Old 04-24-2011, 09:19 AM   #1
mr.postman
Junior Member
Posts: 1
Karma: 10
Join Date: Apr 2011
Device: pocketbook 603
ROOT permissions for Pocketbook 602/603/902/903

On the Russian forum

Google translate:
In the other topic, where I posted an SDK for Windows, I suggested trying the existing exploits for the 2.6.29 kernel to get ROOT, but the reality was much simpler: the Chinese, who make the firmware for PocketBook, have left us enough holes in the suid applications they wrote.

In this example I'm exploiting an elementary "hole" in /ebrmain/bin/netagent. This suid application passes the command line it is given straight through to the system as is, with the result that we can execute any command as root. Finding the hole took me 2 evenings; it is strange that nobody has found it so far.

We now have:
- A local shell with root on the device (but, you'll agree, this is inconvenient, since pocket term is crooked beyond belief)
- FTP and telnet daemons (using the "full" busybox rather than the castrated one from the firmware), so it is now possible to connect to the device remotely over WiFi via FTP or telnet and wield it as root. That is the main thing that I personally was missing.

I note right away that for root you will not need to solder anything, make changes to the firmware, or do any of that "low-level abuse" of the device.
All that is necessary is to unzip the archive here: http://www.multiupload.com/A49K088F4J to the root of the built-in memory, so that the files form the directories /mnt/ext1/applications and /mnt/ext1/system/bin on the device.
After this, run the get_root application; it will get root, enable WiFi and connect to your wireless access point (of course, WiFi should be pre-configured). Then you get the opportunity to work with the device via FTP and telnet by simply connecting from a PC to its IP address.

If you still don't have WiFi at home but want to get an on-screen shell with root rights, you can run get_root.app from pocket term (by typing in it: /mnt/ext1/applications/get_root.app); after the script finishes, you get a root shell inside the same poterm session (close the poterm window and you lose the root shell, and the script will have to be run again).
But pocket term has a "feature": it does not draw the $ shell prompt symbol, so the first command will have to be entered "blind" (for example, the command id, to make sure you are root).

Troubleshooting:
When the script works correctly, the bluetooth stack turns on first (a side effect), after which it connects to WiFi (with windows popping up), and then after 5-10 seconds your device is available via telnet / ftp over WiFi.
If the window does not appear, or when run through pocket term the script finishes instantly, it means something stopped it, for example WiFi / Bluetooth having been enabled beforehand. In this case I recommend getting a paper clip, resetting the device, and then trying again.

Operability is guaranteed on PocketBook 60x/90x. Older devices probably don't have /ebrmain/bin/netagent, so exploiting this hole is impossible there.

Once again, the download link: http://www.multiupload.com/A49K088F4J

And now a couple of questions.
Are there Linux experts here? Of particular interest: how does one enable full stereo audio over bluetooth (the a2dp profile) on Linux? This is the second thing whose absence in the PocketBook bugged me a little, namely the inability to listen to mp3 through wireless headphones. Having root, I think this is now quite feasible.

Disclaimer:
This hack is completely safe for your device. It does not make any changes to the firmware or hardware of the device, it does not start automatically on reboot, and to remove it from the device, for example before sending it in for service, simply delete its files manually or format the internal memory by the usual means.
But. This hack gives you root rights. And with them you can already, for example, mount the system partitions read-write and delete or corrupt important files on them. Do this at your own risk, because PocketBook still doesn't even bother to publish the kernel sources, and we do not know whether the partition / file checksums are verified at boot, or whether there is any protection against modification.
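The class of bug the post describes, a suid helper that hands a caller-supplied command line to the shell, is easy to avoid at the design stage. The following is an added example written for this page; it is not the netagent binary, not PocketBook's code, and the helper name (wifi_helper), the action names and the /sbin/ifconfig invocations are assumptions. It contrasts the insecure pattern (building a string for system(), shown here only as a string builder that is never executed) with a hardened helper that maps a caller-supplied name to a fixed argument vector and runs it with execve() and an empty environment, so nothing from the caller reaches a shell, becomes a program path, or alters PATH or LD_* lookup.

```c
/* Added example (not from the post or the PocketBook firmware): a setuid
 * helper that must perform one privileged network action for an
 * unprivileged caller, written two ways. Names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Characters that /bin/sh interprets; if any of them reach system() from
 * untrusted input, the shell runs attacker-chosen text with the helper's
 * effective uid. Returns 1 if arg contains one, 0 otherwise. */
int has_shell_metachar(const char *arg) {
    return strpbrk(arg, ";|&$`<>()\n\"'\\") != NULL;
}

/* INSECURE pattern (the one the post describes): glue the caller's
 * argument into a command string meant for system(). This function only
 * builds and returns the string so it can be inspected; it never runs it. */
const char *insecure_command_string(const char *arg) {
    static char buf[256];
    snprintf(buf, sizeof buf, "/sbin/ifconfig wlan0 %s", arg);
    return buf;
}

/* HARDENED pattern: the caller may only name an action from a fixed table.
 * Each entry is an absolute program path plus a complete argv; nothing the
 * caller supplies is ever part of the executed command. */
typedef struct {
    const char *name;
    const char *argv[4];
} action_t;

static const action_t ACTIONS[] = {
    { "wifi-up",   { "/sbin/ifconfig", "wlan0", "up",   NULL } },
    { "wifi-down", { "/sbin/ifconfig", "wlan0", "down", NULL } },
};
#define N_ACTIONS (sizeof ACTIONS / sizeof ACTIONS[0])

/* Exact-match lookup; returns the table index or -1 for anything unknown
 * (including an allowed name with extra text appended). */
int lookup_action(const char *name) {
    for (size_t i = 0; i < N_ACTIONS; i++) {
        if (strcmp(ACTIONS[i].name, name) == 0) {
            return (int)i;
        }
    }
    return -1;
}

/* Execute the action with execve(): absolute path, fixed argv, empty
 * environment, so PATH, IFS or LD_* settings from the caller have no
 * effect. On success this never returns; on failure returns -1. */
int run_action(const char *name) {
    int idx = lookup_action(name);
    if (idx < 0) {
        errno = EINVAL;
        return -1;
    }
    char *const envp[] = { NULL };
    execve(ACTIONS[idx].argv[0], (char *const *)ACTIONS[idx].argv, envp);
    return -1; /* only reached if execve() itself failed */
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: wifi_helper <wifi-up|wifi-down>\n");
        return 2;
    }
    if (run_action(argv[1]) < 0) {
        perror("run_action");
        return 1;
    }
    return 0;
}
```

The design point is that the hardened helper never needs to sanitise input at all: it treats the argument as a key into a table of fixed commands, rejects everything else, and avoids the shell entirely, whereas the insecure string builder has to be right about every metacharacter the shell might honour.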