I've tried to find out where it's decided which files are required to be signed to run, and which files aren't.
I see that the ramdisk-file itself is signed, but the programs inside (notably busybox) aren't, but I can't find where it says something like 'programs from /dos have to be signed', but not the others.
I'm not entirely sure of where to go next, but I see that the shell keyword is listed next to the BEEP, WAIT and others in 51d, so I would like to try to use the shell keyword to put a command into phatbox.ini.
Quote: I see that the ramdisk-file itself is signed, but the programs inside (notably busybox) aren't, but I can't find where it says something like 'programs from /dos have to be signed', but not the others.
Well as we can't change the ramdisk contents, do we need to care whether the files are protected after they've been loaded into RAM?
Quote: I'm not entirely sure of where to go next, but I see that the SHELL keyword is listed next to the BEEP, WAIT and others in 51d, so I would like to try to use the SHELL keyword to put a command into phatbox.ini.
Yeah, that's a good one! As it looks, the SHELL keyword just takes one string parameter. Would be interesting to see which user runs this command, but I guess it's root to keep it simple. On the other hand, I can't think of Phatnoise being so stupid ;D Maybe the given command is also checked for a valid signature...
We'll need to check that! If that would work (which I doubt) we could easily mount AndyMan's extra HDD as /dev/hdb.
Para
Just a guess, but all the signed files might be checked in a batch at or near startup. I deleted boot.pac, boot5.pac and firmware and their corresponding sig files, assuming that once a firmware update was performed, these files wouldn't be used anymore, and my Keg wouldn't boot.
Please, can anyone try to use the SHELL command in phatbox.ini? I'd really like to see what happens...
Something like this should be sufficient:
SHELL touch /dos/Data/SHELL_OK
Para (waiting for his own PB)
SHELL touch /dos/Data/SHELL_OK
I've tried today with this line
audioid.2.13=SHELL 'touch /dos/balle.tst'
and that was no success.
If you want to try other variants of this, you should probably touch (or write) a file in /dos and not in /dos/Data as I think that this partition is mounted read only.
the other question is ... did they include touch with the system? I would be surprised if they wasted space in the ram disk for that.
cat MIGHT be there. instead you might try echoing something to a file to make it be created...
Vince might be able to help us with a shell string that would work in THEORY on the phatbox code based off commands available in the ramdisk image.
Quote: the other question is ... did they include touch with the system? I would be surprised if they wasted space in the ram disk for that.
Touch is in the same directory as mount, and they're both just symlinks to busybox, so it is not much space that is wasted on this.
Quote: cat MIGHT be there. instead you might try echoing something to a file to make it be created...
I thought about redirecting first, but as we don't know much about the environment this is running in, I ended up with touch - which didn't work :-/
Maybe the problem is the command enclosing? Just try without any quotes or " " instead of ' '.
I'd like to bump this again as I still can't test it myself. Are we really done with this approach, or are there still some chances left...?
Para
Quote: I'd like to bump this again as I still can't test it myself. Are we really done with this approach, or are there still some chances left...?
Para
I have not played with this since my last post here, but I can try to play a bit more with the SHELL keyword and all the combinations of backslashing and quotes.
Don't have the DMS where I am now, so it will be tomorrow at the earliest though.
I just tried this command
audioid.0.0=SHELL `/bin/stty > /dos/sttyout.txt`
and I get a message on the head unit "line error" and the file is not created. damnit!
`` are the shell enclose execute quotes.
I'll try it with ' ' as well.
Thanks balle, I hope I get my box installed soon :'(
The following has now been tried with no success.
audioid.3.0=/dos/tts/beep3.wav
audioid.3.1=ARTIST
audioid.3.2=TITLE
audioid.3.3=ALBUM
audioid.3.4=SHELL /bin/touch /dos/balle1.tst
audioid.3.5=SHELL "/bin/touch /dos/balle2.tst"
audioid.3.6=SHELL '/bin/touch /dos/balle3.tst'
audioid.3.7=SHELL \'/bin/touch /dos/balle4.tst\'
audioid.3.8=SHELL \"/bin/touch /dos/balle5.tst\"
balle,
when you did those commands did you shut down the head unit and wait for the phatbox to shut down and spin down the drive? I realized part way through my testing that just killing power on my test bench would likely result in the files not being flushed to disk.
Quote: balle,
when you did those commands did you shut down the head unit and wait for the phatbox to shut down and spin down the drive? I realized part way through my testing that just killing power on my test bench would likely result in the files not being flushed to disk.
I did turn off the head unit (goes with the ignition switch), and then after 10-15 seconds or so I removed the DMS as this sits in the trunk.
okay just checking.
I might suggest doing a command without the path as well in case they have you chrooted somehow. I didn't see anything in the startup scripts on the ramdisk that call chroot but just to be sure as it's included with the busybox.
I have mine on a desktop right next to me hooked up to a PC power supply for the 12v and a kenwood fm modulator and I can just cut power to it. that's why I mentioned it.
may want to try like, a really old firmware too... see if there are any bugs that have been fixed ;)
I agree with Sam. When Terry Kennedy revealed to Phatnoise his method for cracking the key, you can be sure Phatnoise made every effort to plug the hole. Older versions wouldn't have that plug.
he didn't have a method for cracking the key, he managed to find a software to change the serial number on a hard drive... and he made another DMS identical to a signed DMS
Duh, why haven't we seen this before ???
The syntax seems to be like this
menu.1.action=COMMAND1:<parameter>;COMMAND2:<parameter> etc.
This means we need a small shell script containing our tests because the SHELL command only takes one parameter. Call it like this
menu.4.action=SHELL:/dos/Data/test_script
I suggest to find a suitable menu entry which could be the one announcing the firmware/about message (example above: menu.4.audio=/dos/tts/it_about.mp3) and replace its action!
Don't forget to set the script to chmod 777 to be sure on that side...
Para
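Added example, not part of any post in this thread: a small Python checker that reads phatbox.ini-style lines and separates entries using the `COMMAND:<parameter>;COMMAND:<parameter>` form proposed in the post above from the `SHELL <command>` space form tried earlier, listing every SHELL action it finds. The syntax is the poster's guess, the function names are hypothetical, and the sample lines (including the BEEP/WAIT parameters) are constructed.

```python
import re

# Constructed sample, modelled on entries quoted in this thread.
# The BEEP/WAIT parameters "x" and "y" are placeholders, not real values.
SAMPLE_INI = """\
audioid.3.4=SHELL /bin/touch /dos/balle1.tst
audioid.3.5=SHELL "/bin/touch /dos/balle2.tst"
menu.1.action=BEEP:x;WAIT:y
menu.4.audio=/dos/tts/it_about.mp3
menu.4.action=SHELL:/dos/Data/test_script
"""

KEYWORD = re.compile(r"^[A-Z][A-Z0-9_]*$")


def parse_action(value):
    """Split 'CMD1:<param>;CMD2:<param>' into (command, parameter) pairs.

    Returns None if any part lacks the 'COMMAND:' prefix.
    """
    pairs = []
    for part in value.split(";"):
        command, sep, param = part.strip().partition(":")
        if not sep or not KEYWORD.match(command):
            return None
        pairs.append((command, param))
    return pairs


def audit(ini_text):
    """Return (shell_actions, space_form, unparsed) for an ini text."""
    shell_actions, space_form, unparsed = [], [], []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if value.startswith("SHELL "):
            space_form.append(key)      # keyword + space, no colon
        elif key.endswith(".action"):
            pairs = parse_action(value)
            if pairs is None:
                unparsed.append(key)
            else:
                shell_actions += [(key, p) for c, p in pairs if c == "SHELL"]
    return shell_actions, space_form, unparsed


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```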
this is a fat32 file system so you can't really use chmod like that.
Erm, yes :-[
How does the PB ensure that a file might be executed? Anyway, the rest of the story is more important...