Monday, May 17, 2010

Placing breakpoints in the original firmware

When booting, the firmware erases IRAM and RAM.
However, it's easy to patch the code which erases IRAM. Then, by analyzing the firmware a little further, I noticed a safe location in IRAM to place my own code.

By digging a bit more in the firmware, I found the function that will show a messagebox, and a few other functions related to the UI (displaying bottom buttons, ...).

Using MediOS, I can reload the original firmware, patch it with a breakpoint (currently a very simple 8-byte branch) and execute my code. Then, inside my code, I can show a message box with any value I want, including register values, memory, ... The only problem is that the device will crash after showing the message box because the breakpoint corrupts the stack. But it still lets me see some very interesting things.
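As an added illustration of the 8-byte branch breakpoint described above (example code, not from the original post or from MediOS), assuming a little-endian ARM core executing in ARM state, here is a small helper that writes such a branch into a dumped firmware image and keeps the two instructions it overwrites; the hook code's real entry address and the patch offset are placeholders the reader would fill in from their own analysis:

```python
import struct

# Assumption: ARM state, little-endian. "ldr pc, [pc, #-4]" loads the word that
# immediately follows it into pc, giving an 8-byte absolute branch that can reach
# any address (a plain "b" only has a +/-32 MB range).
LDR_PC_PC_MINUS_4 = 0xE51FF004


def encode_abs_branch(target: int) -> bytes:
    """Return the 8-byte sequence: ldr pc,[pc,#-4] ; .word target."""
    if not 0 <= target <= 0xFFFFFFFF or target & 3:
        raise ValueError("target must be a word-aligned 32-bit address")
    return struct.pack("<II", LDR_PC_PC_MINUS_4, target)


def patch_breakpoint(fw: bytearray, offset: int, target: int) -> bytes:
    """Overwrite 8 bytes of the image at `offset` with a branch to `target`.

    Returns the two original instructions. The branch saves no return address
    and destroys those two instructions, so a hook that wants to resume the
    firmware must re-execute them itself; otherwise the device will not come
    back cleanly, which matches the crash described in the post.
    """
    if offset & 3 or offset + 8 > len(fw):
        raise ValueError("offset must be word-aligned and inside the image")
    saved = bytes(fw[offset:offset + 8])
    fw[offset:offset + 8] = encode_abs_branch(target)
    return saved


def find_patches(fw: bytes) -> list:
    """Scan an image for the branch pattern; returns [(offset, target), ...].

    Useful as a check that a patched image contains exactly the hooks intended.
    """
    hits = []
    for off in range(0, len(fw) - 7, 4):
        insn, imm = struct.unpack_from("<II", fw, off)
        if insn == LDR_PC_PC_MINUS_4:
            hits.append((off, imm))
    return hits


if __name__ == "__main__":
    # Constructed sample image; the offset and hook address are placeholders.
    image = bytearray(b"\x00" * 64)
    original = patch_breakpoint(image, 0x10, 0x00008000)
    print("saved:", original.hex(), "patches:", find_patches(bytes(image)))
```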

Saturday, May 15, 2010

Gmini 402 bootloader

I'm starting to work on an Archos Gmini 402 bootloader (link to the FAQ page - the product page seems to have been removed... It is still present on the store though).

It's a pretty old device (released in 2005), but I find the challenge interesting. It has already been jailbroken, but the current exploit uses a malformed AVI file to execute arbitrary code. My goal is to replace the firmware with a bootloader, in order to allow choosing between MediOS and the original Archos firmware.

So I dumped the ROM and descrambled the firmware (the descrambling code can be found in MediOS). Let's get to work now.