Hi ezdiy,

I'm ABSOLUTELY baffled as to how sending a buffer to a seemingly random IPC queue can grant you root privesc! ▄█▀█●
My config (OS is Win10 1809):
- Vivlio-branded Inkpad3, model PB740, purchased circa June 2019
- Info gathering via ereader menus
  Device / Version info
  Software version V740.5.19.992
  Release date: 20190410_152958
- Info gathering via execution through pbterm
  uname -a: Linux pocketbook 3.10.65 #2 SMP Fri Mar 29 11:59:01 EET 2019 armv7l GNU/Linux
  /proc/version: Linux version 3.10.65 (jenkins@bsp-builder) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #2 SMP Fri Mar 29 11:59:01 EET 2019

Observations:
- about the jailbreak process, I like the fact it doesn't mandate using /mnt/ext1/applications
- SSH USBnet works like a charm
- USBnet Samba shares are fine
- but the passworded shares take awfully long to show the credential prompt, causing the action to sometimes time out in Explorer
I haven't tried via wifi yet, do you have a sample iptables ruleset we can use to prevent communication with obreey/pocketbook?
- Not sure if it's possible, can you keep the device alive (prevent sleep) while there's activity in the services?
- This one is a quality-of-life convenience, can you create /mnt/ext1/.ssh if it doesn't exist? Also, I'm trying to get dropbear to accept pubkey authentication to no avail.
- scp works fine, not sftp (probably a dropbear limitation). If it's not too complicated, can you include rsync as well?
- Generally in PBTerm /mnt/secure/su command works, any idea why /bin/sh doesn't return control?
Great work mate