Archos 605 WiFi Hacked

Nathan Ramella writes "The ARCwelder project has released a technique dubbed 'Go Fighting Tabby!' which exploits an unquoted system() call through the Archos UI, providing the ability to execute arbitrary code with root access on the Archos 605 WiFi. In doing so, opening the platform up for further hacking. The Archos 605 WiFi runs embedded Linux on an ARM processor, but employs a variety of anti-hack techniques to keep users from modifying its firmware and operating system. Included is a cross-compiled sshd with configuration files to allow for passwordless ssh access to the Archos when it is connected to a WiFi connection. Bricks ahoy!"

Why not Nokia N800/810?

[isaac]

Not trying to be flippant here, but I've never heard of this Archos gadget and don't, after a cursory examination, understand why I'd prefer this thing to, say, a Nokia Maemo-based doodad like the N800 or N810? Same screen resolution, wifi, etc - ok, no internal hard drive - and I don't have to jailbreak it to load custom apps.

Why wouldn't I want to support the company not going out of its way to make my life difficult if custom apps were what I were after?

-Isaac

Re:Why not Nokia N800/810?

[itsme1234]

If you are after custom apps you just don't buy this device. The prices for N800-N810 are about the same as for Archos 605 30GB-160GB. A605 is mainly a video player. If you don't care about the massive storage and you want the 256M or so you can choose the Nokia tablet - sure (or one of the other many linux/wince/palmos devices). Heck, if you don't care about size you can go for the same price with a full blown desktop PC and have a better CPU, run more apps, better screen, input devices and so on.

Speaking about "why don't you buy" I am quite disappointed by the current offerings for this market (high end PDA/video player). High-end PDA market mid-2004 (!) specs (I think there are at least 5 devices that match more or less the specs below):

- WinCE/windows mobile (yes, it's M$ but if you need GPS maps for dodgy places this might be your only option - and nobody can complain about lack of apps, need to jailbreak anything, lack of SDK and so on - Hello Apple, are you listening?)
- wifi (with WPA from day 0)
- bluetooth
- usb host (yes you can use your usb stick or external drive)
- extremely sharp 640x480 display (the devices are much smaller compared to N800)
- dual expansion slot (CF and SD with CFIO and SDIO, you can add odd peripherals like TV tuner, ethernet card). And of course you can use the existing under-100$ 16GB CF card or the announced 32GB or 64GB CF cards
- 500-600+ MHz Intel CPU (non-x86). Twice as fast as what you get in most current devices. Forget youtube, that's peanuts-you can play 99% of the divxes and xvids you get DIRECTLY on the PDA without any conversion.

Again, the above specs are for mid-2004! Of course nobody cared at the time but it seems that the market is slowly picking up. However the dream device seems to be one of the new Intel ultra-small CPUs (x86 compatible) combined with one of these 30-80-160+GB hdds. And it will eventually come (or at least I hope so).

Ditto, and more

[mbourgon]

What the parent said, but doubly so because, IIRC, the original Archos' were basically saved by the homebrew community, who came up with new, better, firmware for their products. It was a win-win... so why is the new stuff so anti-modder?

Re:Ditto, and more

Pure speculation here: that could be a requirement from some other company which makes drivers for some of its parts. They could want hackers kept out of the device in order to minimize the risk of having their drivers reverse engineered through sniffing or other methods.
Unfortunately, in the embedded market there's a still enormous load of companies that can't make money if they can't be the only one entity on this planet to be able to sell a driver for some piece of hardware.

Re:Ditto, and more

[mboverload]

I never understood why companies wanted to make their gadgets unhackable until I read your theory. For some reason it makes me pretty irritated.

These devices are mini COMPUTERS! If your MP3 player has screen or WiFi then it's obvious it can do more. It's more common that embedded devices just use a processing chip to do all their functions - no more paying for an MP3 decoder chip, MPEG decoder chip, etc. This makes it "easy" to do so much more with them. SO LET US DAMN IT.

Example: The DS. It should have come with a browser from day one. It's freaking obvious with the two screens. Top screen is for reading and the bottom is to move the magnifying glass around the page.

If someone who you don't have to pay wants to expand the market for your device why the hell would you stop them?

The only reason I bought an Xbox 1 was to play videos over my LAN. Of course, I can also play pirated games on it. This is a legit reason a company would want to lock down their hardward. However that is of no concern to Archos -

they don't SHOULDN'T care what the heck people do with their products as long as they buy them.

Re:Ditto, and more

[mboverload]

Sorry, this was not the final draft - I was playing with the HTML tags and hit submit instead.

