Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Sony Reader

Notices

Reply
 
Thread Tools Search this Thread
Old 09-10-2009, 03:37 PM   #1
RyeBrye
Member
RyeBrye began at the beginning.
 
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
Hacking on the PRS-600 - can you run arbitrary code?

Is there a mechanism where I can make the device run arbitrary native compiled code?

I see references to autorun.xml and autorun.js - and I see in the PRS600 service manual it references this file (so presumably any Autorun.xml method that works on previous devices would work on this one)

Can the autorun.xml / js just call xml and javascript files or can I call it and have it execute compiled code?

I'm looking into poking holes in the kernel to root my device and go from there. (Well... when I say "my device" - I actually mean "my wife's device" - I got it for her birthday so tomorrow I'll have to hand it over to her and I'm not sure how much time I will get with it after that).

If someone can point me to info on how to run native code on it, I will see what I can do to help hack these devices. If I can get root access on the device through a kernel exploit, I'm not at all worried about any encryption they might have on the update images since once I dump the firmware of the device I'll be able to easily extract the keys that it uses anyway.

but... the first step is being able to even run any code that might make use of an exploit.
RyeBrye is offline   Reply With Quote
Old 09-10-2009, 05:07 PM   #2
el.astrologo
Groupie
el.astrologo has a complete set of Star Wars action figures.el.astrologo has a complete set of Star Wars action figures.el.astrologo has a complete set of Star Wars action figures.el.astrologo has a complete set of Star Wars action figures.el.astrologo has a complete set of Star Wars action figures.
 
el.astrologo's Avatar
 
Posts: 164
Karma: 462
Join Date: Nov 2008
Location: Buenos Aires, Argentina
Device: PRS-700BC
Hello RyeBrye

As far as we know there hasn't been any updates on the hacking of Sony's new units. Try asking around the 505 Dev Corner, I believe Igorsk is the person you are looking for.

Cheers
el.astrologo is offline   Reply With Quote
Old 09-10-2009, 09:42 PM   #3
porkupan
Fanatic
porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.
 
porkupan's Avatar
 
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
Quote:
Originally Posted by RyeBrye View Post
I see references to autorun.xml and autorun.js - and I see in the PRS600 service manual it references this file (so presumably any Autorun.xml method that works on previous devices would work on this one)

Can the autorun.xml / js just call xml and javascript files or can I call it and have it execute compiled code?
So far the autorun doesn't appear to work at all on PRS-600. The device ignores autorun.xml. Perhaps some signature or some other means of identification is required to enable the autorun to execute. We just don't know at this point.

The best hope is to take the unit apart, find the serial port, hook up a Serial-TTL cable...
porkupan is offline   Reply With Quote
Old 09-10-2009, 10:07 PM   #4
RyeBrye
Member
RyeBrye began at the beginning.
 
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
Quote:
Originally Posted by porkupan View Post
So far the autorun doesn't appear to work at all on PRS-600. The device ignores autorun.xml. Perhaps some signature or some other means of identification is required to enable the autorun to execute. We just don't know at this point.

The best hope is to take the unit apart, find the serial port, hook up a Serial-TTL cable...
The service manual definitely mentions using an Autorun.xml to get at it. But apparently the contents of it have changed. There is also a sequence of buttons you have to press while loading thatit mentions.

I'd have this thing opened in a heartbeat looking for the serial console if I didn't have to give it to my wife tomorrow for her birthday. maybe I'll get another one for myself.

Last edited by RyeBrye; 09-10-2009 at 10:11 PM.
RyeBrye is offline   Reply With Quote
Old 09-12-2009, 12:52 PM   #5
Who are you?
Groupie
Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.Who are you? ought to be getting tired of karma fortunes by now.
 
Who are you?'s Avatar
 
Posts: 184
Karma: 300001
Join Date: May 2009
Device: 505
I don't think you have to solder the console on to it, I think people simply forgot to press the key sequence when inserting the SD card. Please try running one of the scripts for the older models on the 600.
Who are you? is offline   Reply With Quote
Old 09-14-2009, 06:52 PM   #6
RyeBrye
Member
RyeBrye began at the beginning.
 
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
I think there may have been pebcar before - if you hold done home + volume while inserting the SD card with an autorun.xml in the proper place it will load into test mode.

http://twitgoo.com/3bry1

I also learned that if you insert an SD Card that has ext2 partitions on it (I use the card for other things) in addition to a FAT-32 partition, the phone will just keep rebooting itself.
RyeBrye is offline   Reply With Quote
Old 09-14-2009, 11:43 PM   #7
RyeBrye
Member
RyeBrye began at the beginning.
 
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
It doesn't seem to do anything with the CONTENTS of said xml file.

Anyone want to provide me with a dump of the firmware of the 600? Probably will need to use a serial console.

I'll need to pour over the image and see a few things. 1: what kind of encryption is used on the images. 2: what key is used to decrypt it 3: if there is something about the autorun.xml that needs to be done differently to run commands from it.

My wife won't let me take hers apart. If we want to wait until october to hack these things, I suppose I could get one too.
RyeBrye is offline   Reply With Quote
Old 09-15-2009, 12:19 PM   #8
nrg
Member
nrg has learned how to buy an e-book online
 
Posts: 12
Karma: 96
Join Date: Apr 2009
Device: PRS-600
Hi RyeBrye I opened mine you can take a look on mainboard pictures here https://www.mobileread.com/forums/sho...d.php?p=588443
There is some kind of test connector similar or the same as on PRS-505 from Igorsk pictures but pads are so small I would be very scared to solder anything to them. But maybe you could take a look at cramfs.Rootfs.img from firmware upgrade it seams it contains whole system, second partion (or first probably) is kernel (raw.Linux.img). I'm not familiar yet with the system used by sony to update firmware but in my opinion it is just flashing those 2 files to their respective partitions. I was trying to mount cramfs file but ubuntu refused, giving me dmesg output wrong magic I compiled my own kernel with cramfs support but the effect was the same it is probably encrypted in some way. Any thoughts how to decrypt it?

