I-Appliance BBS
The Official Source for Internet Appliance Upgrades and Mods
Haxing the 'Un-haxable'
New thread for IA1 BIOS project

New MessageHaxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
Thought I'd start a new thread 'cause the other ones are getting so long...

I found a possible ray of sunshine from the JAILBAIT site (i'm really sorry if this is a repeat, but a new thread was needed anyways), try http://jailbait.sourceforge.net/README down at the bottom of the page is a description of how to downgrade the bios.

Now, there's a few things that are beyond my understanding here. I have no clue what the 'qnx' prompt is, nor how to get to it. If somebody would be so kind as to post how to get to that 'qnx' prompt it would be very welcome.

I've got a 'hackable' from tiger direct, but I'm having so much fun with mine, that I'd like to do what I can to help everybody else out (with what little i know).

Hope this helps!


dont panic
01-07-2002 10:05:26

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
Sorry, here's a clickable of that link...

http://jailbait.sourceforge.net/README


dont panic
01-07-2002 10:10:43

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
Okay, call me stupid, that's for the i-opener, but there may still be hope through this method... is there a 'qnx' prompt in the ia1?
01-07-2002 10:18:08

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) RatBastard
Profile
No,

I'm afraid that QNX is an OS that's installed on the IOpener.

Some folks have found a way to get control of the OS and use the tools there to change things and install other software.

If there were an equivalent "prompt" in CE, we might be getting somewhere...

01-07-2002 10:42:48

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
well, i guess we're in luck... maybe? i know how to code CE and have a full SDK, so if there'd be ANY way to get just a small .exe to run from somewhere (run from the web?), i could code something that might do the trick?
01-07-2002 11:33:07

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) RatBastard
Profile
Sounds promising...

What happens if you hit an .exe from the browser on there? Will it allow you to execute one?

(I don't have an MSN account, or I'd try it)

01-07-2002 12:33:12

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) wireless
Profile
Interesting... Run or Save when the browser pops up... In IE under Windows NT it will run straight out.

So Get the flash.exe, the old_bios.img, and make a batch file flash_it.bat (containing flash.exe d:\flash_it.img). Navigate over to file:\d:\flash_it.bat and _maybe_ that will execute the bios upgrade/downgrade. Giddy up!

Now whoooose got a good BIOS image... or how do you get one.

:)

-wireless

01-07-2002 13:55:16

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Chase
Profile
What mail client is used??? If it's some version of Outlook you might have something.
-=-
01-07-2002 14:31:01

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) jacob
Profile
Having the CE development tools sounds very useful, yes. You might want to look at the 10 meg MSN V2 update image and see if you can figure out anything about the data in there; for example, there's presumably a nk.bin in the file somehow. Or, if you can generate a new CE image that we can try downloading in the failsafe mode that just gives a command prompt or something (I don't know much about CE at all).
01-07-2002 15:41:05

New MessageRE:Haxing the 'Un-haxable' (modified 1 times) shadowsunrise
Profile
well, being an x86 processor, it _should_ actually run normal .exe's (ce on my mips processor still calls an app .exe), so maybe my sdk won't even be needed...

still, the issue remains, if you get online with the MSN, does the ie and mail client in MSN companion give you an option to save/run when clicking an .exe link/attachment? (also, how many days can you use it and still cancel, if any. and can you get away with just 1 month of service, 10$ or 20$ may be worth it)

anybody out there willing to surrender 10-20$ to microshaft to find out? (IF you can just sign up for 1 month, i have a feeling they'll stick ya for 6)

and IF somebody does get online with MSN companion, what does clicking a .exe do? i've got a gcity acct ready to post some anon. progies set to run from the web... i just need the proggies.

also, i've got a hackable so i would be happy to share a 'backup' of the bios, i've got jailbait running, just gimme a link to where i can get a proggie to rip the info.

01-07-2002 16:43:23

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Curious
Profile
You get 6 months free of MSN with the purchase of a MSN Companion.

But I don't think you can execute a program .exe from the mail, check the instructions.

01-07-2002 17:29:18

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) erroneus
Profile
Now if the method of downloading executable code and running it via URLs actually works, you realize what this means right?

***HUGE*** Security hole in MSN Companion. Not that it would be a surprise or anything, but consider what we're talking about here.

Now, if the browser is vulnerable to any of MSIE's security failures, that would be your door to opening up the system to downloading and executing code. But you will have to find the actual vulnerabilities first.

Could you imagine the havoc this method could cause if it actually worked though???

01-07-2002 17:49:07

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) RatBastard
Profile
Nah, happens all the time in "normal" windows.

You are ASKED if you want to "open it" or "save it". If you choose open, it downloads the puppy and executes it.

And that's at fairly high "Internet Security" settings.

Sure, it's a security risk, but is it really any more risky than downloading an .exe and THEN running it? It's just skipping a step.

NOW, if in the CE boxes, there is no such thing as "download" then you're talking. I've still never seen one running... I believe the MSN free deal expired last year, and I'll be damned if I'm giving MS money for email... I've already got DSL.

01-07-2002 18:06:15

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Curious
Profile
I believe the 6 months free is still good:

http://msnc.msn.com/v2/companion/buyersguide_serviceplans.asp

01-07-2002 18:47:12

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
Anybody find out what happens when you click a link to an .exe via MSIE in MSN Companion?
I know a few guys mentioned that they ordered a few, kept a couple for themselves and gave 1 to a mother-in-law/spouse/etc... Any of you think you could just hop on and see what happens?

here's a link to run dolly.exe, it doesn't really do anything, but if it works, we could write/adapt something to the purpose...

http://www.geocities.com/linux_ia1/DOLLY/


dont panic
01-08-2002 17:45:09

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Chris3D
Profile
Just tried running your dolly. Unfortunately, it just says "We're sorry. The MSN Companion can't download files"
01-08-2002 20:03:33

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
ouch. oh well, it was a good idea anywho.

(i'm pulling my dolly since i had to put the file on my employer's server [geocities won't allow .exe's])


dont panic
01-09-2002 07:20:13

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) jerryn
Profile
Have any of you with "Unhackable" boxes shorted out the top of the cmos jumper for 30 seconds? I initially shorted out the jumper to the shield for 15 seconds, I did this twice. It was not adequate. Short out the jumper for 30 seconds to one minute!

And press the Compaq key when the _ cursor drops two lines, also be sure your keyboard batteries are good. You can verify your keyboard by holding the keyboard key down at boot time, if the keyboard is good you will see a keyboard key error! If your batteries are dead you will not!

My MSN companion had version 2.0 of the OS. And also my brightness key does work! You have to press the brightness adjust, and adjust in increments. You will see it work when you turn the contrast all the way down.

01-09-2002 11:17:58

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) PneumaMalestrom
Profile
On my unHaXable machine I do not normally have a cursor when it boots. Did the machine for which 15 seconds didn't work show the memory counting and then the "162 - " error after the 15 second shorting but before going back to the normal boot screen with no cursor?

Does this unHaXable machine have "iPAQ" on the bezel below the lower right corner?

01-09-2002 19:47:35

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
i think it was decided that what's on the bezel doesn't matter... what i think probly does is where you got it, it seems lower-end refurbs are better, probly been on the shelf longer.

anyhow, if you get the memory counting, and a cursor on screen, you've hacked it to some level. in the default setup there's nothing but the compaq logo (at least that's how mine was out of the box). so, if ANYTHING changed after futsing around inside, you've got a start...

the next level is getting to the cmos which is normally just pressing F10 at just the right time (around when the cursor 'drops'), takes a few tries. mine worked just fine like that. i've heard of some success with ctrl-u instead of F10 (fyi, the 'compaq' button in the mid/top of your kbd is F10) when F10 didn't work.

if F10 AND ctrl-u doesn't work, you've got an 'un-haxable'

the next step is to experiment, perhaps go nuts with a USB kbd, or figure out a way to run a bios flasher from the internet (any word on that yet?) or plug in a usb drive of some sort (cdrom, hdd, floppy, etc) and see if it'll boot off one of those.

also, in other threads, we've got a good idea of the ide layout, internal cf is master on the primary ide adapter, the cf slot is master on the secondary ide adapter, so, if there's some way to swap the connections (break out your wire, soldering iron, and nerves), then you wouldn't need to get to the bios (the cf slot would now be master on primary), but you could boot off a cf with a flasher utility and reflash anyways to a hackable bios (so you don't have to re-solder everything if you decide to boot off the internal later)

anywho, good luck all.

01-10-2002 08:26:21

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) PneumaMalestrom
Profile
The behavior of the unHaXable machines is significantly different from those which are HaXable. It would be nice to be able to clearly distinguish between the unHaXable machines and the "I couldn't get into the BIOS".

The most readily evident difference seems to be that before any attempts to clear the CMOS the HaXable machines boot with a blinking underscore cursor in the upper left corner and the unHaXable machines do not have any cursor at all. The machines also seem to boot with a different video mode; the HaXable machines seem to stretch the "COMPAQ" logo bitmap to have jaggies, and the unHaXable do not.

01-10-2002 12:24:46

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) jerryn
Profile
The lack of seeing cursors isn't a major deal. I went into my BIOS on the IA-1 and there is an option for silent post. I enabled that on mine and I do not see the cursors. I just hit F10 and I am in.

You may have to short out the cmos for over one minute

01-10-2002 12:39:53

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) AirMan
Profile
Several weeks ago, I tried all sorts of things with the jumper on my unhackable unit, which included shorting it for a minute or longer. No dice. These units are locked-up tight. Take my word for it.
01-10-2002 16:32:57

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) PneumaMalestrom
Profile
The point with the visibility of the cursor is that it is an attribute of a HaXable machine when it comes out of the box, and invisibility of the cursor is an attribute of an unHaXable machine when it comes out of the box, not that the cursor _must_ be visible or invisible on all HaXable or unHaXable machines.
01-10-2002 20:14:36

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) jerryn
Profile
Well I wish you luck. It took me 30 seconds shorting out the jumped pins. An easy hack, the hardest part was breaking the clamshell open, no scratches!

maybe you need a real small pencil soldering iron, an exacto knife, rip out the bios and solder in a socket for the bios. You can get a working image from any of us with working units.

Good Luck!

01-11-2002 09:10:55

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) RatBastard
Profile
That seems likely.

How difficult is that? I'm not an EE, but I've got reasonable manual dexterity. I've never done anything like this, though.

Where would I get a socket?

01-11-2002 10:13:33

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
you can pick up the socket at radio shack, and i think they might have some solder and a soldering iron there too (although i dunno if it'd be precise enough).
be careful though, it's really easy to mess it up and end up w/ a $99 paper weight!

also, somebody would have to install a socket on their haxed ia1 in order to flash the good bios onto the unhaxable IC module (bios 'chip'). would that even work? you'd have to boot up with the haxable bios, then swap ICs while running, wouldn't you? that could get a bit hairy...

it sounds like it's worth a shot, but between the solder and sending ICs to each other (remember, snail mail is still getting irradiated, so there's a chance the chip'd be whipped) i think we should still look for a paperclip/software way to do it...

good luck


dont panic
01-11-2002 10:42:11

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Curious
Profile
You should contact Badflash, he is the expert.
01-11-2002 13:51:16

New MessageRE: Badflash (modified 0 times) RatBastard
Profile
I have been in contact with him. I believe that he has ordered a couple of units, and is doing some research.

If he comes up with a solution, I'm sure that he'll chime in, and we can all order it!

01-11-2002 13:56:29

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) foresto
Profile
I just remembered something from my early days of building ibm-pc clones. Some systems will reset the BIOS values to their defaults if you hold down the Insert key while booting up. If any of you has a USB keyboard and a not-yet-hackable IA-1, you might want to try that.
01-12-2002 02:01:36

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Tricky
Profile
Maybe there is another way to take us to the bios setup mode. The reason the bios boots to setup with the paper clip method is because we have dumped the stored values, an error condition. A trick I often use to get into the bios of many laptops is to hold down a key in order to cause an error, bringing up the bios setup. Perhaps someone that knows hardware a little bit better can find a way to "gently" cause an error with the hard drive controller, creating the condition we have all seen when you try to boot without a HD controller installed. This might bring us to bios setup
01-12-2002 07:42:04

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Beach
Profile
I was able to get into the bios simply by pressing the Compaq key at the flashing cursor without opening the case. It does not have the iPaq on the bezel and it was in the brown box as described earlier. I just received the unit last week from Tiger. Was I just incredibly lucky or will I still need to ground the bios with a paper clip?

I need to get all of the other required parts to complete the hack - are some CF's better than others?

Beach

01-12-2002 08:05:15

New MessageRE:Haxing the 'Un-haxable' (modified 1 times) shadowsunrise
Profile
beach: yes, you were lucky like me. if you want 16mb jailbait on your internal, i just put a post on the 'Bootable CF Problems (anyone want to sell one?)' thread.

the parts for the way i did it only ran me $40 and the CF i got was twice the size i needed (it doubles as mp3 storage for my pocketpc). i picked up a 64MB SanDisk CF for $32 and a CF->ATA pcmcia adapter for $7 used (you'll find it for $14 at bestbuy, staples, etc).

as far as some CF being better than others, i'm pretty ignorant, but i have 3 theories: 1) SanDisk has been around from the start (or close to it, and that's what's soldered to the underside of the motherboard), 2) Fuji makes lame, overpriced film, so don't expect good CF from them, 3) Film makers in general should be avoided because their CF cards were _probably_ designed with digital cameras in mind, being occasional, contiguous reads and writes, not the random access that running as a harddrive requires. of course, i'm just guessing, but my sandisk is working great.

anywho, best of luck to ya! hope that info helps some.


dont panic
01-14-2002 09:49:47

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) shadowsunrise
Profile
on another note, i noticed a lot of talk about paperclips... i have 2 points to bring to mind...
1) i didn't do the paperclip hack, i actually disassembled mine, switched the jumper to 'reset' and powered up for 10 seconds. then i powered down, put the jumper back to 'normal', powered up again and there was my memcheck, etc.
so... perhaps the paperclip doesn't work?
2) i know everybody here has a fair amount of intelligence, so i really hesitate to bring this up for fear of insulting anybody, but when doing the hack, whether paperclip or jumper style, is _everybody_ powering on for a few seconds, then powering down, removing and restarting? the metal case inside was a pain to pull off, so i can see wanting to do the paperclip hack, but the jumper i believe was the way the oem intended for the cmos to be reset.

just a few ideas...


dont panic
01-14-2002 09:55:44

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) caderoux
Profile | Email
I grounded the jumper with a paperclip through the hole, partially reassembled, then powered on and got straight into the BIOS. Boot order required several reboots and inserting a CF to see the D: drive.
Cade Roux
01-14-2002 17:52:44

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) playerx
Profile | Email
I dis-assembled mine, and just shorted the pin using the jumper. I didn't have to power mine on while the jumper was set to clear, when I powered the unit back on, I had forgot to hold down the compaq/f10 key, so the bios then loaded its defaults. I then had to re-short the jumper again, and powered on the unit, and made sure to hold the compaq key.
01-14-2002 18:31:40

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) alinuxuser
Profile
Thinking in 'their shoes' my guess is that the 'unhackable' boxes have a slightly modified BIOS that simply changes the key to press to get into the BIOS to a key other than the F10 'compaq' key. So that would mean any other key, or any key combined with one or more of the modifiers (shift, control, alt) may be the 'open sesame' we're looking for. Now for patient people with an unhackable...
01-19-2002 19:03:27

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Linny
Profile
Garfield,

I saw that you upgraded to the latest OS version. Were you able to use a USB network card?


email at gaetanlord dot com
01-20-2002 16:10:52

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Garfield
Profile
Linny, with v2.0 a usb network adapter is supported... i have yet to buy one though. see the compaq tech support thread for more info...
01-20-2002 16:24:06

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) heitjer
Profile | Email
did any of you ever try 'Ctrl' + 'u' to get into this thing....

I bought one for my wife and she managed to crash the thing so badly that it would not boot up - locked up on the Compaq screen....called Compaq (no luck) and MSN tech support and after an hour I had someone on the phone who was able to help me. He said that when the cursor blinks press the combination. It took me a couple of hard boots but at the fourth attempt I was able to get into some kind of BIOS. In there the Tech told me to enter an https:\ address that was missing and he also told me to enter a default telephone number. Next reboot the thing dialed in and sucked its operating system over the telephone line. It took approx. 1 hour 15 minutes to do that. I assume this was the 16 MB it needs to run.
Next reboot it went through the "sign up for MSN" screens and I had to enter her MSN account data. Wife is happy - I am not (cause of MSN). Since then I developed an interest now in this thing and started reading in here.
I am absolutely new to Linux and on most postings I have no clue what you are talking about but I keep on reading. If you develop something that has the same functionality as the MSN I would be happy to do all this to save the 10 bucks for MSN. But I figure as long as this is not the case I have to keep my wife happy. So keep up the good work.

*heitjer*

05-01-2002 20:46:02

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) AndyW
Profile
"He said that when the cursor blinks press the combination"

On the unhackable boxes there is no 'blink'.

05-07-2002 04:38:32

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) heitjer
Profile | Email
OK - we did it again. Opened an email in MSN and boom - total freeze on the Companion. This time I have written down what is in the blue screen. When the cursor drops the three lines press "ctrl" and "u". The blue screen comes up with the following entry fields, brackets indicate entries and the default:

User Name: [ ]
Password: [ ]
Phone Number: [5958780]
Tone Dialing: [X]
Wait for Dialtone: [X]
Dial Audibly: [ ]
Dial Quickly: [ ]
Post Data: [CurrentVersion=0&Component=Mariner;Compaq-1-1;409&SSN=1]
URL: [https://webcdownload.msn.com/clientman/clientman.dll?DownLoadImage]

Now - bear in mind that I am not the hacker nor experienced in programming - but I think that this might be a way in. If an image is out there on the internet (or on my local network), shouldn't this thing suck anything in that is under that specific address and name?

*heitjer*

05-28-2002 19:30:59

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Wiz_
Profile
Here is html code that will cause this site to download a 10.3 meg file to your machine. Question is, what format is the file it's downloading? It must be some form of image file and there has to be code in the IA-1 CE OS that knows what to do with this file. While looking around the IA-1's CE image after booting to a DOS prompt it appears that there are two partitions, it's possible that one knows how to download and image the other one then reboot to the new partition.
Also note that this is only available as dial-up. The screen you're seeing only knows how to dial up an ISP and download an image. I don't think ethernet works at this point so you couldn't pull the image off a local LAN server. By the way, if you click OK here and it doesn't download an image, it will corrupt your flash disk.

Here's the HTML...

<html>

<head>
<title>Mariner DownLoad</title>
</head>

<body>
<form method="POST" action="https://webcdownload.msn.com/clientman/clientman.dll?DownloadImage">
SSN:<input type="text" name="SSN" value="1">
<p>Component<input type="text" name="Component" value="Mariner;Compaq-1-1;409">
</p>

<p>CurrentVersion:<input type="text" name="CurrentVersion" value="0">
</p>

<p><input type="submit" value="Post" name="DL"></p></form>
</body>

</html>

05-29-2002 20:21:11

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Shane
Profile
If you paste in your regular desktop browser:
https://webcdownload.msn.com/clientman/clientman.dll?DownloadImage&CurrentVersion=0&Component=Mariner;Compaq-1-1;409&SSN=1

You're prompted for a clientman. file... no extension. Seems to me this is just a bin dump of the flash... so all you have to do is get a page set up to download a clientman. file that's actually an image of a linux flash partition.

You can even cheat and use your free month of MSN to do it ;)

Those that have the "unhackable" wait about 1-2 seconds when you first see the compaq screen (this is the approx delay while the cursor drops from the boot check) then press ctrl-u ONCE a second... wait till the screen turns black, should pop up a text screen with the info heitjer pointed out.

08-26-2002 10:52:28
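
Added example (not part of the thread, and not code from any poster): the three requests quoted in the posts above, parsed side by side in Python to show where the device's recovery-screen request, Wiz_'s form and Shane's browser URL actually differ. Treating the device's own request as a POST is an assumption taken from the "Post Data" label; `split_pairs`, `describe`, `diff` and `compare_all` are names made up for this sketch.

```python
from urllib.parse import urlencode, urlsplit, unquote_plus

# Values copied from the posts above (heitjer's screen, Wiz_'s form, Shane's URL).
SCREEN_URL = "https://webcdownload.msn.com/clientman/clientman.dll?DownLoadImage"
SCREEN_POST_DATA = "CurrentVersion=0&Component=Mariner;Compaq-1-1;409&SSN=1"
FORM_ACTION = "https://webcdownload.msn.com/clientman/clientman.dll?DownloadImage"
# Form inputs in document order, including the named submit button,
# which a browser sends along with the text fields.
FORM_FIELDS = [("SSN", "1"), ("Component", "Mariner;Compaq-1-1;409"),
               ("CurrentVersion", "0"), ("DL", "Post")]
BROWSER_URL = ("https://webcdownload.msn.com/clientman/clientman.dll"
               "?DownloadImage&CurrentVersion=0&Component=Mariner;Compaq-1-1;409&SSN=1")


def split_pairs(encoded):
    """Split form-encoded text on '&' only and return (flags, params).

    The Component value contains ';', which older Python parse_qsl versions
    also treated as a pair separator, so the split is done by hand here.
    A bare key with no '=' (such as DownloadImage) is reported as a flag.
    """
    flags, params = [], {}
    for item in filter(None, encoded.split("&")):
        key, sep, value = item.partition("=")
        if sep:
            params[unquote_plus(key)] = unquote_plus(value)
        else:
            flags.append(unquote_plus(key))
    return flags, params


def describe(method, url, body=""):
    """Normalise one request into comparable parts."""
    parts = urlsplit(url)
    q_flags, q_params = split_pairs(parts.query)
    b_flags, b_params = split_pairs(body)
    flags = q_flags + b_flags
    return {"method": method, "scheme": parts.scheme, "host": parts.hostname,
            "path": parts.path, "action": flags[0] if flags else "",
            "params": {**q_params, **b_params}}


def diff(reference, other):
    """List the ways `other` deviates from `reference`."""
    notes = []
    for key in ("method", "scheme", "host", "path"):
        if reference[key] != other[key]:
            notes.append(f"{key}: {reference[key]} -> {other[key]}")
    if reference["action"] != other["action"]:
        same = reference["action"].lower() == other["action"].lower()
        notes.append("action differs" + (" only in letter case" if same else ""))
    for name in sorted(set(reference["params"]) ^ set(other["params"])):
        notes.append(f"param only on one side: {name}")
    for name in sorted(set(reference["params"]) & set(other["params"])):
        if reference["params"][name] != other["params"][name]:
            notes.append(f"param value differs: {name}")
    return notes


def compare_all():
    """Compare the form and the browser URL against the recovery-screen request."""
    screen = describe("POST", SCREEN_URL, SCREEN_POST_DATA)  # POST is assumed
    form = describe("POST", FORM_ACTION, urlencode(FORM_FIELDS))
    browser = describe("GET", BROWSER_URL)
    return {"form": diff(screen, form), "browser": diff(screen, browser)}


if __name__ == "__main__":
    for name, notes in compare_all().items():
        print(name, notes)
```

All three carry the same `CurrentVersion`, `Component` and `SSN` values; what differs is the spelling of the action name, the form's extra `DL` field and the browser URL's use of GET.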

New MessageRE:Haxing the 'Un-haxable' (modified 0 times) Linny
Profile
As shane said, I was able to download the msn image.
I could probably hack a machine to simulate the webcdownload.msn.com (DNS etc)
Is the midori image an equivalent of the micro$oft image, or something different?
I'd like to transform my door holder to something more useful
10-24-2002 21:45:22

All times are PST


