12-01-2019, 07:28 AM   #7
Marco77
Device: PW3, Clara HD, PB740
Hi ezdiy,
I'm ABSOLUTELY baffled as to how sending a buffer to a seemingly random IPC queue can grant you root privesc! ▄█▀█●

My config (OS is Win10 1809):
Quote:
- Vivlio-branded Inkpad3, model PB740, purchased circa June 2019

- Info gathering via ereader menus
Device / Version info
Software version V740.5.19.992
Release date: 20190410_152958

- Info gathering via execution through pbterm

uname -a: Linux pocketbook 3.10.65 #2 SMP Fri Mar 29 11:59:01 EET 2019 armv7l GNU/Linux

/proc/version: Linux version 3.10.65 (jenkins@bsp-builder) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #2 SMP Fri Mar 29 11:59:01 EET 2019
Observations:
- about the jailbreak process, I like the fact it doesn't mandate using /mnt/ext1/applications
- SSH USBnet works like a charm
- USBnet Samba shares are fine
- but the passworded shares take awfully long to show the credential prompt, causing the action to sometimes time out in Explorer

I haven't tried via wifi yet, do you have a sample iptables ruleset we can use to prevent communication with obreey/pocketbook?

- Not sure if it's possible, can you keep the device alive (prevent sleep) while there's activity in the services?

- This one is a quality-of-life convenience, can you create /mnt/ext1/.ssh if it doesn't exist? Also, I'm trying to get dropbear to accept pubkey authentication to no avail

- scp works fine, not sftp (probably a dropbear limitation). If it's not too complicated, can you include rsync as well?

- Generally in PBTerm /mnt/secure/su command works, any idea why /bin/sh doesn't return control?

Great work mate