is hosting the most applications, app ranking, apps approved, etc. As of right now AppsLibrary (A Cheesy Alternative) will show you a listing of all applications, ten on each page sorted by the most updated/submitted application.
It will also show on the detailed page app name, developer, release notes, description, downloads (if available), version, date of last update, package name, category, if it is hosted by archos, if it is approved by archos and a download link to it.
Note that since some of the files are not hosted by archos there is no way to gadge their downloads. These links also might become dead as those hosts figure out AppsLib has been hotlinking them all this time too. So remember, this data is what AppsLib has — not something I’ve created myself, so please don’t request for me to “add more apps”
Feel free to post to me on twitter or on this page with requests of features, etc.
Finding the assetId...
So recently I’ve been having quiet an experience with downloading apk files from the android market and through the ADC2 review application. The ADC2 application actually just uses the same downloader that the market does — so that’s a quick reason as to why so many other people are also having this trouble.
Anyway the fix that I have been using is the downloading snippet I posted previously in conjunction with the authtoken snippet.
The one thing I needed to find was the assetId, which conviently was located in an xml file of the currently being reviewed application. This makes it so you don’t have to fire up wireshark or tcpdump to grab the assetId.
Simple load up adb or the terminal on your phone and navigate to, /data/data/com.google.android.challenge/shared_prefs and view the file com.google.android.challenge.xml, the contents will look something like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
<?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name="adc.status" value="1" /> <boolean name="accepted.tos" value="true" /> <string name="current.developer.name">United Swe</string> <string name="current.size">430k</string> <string name="current.description">Send money to a friend with just their phone number. Get money too. Or create an IOU. Same as cash but with phone numbers and phone messages. Easy to track. Convenient. And rewarding too! Test mode allows working with "play money" to try out all the features. Even works with legacy text messaging phones. Feedback?</string> <string name="install.target.packagename">com.fonepays</string> <string name="current.package.name">com.fonepays</string> <string name="current.asset.id">-7878887740798669019</string> <long name="last.nag.time" value="1254261597127" /> <string name="current.permissions">android.permission.ACCESS_WIFI_STATE|android.permission.ACCESS_NETWORK_STATE|android.permission.CHANGE_NETWORK_STATE|android.permission.INTERNET|android.permission.STATUS_BAR|android.permission.VIBRATE|android.permission.READ_CONTACTS|android.permission.READ_PHONE_STATE|android.permission.RECEIVE_SMS|android.permission.SEND_SMS|android.permission.TELEPHONY_SERVICE</string> <string name="current.label">FonaPays - The Easy Way to Pay</string> </map> |
We can easily see above that the string value of current.asset.id is the assetId we need. This will let you easily download the apk files to your computer and install them to your phone in no time Hopefully this will help some people who are having the same trouble I was!
Also, just a little note – this will let you obviously save the apk files opposed to not retaining them after submitting a review. This could also be accomplished by doing the old method of a pull from /data/app used for backing up normal applications – since the ADC2 apps are saved to the same location. Enjoy!
Glad to see people are helping out for posting the values for other markets. This is post is essentially just a rehash of the values posted on xda for the German and Switzerland.
Posted by rac2030 on this thread.
Sunrise Switzerland // Market has not yet started but anyway
o2 Germany – thanxs to t4c
“It works, with the o2 values i have RadAlert in the market thats only available in german market and not in US
So you can use these values and my previous post to manually change your market values to these.
Easier than baking a cake!
Currently working on some random things on the Android OS source – which of course if I can get my little, “additions”, to work properly I’ll be releasing them. Though I was having a few problems getting the code to compile – so I figured I’d throw together this post just in case anyone else is having similar trouble.
Essentially in the post I was originally reading here, stated the following;
At the time of writing, the Android Dream build was broken. I needed to do the following to make it work:
* Several (relatively minor) changes in the Dream audio driver code to fix compilation issues.