Re:Ditto, and more

[mboverload]

I WISH TO RETRACT THE ABOVE POST
IN RELATION TO THIS STORY

Reason: Unbeknownst to me, Archos has a content portal where you can rent movies and other content. This changes the environment of my post since I was under the assumption they just made MP3 players and did nothing else. With this licensed content they are probably under contract to protect it.

However, I still believe my post stands on its own when talking about other consumer devices. If anyone has any comments please post

Re:Ditto, and more

[Pandamonium]

If anyone has any comments please post

No no, wouldn't dream to interrupt your flow as you seem to be doing just fine all by yourself :-)

Oh no!

This is terrible! Literally dozens of users are now at risk!

Possible counter-attacks to myminicity link-spam

[Mathinker]

> a vain attempt at slashdoting the minicities which encourages them even more

I would think that it would be possible to try to DDoS the servers themselves by accessing URLs which seem OK but actually don't exist (e.g., take a link to a real myminicity and change the name of the city to a different random string each time). Of course, if the company running the servers is unscrupulous, it could always return ads for what should be 404's. But at the very least, attacking in this way doesn't encourage link spamming from people running the cities. And eventually one could hope that the people paying them for serving the ads would rebel.

This is of course just academic speculation, actually making such an application, or even encouraging people to access such URLs, might be against the law in the jurisdiction where you live, and I am not recommending that anyone break the law..... of course!

I'd ask that someone should work up an application like that (anonymously, of course) and post a link to it here, but then a clever myminicity geek could just spoof us with an application that actually accesses his real myminicity. Actually I'd guess it could be worked up in a few lines in Python which most knowledgeable Slashdot users could verify for themselves...

A totally different way to try to combat would be to choose a random city, access it to obtain the ads, and then click on each ad to find out who is paying for this c**p and then send them email explaining that they are financing link spammers and you are adding them to a list of companies to boycott for financing link spamming by advertising at myminicity.com. To be effective, the list should actually exist and be as widely published as possible.

Windows media DRM

[garagumu]

One reason could be windows media DRM: http://en.wikipedia.org/wiki/Janus_(DRM)

AFAIK, if a device supports "protected windows media", they must comply to some drm security specs from microsoft. One requirement for example, is secure time (user should not be able to reset the device time or change to an earlier time), or that the rng/random seed used to generate keys is "good enough".

The sad thing is that this device uses linux, but archos is trying to "close" the system, because of a microsoft requirement.

I don't understand why companies _need_ to support drm'ed media. The Nokia N800 series is very, very open. I suppose it doesn't play drm'ed media, but who wants protected media, anyway? It can play all my mp3's, videos fine.

Why they are so anti-modder . . .

[Cyberllama]

IIRC, they have previously announced plans to sell added codec support (for instance, I have one of their earlier models and I can play almost any divx/xvid file I download off the internet -- provided they have mp3 audio -- those with AAC audio give me no sound) and that sort of thing. If people start implementing new codecs and making this thing compatabile with more types of media files than it already is, that's one less revenue stream for archos.

While I don't like this approach, it is understandable and I love my archos quite a bit so I'm willing to overlook it. Heck, if they'd give me the option of playing AAC on *my* model I'd shell out the extra cash for it.

The only reason for keeping my Archos 605

[pawstar]

I am so glad this happened - Archos should be happy too! I bought an Archos 605 during the boxing week specials since I heard that it runs linux under the hood. I was EXTREMELY disappointed when I found out that I could not run any third party apps, especially my own and I was about to return the device ASAP (no returns allowed during boxing week). However, now that the device has been opened up, I am definitely NOT returning it! I am suddenly thrilled with my purchase and I am thinking about BUYING ONE MORE UNIT if I can find another good deal on it! Thats right! I want another one - one as a media player, and another as a linux PDA! What a great little toy it will be! So Archos ... if you want more people like me to support you - don't close the unit up. Open it up and allow for modding. You will loose nothing but gain a wider customer base. (As a side note, a compromise could have easily have been accomplished by Archos by giving an unsupported firmware that opens up the unit but wipes out all the DRM support so no loss there for anyone who wants an open device and does not want to use it for buying/renting media. But honestly, when it comes to DRM, as we all know it doesn't deter the pirates but hurts legitimate users.)

Re:The only reason for keeping my Archos 605

[corsec67]

Sometimes companies have a key they sign the firmware with, and will not update to an un-signed key. That is valid with the GPL v2, and I think one of the biggest changes with the GPL v3.

Vs the N810

[MrCopilot]

Hmm, fork over my cash to a company doing all they can to stifle open source contributions to their device OR Support the open company to community atmosphere of the Maemo project with my $300.

