I managed to root my Vox with the June firmware without opening the case. It's actually easier to just open the case and make changes to the internal card, which is what I did the first time, but I decided to figure this out after it factory reset on me and removed my root.
Here are the important bits:
- The factory reset file, recovery_backup_signed.zip, is in fact, not signed.
- The factory reset firmware version is vulnerable to Gingerbreak
- The same version of firmware downloaded from Kobo appears to give ADB root access, anyway
- The initial firmware version check is vulnerable to spoofing
- A factory reset can be forced by causing five failed boots in a row
First, the Vox retrieves the firmwares in 1MB chunks from http://download.kobobooks.com/vox/images/<build id>/xnnn
is a three-digit number from 000 to the highest chunk (166, in the case of the June firmware). So the first chunk of the current firmware is at http://download.kobobooks.com/vox/im...04.161216/x000
and the last one is at x166.
When you have them all downloaded, they can be concatenated into a signed update.zip that can be sideloaded.
For the moment, a firmware from November, 2011 can be retrieved from http://download.kobobooks.com/vox/im...539.40022/x000
through x122. This firmware can be sideloaded as well and seems to allow root access with ADB, so you probably won't even need Gingerbreak. If you plan on downloading this, I'd recommend doing it soon. People from Kobo read this forum and I wouldn't expect it to remain available for too long.
The setup and firmware update apps check the version by retrieving http://download.kobobooks.com/vox/im...ackageinfo.txt
. If you can cause the setup app to retrieve a file with the same version as what's running, it won't force the download.
Reverting to an older firmware by sideloading (putting "update.zip" on a memory card and powering on the Vox) causes the book animation to keep looping rather than completing the boot. This appears intentional. I've found that to go to an older version, you have to force a factory reset and then insert the memory card with the update before the reset completes. It will do the factory reset and then immediately do the update from the memory card.
Here's a brief rundown of the steps I took:
Set up a wireless access point with a web server that serves a modified packageinfo.txt. Recent versions of Windows make this (relatively) easy. I downloaded Apache and set it up with vox/images/packageinfo.txt in htdocs. Change the version in packageinfo.txt to eng.CAN.20111117.182539.40022 and start the web server. Then I added an entry to Windows\system32\drivers\etc\hosts to point download.kobobooks.com to my computer's IP address. Follow the directions here
to create a virtual access point.
Put the update.zip for the old firmware on a memory card (but don't put it into your Vox yet). Force a factory reset by aborting the boot five times: turn on your Vox and when the book-flipping animation starts (accompanied by the terrible boot audio), hold down the power button until the power flips off. Repeat. On the sixth boot, you'll get the "something's wrong" message and it will start the update. Put the memory card in now. Let it complete both updates.
When the Vox reboots, go through the "get started" bit, selecting your virtual AP. If the hosts file and web server are set up correctly, the Vox should check the version and immediately go to setting up your Kobo account. After doing that, turn on USB debug access in "Manage Applications".
To get your new factory update, take the recent firmware update.zip and unzip it. Use Linux to mount system.img read/write as ext4. Download "su" and "Superuser.apk" from here
. Put "su" in bin and do a "chmod u+s su". Put Superuser.apk in app. While you're at it, you might want to remove some of the bloatware, but be careful about chopping too much (I had to do this a few times because I got overzealous). Unmount the image and then zip the update directory back up. This will be your recovery file. Copy it to your memory card as recovery_backup_signed.zip.
Connect the USB cable and run an ADB shell. You should see the "#" prompt, but if you don't for some reason, you can run Gingerbreak. Create a directory to mount the recovery partition. I made one at /data/temp. "mount -t ext4 /dev/block/mmcblk0p2 /data/temp"
cat /mnt/extsd/recovery_backup_signed.zip > ./recovery_backup_signed.zip
If the update.zip file is still on the memory card, either delete or rename it.
Now exit the shell. Power down the Vox, force the factory reset again and let it complete. After going through the startup process again, you should have the superuser app listed in your apps. Furthermore, from here on out, any factory reset should put you back here.
As a final caveat, if you screw up too badly, you may still have to remove the internal card and restore your backup. You made a backup first, right? You could also skip most of the above by opening your vox and just putting the new recovery image in the recovery partition on the memory card, knowing that you'll only have to open it once.