Old 07-03-2012, 10:42 AM   #1
peter64
Member
Posts: 11
Karma: 10
Join Date: Jul 2012
Device: PRS-G1
Sony PRS-G1

Hello,

I have purchased a PRS-G1 which is the newer PRS-T1 model that supports mobile internet in Japan. I was hoping to root it but I have read a number of threads and it appears this may not be possible.

A number of dead ends it would seem.
1) One user seems unable to dump the firmware and receives errors.
https://www.mobileread.com/forums/sho...154285&page=13

2) I thought I might be able to dump the firmware using the method described as part of the rescue and full backup restore described here.
http://translate.google.com/translat...hp%3Ft%3D23354

Then from the backups I might be able to get help from porkupan to make a hacked firmware as he said he might be able to do for the Japanese T1 version here. The problem is I don't think you can do a backup until you already have rooted the unit... And to root the unit you need to be able to connect with ebook_msc or be able to use an sd recover (which doesn't appear to be working for the PRS-G1, but please correct me if I'm wrong).
https://www.mobileread.com/forums/sho...&postcount=159

But upon further reading it appears that the T1 (both US and Japanese) do not use encryption whilst the T1 (Russian) and the G1 (Japanese) both use encryption. Perhaps even signed by a private key which I have no idea how to break. Although people seem to have rooted the Russian reader (does this imply the private key is not necessary to root the unit?)
https://www.mobileread.com/forums/sho...g1#post1950758

This left me altogether confused. I haven't yet unpackaged the unit from the box as I wanted to get all the files ready in case it turned out it wasn't possible to root the G1. It looks like only a few people have tried and they gave up or their questions were left unanswered. Anyways I'm happy to try any technique that's available to root the G1 if someone who has successfully rooted the Russian T1 is willing to guide me through the process of dumping the software contents, extracting encryption keys (should it be required), and building a recovery sd package.

I'm very new to all of this and willing to have a go at this if the odds of success are relatively high (say above 70%). If I don't hear back from anyone who can guide me through the process in the next week I will just take the unit back to the store and exchange it for a T1, as that seems to be a pretty solid and tested rootable device. The T1 meets all my requirements but if there's interest out there to try and root the G1 and people think it's possible I'm happy to have a go at it.

Any feedback, suggestions or links to other threads you think may help would be appreciated.

Thanks!

EDIT: I also did some hunting around on another forum and found the following back and forth between oloo and boroda. It appears that oloo was unable to get "ebook_msc.exe name "PRS-G1" get /init.rc" to work and never replied to boroda. I wonder if the reason it doesn't work is because of the encryption?
http://www.the-ebook.org/forum/viewt...fded57e#795224

EDIT2: I'm really keen to have a go at this I just wonder if I can get it to boot the rupor-rescue.7z on the prs-g1 as that seems to be the thing that needs to be done to make a backup of the partitions according to.
http://www.the-ebook.org/forum/viewtopic.php?t=23354
I wanted to know if putting rupor-rescue.7z on an sd card and booting it could potentially brick my device or not. As long as it doesn't brick the device I can always sell it used for a small loss so I'd be willing to try.

Last edited by peter64; 07-03-2012 at 05:57 PM.
Old 07-03-2012, 06:40 PM   #2
peter64
So I managed to get access to the port without removing the opaque screen protector, which I'm pretty sure is the only sealed aspect of the packaging, so I decided to have a go and see if I could get any further than others.

Quote:
C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name PRS-G1 info
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
avail: 0
openDrive [\\.\H:]: 1
usbInitCheck: 0
USB protocol versions:0 (?): 01000000
1 (Device): 01000010
2 (Updater):00000000
3 (?): 01000000
UsbGetDevProperty: 0
Device name: Reader
Device model: PRS-G1
Device version: 1.0.00.11010
Device locked: no

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name PRS-G1 fulldmp

Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
avail: 0
openDrive [\\.\H:]: 1
usbInitCheck: 0
Error: no such file? [/dev/mtdblock1]
Error: no such file? [/dev/mtdblock2]
Error: no such file? [/dev/mtdblock3]
Error: no such file? [/dev/mtdblock4]
Error: no such file? [/dev/mtdblock5]
Error: no such file? [/dev/mtdblock6]
Error: no such file? [/dev/mtdblock7]
Error: no such file? [/dev/mtdblock8]
Error: no such file? [/dev/mtdblock9]
Error: no such file? [/dev/mtdblock10]
Error: no such file? [/dev/mtdblock11]
Error: no such file? [/dev/mtdblock12]
Error: no such file? [/dev/mtdblock13]
Error: no such file? [/dev/mtdblock14]
Error: no such file? [/dev/mtdblock15]
Error: no such file? [/dev/mtdblock16]
Error: no such file? [/dev/mtdblock17]
Error: no such file? [/dev/mtdblock18]
Error: no such file? [/dev/mtdblock19]

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name "PRS-G1" get /init.rc
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
avail: 0
openDrive [\\.\H:]: 1
usbInitCheck: 0
Error: no such file? [/init.rc]

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name "PRS-G1" get init.rc
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
avail: 0
openDrive [\\.\H:]: 1
usbInitCheck: 0
Error: no such file? [init.rc]

Next up I tried the rupor-rescue.7z sd card along with "um recovery"; the unit did restart and spun around for a while then just booted back up as normal. Does this mean that the recovery firmware had a bad checksum/encryption and couldn't be launched or something? It should also be noted that without the sd card even inserted it did the exact same thing on the screen. I believe it was supposed to attempt to connect to the computer and install serial comms devices along with other usb storage devices.

Quote:
C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name "PRS-G1" um recovery
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
avail: 0
openDrive [\\.\H:]: 1
usbInitCheck: 0

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name "PRS-G1" info
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
Device is not connected to PC

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name "PRS-G1" info
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
Device is not connected to PC

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe name "PRS-G1" info
Sony Reader MSC utility 1.06 (c) 2009 Igor Skochinsky, Vladimir Boroda
avail: 0
openDrive [\\.\H:]: 1
usbInitCheck: 0
USB protocol versions:0 (?): 01000000
1 (Device): 01000010
2 (Updater):00000000
3 (?): 01000000
UsbGetDevProperty: 0
Device name: Reader
Device model: PRS-G1
Device version: 1.0.00.11010
Device locked: no

C:\Downloads\Firefox\Sony Reader\rupor-minimal>ebook_msc.exe listdrv
D;TSSTCORP;CD/DVDW;SB00;Z;
E;MNGPY;81EZSTI;1.03;;
G;MATSHITA;BD-MLT;1.00;10012200;
H;SONY;PRS-G1;2081;;
I;SONY;PRS-G1;2081;;
J;SONY;PRS-G1;2081;;
As one might expect based on the above output and the fact windows didn't try to install any devices, this unit doesn't know what to do with the rupor-rescue image. I'm going to box the unit back up for now. But if anyone has any ideas to try I'll try again in a couple of days. One final idea I had was I would be willing to pay for shipping the unit to and from Boroda if he would be interested in having a go at rooting it. Otherwise I'll try and return it some time next week.

Last edited by peter64; 07-03-2012 at 08:23 PM.
Old 07-04-2012, 02:52 AM   #3
peter64
I tried one more thing today which was to just start the unit in recovery mode without a microSD card or anything. I tried three different ways and they all resulted in Windows not detecting any new devices.

1) connect usb then hold menu + home and press power; it started up and I kept holding until it had completed the progress bar, I then kept holding for good measure but the computer didn't detect anything.

2) while holding menu + home after pressing power quickly attaching the usb same no effect

3) as mentioned before running um recovery from ebook_msc.exe which didn't work.

I had thought if I could build the telnet connection I could backup the disks to sd card but it wouldn't ever build the connection.

As such I think I'm done trying things now unless someone can tell me what I'm doing wrong and how to do it properly.
Old 07-04-2012, 05:44 AM   #4
uboot
Evangelist
Posts: 425
Karma: 75216
Join Date: Nov 2011
Location: old europe
Device: Kobo Mini, Tolino Epos 2
Hm... I suspect recovery mode will only work if enable adb package has been installed...

But here is an sd boot image that just runs recovery console and serial gadget driver but does not flash your device:

https://www.mobileread.com/forums/sho...7&postcount=20
Old 07-04-2012, 07:34 AM   #5
peter64
Hey uboot,

Thanks so much for the reply. That's the one I attempted to run from the sd card but it didn't appear to do anything. I tried both using "mu recovery" with the card inserted to reset the device into recovery mode. I also tried by holding the home and menu button. At no point did the computer detect the device which is supposed to require the Gadget Serial driver. Do you have any idea if special tweaks need to be made to the update.img included in the rupor-rescue.7z? Perhaps it needs some specific information relevant to the g1 in order to recognize the file as a valid firmware update. I presume rupor made this file originally so he would probably be the one who knows what if any check sums or identification marks might be embedded in it.

EDIT: Sorry my bad this update.img is different from the one in rupor-rescue.7z. I'm just looking at the differences and reading the thread then I'll have a go with it. I just want to make sure I do everything properly

EDIT2: Could you tell me where on the sd card I need to put the rcS file? Right now I am attempting with "\OS Firmware\files\update.img" and I'm putting it in the same folder at "\OS Firmware\files\rcS"

EDIT3: It looks like he was just talking about the script located in the file so all I need is the update.img I'll try shortly.

Last edited by peter64; 07-04-2012 at 08:27 AM.
Old 07-04-2012, 10:15 AM   #6
peter64
Hey Guys,

So I did 3 tests today and video'd them just so you can be sure that I'm doing them right.

First I set up the sd card as described with "\OS Firmware\files\update.img" then

1) I started up the reader normally with sd card in and launched "ebook_msc.exe name "PRS-G1" um recovery" which appeared to do what it was supposed to do and attempt to load into recovery mode, however it appears as if it didn't actually load anything, then it just booted up like normal on its third attempt at the loading bar.

2) I started up the reader normally with sd card in and launched "ebook_msc.exe name "PRS-G1" um normal" which appeared to do just a normal reset. The progress bar only loaded once as would be expected.

3) I removed the SD card and then executed "ebook_msc.exe name "PRS-G1" um recovery" and the behavior was exactly the same as number 1.

I suspect this means that the PRS-G1 doesn't know what to do with the image file. Or it is missing some encryption or has an invalid checksum according to the PRS-G1. I formatted the sd card as FAT32 just for the record. Any assistance that you guys can provide would be appreciated. I'm still open for sending the unit to one of the veterans here if they want to have a go at it. Perhaps they have tools to dump the NAND flash memory?

Video link will be added here when the upload finishes to youtube
http://youtu.be/qWpO_N_GuUs

If you listen closely you can tell from the beeps when the usb disconnects and reconnects to the computer. It happens when the unit shuts down and also right before it starts up to the usable state (notice it doesn't happen when the recovery boot is in progress).

Last edited by peter64; 07-04-2012 at 10:48 AM.
Old 07-04-2012, 10:51 AM   #7
peter64
I decided I'm just going to return it tomorrow (in 12 hours) if they let me and I don't hear anything back on this thread before then.
Old 07-04-2012, 11:18 PM   #8
porkupan
Fanatic
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
The currently published version of ebook_msc.exe cannot read and write files on PRS-G1. You cannot root it using the PRS-T1 method at this time.
Old 07-04-2012, 11:31 PM   #9
peter64
Hey Porkupan,

Thanks so much for replying! Sorry to bother you again, I'm trying to figure out how large the difference is between the PRS-T1 and PRS-G1. I know you wrote the following in one thread.

Quote:
Originally Posted by porkupan View Post
If you have the Western or Japanese model of PRS-T1, your encryption keys are exactly the same as everyone else's. If you have a PRS-G1 or the Russian model of PRS-T1, the SD card update will not work for you, and the encryption method of the update packages is quite different. Beside the fact that they are signed by a private key.

One more thing to remember. If you have an update image on the SD card, it has priority over the update package in the internal memory. To get the "serial gadget" login you need to copy the XXX-Updater.package from the login_update folder in this archive into the root of the "internal memory" ("drive" READER).

I was hoping you might be able to tell me what is involved in finding the encryption key for the unit. I've looked over some of the scripts to extract the encryption key from the memory dumps and use them to unpack the upgrade "PRS-T1 Updater.package" packages. From my first inspection it looks like the only difference I could find between the PRS-G1 and PRS-T1 packages was that they no longer write "Salted__" at the beginning of the openssl encrypted files. That appears to indicate that openssl password based encryption was used. Now you will notice that there is no "Salted__" however the shift in data is approximately 8 bytes, and not 16 bytes. This implies to me that the data is still salted and they are just hiding the "Salted__" flag from the beginning of the files. This is why I wasn't sure how you came to the conclusion that it was using public/private key encryption rather than still using the RSA password based encryption. I wanted to know in what way you had discovered the encryption for the PRS-T1 and the Russian model as well as the PRS-G1 differ. I was hoping you could elaborate on how different the encryption is and if it will make it a lot more difficult to update if I were to find a way to dump the memory. I'm considering investing in some nand dumping and/or jtag equipment to have a go as it seems like an interesting challenge. I did however wonder how you dumped the initial unit to find the RSA key so you could build your first custom "PRS-T1 Updater.package". Will I need to build/buy a nand flash dumper?

Thanks again!

EDIT: I just noticed the part in your comment about it being signed by a private key. It looks like the only way to root this would be to reprogram the nand flash directly. Perhaps this is a bit too much for a first project, knowing the public key on the unit wouldn't really get me far in terms of making a general XXX-Updater.package... Correct me if I'm wrong in this understanding. Thanks!

EDIT2: Finally I forgot to mention that if you'd be interested in taking a look I'm very happy to pay to ship my device to you.

Last edited by peter64; 07-05-2012 at 12:02 AM.
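
An added example, not part of the original posts or of any tool named in this thread: the header arithmetic discussed in the post above (a "Salted__" marker plus an 8-byte salt gives a 16-byte prefix, a bare salt gives 8) written as a Python layout check. The 16-byte cipher block size, the function names and the sample blobs are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

MAGIC = b"Salted__"   # marker `openssl enc` writes before the salt
SALT_LEN = 8          # salt length used by `openssl enc`
BLOCK = 16            # assumed cipher block size (AES); an assumption

def entropy(data):
    """Shannon entropy in bits per byte; close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(blob):
    """Guess the container layout of an encrypted blob from its header and length."""
    if blob.startswith(MAGIC):
        # Standard layout: 8-byte marker, 8-byte salt, then ciphertext.
        prefix, layout = len(MAGIC) + SALT_LEN, "openssl-salted"
        salt = blob[len(MAGIC):prefix]
    elif len(blob) % BLOCK == SALT_LEN:
        # Length is 8 past a block boundary: consistent with (not proof of)
        # a bare 8-byte prefix such as a salt written without the marker.
        prefix, layout, salt = SALT_LEN, "bare-8-byte-prefix", blob[:SALT_LEN]
    elif len(blob) % BLOCK == 0:
        # Whole blocks only: no prefix, or one that is itself block-sized.
        prefix, layout, salt = 0, "block-aligned-no-prefix", None
    else:
        prefix, layout, salt = 0, "unaligned", None
    body = blob[prefix:]
    return {
        "layout": layout,
        "prefix_len": prefix,
        "salt": salt.hex() if salt else None,
        "body_len": len(body),
        "body_block_aligned": len(body) % BLOCK == 0,
        "entropy": round(entropy(body), 2),
    }

def fake_ciphertext(n, seed=b"constructed sample"):
    """Deterministic high-entropy filler standing in for real ciphertext."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed samples; these are not real update packages.
SALT = bytes.fromhex("0102030405060708")
WITH_MARKER = MAGIC + SALT + fake_ciphertext(4096)   # marker + salt + body
BARE_SALT = SALT + fake_ciphertext(4096)             # salt + body, no marker
RAW_BLOCKS = fake_ciphertext(4096)                   # body only

if __name__ == "__main__":
    for name, blob in [("with marker", WITH_MARKER),
                       ("bare salt", BARE_SALT),
                       ("raw blocks", RAW_BLOCKS)]:
        print(name, classify(blob))
```

The length test only narrows down the container layout; it says nothing about how the key is derived or whether the package is also signed.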
Old 07-05-2012, 08:13 AM   #10
peter64
Hey so I decided to keep the unit, so I opened it up just to see what was inside. Here's the list of chips.

Quote:
1) 016A, MBCC (top top, right)
2) WM8321G, 17AVKR8, 00C (top, right) (unknown) (http://www.cecb2b.com/shop/WM8321G_ic_359_91798318.html)
3) F0513A, 1129EM434 (mid, right) (unknown)
4) MCIMX508CVK8B, N78A, CTGK1131L, CHINA (mid, mid right) (arm processor) (http://www.futureelectronics.com/en/...X508CVK8B.aspx)
5) NNNIX?, H5MS2G22AFR, J3M 131A, [upsidedownA]TKE0618EA2 (mid, mid left) (dram) (http://www.applegate.co.uk/listings/...M-1034853.html)
6) CIRRUS, 42L52CNZ, C1AV1125, MAL (bottom, mid) (sound) (http://www.alldatasheet.com/datashee...42L52-CNZ.html)
7) E INK, TOS65181, TI 151, A2ZR G4 (mid, mid left left) (unknown)
8) SanDisk, SDIN5D1-2G, TAIWAN, 1367S0Z1CH (left, bottom bottom) (internal storage memory)
(http://download.siliconexpert.com/pd...al/sdin5c2.pdf) or (http://www.doc88.com/p-37689806964.html)
(11.5 mm x 13 mm x 1.2 mm)
(http://www.ironwoodelectronics.com/p...ocket_emmc.cfm)
9) HC4067BQ, L1D3L701, UnD133B (left, bottom mid) (16 channel analog multiplexer/demultiplexer) (http://www.techrepublic.com/photos/c...6330940?seq=45)
10) VM15AD, LMV65, 4MT (left, middle) (unknown)
11) HC4067BQ, L1D3L701, UnD1338 (left, top) (16 channel analog multiplexer/demultiplexer) (http://www.techrepublic.com/photos/c...6330940?seq=45)
12) M430, F2272, T1 J18K, CQQK G4 (mid top, mid left left) (ultra low power micro controller) (http://www.techrepublic.com/photos/c...6330940?seq=44)
13) 4011, WC120 (top, left)
14) 2600P, E18RA (top, mid left)
15) 8YK, 16J, PNJ8 (top, mid)
The flash memory chip looks like it's a SDIN5D1-2G. I was a little sad because it looks like these types of chips are very hard to re-solder because they are BGA packages. The interesting part is they appear to be the same chips as are used in some usb flash drives, so if I could unsolder and resolder I could in theory dump it from a usb flash drive.
Here's a good video for how to solder and unsolder BGA packages.

http://www.youtube.com/watch?v=vva2t21sOAs&feature=plcp
http://www.youtube.com/watch?v=KjKEmKUatJ4

I'm going to go down to the electronics district this weekend and see if I can find myself an assortment of low capacity sandisk usb flash drives and open a few up to see if they use compatible chips. Then maybe try my hand at de-soldering and resoldering one a few times.

Also I found these which should do the trick, so I might order a couple of these to test with!
http://item.taobao.com/item.htm?id=14549603972

If anyone knows anything about jtag and can comment on what the test points and jtag points might be on the back of the board, or knows of a good site where I can go to find out how to test for jtag, serial points, it might save me having to try and de-solder the nand memory.

Last edited by peter64; 07-22-2012 at 01:12 AM.
All times are GMT -4.