* Copied libOmxCore.so to mydroid/out/target/product/dream/system/lib (this was a missing step in the Building for Dream documentation, and something that should be in the HTC provided script)
Well that wasn’t the problem I was getting though — the erorr I had been getting was actually:
In file included from frameworks/base/libs/audioflinger/AudioResamplerCubic.cpp:20:
system/core/include/cutils/log.h:68:1: warning: this is the location of the previous definition
target thumb C++: libaudioflinger <= frameworks/base/libs/audioflinger/AudioFlinger.cpp
make: *** No rule to make targetout/target/product/dream/obj/lib/libaudio.so’, needed byout/target/product/dream/obj/SHARED_LIBRARIES/libaudioflinger_intermediates/LINKED/libaudioflinger.so'. Stop.
...
make: *** No rule to make target/tmp/dream/target/product/dream/obj/lib/libcamera.so', needed by/tmp/dream/target/product/dream/obj/SHARED_LIBRARIES/libcameraservice_intermediates/LINKED/libcameraservice.so'. Stop.
...
make: *** No rule to make target/tmp/dream/target/product/dream/obj/lib/libOmxCore.so', needed by/tmp/dream/target/product/dream/obj/SHARED_LIBRARIES/libopencorecommon_intermediates/LINKED/libopencorecommon.so'. Stop.
...
/media/other-storage/mydroid/prebuilt/linux-x86/toolchain/arm-eabi-4.2.1/bin/../lib/gcc/arm-eabi/4.2.1/../../../../arm-eabi/bin/ld: warning: librpc.so, needed by /tmp/dream/target/product/dream/obj/lib/libaudio.so, not found (try using -rpath or -rpath-link)
...
make: *** No rule to make target/tmp/dream/target/product/dream/system/lib/libaudio.so', needed by/tmp/dream/target/product/dream/system/lib/libaudioflinger.so'. Stop.
...
make: *** No rule to make target/tmp/dream/target/product/dream/system/lib/libcamera.so', needed by/tmp/dream/target/product/dream/system/lib/libcameraservice.so'. Stop.
...
make: *** No rule to make target/tmp/dream/target/product/dream/system/lib/libOmxCore.so', needed by/tmp/dream/target/product/dream/system/lib/libopencorecommon.so'. Stop.
(This list was compiled over multiple re-runs of make)
The simple fix was essentially what was stated in the original post, though it just took me a few minutes to figure this out. After running the locate command like a mad man and not finding anything on my developer machine, I finally reread *everything* and checked the device for the file - and there it was!
I just ended up throwing this into my extract-files.sh;
adb pull /system/lib/libaudio.so proprietary/libaudio.so
adb pull /system/lib/libcamera.so proprietary/libcamera.so
adb pull /system/lib/libOmxCore.so proprietary/libOmxCore.so
adb pull /system/lib/librpc.so proprietary/librpc.so
So my resulting file looked like this;
[code]
#!/bin/sh
mkdir -p proprietary
adb pull /system/etc/AudioFilter.csv proprietary/AudioFilter.csv
adb pull /system/etc/AudioPara4.csv proprietary/AudioPara4.csv
adb pull /system/etc/gps.conf proprietary/gps.conf
adb pull /system/bin/akmd proprietary/akmd
adb pull /system/lib/libhtc_ril.so proprietary/libhtc_ril.so
adb pull /system/lib/libaudioeq.so proprietary/libaudioeq.so
adb pull /system/lib/libqcamera.so proprietary/libqcamera.so
adb pull /system/lib/libaudio.so proprietary/libaudio.so
adb pull /system/lib/libcameraservice.so proprietary/libcameraservice.so
adb pull /system/lib/libcamera.so proprietary/libcamera.so
adb pull /system/lib/libOmxCore.so proprietary/libOmxCore.so
adb pull /system/lib/librpc.so proprietary/librpc.so
chmod 755 proprietary/akmd
adb pull /system/etc/wifi/Fw1251r1c.bin proprietary/Fw1251r1c.bin
adb pull /system/etc/wifi/tiwlan.ini proprietary/tiwlan.ini
[/code]
libaudio.so, libcameraservice.so, libcamera.so, libOmxCore.so, librpc.so then needed to be copied over to TARGET/dream/target/product/dream/obj/lib/ and also to the locked folder TARGET/dream/target/product/dream/system/lib/
Ta-da! After approximately 10 runs, it finally compiled for me... Hopefully this helps anyone who ran into the same problems as me.
