09-10-2009, 03:37 PM | #1 |
Member
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
Hacking on the PRS-600 - can you run arbitrary code?
Is there a mechanism where I can make the device run arbitrary native compiled code?
I see references to autorun.xml and autorun.js, and I see in the PRS600 service manual that it references this file (so presumably any autorun.xml method that works on previous devices would work on this one). Can the autorun.xml / js just call XML and JavaScript files, or can I call it and have it execute compiled code? I'm looking into poking holes in the kernel to root my device and go from there. (Well... when I say "my device" I actually mean "my wife's device": I got it for her birthday, so tomorrow I'll have to hand it over to her, and I'm not sure how much time I will get with it after that.)

If someone can point me to info on how to run native code on it, I will see what I can do to help hack these devices. If I can get root access on the device through a kernel exploit, I'm not at all worried about any encryption they might have on the update images, since once I dump the firmware of the device I'll be able to easily extract the keys that it uses anyway. But... the first step is being able to even run any code that might make use of an exploit.
09-10-2009, 05:07 PM | #2 |
Groupie
Posts: 164
Karma: 462
Join Date: Nov 2008
Location: Buenos Aires, Argentina
Device: PRS-700BC
Hello RyeBrye
As far as we know there haven't been any updates on the hacking of Sony's new units. Try asking around the 505 Dev Corner; I believe Igorsk is the person you are looking for. Cheers
09-10-2009, 09:42 PM | #3 | |
Fanatic
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
The best hope is to take the unit apart, find the serial port, hook up a Serial-TTL cable...
09-10-2009, 10:07 PM | #4 | |
Member
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
I'd have this thing opened in a heartbeat looking for the serial console if I didn't have to give it to my wife tomorrow for her birthday. Maybe I'll get another one for myself.

Last edited by RyeBrye; 09-10-2009 at 10:11 PM.
09-12-2009, 12:52 PM | #5 |
Groupie
Posts: 184
Karma: 300001
Join Date: May 2009
Device: 505
I don't think you have to solder the console on to it, I think people simply forgot to press the key sequence when inserting the SD card. Please try running one of the scripts for the older models on the 600.
09-14-2009, 06:52 PM | #6 |
Member
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
I think there may have been PEBKAC before: if you hold down Home + Volume while inserting the SD card with an autorun.xml in the proper place, it will load into test mode.

http://twitgoo.com/3bry1

I also learned that if you insert an SD card that has ext2 partitions on it (I use the card for other things) in addition to a FAT-32 partition, the phone will just keep rebooting itself.
09-14-2009, 11:43 PM | #7 |
Member
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
It doesn't seem to do anything with the CONTENTS of said XML file.

Anyone want to provide me with a dump of the firmware of the 600? Probably will need to use a serial console. I'll need to pore over the image and see a few things:
1. what kind of encryption is used on the images;
2. what key is used to decrypt it;
3. if there is something about the autorun.xml that needs to be done differently to run commands from it.

My wife won't let me take hers apart. If we want to wait until October to hack these things, I suppose I could get one too.
09-15-2009, 12:19 PM | #8 |
Member
Posts: 12
Karma: 96
Join Date: Apr 2009
Device: PRS-600
Hi RyeBrye, I opened mine. You can take a look at mainboard pictures here: https://www.mobileread.com/forums/sho...d.php?p=588443

There is some kind of test connector similar to or the same as on the PRS-505 from Igorsk's pictures, but the pads are so small I would be very scared to solder anything to them. But maybe you could take a look at cramfs.Rootfs.img from the firmware upgrade; it seems it contains the whole system, and the second partition (or first, probably) is the kernel (raw.Linux.img). I'm not familiar yet with the system used by Sony to update firmware, but in my opinion it is just flashing those 2 files to their respective partitions. I was trying to mount the cramfs file but Ubuntu refused, giving me the dmesg output "wrong magic". I compiled my own kernel with cramfs support but the effect was the same; it is probably encrypted in some way. Any thoughts on how to decrypt it? I tried autorun.xml and was only able to get the same test mode screen.
09-15-2009, 12:34 PM | #9 |
Wizard
Posts: 3,442
Karma: 300001
Join Date: Sep 2006
Location: Belgium
Device: PRS-500/505/700, Kindle, Cybook Gen3, Words Gear
The images in the PRS-600 updater are encrypted with an unknown key (and no, they're not decrypted before sending to the Reader).

You can use two needles to connect wires: on the PRS-500 and 505, Tx was pin 6 (third in the top row) and Rx was pin 7 (fourth in the bottom row).
09-15-2009, 12:43 PM | #10 | |
Fanatic
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
The images are encrypted by some algorithm, probably Cipher Block Chaining AES or DES. It would be possible to decode if we had access to the unencrypted images, and could pull the encryption keys out of them. Our best hope for any solution right now is that someone will find a way to dump the image out of flash: hopefully via serial port entry, by command line tools; if that doesn't work, by unsoldering the flash chip off the board and reading its contents with a flash burner. I don't think there is an easy autorun entry to be found. Perhaps someone will find it; that will be great. Otherwise we will wait for some new information.
09-15-2009, 03:12 PM | #11 |
Member
Posts: 12
Karma: 96
Join Date: Apr 2009
Device: PRS-600
|
You confirm what I thought about those files. I can try to connect to the serial lines using Igorsk's method, but I don't have a serial-to-USB cable at the moment; I'll need to buy one. Probably a cable for connecting a mobile phone will do fine. I was checking what I have at home, but all I have are ordinary USB cables without any converters inside. Do you know what make or model I should be looking for? About the connection: is it simple 8N1 115200 or something exotic? Finally, is copying the contents of the system partition a simple cp * or does it require a different approach? What commands are built in? Is busybox inside?
09-15-2009, 04:25 PM | #12 |
Fanatic
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
09-15-2009, 04:49 PM | #13 |
Member
Posts: 12
Karma: 96
Join Date: Apr 2009
Device: PRS-600
|
I need something on USB; sadly I don't have a computer with RS-232 anymore. I still have somewhere a similar TTL module I made myself using a max2323 years ago, but it won't be helpful this time.
09-15-2009, 05:04 PM | #14 |
Wizard
Posts: 3,442
Karma: 300001
Join Date: Sep 2006
Location: Belgium
Device: PRS-500/505/700, Kindle, Cybook Gen3, Words Gear
There are many USB-TTL converters on eBay. A phone cable will likely work, as long as it's not one of the new phones with a mini-USB socket.
09-15-2009, 08:41 PM | #15 | |
Member
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
/bin/cp /dev/mtd0 your-sd-card/mtd0.img
/bin/cp /dev/mtd2 your-sd-card/mtd1.img

busybox appears to be inside. If for some reason cp doesn't work, you can use dd (if dd is there).