I tryed autorun.xml and now I was only able to get same test mode screen.
nrg is offline   Reply With Quote
Old 09-15-2009, 12:34 PM   #9
igorsk
Wizard
igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.
 
Posts: 3,442
Karma: 300001
Join Date: Sep 2006
Location: Belgium
Device: PRS-500/505/700, Kindle, Cybook Gen3, Words Gear
The images in PRS-600 updater are encrypted with unknown key (and no, they're not decrypted before sending to Reader).
You can use two needles to connect wires:

On PRS-500 and 505 Tx was pin 6 (third in the top row) and Rx was pin 7 (fourth in the bottom row).
igorsk is offline   Reply With Quote
Old 09-15-2009, 12:43 PM   #10
porkupan
Fanatic
porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.
 
porkupan's Avatar
 
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
Quote:
Originally Posted by nrg View Post
I was trying to mount cramfs file but ubuntu refused, giving me dmesg output wrong magic I compiled my own kernel with cramfs support but the effect was the same it is probably encrypted in some way. Any thoughts how to decrypt it?

I tryed autorun.xml and now I was only able to get same test mode screen.
These are NOT cramfs images - these are encrypted cramfs images. Before you try to mount them on your system (or just open them with cramfsck) you need to decrypt them. And that's where the crux of the matter is.

The images are encrypted by some algorithm, probably a Cypher Block Chaining AES or DES. It would be possible to decode if we had access to the unencrypted images, and could pull the encryption keys out of them.

Our best hope for any solution right now is that someone will find a way to dump the image out of flash - hopefully via serial port entry, by command line tools; if that doesn't work - by unsoldering the flash chip off the board and reading its contents with a flash burner.

I don't think there is an easy autorun entry to be found. Perhaps someone will find it - that will be great. Otherwise we will wait for some new information.
porkupan is offline   Reply With Quote
Old 09-15-2009, 03:12 PM   #11
nrg
Member
nrg has learned how to buy an e-book online
 
Posts: 12
Karma: 96
Join Date: Apr 2009
Device: PRS-600
You confirm what I thought about those files, I can try to connect to serial lines using Igorsk method but I don't have serial to usb cable at the moment, I'll need to buy one. Probably cable for connecting mobile phone will do fine, I was checking what I have at home but all I have is ordinary usb cables without any converters inside. Do you know for what make or model should I be looking for? About the connection is is simple 8N1 115200 or something exotic? Finally is copying contents of system partition simple cp * or requires different approach? What commands are built in, is busybox inside?
nrg is offline   Reply With Quote
Old 09-15-2009, 04:25 PM   #12
porkupan
Fanatic
porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.
 
porkupan's Avatar
 
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
I think it may be easier to get something like this.

115200, 8, 1, N, None
porkupan is offline   Reply With Quote
Old 09-15-2009, 04:49 PM   #13
nrg
Member
nrg has learned how to buy an e-book online
 
Posts: 12
Karma: 96
Join Date: Apr 2009
Device: PRS-600
I need something on usb, sadly I don't have a computer with rs-232 anymore I still have somewhere similar ttl module I made myself using max2323 years ago but it wont be helpful this time.
nrg is offline   Reply With Quote
Old 09-15-2009, 05:04 PM   #14
igorsk
Wizard
igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.igorsk ought to be getting tired of karma fortunes by now.
 
Posts: 3,442
Karma: 300001
Join Date: Sep 2006
Location: Belgium
Device: PRS-500/505/700, Kindle, Cybook Gen3, Words Gear
There are many USB-TTL converters on ebay. A phone cable will likely work, as long as it's not one of the new phones with a mini-USB socket.
igorsk is offline   Reply With Quote
Old 09-15-2009, 08:41 PM   #15
RyeBrye
Member
RyeBrye began at the beginning.
 
Posts: 14
Karma: 10
Join Date: Sep 2009
Device: PRS-600
Quote:
Originally Posted by nrg View Post
You confirm what I thought about those files, I can try to connect to serial lines using Igorsk method but I don't have serial to usb cable at the moment, I'll need to buy one. Probably cable for connecting mobile phone will do fine, I was checking what I have at home but all I have is ordinary usb cables without any converters inside. Do you know for what make or model should I be looking for? About the connection is is simple 8N1 115200 or something exotic? Finally is copying contents of system partition simple cp * or requires different approach? What commands are built in, is busybox inside?
if the flash layout matches what I've seen for other devices,

/bin/cp /dev/mtd0 your-sd-card/mtd0.img
/bin/cp /dev/mtd2 your-sd-card/mtd1.img

busybox appears to be inside.

if for some reason cp doesn't work, you can use dd (if dd is there)
RyeBrye is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Hacking PRS-505... SeNS Sony Reader Dev Corner 25 12-20-2011 11:12 PM
PRS-600 Any news about hacking the new sony readers (600/300)?? pikoman Sony Reader 5 10-07-2009 09:18 AM
PRS-505 Hacking Guides SurgE Sony Reader Dev Corner 2 08-13-2008 08:54 PM


All times are GMT -4. The time now is 10:09 PM.


MobileRead.com is a privately owned, operated and funded community.