I’ve been extremely busy working and trying to finish up some project so the news from me is coming a little slow. However there seems to be some great strides in G1 hacking, as announced over at the g1 hacking mail list, the G1 has had it’s NAND memory dumped. This allows us to look at the code that Google has not fully released, and opens the door to hacking a new boot loader onto it. As taken from xda-developers (courtesy Nikropht);
T-Moobile [sic] G1 Nand dumped.
Some guys over in the g1-hackers list managed to code a kernel hack that allows you to dump the nand flash.So here is the nand flash file…
http://www.2shared.com/file/4394944/b791a62e/nand.html
Have Fun!
-Nikropht
So current mirrors for the download (37 mb file) are 2shared.com and mediafire.
Figured I’d give a shout out to the father for his QA Blog, as he did a recent short blurb on the Android bug that we’ve used to gain root on the G1′s with.
While I believe some of the quotes:
“I was in the middle of a text conversation with my girl when she asked why I hadn’t responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated “Reboot” – which, to my surprise, rebooted my phone.”
“Google hurried to repair the problem, which causes the phone to interpret any text entered just after the phone was turned on as a command.”
“Linux and Unix users are advised to use their systems with “root” privileges reserved only for administrators, but Android was actually giving anybody that privilege.”
“The Android bug has to rate as one of the great software bloopers of all time.”
“We tried really hard to secure Android. This is definitely a big bug.”
Though some of the quotes are definitely media hype… Someone texting their girl and typed reboot? Ok well that’s a straight up lie, they would of had to type reboot into the main part of their home screen, which in turn would search the contacts and then execute the command. So yes, there is truth they could have rebooted it, but I sure how he doesn’t text his “girl” from the contacts like that normally… She might be mad for not have receiving any messages lately?
Oh well, I guess with ever blunder, ever mishap and every bug – someone has to blow it out of proportion. I mean – I know I was sending a text message and typed ^c and it broke me into the terminal! Next think you know someone will say how they left open safe mode, and they where turning on their phone to contacts (yes contacts, not text) their girlfriend and where shocked to see safe mode in their bottom left corner! Oh wait… You can get in safe mode by holding down menu on boot up…. Silly google… Silly media…
Another great release by JesusFreke over at xda-developers has come out. After modifying the recovery image her has managed to edit the RC30 for the phone and resigned it. It includes some great features that make it even easier for non-linux people to get up to speed with everything.
RC30 originally patched the things we’ve done in the past, such as a modified su command, removed the telnetd command and would also flash over busybox if you had added it. Have no fear though, JesesFreke has become our savoir again! (Wait, is that too weird?)
Ok, I’m back in business. I bought a new phone that still had RC28 on it. Anyone wanna buy my non-rooted RC30 phone? lol. I’ll probably just throw it on ebay.
I couldn’t seem to get a modified “patch” version of the update to install, but once I was able to get the full update, I modified it and it installed onto the phone without a problem. The full update should be *much* less troublesome for everyone. You should be able to apply it no matter what RC you are on. But you must have the modified recovery image installed, of course.
Without further ado, Here is the update.
The modifications include:
-resigned with test keys (obviously)
-added a setuid “su” command
-added back in the telnetd command from RC29
-replaced recovery.img file with my modified recovery image
-modified boot.img so that ro.secure=0, ro.debugable=1, and persist.service.adb.enable=1 (so that adb runs as root)
-added the busybox binary to /system/bin (Note: I didn’t create any links for any of it’s “subprograms”)
Best of luck with this, and don’t brick you phone – make sure you have a working recovery image before trying this!
Recent Comments