Shiny New E-Book Gizmo: The Amazon Kindle


Huge exploit found in 2.7


arivero
10-19-2006, 12:47 PM
Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

jęd
10-19-2006, 12:58 PM
Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

Up to you whether you think it's better to have an unsecured iLiad and to be the only one with this knowledge, or to help the iLiad progress. Congratulations, btw... :D

arivero
10-19-2006, 01:00 PM
Up to you whether you think it's better to have an unsecured iLiad and to be the only one with this knowledge, or to help the iLiad progress. Congratulations, btw... :D

I could ask for an NDA agreement :D :D

design256
10-19-2006, 01:11 PM
Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

Perhaps you could use it to help us finish the Xserver exploit. Then make it public when Irex patches that in 2.8...

arivero
10-19-2006, 01:32 PM
Ok I will release it, on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

That is, I created a new wireless WEP connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the WEP security key field I used:


`ls > /opt/content/books/a.txt`


I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the owner of the machine must know exactly what he is doing, no argument about being tricked into doing it (except if you have got a devilish system administrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.

design256
10-19-2006, 01:43 PM
Ok I will release it, on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

That is, I created a new wireless WEP connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the WEP security key field I used:



I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the owner of the machine must know exactly what he is doing, no argument about being tricked into doing it (except if you have got a devilish system administrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.

neat. Congratulations on thinking of this one.

arivero
10-19-2006, 01:57 PM
neat. Congratulations on thinking of this one.

A pleasure. Please remember this trick is under the 75 Euros caveat (http://www.mobileread.com/forums/showthread.php?t=7405)

scotty1024
10-19-2006, 05:42 PM
Now that's a nice hole!

So who hasn't done this yet?

cp /etc/passwd /opt/content/books/passwd
<edit passwd>
cp /opt/content/books/passwd /etc/passwd
cp /opt/content/books/bugbear /usr/sbin
...
:D

scotty1024
10-19-2006, 05:45 PM
Hmmm perhaps update the irex.crt to make iDS proxy very simple again?

Mike Kostousov
10-19-2006, 06:40 PM
Wau!!!! It is amazing! So big hole!

`/bin/bash /opt/books/what-ever-you-want.sh`

Mike Kostousov
10-19-2006, 06:48 PM
sorry. There is no bash. Just sh

Mike Kostousov
10-19-2006, 07:10 PM
uupi!!! It works!
`/bin/sh /opt/content/books/a.sh`

There is "a.sh"
#!/bin/sh

/bin/ps aux > /opt/content/books/ps-aux-out.txt
/bin/uname -a > /opt/content/books/uname-a.txt
/bin/cat /proc/cpuinfo > /opt/content/books/cpuinfo.txt
/bin/mount > /opt/content/books/mount.txt
/bin/dmesg > /opt/content/books/dmesg.txt
/bin/ls /boot > /opt/content/books/ls-boot.txt

But, if you want to try by yourself, you are doing it by you own risk! Be careful!

It is a really big hole. Now, I will try to compile something for iLiad (maybe the cross-compiler for Zaurus will succeed). BTW, I think the most careful way is to mount the MMC with ext2, and try to do everything there..

Mike Kostousov
10-19-2006, 07:31 PM
Wau! I have first my own program running on iLiad!!!!! he-he-he!!!! I am spammer today!
Usual Zaurus cross-platform sdk (gcc2.95) works well.

hello_iliad.c

#include <stdio.h>

int main(int argc, char **argv)
{
    /* trailing newline so the redirected output file ends cleanly */
    printf("Hello, my iLiad\n");
    return 0;
}

b.sh

#!/bin/sh

/bin/cp /opt/content/books/hello_iliad /tmp
/bin/chmod a+x /tmp/hello_iliad
/tmp/hello_iliad > /opt/content/books/hello_from_iliad.txt

:rolleyes5

Antartica
10-20-2006, 01:17 AM
Ok I will release it, on second inspection it is so simple that there is no issue.

Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).

What's next in my todo list queue: investigate the pageBar protocol and doing a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!

Thanks arivero :-).

Drops
10-20-2006, 02:40 AM
Has anyone tried a java --version command yet?

design256
10-20-2006, 02:53 AM
Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).



Do it quickly! I bet that this and Xserver will be patched on IDS today.

Alexander Turcic
10-20-2006, 04:26 AM
Up to you whether you think it's better to have an unsecured iLiad and to be the only one with this knowledge, or to help the iLiad progress. Congratulations, btw... :D
And what would be the risk of having an "unsecured" iLiad ATM? ;)

CommanderROR
10-20-2006, 04:42 AM
Congrats on your find.

I have no clue what this actually does, but it sounds great anyway...:-)

jęd
10-20-2006, 05:50 AM
And what would be the risk of having an "unsecured" iLiad ATM? ;)

Someone might hit you over the head with it...? :D

But seriously... I'm glad this was brought out in the open... I think it shows willingness to work with iRex in making their product better. Let's see how soon they fix this...! :D

arivero
10-20-2006, 06:10 AM
But seriously... I'm glad this was brought out in the open... I think it shows willingness to work with iRex in making their product better. Let's see how soon they fix this...! :D

I insist: it is not a security hole, so you do not need to fix it. It *seems* a security hole because it works the way www holes work, but it is a dialog window that only shows on the main console, so it is not a security issue. It is the same thing as claiming that GRUB has security holes!

The PDF hole in 2.4 was a different issue; just because the confirmation window was not drawn on the screen (it was, but the screen was not updated, remember) it was possible to do a pdf asking the user "click on this cross, then click this one and see what happens", the second cross subtly drawn over the OK button. It needs not be so obvious, it could be for instance a sudoku square asking for two sequential clicks, or some "start demo" thing. In Spain we call this kind of deception a "Cuartango" trick, because this researcher in the CSIC did some work on deception windows over MS Windows.

arivero
10-20-2006, 06:17 AM
uupi!!! It works!
`/bin/sh /opt/content/books/a.sh`

(...)

Now, I will try to compile something for iLiad (maybe the cross-compiler for Zaurus will succeed). BTW, I think the most careful way is to mount the MMC with ext2, and try to do everything there..

Yes, in fact a minor issue is that the internal filesystems for documents are vfat, and I think that the USB also mounts vfat; the MMC mounts -t auto, I think, so a ext2 filesystem is feasible there, in theory. I have not seen yet the mounting for CF cards.

Of course having files in vfat implies two problems: small one, that you can not have linked files. Bigger one, that you can not set a file to be an executable, so you must rely on /bin/sh or some other way around.

I am not sure which is the easiest/safest/most careful way to proceed. The people on the Librie installed a Sxx.sh in the rc.5 or whatever it starts, and this one waited in the dark for a minute or two and then searched for "hook.sh" files on the SD/MMC/MemoryStick to execute. The other alternative is to do the same thing as a last line of the startup script in the home directory of root, but DHer already got to hang the machine last time he edited that script.

DHer
10-20-2006, 06:40 AM
Well, it would have worked if I had added an & at the end of the line to push netcat into the background.

So there's no reason not to try it again. (see the old thread for details on obtaining netcat and this line)

arivero
10-20-2006, 06:46 AM
Well, it would have worked if i had added an & at the end of the line t

It is valuable advice. Some other people can be tempted by startup scripts now, and it is not wise to let them hang when you can not reflash yourself :(


Another trick I can think of is to get the executable of rxvt, hoping it still works, and do a small shell script waiting some minutes (to let the user get out of the testing network dialog), then switching on the network, then running rxvt against an external X display. Your method, netcat based, had the advantages of being permanent and of not needing a Unix/X Windows counterpart.

arivero
10-20-2006, 06:54 AM
What's next in my todo list queue: investigate the pageBar protocol and doing a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!


Also, we need some hints about the update protocol. We can do single updates of the whole screen by calling the displayMgrClient utility, but I really would like to enable the update mode of the Ink applications, I mean Scribble and now the new Keyboard. This will be happily explained in the open by iRex in the future (and also the pageBar protocol), you could try to ask them first!

design256
10-20-2006, 07:06 AM
It is valuable advice. Some other people can be tempted by startup scripts now, and it is not wise to let them hang when you can not reflash yourself :(


Another trick I can think of is to get the executable of rxvt, hoping it still works, and do a small shell script waiting some minutes (to let the user get out of the testing network dialog), then switching on the network, then running rxvt against an external X display. Your method, netcat based, had the advantages of being permanent and of not needing a Unix/X Windows counterpart.

how about moving /usr/bin/downloadMgr out of the way and replacing it with a short script that starts the network and runs dropbear? That way, when you press the IDS button it starts your shell. No worries about bricking it on startup either. You can always move downloadMgr back into place when you want to do a real update...

Mike Kostousov
10-20-2006, 07:24 AM
First, we need to compile dropbear. I already did it, but the Zaurus development environment is a little bit old (glibc 2.2.2, but iLiad has 2.3.3). Or, maybe somebody has dropbear for iLiad?

arivero
10-20-2006, 07:39 AM
First, we need to compile dropbear. I already did it, but the Zaurus development environment is a little bit old (glibc 2.2.2, but iLiad has 2.3.3). Or, maybe somebody has dropbear for iLiad?

Someone with a copy of the 2.4 filesystem (I lost mine) could send to you, or to the mobileread ftp site, a copy of the dropbear inside. You need also to replace /etc/passwd or to create a new user, and I think that the integrity of /etc/passwd (as well as the integrity of the registry) is checked now during the startup. Netcat had the advantage of not needing to know the root password nor to change it, and it was to be run on any nontrivial port, so relatively safe from scanners.

design256
10-20-2006, 07:55 AM
Someone with a copy of the 2.4 filesystem (I lost mine) could send to you, or to the mobileread ftp site, a copy of the dropbear inside. You need also to replace /etc/passwd or to create a new user, and I think that the integrity of /etc/passwd (as well as the integrity of the registry) is checked now during the startup. Netcat had the advantage of not needing to know the root password nor to change it, and it was to be run on any nontrivial port, so relatively safe from scanners.

You could compile tsh statically with the Zaurus toolchain. It will easily run on any port and the executable is tiny. I use it as a backdoor to rescue broken systems remotely.


http://freshmeat.net/projects/tsh/

Mike Kostousov
10-20-2006, 07:55 AM
Someone with a copy of the 2.4 filesystem (I lost mine) could send to you, or to the mobileread ftp site, a copy of the dropbear inside. You need also to replace /etc/passwd or to create a new user, and I think that the integrity of /etc/passwd (as well as the integrity of the registry) is checked now during the startup. Netcat had the advantage of not needing to know the root password nor to change it, and it was to be run on any nontrivial port, so relatively safe from scanners.
I think replacing passwd is the better way. I created a network profile with this quoted key and chose this profile by default. Now, by pressing the network button this script is executed. So, I just need to create a script which will change /etc/passwd, start dropbear, etc. But what happens if the integrity check fails?

arivero
10-20-2006, 08:01 AM
I think replacing passwd is the better way. I created a network profile with this quoted key and chose this profile by default. Now, by pressing the network button this script is executed.

Wow!! Of course, it stores the key, and it uses it when you start a connection. I had not thought of it, because I thought that if the test fails it was not going to store the key.
Now, this seems a safe way to script execution by itself; if you do not want script execution anymore, you delete the profile and voila! It is somewhat risky in the sense that if you change the connection and it really gets to contact iDS, it could update the system if you are not fast enough to remove the internet cable or switch your wifi router off.

A minor problem is that we do not know exactly at which point the hack is being executed. We can conjecture it is in the line "iwconfig $ethIf key $key" of the script wireless.sh, but on the other hand the authors of the script (Alexis, Matthijs and Edwin, some of them you know from iRex forums) took already some wrapping measures (namely, key="$4").


So, I just need to create a script which will change /etc/passwd, start dropbear, etc. But what happens if the integrity check fails?

Let me check the scripts and I will tell you in this same posting. (Back in a couple of minutes.) (Here I am). It seems that the integrity checks are done in do_updates.sh in the /usr/bin directory. It checks

updates_done=0
new_password='Ko2IxrVVzZZT.'

echo -n 'Checking for patches:'

if [ -x /usr/sbin/dropbearmulti ]
then
echo -n ' rm_sshd'
/usr/bin/ipkg remove -force-depends dropbear
updates_done=1
fi

if [ "`grep '^root:' /etc/passwd | cut -d: -f2`" != "${new_password}" ]
then
echo -n ' passwd'
sed -i "s,^\\([^:]*\\):[^:]*:0:,\\1:${new_password}:0:," /etc/passwd
updates_done=1
fi


And it checks also for registry modifications. As you see, if the check for the password fails, it just sets the password to the fixed one.
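An added example, not code from this thread or from iRex: a constructed stand-in for the pattern arivero conjectures in wireless.sh (the user-typed key is handed to the shell a second time, so backquotes in the key field run as a command), next to a validator that accepts only the two WEP key syntaxes iwconfig documents and a call that passes the key as a single argument. The function names `configure_wep_unsafe`, `configure_wep_safe` and `wep_key_ok`, the restricted character set for `s:` keys, and the use of `echo` in place of iwconfig (so it runs offline) are all assumptions.

```shell
#!/bin/sh
# Added example, not iLiad/iRex code. Constructed stand-in for the pattern the
# thread conjectures in wireless.sh: the user-typed WEP key ends up in a command
# string that the shell parses a second time, so `...` and $(...) in the key
# field are executed. 'echo' stands in for iwconfig so this runs anywhere;
# configure_wep_*, wep_key_ok and the character-set rule are assumptions.

# Vulnerable shape: the first expansion puts the raw key into the string,
# eval parses that string again, and the backquotes inside $key run then.
configure_wep_unsafe() {
    ifname="$1"
    key="$2"
    eval "echo iwconfig $ifname key $key"
}

# Validator: accept only 10 or 26 hex digits, or s: followed by 5 or 13
# characters. The s: branch is deliberately stricter than iwconfig itself
# (no shell metacharacters such as ` $ ( ) ; | & < > or whitespace), so a
# key that passes can never be parsed as a command by any later shell.
wep_key_ok() {
    key="$1"
    case "$key" in
        s:*)
            body="${key#s:}"
            len=${#body}
            [ "$len" -eq 5 ] || [ "$len" -eq 13 ] || return 1
            case "$body" in
                *[!A-Za-z0-9._@-]*) return 1 ;;
            esac
            ;;
        *)
            len=${#key}
            [ "$len" -eq 10 ] || [ "$len" -eq 26 ] || return 1
            case "$key" in
                *[!0-9A-Fa-f]*) return 1 ;;
            esac
            ;;
    esac
    return 0
}

# Hardened shape: validate first, then pass the key as one quoted argument.
# There is no eval, so even a key that slipped past validation stays data.
configure_wep_safe() {
    ifname="$1"
    key="$2"
    if ! wep_key_ok "$key"; then
        echo "rejected WEP key: not a valid hex or s: key" >&2
        return 1
    fi
    echo iwconfig "$ifname" key "$key"
}
```

Running `configure_wep_unsafe eth0 '`echo INJECTED`'` prints `iwconfig eth0 key INJECTED`, i.e. the inner command ran, while `configure_wep_safe` refuses the same input before anything is executed.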

design256
10-20-2006, 08:16 AM
It is somewhat risky in the sense that if you change the connection and it really gets to contact iDS, it could update the system if you are not fast enough to remove the internet cable or switch your wifi router off.


Wow, I can see Iliad owners running down the street to escape their iliad connecting to ids through WiFi :happy2:

k2r
10-20-2006, 09:16 AM
I'm not quite sure why we would have to change the root-password to log in to the device.
If I remember correctly dropbear client supports public key authentication, you just have to convert the id into a dropbear specific format.

Antartica
10-20-2006, 09:26 AM
Do it quickly! I bet that this and Xserver will be patched on IDS today.

Updated! :-)

design256
10-20-2006, 11:35 AM
I'm not quite sure why we would have to change the root-password to log in to the device.
If I remember correctly dropbear client supports public key authentication, you just have to convert the id into a dropbear specific format.

WOOHOO!! I'm in!!!

tsh compiled statically out of the box with the Zaurus cross compiler and runs without any problems at all. I've attached the arm tshd and linux tsh binary.

Usual bricking caveats apply..

CommanderROR
10-20-2006, 11:45 AM
Congrats!

arivero
10-20-2006, 11:49 AM
WOOHOO!! I'm in!!!

tsh compiled statically out of the box with the Zaurus cross compiler and runs without any problems at all. I've attached the arm tshd and linux tsh binary.

Usual bricking caveats apply..

Design, could you also attach the shell script and/or the command you use to launch it? Or are you still opening the network using your "http proxy failure" trick?

design256
10-20-2006, 12:04 PM
Design, could you also attach the shell script and/or the command you use to launch it? Or are you still opening the network using your "http proxy failure" trick?


I'm using the http proxy trick for now - I haven't worked out how to turn the network on from a script yet, but should do soon. I just make it sleep for 2 minutes then run tshd.

BTW, the linux-side tsh I uploaded doesn't work statically compiled because of missing gethostbyname. Here is a dynamically compiled one on FC3, and the source. It is easy to compile. You need to set the password in tsh.h to 'abc'.

arivero
10-20-2006, 12:09 PM
I'm using the http proxy trick for now - I haven't worked out how to turn the network on from a script yet

Ah, you simply call wired.sh or wireless.sh with the right parameters; sort of "/usr/bin/wired.sh start" or similar call, we used it back in the 2.4 version three months ago.

Check them in /usr/bin. There is even a "usage" help. But in any case, how does the "proxy trick" work? Do I actually need to take the trouble of setting up a proxy?

BTW, the linux-side tsh (...)
guess most people will use an apt-get anyway.

design256
10-20-2006, 12:12 PM
Ah, you simply call wired.sh or wireless.sh with the right parameters; sort of "/usr/bin/wired.sh start" or similar call, we used it back in the 2.4 version three months ago.

Check them in /usr/bin. There is even a "usage" help. But in any case, how does the "proxy trick" work? Do I actually need to take the trouble of setting up a proxy?


guess most people will use an apt-get anyway.


Try just pointing it at a nonexistent proxy. If the network light stays on and you get a popup error box on connect then you're there.

design256
10-20-2006, 02:14 PM
Try just pointing it at a nonexistent proxy. If the network light stays on and you get a popup error box on connect then you're there.

ok wired.sh works a treat, so no need for the proxy hack any more.
Change /mnt/card if you're not using a mmc card...

/mnt/card/a.sh contains:

#!/bin/sh
sleep 120
/usr/bin/wired.sh start
sleep 5
/tmp/tshd

---------------

/mnt/card/b.sh contains:

#!/bin/sh

/bin/cp /mnt/card/tshd /tmp
/bin/cp /mnt/card/a.sh /tmp
/bin/chmod 755 /tmp/tshd
/bin/chmod 755 /tmp/a.sh
/tmp/a.sh &


-------

Then run /mnt/card/b.sh from network profiles, quit, then wait
a couple of minutes. When the light comes on:

tsh ILIAD_IP /bin/sh from your linux box.

...and you'll be in.

I'm working on a packaged version to replace download manager. Will post in CommanderROR's sticky topic when done.

Once again, big thanks for finding this excellent hole. Would love to be a fly on the wall at Irex when they were so keen to keep developers out...

Antartica
10-20-2006, 02:21 PM
Updated! :-)

It seems that they plugged the hole. I've not been able to reproduce the backquote hack :-(((

They've been fast.

UPDATE: It was my fault :huh: , they have not patched it, it still works :wink:. sorry if I scared someone.

design256
10-20-2006, 02:33 PM
It seems that they plugged the hole. I've not been able to reproduce the backquote hack :-(((

They've been fast.



eeek. that was quick :sad2:

guess we'll have to keep working on an IDS-based exploit. I wonder if they also closed off the Xserver?

tribble
10-20-2006, 02:44 PM
I don't think that there are different versions of 2.7 out there.

scotty1024
10-20-2006, 03:13 PM
I don't think that there are different versions of 2.7 out there.
Maybe he's a beta tester.

Take Caesar's Beta, Take Caesar's Security Patches. :D

TadW
10-20-2006, 03:46 PM
As far as I can tell 2.7 is unchanged since its initial release.

scotty1024
10-20-2006, 04:04 PM
OK I can confirm it works. Thanks for the ZIP's design256!

Notes:
tsh <your iliad ip> /bin/sh

By default it tries to exec bash and can't find it.

Note: design256's tsh source is double gzip'd.

If you need to discover your IP:

#!/bin/sh
sleep 120
/usr/bin/wired.sh start
sleep 5
/sbin/ifconfig >/mnt/card/ifconfig.txt

I updated tsh to have a Mac build option (working!) see attached ZIP (comes with Mac binaries no extra charge.)

And for those that may be confused (as was I) when he says "Quit" he means get out of the profile manager. I pressed the main menu button. If you wait around the profile manager will whack your connection shortly after it comes up. :)

scotty1024
10-20-2006, 04:11 PM
Looks like we have a winner in the "encrypted book format" race:

Found this in /mnt/settings/er_registry.txt
uaIDList=BROWSER;XPDF;APABIMOBI;IMAGEVIEWER;SETUP; PROFILES;EBA

Amazon here we come...

TadW
10-20-2006, 04:18 PM
scotty, what makes you think of Amazon?

The list is the same as it was a firmware before (http://www.mobileread.com/forums/showthread.php?t=7495).

scotty1024
10-20-2006, 04:18 PM
Hmm look what else I found:

/mnt/settings/er_registry.txt
redirectUrl=https://ids.irexnet.com:443/redirector

No need for a frickin' proxy now. And I'm hoping, no need for frickin' https either. :D :D :D :D

Yeeeeee Haaaawwww!

I hope this works, I was sorely getting tired of hacking x.509 certs with md5 rainbow tables.

scotty1024
10-20-2006, 04:19 PM
scotty, what makes you think of Amazon?

The list is the same as it was a firmware before (http://www.mobileread.com/forums/showthread.php?t=7495).
APABIMOBI;

TadW
10-20-2006, 04:20 PM
redirectUrl=https://ids.irexnet.com:443/redirector

No need for a frickin' proxy now.
You're going to replace redirectUrl with one of your own web addresses?

TadW
10-20-2006, 04:22 PM
APABIMOBI;
APABI is a Chinese e-book format -> http://www.apabi.com/

MOBI might hint at MobiPocket, but it's been there for a long time. It's true though that there were various mentions here before that iRex could be working with MobiPocket to integrate their e-book software.

scotty1024
10-20-2006, 04:25 PM
APABI is a Chinese e-book format -> http://www.apabi.com/

MOBI might hint at MobiPocket, but it's been there for a long time. It's true though that there were various mentions here before that iRex could be working with MobiPocket to integrate their e-book software.
Yeah, just googled that myself. Let's see, sheepish grin is where??? :o

scotty1024
10-20-2006, 04:31 PM
You're going to replace redirectUrl with one of your own web addresses?
I've been working on an iDS server written in Java.

This all popped just in time to make for a very interesting weekend. :D

One feature I appreciate about having your own iDS server? Local time, it feels so good to have your notes show up in the right time zone! Hmm of course I could hack that right now from the command line couldn't I. :D

scotty1024
10-20-2006, 04:49 PM
They have a getty running against ttyS2

/proc # ls -l /dev/ttyS2
crw--w--w- 1 root root 4, 66 Oct 20 16:58 /dev/ttyS2

PID Uid VmSize Stat Command
1 root 524 S init [5]
2 root SW [keventd]
3 root SWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
7 root SW [kUCB1x00d]
8 root SW [tffs1]
9 root SW [mtdblockd]
10 root SW [khubd]
234 root 580 S /sbin/cardmgr
252 root 556 S /sbin/klogd -n
324 root 560 S /sbin/syslogd
325 root 564 S /usr/bin/displayMgr -p -w /var/waveform.bin
326 root 524 S /usr/bin/erbusyd
327 root 3848 S /usr/bin/Xfbdev -screen 768x1024x8 -3button -dpi 160
331 root 524 S /usr/bin/erbusyd
332 root 3880 S /usr/bin/matchbox-window-manager -use_titlebar no -us
333 root 5164 S /usr/bin/pageBar
334 root 3760 S /usr/bin/matchbox-panel --size 39 --no-menu --bgcolor
336 root 524 S /usr/bin/erbusyd
478 root 2592 S mb-applet-icon-container
486 root 9456 S /usr/bin/contentLister --sync
487 root 1992 S /usr/bin/powerMgr
491 root 1992 S /usr/bin/powerMgr
492 root 1992 S /usr/bin/powerMgr
494 root 1992 S /usr/bin/powerMgr
535 root 9456 S /usr/bin/contentLister --sync
538 root 9456 S /usr/bin/contentLister --sync
577 root 9456 S /usr/bin/contentLister --sync
657 root 9456 S /usr/bin/contentLister --sync
658 root 9456 S /usr/bin/contentLister --sync
667 root SW [usbplugd]
668 root 404 S msdisk
683 root 512 S /sbin/getty -L ttyS2 115200 vt100
1780 root SW [mmcblockd]
1902 root 568 S udhcpc -n -p /var/run/udhcpc.eth0.pid -t 4 -i eth0
1905 root 96 S /tmp/tshd
1990 root 144 S /tmp/tshd
1991 root 540 S sh -c /bin/sh
1992 root 880 S /bin/sh
2038 root 704 R ps -ex

/proc/tty # cat drivers
serial /dev/cua 5 64-71 serial:callout
serial /dev/ttyS 4 64-71 serial
pty_slave /dev/pts 136 0-255 pty:slave
pty_master /dev/ptm 128 0-255 pty:master
pty_slave /dev/ttyp 3 0-255 pty:slave
pty_master /dev/pty 2 0-255 pty:master
/dev/vc/0 /dev/vc/0 4 0 system:vtmaster
/dev/ptmx /dev/ptmx 5 2 system
/dev/console /dev/console 5 1 system:console
/dev/tty /dev/tty 5 0 system:/dev/tty
unknown /dev/vc/%d 4 1-63 console

/proc/tty/driver # cat serial
serinfo:1.0 driver:5.05c revision:2001-07-08
0: uart:PXA UART port:F8100000 irq:15 baud:19200 tx:4 rx:413822 RTS|CTS|DTR|DSR|CD|RI
1: uart:PXA UART port:F8200000 irq:14 tx:0 rx:0
2: uart:PXA UART port:F8700000 irq:13 baud:115200 tx:93156 rx:0 RTS|DTR

arivero
10-20-2006, 04:55 PM
Besides antartica, has anybody downloaded 2.7 today?

scotty1024
10-20-2006, 04:59 PM
Ouch, X, contentlister and matchbox are burning up the memory:

327 root 3964 S /usr/bin/Xfbdev -screen 768x1024x8 -3button -dpi 160
331 root 524 S /usr/bin/erbusyd
332 root 3880 S /usr/bin/matchbox-window-manager -use_titlebar no -us
333 root 5296 S /usr/bin/pageBar
334 root 3760 S /usr/bin/matchbox-panel --size 39 --no-menu --bgcolor
336 root 524 S /usr/bin/erbusyd
478 root 2592 S mb-applet-icon-container
486 root 9568 S /usr/bin/contentLister --sync
487 root 1992 S /usr/bin/powerMgr
491 root 1992 S /usr/bin/powerMgr
492 root 1992 S /usr/bin/powerMgr
494 root 1992 S /usr/bin/powerMgr
535 root 9568 S /usr/bin/contentLister --sync
538 root 9568 S /usr/bin/contentLister --sync
577 root 9568 S /usr/bin/contentLister --sync
657 root 9568 S /usr/bin/contentLister --sync
658 root 9568 S /usr/bin/contentLister --sync

Now I think I see why minimo has been so frickin' unstable, after launching there is only 1.4MB of free memory. Much complexity and it'll run out of memory and crash.

With minimo running:

/proc # cat meminfo
total: used: free: shared: buffers: cached:
Mem: 64090112 62640128 1449984 0 2068480 33693696
Swap: 0 0 0
MemTotal: 62588 kB
MemFree: 1416 kB
MemShared: 0 kB
Buffers: 2020 kB
Cached: 32904 kB
SwapCached: 0 kB
Active: 35596 kB
Inactive: 16252 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 62588 kB
LowFree: 1416 kB
SwapTotal: 0 kB
SwapFree: 0 kB

Output from ps for minimo:
2046 root 13784 S /usr/bin/browser /mnt/card/picture/manifest.xml /medi
2047 root 13784 S /usr/bin/browser /mnt/card/picture/manifest.xml /medi
2048 root 13784 S /usr/bin/browser /mnt/card/picture/manifest.xml /medi
2049 root 13784 S /usr/bin/browser /mnt/card/picture/manifest.xml /medi
2050 root 13784 S /usr/bin/browser /mnt/card/picture/manifest.xml /medi
2052 root 13784 S /usr/bin/browser /mnt/card/picture/manifest.xml /medi

I wonder why minimo needs 6 processes?

arivero
10-20-2006, 05:34 PM
Output from ps

hmm could you try a ps with information about the parent process of each process, or a pstree if it is available? I do not understand why so many copies of the contentLister to start with, I am afraid it could be an artifact of the way we are checking in.

design256
10-20-2006, 05:37 PM
hmm could you try a ps with information about the parent process of each process, or a pstree if it is available? I do not understand why so many copies of the contentLister to start with, I am afraid it could be an artifact of the way we are checking in.

I think they are threads or the 2.4 equivalent - they are all using shared memory. Scotty actually has the 32MB memory marked as cached available for use. Out of 64MB total assigned this isn't too bad.

arivero
10-20-2006, 05:47 PM
I think they are threads or the 2.4 equivalent - they are all using shared memory. Scotty actually has the 32MB memory marked as cached available for use. Out of 64MB total assigned this isn't too bad.

vfork then. There is a Warning message in the debug of contentLister:

(CL_E)programManager.c:%d,%s() pmRunViewer: can't fork %s

So I guess that this is the way of calling an application, forking contentLister and one of the branches waits for termination, or perhaps even feeds the keyboard input, who knows. But this does not explain the forks in "browser" itself (heavily patched minimo, remember).

scotty1024
10-20-2006, 05:58 PM
hmm could you try a ps with information about the parent process of each process, or a pstree if it is available? I do not understand why so many copies of the contentLister to start with, I am afraid it could be an artifact of the way we are checking in.
I'll have to build a better ps. :)

Mike Kostousov
10-20-2006, 06:33 PM
I think it is possible to use swap.
Something like that:

#!/bin/sh
# 64 MB swap file on the MMC card. Read from /dev/zero, not /dev/null:
# /dev/null yields an empty file and mkswap then fails. count is given as a
# plain number because the device's busybox dd may not accept the K suffix.
dd if=/dev/zero of=/mnt/card/.swapfile bs=1024 count=65536
mkswap /mnt/card/.swapfile
swapon /mnt/card/.swapfile


But, don't try to take out mmc card without "swapoff /mnt/card/.swapfile"

I also got dropbear working. With a public key it makes the connection to the iLiad more secure :) And it is possible to copy with scp. And navigate with konqueror via "fish://root@iliad_ip", but
fuser doesn't work with dropbear.

a.sh

#!/bin/sh
# The books folder is vfat (no exec bit), so binaries are copied to /tmp first.
mkdir -p /home/root/.ssh
cp /opt/content/books/id_rsa.pub /home/root/.ssh/authorized_keys
# dropbear refuses an authorized_keys file that is group- or world-writable
chmod 700 /home/root/.ssh
chmod 600 /home/root/.ssh/authorized_keys
cp /opt/content/books/dr.sh /tmp
cp /opt/content/books/dropbear /tmp
cp /opt/content/books/dropbearkey /tmp

chmod 755 /tmp/dr.sh
chmod 755 /tmp/dropbear
chmod 755 /tmp/dropbearkey

# Generate the host keys once and keep them on the card. The test needs the
# full path; a bare file name is looked up in the current directory, so the
# keys would be regenerated (and the host key would change) on every run.
if [ ! -e /opt/content/books/dropbear_dss_host_key ]; then
/tmp/dropbearkey -t dss -f /opt/content/books/dropbear_dss_host_key
fi
if [ ! -e /opt/content/books/dropbear_rsa_host_key ]; then
/tmp/dropbearkey -t rsa -f /opt/content/books/dropbear_rsa_host_key
fi
cp /opt/content/books/dropbear_dss_host_key /tmp
cp /opt/content/books/dropbear_rsa_host_key /tmp
sh /tmp/dr.sh &

dr.sh

#!/bin/sh
sleep 30
/usr/bin/wired.sh start dhcp
sleep 5
/tmp/dropbear -d /tmp/dropbear_dss_host_key -r /tmp/dropbear_rsa_host_key


id_rsa.pub - your public key.

scotty1024
10-21-2006, 01:30 AM
Setting up a Zaurus cross compiler on Mac oS X page: http://www.lucid-cake.net/osx_arm/index_en.html

k2r
10-21-2006, 06:47 AM
Great, thanks!

arivero
10-21-2006, 08:56 AM
On a different note, Readers have got script execution this morning, via a bold reflash of the entire filesystem (they use cramfs and they cannot permanently modify a single file; they need to download the old fs, modify it offline, and reflash it).

Their other disadvantage is that they have not got X, so they need each application to access the framebuffer directly or to speak with a controller application not in the open source tree. So they will still need some reverse engineering work.

scotty1024
10-21-2006, 11:59 AM
I can now verify that the instructions for building a Mac OS X cross compiler create a cross compiler that compiles code that works on the iLiad Version 2.7.

My next step is to get to where I can compile X apps.

I've always wanted a calculator on my iLiad. :D

arivero
10-21-2006, 01:47 PM
I've always wanted a calculator on my iLiad. :D

The main problem is that, lacking SDK specs or reverse engineering, the only tool to update the screen is a command line tool, and it does a complete update with all the flash to white and black. Not fun for each keypress.

scotty1024
10-21-2006, 02:40 PM
I know, there has to be some event that needs to be triggered to cause an update.

I figure the path to an SDK has several things to be knocked over, one by one.

Right now I'm working on compiling an X11 app.

Next, I'll run it.

If it doesn't update, then I'll find the update trigger I need to embed.

This thing is 95% open source and the other 5% is built with open source. Nothing is going to stand in our way for long.

scotty1024
10-21-2006, 03:49 PM
I also got dropbear working. With a public key it makes the connection to the iliad more secure :) And it is possible to copy with scp.

I can confirm this works for me, thank you for your excellent work!

scotty1024
10-21-2006, 03:55 PM
Anyone else notice this in root's start.sh?

# Temporary fix to show the WiFi mac address to the user
if [ ! -e /mnt/free/wlan_mac.txt ]
then
echo "WiFi card MAC address:" > /mnt/free/wlan_mac.txt
ifconfig wlan0 | awk '$4 ~ /HWaddr/ { mac = $5; gsub(/:/, "-", mac); print mac }' >> /mnt/free/wlan_mac.txt
fi

When I inspect the file:

root@ereader:~# cat /mnt/free/wlan_mac.txt
WiFi card MAC address:

I guess I have my first iRex bug to fix. :D

arivero
10-21-2006, 05:58 PM
I also got dropbear working. With a public key


YESSS!!! I am in! I mean, I now have the Nokia 770 and the iLiad linked via an Ad-Hoc wireless connection, and I can enter with dropbear as you suggested!

The AdHoc is straightforward but wired.sh does not provide it. So instead of your simple

#!/bin/sh
sleep 30
/usr/bin/wired.sh start dhcp
sleep 5
/tmp/dropbear -d /tmp/dropbear_dss_host_key -r /tmp/dropbear_rsa_host_key


... I am forced to use a full launch

#!/bin/sh
sleep 50
ethIf=wlan0
ethDrv=cf8385
ethDrv2=cfio
address=10.1.1.2
netmask=255.0.0.0
modprobe $ethDrv 2>/dev/null
iwconfig $ethIf mode Ad-Hoc
iwconfig $ethIf essid "iLiad"
ifconfig $ethIf > /dev/null
ifconfig $ethIf up address $address netmask $netmask
route add default gw 10.0.0.60
sleep 3
echo `date` > /opt/content/books/dbdate.txt
iwconfig > /opt/content/books/iwconfig.txt
ifconfig > /opt/content/books/ifconfig.txt
route > /opt/content/books/routes.txt
sleep 5
/tmp/dropbear -d /tmp/dropbear_dss_host_key -r /tmp/dropbear_rsa_host_key


Note I have put a delay of 50 seconds. This is because I need time to abort the "searching" well before starting to bring up the wireless interface. So I press the button, I abort after 10 seconds going to the main menu of the iLiad, I wait the other 40 seconds, and I can connect. In the Nokia it is even easier, just create an adhoc connection using the menus, and specifying the same netmask blablablah... I am starting the Nokia before the iLiad, so I can check that iwconfig.txt gets to hang from the same cell.

The Xwindows access is also fine. I have gnuplot on the Nokia, so I do export DISPLAY=10.1.1.2:0; gnuplot and then for instance plot sin(x) and yes, it appears (with manual updating of the screen, well). Fine. I am going to get LaTeX on the Nokia and I can see the output on the iLiad.

AdHoc is a great thing because you do not need to rely on a common AccessPoint. Plus, the iLiad has ethernet (the Nokia has not) and the Nokia has bluetooth (the iLiad not), so it is sort of synergetic, and the same with the memory cards.

scotty1024
10-22-2006, 12:43 AM
Wow, it's like a real Unix or something. :)

root@ereader:/media/card# ls

Broadcast message from root (Sun Oct 22 05:40:35 2006):

The system is going down for system halt NOW!
Connection to 10.0.1.3 closed by remote host.
Connection to 10.0.1.3 closed.

Results of sliding the power switch in the middle of a session.

BTW don't be cd'd to /mnt/card and pull the card out, I knew better but in the excitement, I forgot. :o

Antartica
10-22-2006, 05:42 AM
eeek. that was quick :sad2:

guess we'll have to keep working on an IDS-based exploit. I wonder if they also closed off the Xserver?

Sorry, it seems that it was my fault (the only explanation I can find is that the four times I tried it I must have misspelled something). I've tried it today after sleeping something more reasonable than the other day and it still works. Phew!

Antartica
10-22-2006, 05:44 AM
As far as I can tell 2.7 is unchanged since its initial release.
Yep, it is unchanged. I've compared the wireless.sh and they're identical. My fault...

arivero
10-22-2006, 08:01 AM
I am afraid this could be a kind of bug:


cp /opt/content/books/id_rsa.pub /home/root/.ssh/authorized_keys


Meaning that, if the filesystem does not remove the previous file, we are wasting 4 Kbytes of storage space each time we activate dropbear. If it is so, one should remove that line after gaining access, or at least use a conditional if [ ! -e ... ];then instead. I'd suggest the former.

Mike Kostousov
10-22-2006, 06:27 PM
Yes. I don't think the system will waste 4KB, but checking first is a good way of copying the key. But the best would be to check for the existence of authorized_keys and, if it exists, to check that it doesn't already contain id_rsa.pub, etc. But it was a quick way :)
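
A way to do the check that arivero and Mike describe above (create the directory if missing, and only append the key when authorized_keys does not already contain it), as an added example that is not from this thread; the function name, the return codes, the restrictive modes and the sample key in the comments are assumptions, not iLiad specifics:

```shell
#!/bin/sh
# Added example, not from the thread: install a public key into
# authorized_keys only if it is not already there, so re-running the
# activation script neither duplicates the key nor wastes storage.
# Usage: install_pubkey <id_rsa.pub> <authorized_keys>
# Returns 0 if the key was appended, 1 if it was already present,
# 2 if the input is unreadable or not an ssh-rsa/ssh-dss key.
install_pubkey() {
    pub="$1"
    auth="$2"
    [ -r "$pub" ] || { echo "install_pubkey: cannot read $pub" >&2; return 2; }
    # An OpenSSH public key is one line: "<type> <base64 blob> [comment]".
    keyline=$(head -n 1 "$pub")
    case "$keyline" in
        ssh-rsa\ *|ssh-dss\ *) ;;
        *) echo "install_pubkey: $pub is not an ssh-rsa/ssh-dss public key" >&2
           return 2 ;;
    esac
    dir=$(dirname "$auth")
    # sshd and dropbear refuse keys from group- or world-writable dirs/files,
    # so create them with restrictive modes (0700 dir, 0600 file).
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 2
    # Compare type + blob only, so the same key with a different trailing
    # comment does not produce a second entry.
    blob=$(printf '%s\n' "$keyline" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        return 1
    fi
    printf '%s\n' "$keyline" >> "$auth"
    return 0
}
```

In a.sh this replaces the unconditional cp with `install_pubkey /opt/content/books/id_rsa.pub /home/root/.ssh/authorized_keys`, which is safe to run on every activation.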

scotty1024
10-22-2006, 08:14 PM
Yes. I don't think the system will waste 4KB, but checking first is a good way of copying the key. But the best would be to check for the existence of authorized_keys and, if it exists, to check that it doesn't already contain id_rsa.pub, etc. But it was a quick way :)

Your way works and isn't wasting 4kb.

Did you know scp isn't working? dropbear needs an scp handler to actually do inbound scp...

arivero
10-23-2006, 07:14 AM
Your way works and isn't wasting 4kb.
I confirm this, after some reading of the chip + driver specifications (it is not an open source driver, but it is a very popular one)

RibRdb2
10-24-2006, 01:05 PM
It sounds like the 2.7.1 patch disables the exploit for the network key. Can anyone confirm this?

TadW
10-25-2006, 02:49 AM
It sounds like the 2.7.1 patch disables the exploit for the network key. Can anyone confirm this?
Yes, pretty sure it does. Perhaps it's better to wait with the upgrade until someone has posted a way to regain root access.

Security Fixes

* Security fix for Xserver leak
* Security fix for leak in Profiles

Henry Loenwind
11-01-2006, 07:49 AM
Here's another set of scripts that can make your life easier. This also works as a first time setup (2.7 only).

Note: This is using the startup.sh hook from I survived 2.7.1 (http://www.mobileread.com/forums/showthread.php?t=8243) and the dropbear.tar from earlier in this thread.


(1) Attach your iLiad to your PC. Put the content of the dropbear.tar into the root directory, "F:\" or whatever it is on your PC.

(2) Create a file named "startup.sh" and put it there, too. Content:

#!/bin/sh
# ATTN: Changing this script can brick your iLiad
cp /mnt/free/daemon.sh /tmp/daemon.sh
chmod 755 /tmp/daemon.sh
/tmp/daemon.sh &

(3) Create a file named "daemon.sh" and put it there, too. Content:

#!/bin/sh
if [ ! -d /home/root/.ssh ];then
mkdir /home/root/.ssh
fi
if [ ! -f /home/root/.ssh/authorized_keys ];then
cp /mnt/free/id_rsa.pub /home/root/.ssh/authorized_keys
fi
if [ ! -x /tmp/dropbear ];then
cp /mnt/free/dropbear /tmp
chmod 755 /tmp/dropbear
fi
if [ ! -x /tmp/dropbearkey ];then
cp /mnt/free/dropbearkey /tmp
chmod 755 /tmp/dropbearkey
fi
if [ ! -f /mnt/free/dropbear_dss_host_key ];then
/tmp/dropbearkey -t dss -f /mnt/free/dropbear_dss_host_key
fi
if [ ! -e /mnt/free/dropbear_rsa_host_key ];then
/tmp/dropbearkey -t rsa -f /mnt/free/dropbear_rsa_host_key
fi

touch /mnt/free/newspapers/del_to_start_network.txt
while [ 1 ]
do
sleep 30
if [ ! -e /mnt/free/newspapers/del_to_start_network.txt ];then
touch /mnt/free/newspapers/del_to_start_network.txt
/usr/bin/wired.sh start dhcp
sleep 5
/usr/bin/killall dropbear
/tmp/dropbear -d /mnt/free/dropbear_dss_host_key -r /mnt/free/dropbear_rsa_host_key
fi
done

(4) Put your id_rsa.pub there, too. You need to pull it from your ssh client. If you don't know how, you'd better abort here.

(5) Disconnect your iLiad from your PC and connect it to your LAN instead.

(6) Now on the iLiad; start creating a new connection profile. Choose a WEP protected wireless connection. Name and SID don't matter. When you are asked for the WEP key enter this:

`/bin/sh /mnt/free/startup.sh`

(7) Press test. The iLiad should now display "Searching"; if it displays "Unsuccessful" you made some mistake. Abort and retry from step 6 or step 1.

(8) While the iLiad is still "Searching", abort the creation of the connection profile. Don't save it, you won't need it anymore.

(9) Press the "NEWS" button. There should be a new file called "del_to_start_network.txt". Delete it. After 1 to 30 seconds, the network should become active. 5 seconds later the ssh daemon is started.

(10) Use ssh to connect to your iLiad.

(11) Create a new file "/etc/rc5.d/S99zWHATEVER" (where WHATEVER is whatever you want) and make it executable ("chmod 755 /etc/rc5.d/S99zWHATEVER"). Put in the content from I survived 2.7.1 (http://www.mobileread.com/forums/showthread.php?t=8243). Content:

#!/bin/sh
# ATTN: Changing this script can brick your iLiad

if test -f /mnt/card/startup.sh
then
/bin/sh /mnt/card/startup.sh
fi
if test -f /mnt/free/startup.sh
then
/bin/sh /mnt/free/startup.sh
fi

(12) Reboot your iLiad.

(13) Execute steps 9 and 10 again and notice that every time you delete that file, the wired network becomes active and the ssh daemon is started for you.

This should also survive the update to 2.7.1, and may survive 2.7.x, but it's unlikely it'll survive 2.8.
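
An integrity check worth putting in front of the copies in daemon.sh, as an added example that is not Henry's code: /mnt/free is the FAT volume any PC the iLiad is plugged into can rewrite, yet startup.sh runs whatever is there as root on every boot, so pin the md5 of each binary and refuse to stage a file that does not match. The function names, the placeholder checksums and the return codes are assumptions:

```shell
#!/bin/sh
# Added example, not Henry's script: checksum-gated staging of the dropbear
# binaries from /mnt/free into /tmp. The two values below are placeholders;
# replace them with the md5 of the binaries in your own dropbear.tar.
DROPBEAR_MD5="<md5 of your dropbear binary>"
DROPBEARKEY_MD5="<md5 of your dropbearkey binary>"

# stage_binary <source> <dest> <expected md5>
# Copies source to dest with mode 0755 only if its md5 matches.
# Returns 0 on success, 1 on mismatch (dest is left untouched),
# 2 if the source file is missing.
stage_binary() {
    src="$1"; dst="$2"; want="$3"
    [ -f "$src" ] || { echo "stage_binary: $src missing" >&2; return 2; }
    got=$(md5sum "$src" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "stage_binary: refusing $src (md5 $got, expected $want)" >&2
        return 1
    fi
    cp "$src" "$dst" && chmod 755 "$dst"
}

# stage_dropbear <source dir> <dest dir>
# Stages both binaries; the first failure aborts before anything is run.
stage_dropbear() {
    stage_binary "$1/dropbear" "$2/dropbear" "$DROPBEAR_MD5" || return $?
    stage_binary "$1/dropbearkey" "$2/dropbearkey" "$DROPBEARKEY_MD5" || return $?
}
```

In daemon.sh, `stage_dropbear /mnt/free /tmp || exit 1` would replace the two unconditional cp/chmod blocks, so a swapped binary on the card is never started with root privileges.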

scotty1024
11-01-2006, 10:02 AM
@Henry Loenwind

An elegant piece of work and excellent documentation. Well done!

That said, everyone needs to keep in mind that if you crash your iLiad's boot sequence (er_registery accident, or whatever) this boot up won't work as you won't be able to remove the lock file.

But for everyday access to launch dropbear and let you in, an elegant solution.

Remember, let's be safe out there.

Henry Loenwind
11-01-2006, 10:29 AM
That said, everyone needs to keep in mind that if you crash your iLiad's boot sequence (er_registery accident, or whatever) this boot up won't work as you won't be able to remove the lock file.

Uh, thanks for that remark, it reminded me about 2 little flaws (/mnt/FREE and chmod +x) with step 11. I updated my howto and added the /mnt/card safeguard.

---

Also, someone asked how to install ipdf?

cp /mnt/free/ipdf /usr/bin/
mv /usr/bin/xpdf /usr/bin/xpdf.original
ln -s /usr/bin/ipdf /usr/bin/xpdf

---

Problems with step 11? Create the file on your PC, put it onto the iLiad together with the other script file, then type in the following on the iLiad's command line:

cp /mnt/free/S99zWHATEVER /etc/rc5.d/
chmod 755 /etc/rc5.d/S99zWHATEVER

scotty1024
11-05-2006, 02:19 AM
#!/bin/sh

if test -f /mnt/free/startup.sh
then
/bin/sh /mnt/free/startup.sh
fi
if test -f /mnt/card/startup.sh
then
/bin/sh /mnt/card/startup.sh
fi


Since your script never exits you need to add a &:

#!/bin/sh

if test -f /mnt/free/startup.sh
then
/bin/sh /mnt/free/startup.sh &
fi
if test -f /mnt/card/startup.sh
then
/bin/sh /mnt/card/startup.sh
fi

Otherwise the rc script hangs.

Henry Loenwind
11-05-2006, 08:29 AM
Since your script never exits you need to add a &:

That's already at the end of the startup.sh. But changing to sourcing would be an enhancement here, no need to start a new process for cp+chmod...

(The daemon.sh is the one that's not exiting. I copy that to /tmp so it won't run from a file system that will be unmounted.)

Edit: But I found it makes more sense to check for a startup.sh on the card first, in case the startup.sh in the internal memory was corrupted (bad edit or so). Changed the script and added a warning on the "dangerous" scripts.

narve
11-26-2006, 03:31 PM
First: After the .sh extension, much of this is unnecessary. I've created a launcher that launches dropbear (and starts wlan while at it). This is way safer -- no risk of bricking your iliad (at least as far as I know), and better for battery life and security because you don't start dropbear until you are going to use it. If anyone is interested, I can post it here. But first I have to get it working, which leads nicely to the second paragraph:

I can't log in. I get "Server refused our key". I've generated a 1024 bit RSA key using Putty (yes, I'm a Windows luser), saved it where it should be etc. Everything seems to be in order, but I still can't log in...

Can anyone help me out here? What kind of key do you need to generate? DSA? RSA? Different bit length? Dropbear specific files?

narve
11-26-2006, 03:49 PM
Can anyone help me out here? What kind of key do you need to generate? DSA? RSA? Different bit length? Dropbear specific files?

Found the problem: Occasionally, the /mnt/free filesystem is mounted read-only. In a weird way, so Windows says the file is saved or deleted, but when I refresh the view the file is not deleted and the file contents haven't been changed. When I start the terminal, I cannot change the file I was editing because the fs is mounted read-only. I can (it seems) create new files, but not change the existing ones. Even if I delete a file X, I cannot create a new file called X afterwards... this is very strange. But it could be caused by an unclean un-mount, perhaps I had a read-lock on one of the files when I plugged the USB cable.

So my key file had wrong contents... Will try again tomorrow, out of battery now :)


Anyone else have similar problems with unclean USB disconnections? Or is everybody but me either using Linux or disconnecting properly (disconnect hardware wizard etc... which I never use -- haven't seen this problem before)?