Messages - grond

1. Zaurus - pdaXrom / Archos PMA-430 Bootflash-signature Check Removed!
« on: January 05, 2006, 05:16:01 am »
> Here is the Archos PMA 400/430 flash hack which avoids the bootloader checksum.

You are my hero!!! Thank you so much, I just followed your instructions and it works. I overwrote the signature with "Hello, Archos, seems like your bootloader isn't as secure as you said!" and my PMA still boots...

I hope that those other bootroms can soon be hacked too...

2. Zaurus - pdaXrom / Archos
« on: November 10, 2005, 12:31:38 pm »
Yesterday I had a brief look at the bootrom binary and the Archos aimage file. I noticed the sections denoted with the strings "CYV1" and "CYV2" in the header of the aimage file and found those same two strings in the bootrom just before the highly interesting string "aimage not v2 type". Interestingly enough, the space behind "CYV1" is empty in the aimage while behind "CYV2" there are 96 bytes of what seems to be a hash or checksum. I guess all of this was already known.

When I looked at the disassembled code of the bootrom, I found an interesting portion of code with some EOR-shift operations inside a loop around address 0x2400 (don't remember exactly) that reads some data bytewise and shifts it bitwise into a register that gets XORed with the content of some other register shifted by one. EOR-shift operations are often used in checksum algorithms. When I have time, I will try and find out whether this portion of code could have anything to do with the check of the aimage on boot.
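The byte-in, shift-by-one, XOR-with-a-register loop described in the post above is the shape of a bit-serial CRC. As an added illustration (not code from the post, and not the Archos bootrom's actual routine, whose polynomial and parameters the post does not give), here is a generic CRC-16/CCITT written in exactly that form, together with an integrity check over a constructed demo image whose layout (payload followed by a 2-byte big-endian CRC trailer) is hypothetical:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bit-serial CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, MSB first).
 * A standard CRC chosen for illustration; it is NOT the Archos bootrom's
 * routine, whose parameters are unknown. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        /* read one input byte and fold it into the top of the register */
        crc ^= (uint16_t)data[i] << 8;
        for (int bit = 0; bit < 8; bit++) {
            /* shift by one; if a 1 fell out, EOR in the polynomial */
            if (crc & 0x8000)
                crc = (uint16_t)((crc << 1) ^ 0x1021);
            else
                crc = (uint16_t)(crc << 1);
        }
    }
    return crc;
}

/* Hypothetical demo layout: payload followed by a 2-byte big-endian CRC.
 * Returns 1 if the trailer matches the payload, 0 otherwise. */
int image_crc_ok(const uint8_t *img, size_t len)
{
    if (len < 2)
        return 0;
    uint16_t stored = (uint16_t)((img[len - 2] << 8) | img[len - 1]);
    return crc16_ccitt(img, len - 2) == stored;
}

/* Build a constructed demo image (payload + trailer) into out[].
 * Returns the image length, or 0 if the buffer is too small. */
size_t make_demo_image(uint8_t *out, size_t cap)
{
    static const uint8_t payload[] = "CYV2 demo payload (constructed)";
    size_t n = sizeof(payload) - 1;   /* drop the string terminator */
    if (cap < n + 2)
        return 0;
    memcpy(out, payload, n);
    uint16_t c = crc16_ccitt(out, n);
    out[n] = (uint8_t)(c >> 8);
    out[n + 1] = (uint8_t)(c & 0xFF);
    return n + 2;
}
```

A CRC of this kind catches accidental corruption (every single-bit flip changes it), but it is not a signature: anyone who knows the polynomial can recompute it, which is why a check like this gives no tamper resistance on its own.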

3. Zaurus - pdaXrom / Archos
« on: November 03, 2005, 06:02:02 am »
> BTW: there is an ARM disassembler that seems to be quite good. It is called "komodo" or "kmd" and was written by a guy from the University of Manchester (I mention that because I spent a year there...) with whom I had a chat. You can download it from his web-site <http://www.cs.man.ac.uk/~brejc8/kmd/>

I couldn't compile kmd in my setup (most recent Mandriva), so I looked out for a binary package. There is one for Debian that you can find by searching for "kmd":

<http://www.debian.org/distrib/packages#search_packages>

If you haven't got Debian running, you can unpack the .deb by doing "ar -x .deb" and untarring the data.tar.gz. Copy the files to /usr and you are done. You can then start the ARM debugger by typing "kmd -e -i". I haven't got into the bootrom.bin yet, but I thought some people might want to have a look for themselves...

4. Zaurus - pdaXrom / Archos
« on: October 26, 2005, 11:26:27 am »
> Sorry for the delay, I'm still working on bootrom disassembling :)

Very nice, you have done exactly what I thought was the way to hack the PMA. I'll have some look at the bootrom code, too; perhaps I'll find out something about the checksum routine.

BTW: there is an ARM disassembler that seems to be quite good. It is called "komodo" or "kmd" and was written by a guy from the University of Manchester (I mention that because I spent a year there...) with whom I had a chat. You can download it from his web-site <http://www.cs.man.ac.uk/~brejc8/kmd/>

And all this when I had almost given up on the idea of having a real open source operating system running on the PMA... 8)