Decisions, decisions.

Yeah, I'm gonna have to go Nokia on this one. $299.00 n800

Security through obscurity isn't secure

[davidwr]

How many closed-source routers and similar devices have similar vulnerabilities?

How many of these vulnerabilities are known only to black-hats?

The nice thing about open source is that both black- and white-hats will find the bugs sooner, and the time interval that the bug is exploitable and unpatched is likely to be shorter.

Active your TinyUrl preview!

[K.+S.+Kyosuke]

Go to http://tinyurl.com/preview.php and (with cookies enabled for this site) click "Click here to enable previews". Et voilà - the next time you click the tinyurl, you'll be able to check were you're actually heading. It's not that difficult, is it? It also protects you from shock sites, at least in the case of a notorious full address of the site.

(Maybe a checker could be integrated into Slashdot itself - it takes but a single HTTP connection to tinyurl.com to fetch the full address and you could cache it locally and instead of [tinyurl.com] display something like [myminicity.com @ tinyurl.com] next to the link. But you can check it yourself right now, no excuses!)

Archos HW == Low Quality, Software Equally So

[tlhIngan]

Archos have made some very nice PMPs, but all their PMPs from the AV500 & AV700 onwards have been locked in regards to replacing the harddrive, if you try to replace the harddrive with a different or identical size (even model/make) it refuses to use it.

They are a bunch of wankers. The harddrive in my AV500 has developed a few errors, the only way I can use the unit is to leave 'dead' files covering the bad blocks and never delete or read them, I've contacted Archos about getting a new drive but they don't want to seem to know - they're too busy peddling their newer units with the same harddrive locking shit.

I'm glad someone managed to hack the 605, please can someone write an app that can allow anyone to upgrade/replace the harddrive so people can give the middle finger to Archos (and save themselves a fortune for an over-priced harddrive).

Ditto.

I have an AV420, which I bought after work bought the AV300. That was a really nice unit.

I bought a 704Wifi, which is nice because of its large screen, but I had to take it back twice because the LCD screen had dead pixels on it. Irritating ones, at that. Good thing I bought the damn thing on sale - when they were at their original price, a defect like that would be inexcusable. Spend half a grand, get a screen with dots all over it. And Archos RMA won't touch it because you need at least *4* pixels. 2 sub-pixels don't count, they have to be 4 discrete pixels. Granted, it's an 800x480 screen, but still.

I bought a 605, and that thing has been a disaster. The first unit was Dead on Arrival, and because local stores didn't have it, I bought it online. It took a month to arrive! (Dead). It took two more months to get it exchanged. And the replacement unit died after two days (I sorta expected it - the replacement unit's hard drive buzzed ever so horribly). I did the RMA and its replacement arrived just before Christmas, when I placed the order ... September 3rd. In November, I bought one at the local store because I was fed up with the whole thing. Funny thing, the first replacement and the one I got from the store had dead pixels. Luckily, its replacement and the exchange I did in store were dead pixel free.

Awful, just awful quality. And it looks like you have to "baby" the unit just to avoid breaking the hard disk. And the LCD isn't as vibrant or rich as even the iPod. Or Zune. The touchscreen doesn't help but as we see from the iPod Touch, iPhone, Samsung's touchscreen ones, it's possible to have a nice display with a touchscreen. And yes, you still need 4 pixels nonfunctional to get an RMA based on the screen.

Archos also managed to put in a bunch of ads in the 605. First time you plug in USB, if you click "Charge only", it prompts you to buy the DVR Dock where it can charge faster. If you access the Web icon, it says you need to buy the Web plug-in. Ditto with videos or audio encoded with MPEG2, H.264 (MPEG-4 AVC), AAC, or AC-3. It'll bug you to buy another plug in. (Total cost for plugins - $70). Click "Recorder", and you get another ad for either the DVR dock, or portable dock (with necessary "buy" links). To their credit, they include a "Never bug me about this again". But still... rather than disable the functionality, they just use to to eke a few more dollars from you.

And yes, I have two of those things. The one I bought retail, and the RMA'd one. Only thing I can say, is the RMA was a brand new unit. Maybe I'll have some fun with this hack.

Also, the hard drive is locked by the bootloader - unless you can JTAG it, there's no way to fix it.

Recommendations - buy it retail - not online. Or you'll regret it as there's a very good chance your expensive purchase has defects that you can't exchange or RMA. Also, buy the extended warranty - if you so much as move it when it's spinning, it may start clicking and die spontaneously. Treating it like an iPod, you won't - jerk it around and your hard disk will die from bad sectors. (Unlike