Archos gen8 bootloader crack (disable signature check)


rexdog1888

Senior Member
Nov 3, 2010
145
47
What happened to "ya its completely possible lets get on it"? It's been like a month without an update. Not that I'm complaining, just asking.
 

gbohm

Senior Member
Sep 16, 2010
1,811
301
What happened to "ya its completely possible lets get on it"? It's been like a month without an update. Not that I'm complaining, just asking.

I think sauron is the only developer really actively developing for the Archos. While I think he is capable of great things, there could be big problems (like with the SGS) and then we have not enough manpower to pull it (CWM is another story, no idea if the dev who created it could bring it to the Archos).
The other thing is that I don't think sauron wants to invest his time in this.

Sent from my GT-I9000 using XDA Premium App
 

Lenn

Senior Member
Jan 14, 2011
1,129
174
Lippstadt
I think sauron is the only developer really actively developing for the Archos. While I think he is capable of great things, there could be big problems (like with the SGS) and then we have not enough manpower to pull it (CWM is another story, no idea if the dev who created it could bring it to the Archos).
The other thing is that I don't think sauron wants to invest his time in this.

Sent from my GT-I9000 using XDA Premium App

That's it ;) :mad:
I'm getting angry when I think of the fact that we have only one - others too, but only one who spends a lot of time in development - developer! :mad:
We have one of the best Android tablets (ok, since Tegra/dual-core no longer), but even the oldest Android device in the world has a Honeycomb port! This says it all...
Sadly...
 

fly_us

Senior Member
Apr 11, 2010
164
29
That's it ;) :mad:
I'm getting angry when I think of the fact that we have only one - others too, but only one who spends a lot of time in development - developer! :mad:
We have one of the best Android tablets (ok, since Tegra/dual-core no longer), but even the oldest Android device in the world has a Honeycomb port! This says it all...
Sadly...

First, not everyone has a gen8 tablet.
Second, people need to work and eat. Developing these could not make money, only for passion. So the best thing we can do is hope.
 

Top Liked Posts

    6
    Don't know a lot about the bootloader, but what advantage does this have?
    Hm. I'll explain... The bootloader is the program which starts up the device, similar to the bootloader on your PC :) The signature check in the bootloader prevents us from installing a modified Linux kernel, initial ramdisk and recovery images. So, for example, we can't have netfilter in the kernel without installing SDE, we can't have ClockworkMod recovery on Archos at all, and we can't, for example, change the MMC card split into 512M mmcblk0 for system + the remainder for "internal SD" with data.
    With the signature check removed, all this is possible.

    The underlying idea of all this signature checking is probably protecting f**king DRM... I HATE IT !!!!!! And I hate companies promoting it =) When you install SDE on the previous generation Archos (5it), it removes the DRM keys from device memory (this is the "watermarking" mentioned on the Archos site). It makes the device unable to play the content bought for it anymore... Not a big deal, but unpleasant. I don't know if this is the same on gen8.

    In detail: the Archos 101 has an OMAP3630 processor. The "0-stage" (very, very first stage) bootloader, i.e. the program which gains control after processor power-up, is hard-coded into a one-time programmable area on the processor itself and is named "OMAP boot ROM" (similar to the PC BIOS). The boot ROM can continue the device boot process from different devices, including SD/MMC card, NAND flash, UART (serial port) or USB interfaces. The boot sequence is determined by the physical pin connection configuration. Our Archos boots from the internal eMMC card.

    So, the OMAP boot ROM loads the primary Archos bootloader, without checking any signatures or checksums, and simply transfers control to it. The primary bootloader sets up some processor configuration and then reads the secondary bootloader (avboot) from flash. Then it checks its MD5-RSA digital signature using the Archos public key. If the signature is incorrect, it hangs the device (goes into an infinite loop). So if we modify avboot without removing the signature check from boot0, the device would be bricked. If the signature is correct, control is transferred to avboot. Avboot determines what system we want to start by which keys are pressed, loads it, checks its signature if the system is init (normal system) or recovery, sets up the configuration for the Linux kernel and transfers control to Linux.

    Interesting facts:
    * According to the code, boot0 can use rawfs or FAT filesystems for the boot partition.
    * During the boot process, various messages are printed to the serial console. avboot even has some code for receiving commands over a serial connection.
    * The OMAP processor boot sequence can be configured via a special memory area which remains unchanged after a soft reset, and this configuration will override the one determined by the physical pin configuration. This does not give us much profit, but is also interesting...
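    The chain described in the post above, modeled as an added Python example (this is not code from the thread or from Archos). A toy RSA key built from two fixed primes stands in for Archos's key, and unpadded textbook RSA over the MD5 digest stands in for the MD5-RSA format the post mentions; both are modeling assumptions. The `boot()` function walks ROM -> boot0 -> avboot -> kernel exactly as the post lays it out, with a flag per stage for whether its verify call is still intact, so the trace shows where each kind of modification is caught and that a modified boot0 is never caught, because nothing above it checks anything.

```python
import hashlib

# Toy RSA key pair from two Mersenne primes: deterministic and offline.
# Constructed stand-in, NOT Archos's key (the real check uses Archos's public key).
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: vendor side only


def md5_int(data: bytes) -> int:
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(image: bytes) -> int:
    """Vendor side: MD5 of the image raised to the private exponent (textbook RSA, no padding)."""
    return pow(md5_int(image), D, N)


def verify(image: bytes, sig: int) -> bool:
    """Device side: what boot0 does to avboot and what avboot does to init/recovery."""
    return pow(sig, E, N) == md5_int(image)


def boot(flash: dict, boot0_verifies: bool = True, avboot_verifies: bool = True) -> list:
    """Walk the gen8 chain as the post describes it: ROM -> boot0 -> avboot -> kernel.

    flash maps stage name -> (image bytes, signature). The two flags model whether the
    verify_hash call in that stage is intact (True) or has been replaced (False).
    Returns the boot trace; the last entry says where control ended up.
    """
    trace = ["rom: loaded boot0 (no signature or checksum)"]   # stage 0: nothing is checked
    avboot, avboot_sig = flash["avboot"]
    if boot0_verifies and not verify(avboot, avboot_sig):      # stage 1: bad avboot hangs
        trace.append("boot0: avboot signature BAD -> infinite loop (brick)")
        return trace
    trace.append("boot0: avboot " + ("signature OK" if boot0_verifies else "loaded unchecked"))
    kernel, kernel_sig = flash["kernel"]
    if avboot_verifies and not verify(kernel, kernel_sig):     # stage 2: init/recovery check
        trace.append("avboot: kernel signature BAD -> refused")
        return trace
    trace.append("avboot: kernel " + ("signature OK" if avboot_verifies else "loaded unchecked"))
    trace.append("linux: running")
    return trace


def stock_flash() -> dict:
    """Constructed sample images, signed with the toy key."""
    avboot = b"avboot-image-v1"
    kernel = b"zImage+initramfs"
    return {"avboot": (avboot, sign(avboot)), "kernel": (kernel, sign(kernel))}


def tampered(flash: dict, stage: str) -> dict:
    """Flip one byte of a stage's image and keep the old signature (modify without re-signing)."""
    img, sig = flash[stage]
    return {**flash, stage: (bytes([img[0] ^ 0x01]) + img[1:], sig)}


if __name__ == "__main__":
    f = stock_flash()
    cases = [
        ("stock", f, {}),
        ("modified kernel, stock bootloaders", tampered(f, "kernel"), {}),
        ("modified avboot, stock boot0", tampered(f, "avboot"), {}),
        ("modified avboot, boot0 check removed", tampered(f, "avboot"), {"boot0_verifies": False}),
    ]
    for label, fl, kw in cases:
        print(label)
        for line in boot(fl, **kw):
            print("   ", line)
```

    The third case is the brick the post warns about (avboot changed while boot0 still checks it); the fourth is why the chain offers no protection once boot0 is altered: the ROM anchors nothing, so the root of trust sits in writable flash.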
    4
    " PWNED " :-D

    As you know, the Archos bootloaders check the digital signatures of the init and recovery kernels, so you need to install SDE to use custom kernels, and it somehow "watermarks" the device.

    Good news everyone! :) I've disassembled both bootloaders, found the code which checks the signature, and replaced it (the first instructions of the verify_hash function) with "return 0", which is "mov r0, #0; bx lr" in ARM assembly. It's much the same hack as on the Archos 5; thanks to EiNSTeiN from archos.g3nius.org for reverse engineering the previous generation.

    Archos gen8 boots using the OMAP boot ROM from the internal eMMC card. The primary bootloader ("boot0") is in the 0x20000 bytes after the first sector of internal flash (i.e. at 0x200) and the secondary bootloader is written into rawfs, /mnt/rawfs/avboot. boot0 contains the image size and loading address in its first 8 bytes.

    So, here is the patch:
    1) boot0: replace 8 bytes at 0x7520 from the beginning of mmcblk0 from 7F402DE9003091E5 to 0000A0E31EFF2FE1.
    2) avboot: replace 8 bytes at 0x14424 in avboot from 7F402DE9003091E5 to 0000A0E31EFF2FE1 (same patch). 0x14424 from the avboot beginning is usually 0x14824 from the beginning of mmcblk0p1 (avboot comes first in rawfs, just after 2 blocks of header).

    Of course you need root to do it. I've done it on my Archos 101, then changed 1 byte in the recovery image - it boots into recovery without problem (before the hack it didn't boot into this 1-byte-changed recovery).

    And of course do it with caution and at your own risk :) DO NOT replace the bytes if you find other original data at these offsets! A bad boot0 or avboot means a bricked Archos. There must be some sort of test point (something connected to the OMAP SYS_BOOT5 pin) to boot from USB, or a boot UART interface, so debricking the device must be possible, but it would require some effort to find it, find a proper bootloader and use it.

    If someone wants to see the IDA database, I'll send mine.

    P.S: I do not have enough messages to post inside the Development subforum, so I'm posting here.
    1
    How is the change to boot0 applied?
    I can change avboot, but cannot see boot0 (assuming this is in sys, but expected to see a boot folder, no dice).
    I know there isn't a particular reason to have this open yet, but it would be nice to have this ready.
    dd if=/dev/block/mmcblk0 of=/sdcard/tmp bs=512 count=257
    /sdcard/tmp will contain the boot sector in the first 512 bytes and boot0 in the rest.
    Then make sure the bytes in /sdcard/tmp at 0x7520 are 7F402DE9003091E5,
    change them to 0000A0E31EFF2FE1,
    and write the modified boot0 back with
    dd if=/sdcard/tmp of=/dev/block/mmcblk0 bs=512 count=257
    Do it BEFORE the avboot change, or the Archos will be bricked.
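    An added audit script (not from the thread, and not Archos code) for the two patch locations given in the "PWNED" post and in the dd procedure above. It decodes the two 8-byte patterns into the ARM instructions the post names, classifies what sits at each offset as stock, patched or unexpected, and flags the order-of-operations problem ("do it BEFORE the avboot change"): an avboot whose check is gone while boot0 still verifies it. The dumps are constructed zero-filled buffers with only the 8 bytes of interest set; the 512-byte block size used to turn 0x14424 into 0x14824 is derived from the post's two offsets, and the decoder handles only the four encodings that occur in the patterns. The script never writes anything.

```python
import struct

# Byte patterns from the thread, as little-endian ARM words. Original = prologue of
# verify_hash, patched = "return 0". The same 8 bytes appear in boot0 and avboot.
ORIGINAL = bytes.fromhex("7F402DE9003091E5")
PATCHED = bytes.fromhex("0000A0E31EFF2FE1")

SECTOR = 512
BOOT0_OFF_IN_MMCBLK0 = 0x7520          # into a dump starting at sector 0 (the dd count=257 dump)
AVBOOT_OFF_IN_AVBOOT = 0x14424         # into the avboot file itself
RAWFS_HEADER = 2 * SECTOR              # two header blocks: 0x14424 + 0x400 = 0x14824 in mmcblk0p1
AVBOOT_OFF_IN_MMCBLK0P1 = AVBOOT_OFF_IN_AVBOOT + RAWFS_HEADER


def decode_arm(word: int) -> str:
    """Decode only the A32 (cond=AL) encodings present in the two patterns; else emit .word."""
    if word >> 28 != 0xE:
        return f".word 0x{word:08X}"
    if word & 0x0FFFFFF0 == 0x012FFF10:                     # BX Rm
        rm = word & 0xF
        return "bx lr" if rm == 14 else f"bx r{rm}"
    if word & 0x0FF00000 == 0x03A00000:                     # MOV Rd, #imm (I=1, opcode 1101, S=0)
        imm8, rot = word & 0xFF, (word >> 8) & 0xF
        imm = ((imm8 >> (2 * rot)) | (imm8 << (32 - 2 * rot))) & 0xFFFFFFFF
        return f"mov r{(word >> 12) & 0xF}, #{imm}"
    if word & 0x0FF00000 == 0x05900000:                     # LDR Rd, [Rn, #+imm12], P=1 U=1 W=0
        rd, rn, imm = (word >> 12) & 0xF, (word >> 16) & 0xF, word & 0xFFF
        return f"ldr r{rd}, [r{rn}]" if imm == 0 else f"ldr r{rd}, [r{rn}, #{imm}]"
    if word & 0x0FFF0000 == 0x092D0000:                     # STMDB sp!, {list} == push {list}
        regs = [r for r in range(16) if (word >> r) & 1]
        names = ["lr" if r == 14 else "pc" if r == 15 else f"r{r}" for r in regs]
        return "push {" + ", ".join(names) + "}"
    return f".word 0x{word:08X}"


def disasm(chunk: bytes) -> list:
    return [decode_arm(w) for (w,) in struct.iter_unpack("<I", chunk)]


def classify(image: bytes, offset: int) -> str:
    """'original' / 'patched' / 'unknown' / 'short' for the 8 bytes at offset."""
    chunk = image[offset:offset + 8]
    if len(chunk) < 8:
        return "short"
    if chunk == ORIGINAL:
        return "original"
    if chunk == PATCHED:
        return "patched"
    return "unknown"


def audit(mmcblk0_head: bytes, mmcblk0p1: bytes) -> dict:
    """State of both signature checks plus the combinations that must not be written."""
    b0 = classify(mmcblk0_head, BOOT0_OFF_IN_MMCBLK0)
    av = classify(mmcblk0p1, AVBOOT_OFF_IN_MMCBLK0P1)
    report = {"boot0": b0, "avboot": av, "warnings": []}
    if b0 == "original" and av == "patched":
        report["warnings"].append("boot0 still verifies avboot but avboot is patched: hangs in boot0")
    for name, state in (("boot0", b0), ("avboot", av)):
        if state in ("unknown", "short"):
            report["warnings"].append(f"{name}: unexpected data at patch offset, do not write")
    return report


def constructed_dumps(boot0_state: bytes = ORIGINAL, avboot_state: bytes = ORIGINAL):
    """Constructed sample dumps: zero-filled except the 8 bytes of interest. Not real images."""
    head = bytearray(257 * SECTOR)
    head[BOOT0_OFF_IN_MMCBLK0:BOOT0_OFF_IN_MMCBLK0 + 8] = boot0_state
    p1 = bytearray(RAWFS_HEADER + 0x15000)
    p1[AVBOOT_OFF_IN_MMCBLK0P1:AVBOOT_OFF_IN_MMCBLK0P1 + 8] = avboot_state
    return bytes(head), bytes(p1)


if __name__ == "__main__":
    print("original:", disasm(ORIGINAL))
    print("patched: ", disasm(PATCHED))
    print(audit(*constructed_dumps()))
    print(audit(*constructed_dumps(avboot_state=PATCHED)))   # the bricking order
```

    To check a real device, pass the file produced by the dd command above as the first argument and a dump of mmcblk0p1 as the second; the "unknown" state is the case the post says to stop at, since a different firmware build may put verify_hash elsewhere.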