Which files are signed?

Started by balle, March 27, 2005, 04:36:00 PM

balle

I've tried to find out where it's decided which files are required to be signed to run, and which files don't.

I see that the ramdisk-file itself is signed, but the programs inside (notably busybox) aren't, but I can't find where it says something like 'programs from /dos has to be signed', but not the others.

I'm not entirely sure of where to go next, but I see that the shell keyword is listed next to the BEEP, WAIT and others in 51d, so I would like to try to use the shell keyword to put a command into phatbox.ini.

para

#1
Quote
I see that the ramdisk-file itself is signed, but the programs inside (notably busybox) aren't, but I can't find where it says something like 'programs from /dos has to be signed', but not the others.

Well as we can't change the ramdisk contents, do we need to care whether the files are protected after they've been loaded into RAM?

Quote
I'm not entirely sure of where to go next, but I see that the SHELL keyword is listed next to the BEEP, WAIT and others in 51d, so I would like to try to use the SHELL keyword to put a command into phatbox.ini.

Yeah, that's a good one! As it looks the SHELL keyword just takes one string parameter. Would be interesting to see which user runs this command but I guess it's root to keep it simple. On the other hand I can't think of Phatnoise being so stupid ;D Maybe the given command is also checked for a valid signature...

We'll need to check that! If that would work (which I doubt) we could easily mount AndyMan's extra HDD as /dev/hdb.

Para

A543

Just a guess, but all the signed files might be checked in a batch at or near startup.  I deleted boot.pac, boot5.pac and firmware and their corresponding sig files, assuming that once a firmware update was performed, these files wouldn't be used anymore, and my Keg wouldn't boot.

para

#3
Please, can anyone try to use the SHELL command in phatbox.ini? I'd really like to see what happens...

Something like this should be sufficient:
SHELL touch /dos/Data/SHELL_OK
Para (waiting for his own PB)

balle

#4
SHELL touch /dos/Data/SHELL_OK
I've tried today with this line
audioid.2.13=SHELL 'touch /dos/balle.tst'
and that was no success.

If you want to try other variants of this, you should probably touch (or write) a file in /dos and not in /dos/Data as I think that this partition is mounted read only.

judb

the other question is ... did they include touch with the system?  I would be surprised if they wasted space in the ram disk for that.

cat MIGHT be there.  instead you might try echoing something to a file to make it be created...

Vince might be able to help us with a shell string that would work in THEORY on the phatbox code based off commands available in the ramdisk image.

balle

Quote
the other question is ... did they include touch with the system?  I would be surprised if they wasted space in the ram disk for that.
Touch is in the same directory as mount, and they're both just symlinks to busybox, so it is not much space that is wasted on this.

Quote
cat MIGHT be there.  instead you might try echoing something to a file to make it be created...
I thought about redirecting first, but as we don't know much about the environment this is running in, I ended up with touch - which didn't work :-/

para

Maybe the problem is the command enclosing? Just try without any quotes or  " " instead of ' '.

para

I like to bump this again as I still can't test it myself. Are we really done with this approach, or are there still some chances left...?

Para

balle

Quote
I like to bump this again as I still can't test it myself. Are we really done with this approach, or are there still some chances left...?
Para

I have not played with this since my last post here, but I can try to play a bit more with the SHELL keyword and all the combinations of backslashing and quotes.

Don't have the DMS where I am now, so it will be tomorrow at the earliest though.


judb

#10
I just tried this command

audioid.0.0=SHELL `/bin/stty > /dos/sttyout.txt`

and I get a message on the head unit "line error" and the file is not created.  damnit!

`` are the shell enclose execute quotes.

I'll try it with ' ' as well.

para

Thanks balle, I hope I get my box installed soon :'(

balle

The following has now been tried with no success.

audioid.3.0=/dos/tts/beep3.wav
audioid.3.1=ARTIST
audioid.3.2=TITLE
audioid.3.3=ALBUM
audioid.3.4=SHELL /bin/touch /dos/balle1.tst
audioid.3.5=SHELL "/bin/touch /dos/balle2.tst"
audioid.3.6=SHELL '/bin/touch /dos/balle3.tst'
audioid.3.7=SHELL \'/bin/touch /dos/balle4.tst\'
audioid.3.8=SHELL \"/bin/touch /dos/balle5.tst\"

judb

balle,

when you did those commands did you shut down the head unit and wait for the phatbox to shut down and spin down the drive?  I realized part way through my testing that just killing power on my test bench would likely result in the files not being flushed to disk.

balle

Quote
balle,

when you did those commands did you shut down the head unit and wait for the phatbox to shut down and spin down the drive?  I realized part way through my testing that just killing power on my test bench would likely result in the files not being flushed to disk.

I did turn off the head unit (goes with the ignition switch), and then after 10-15 seconds or so I removed the DMS, as this sits in the trunk.

judb

okay just checking.

I might suggest doing a command without the path as well in case they have you chrooted somehow.  I didn't see anything in the startup scripts on the ramdisk that call chroot but just to be sure as it's included with the busybox.

I have mine on a desktop right next to me hooked up to a PC power supply for the 12v and a kenwood fm modulator and I can just cut power to it. That's why I mentioned it.

sbingner

may want to try like, a really old firmware too... see if there are any bugs that have been fixed ;)

A543

I agree with Sam. When Terry Kennedy revealed to Phatnoise his method for cracking the key, you can be sure Phatnoise made every effort to plug the hole. Older versions wouldn't have that plug.

sbingner

he didn't have a method for cracking the key, he managed to find a software to change the serial number on a hard drive... and he made another DMS identical to a signed DMS

para

Duh, why haven't we seen this before ???

The syntax seems to be like this
menu.1.action=COMMAND1:<parameter>;COMMAND2:<parameter>  etc.

This means we need a small shell script containing our tests because the SHELL command only takes one parameter. Call it like this
menu.4.action=SHELL:/dos/Data/test_script

I suggest to find a suitable menu entry which could be the one announcing the firmware/about message (example above: menu.4.audio=/dos/tts/it_about.mp3) and replace its action!

Don't forget to set the script to chmod 777 to be sure on that side...

Para
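
Added example, not part of the thread and not PhatNoise's code: a small parser for the action syntax as para describes it, run over constructed sample lines that reuse the forms posted above. The grammar (split on `;`, then on the first `:`), the function names and the BEEP/WAIT parameters are assumptions; under that grammar the earlier space-separated `SHELL <cmd>` lines do not parse as a SHELL command with a parameter.

```python
# Added example. Grammar assumed from para's post:
#   KEY=COMMAND1:<parameter>;COMMAND2:<parameter>
# Sample lines are constructed from forms posted in the thread;
# the BEEP/WAIT parameters are made up.
SAMPLE_INI = """\
audioid.3.4=SHELL /bin/touch /dos/balle1.tst
audioid.3.5=SHELL "/bin/touch /dos/balle2.tst"
menu.4.audio=/dos/tts/it_about.mp3
menu.4.action=SHELL:/dos/Data/test_script
menu.1.action=BEEP:1;WAIT:2
"""


def parse_action(value):
    """Split 'CMD1:param;CMD2:param' into [(command, param_or_None), ...]."""
    steps = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        command, sep, param = part.partition(":")  # first ':' only
        steps.append((command.strip(), param.strip() if sep else None))
    return steps


def audit(text):
    """Return (line_no, key, kind, detail) for every SHELL use.

    kind is 'shell' for a well-formed SHELL:<parameter> step and
    'malformed' when SHELL is the first word but the step does not
    match the assumed grammar.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # not a KEY=VALUE line
        for command, param in parse_action(value):
            words = command.split()
            if not words or words[0].upper() != "SHELL":
                continue
            if len(words) == 1 and param:
                findings.append((no, key.strip(), "shell", param))
            else:
                findings.append((no, key.strip(), "malformed", command))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```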