Old 07-12-2015, 05:14 PM   #7
fastrobot
Connoisseur
Posts: 53
Karma: 11844
Join Date: Jun 2014
Location: All over the place...
Device: KOBO AuraHD and GLO
Quote:
Originally Posted by frostschutz
It seems to work with the official busybox binary which you can download from the busybox site.

Is there a modification to busybox by Kobo without which the device would not work? Otherwise just replace busybox entire...?
I don't know if there is a modification that is critical, or which will become critical in the future.

By comparing the source code tree of busybox for Kobo and others I can find regarding the "sanitizing" of variables; the routine isn't in the same place -- so I know Kobo's source code isn't exactly the same as other releases at least there, and if it's different there -- then how many other changes has Kobo made, and why?

So, there probably is a risk in just replacing busybox.

That's in part why I asked George Talusan about which version my KoboAuraHD actually was using... because I wanted to make sure I was looking at the right source code to make the decision based on. (As well as be able to recompile it according to GPL rules, and audit the binary code release to see that it is indeed the same as the source code that it supposedly comes from.)

When I wasn't able to determine for sure what the heck is going on, I made a workaround binary rather than change busybox so that I wouldn't trigger any bugs that Nickel or other Kobo programs depend on Kobo's version of busybox to prevent.

GPL software, version 2, and version 3, is meant to protect the freedom of the software so that users can remove spyware, boobytrap viruses, and patent infringement bait and switches and other malicious things that can sometimes end up in them when companies decide they 'need' these things to protect their interests in the marketplace.

In GPL code, you -- as the user -- ought to be able to see the source code that was actually compiled, and look for modifications to the binary which violate the GPL and try to take advantage of you as a naive consumer.

It's a real question mark, that I can't determine why the code actually running on the Kobo -- doesn't appear to behave the same as the source code release would suggest it ought to. I don't want to jump prematurely to conclusions, but I do want to actually verify why the code behaves strangely.

This isn't a huge time sensitive problem.

But as a security issue, I would like to know for sure that the code Talusan 'thinks' is getting loaded onto his Kobos is in fact what is there; and that there hasn't been tampering with the binaries by greedy subcontractors, ISPs or governments who are injecting spyware or other malware into the stream illegally / in violation of the GPL.

I've seen too much industrial espionage, up close, in my line of work to take for granted that everything people 'think' is going on, is what is really happening.