09-10-2009, 01:01 PM   #23
RyeBrye (Member, Posts: 14, Join Date: Sep 2009, Device: PRS-600)

Quote:
Originally Posted by igorsk
The hash is not new, it was already used in the first firmware update for PRS-500. It's an RSA signature checked at device side against a hardcoded public key. However, the firmware images themselves (cramfs.Rootfs.img) were not encrypted; you could see "Compressed ROMFS" text in the binary.
We don't know what they use for PRS-600, I suspect some AES variant.
The firmware updater code is Sony's own, not GPL, so it's not included in the public sources.
Interesting.

I just bought one of these (PRS-600) for my wife. I'm not sure how much face time I will get with it once I give it to her for her birthday tomorrow, but I'm definitely motivated to hack this baby just on principle alone.

Is there a place to go to discuss hacking these things? I see there is a lightly trafficked #mobileread chan on freenode - is that a good place to go talk specifics and start banging on this thing?

I'm mostly interested in getting an understanding of what is known about this device and then figuring out a plan of attack. If the updates have been signed with a key and verified on the device before, I'm interested in how that was worked around before (did you find a way to replace the public key it was checking against on the device?) - also interested if you have any way to execute arbitrary code on these things.

One more question - there are "updates" but how about "downgrades" to these devices?

I'm guessing that the recent patch probably contains a fix to the null pointer dereference bug discovered in August - but if we have a way to execute unprivileged code on the device and a way to downgrade to a version with a kernel produced prior to August 11th or so, we might be able to poke a hole in the security layer on the device very easily by running whatever we want as root. (Although I guess this kernel might be stripped down and not have any of the vulnerable options in it - since I know we are using the Bluetooth module on the Android one to poke through it... not sure which other modules might be vulnerable, but there is at least one or two more.)

I'm definitely new to these devices, my most recent forays have been in the Android world where we just used that same kernel bug to create a "one click root" app to 'root' or 'jailbreak' the phone in one click.

I don't know what kernel version it is running (is there a way to check?) - but I see that after the update it has 1.0.01.08040 as a prefix - perhaps for August 4th being the date of the software that it is running?? (I don't know their version numbering strategies, 08040 could just be a build number).

If you pop onto freenode, drop me a pm and we can discuss a plan of attack - I go by RyeBrye there.

Last edited by RyeBrye; 09-10-2009 at 01:07 PM. Reason: updating
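The scheme igorsk describes in the quoted post (an RSA signature over the update image, checked on the device against a hardcoded public key, with the cramfs image itself left in the clear) and RyeBrye's "downgrade" question both come down to what the device-side check actually enforces. The following is an added example, not Sony's updater code and not from the thread: a self-contained PKCS#1 v1.5 RSA signer/verifier, a constructed update container (version word, payload, trailing signature), a check for whether a payload is a plaintext cramfs image (magic 0x28cd3d45 at offset 0 and "Compressed ROMFS" at offset 16, which is what makes that string visible in an unencrypted image), and a device-side acceptance routine. The minimum-version rule in device_accept_update is an assumed anti-rollback policy added to illustrate why a signature alone does not stop downgrades; the post does not say the PRS-600 does this. The container layout, function names and the sample image bytes are all constructed for this example.

```python
"""Added example: device-side check of a signed firmware update.

Models the scheme described in the thread (RSA signature verified against a
public key baked into the device, image in the clear) plus one assumed
anti-rollback rule. Not Sony's code; all formats and sample data constructed.
"""
import hashlib
import hmac
import secrets
import struct

# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
CRAMFS_MAGIC = 0x28CD3D45  # cramfs superblock magic, stored little-endian


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin with a small-prime sieve."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Returns ((n, e), (n, d)); only (n, e) would ever be on the device."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _emsa_pkcs1_v15(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) into k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this encoding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def rsa_sign(data, private):
    n, d = private
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def rsa_verify(data, signature, public):
    """Verify by re-encoding and constant-time comparison (no parsing of EM)."""
    n, e = public
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(data, k))


# Constructed update container: [u32 version, big-endian][payload][signature]
def build_update(version, payload, private):
    body = struct.pack(">I", version) + payload
    return body + rsa_sign(body, private)


def looks_like_plain_cramfs(payload):
    """True if a cramfs superblock is visible in the clear at the start of payload."""
    return (len(payload) >= 32
            and struct.unpack("<I", payload[:4])[0] == CRAMFS_MAGIC
            and payload[16:32] == b"Compressed ROMFS")


def device_accept_update(update, public, installed_version):
    """Device-side check: signature first, then the assumed anti-rollback rule."""
    n, _ = public
    k = (n.bit_length() + 7) // 8
    if len(update) < 4 + k:
        return "malformed"
    body, sig = update[:-k], update[-k:]
    if not rsa_verify(body, sig, public):
        return "bad signature"
    if struct.unpack(">I", body[:4])[0] < installed_version:
        return "rollback rejected"
    return "ok"


def constructed_image():
    """Fake cramfs-like payload (superblock fields plus filler); not a real image."""
    header = struct.pack("<IIII", CRAMFS_MAGIC, 4096, 0, 0) + b"Compressed ROMFS"
    return header + b"\x00" * (4096 - len(header))


def demo():
    public, private = generate_keypair()
    image = constructed_image()
    good = build_update(2, image, private)
    tampered = bytearray(good)
    tampered[40] ^= 0x01                      # one bit flipped inside the payload
    older = build_update(1, image, private)   # validly signed but older version
    unsigned = struct.pack(">I", 3) + image + b"\x00" * 128
    return {
        "plain_cramfs": looks_like_plain_cramfs(image),
        "genuine": device_accept_update(good, public, installed_version=1),
        "tampered": device_accept_update(bytes(tampered), public, 1),
        "downgrade": device_accept_update(older, public, 2),
        "unsigned": device_accept_update(unsigned, public, 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>13}: {result}")
```

Two points the run makes concrete: a valid signature says nothing about the version, so a correctly signed older image passes the signature check and is only stopped by the separate rollback rule; and because the payload is not encrypted, anyone holding the update file can read the superblock strings, which is exactly what igorsk observed, without the private signing key being exposed in any way.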