I am currently preparing to gain full root access to an e-book reader based on the Samsung S3C6410 CPU (EBR-100 platform). I have already established an SSH connection as a restricted user (sreader) and analyzed the system structure.
Technical Details:
Bootloader: U-Boot 1.3.4 (password protected, but password is known).
OS: Linux with BusyBox v1.16.1.
Filesystem: The root partition (/) is ext2 mounted as Read-Only. Since it is not SquashFS, I expect to be able to remount it as RW once I have serial console access.
Persistence Strategy: The /mnt/secure partition is ext3 and is mounted as Read-Write. I have verified that it supports SUID flags and execution. I have already placed a BusyBox binary (mybox) there as a "foothold."
Planned Actions (Awaiting UART Cables):
Connect via UART (3.3V TTL) and interrupt the boot process to enter the U-Boot prompt.
Modify boot arguments: setenv bootargs ${bootargs} rw init=/bin/sh to bypass the standard init process and gain an immediate root shell.
Remount the root filesystem: mount -o remount,rw /.
Grant SUID permissions to the system BusyBox, or change the owner of my staged binary: chown root:root /mnt/secure/mybox and chmod 4755 /mnt/secure/mybox. Note that the rcS listed below re-applies chown -R 102:102 /mnt/secure on every boot, so ownership set on that partition is reset at startup as things stand.
Modify /etc/init.d/rcS to automate Bluetooth configuration (hciconfig hci0 sspmode 1) on boot.
Objective:
Enable Bluetooth Simple Secure Pairing (SSP) which is currently restricted due to lack of root privileges (Operation not permitted). UART cables are ordered and en route for 2026 delivery.
Spoiler:
mount
rootfs on / type rootfs (rw)
/dev/root on / type ext2 (ro,errors=continue)
none on /proc type proc (rw)
none on /var type tmpfs (rw,size=131072k)
none on /sys type sysfs (rw)
none on /var/dev/pts type devpts (rw,mode=622,ptmxmode=000)
tmpfs on /var/dev/shm type tmpfs (rw)
/dev/mmcblk0p3 on /ebrmain type ext2 (ro,errors=continue)
/dev/mmcblk0p2 on /mnt/secure type ext3 (rw,errors=continue,data=ordered)
/dev/loop0 on /ebrmain/cramfs type cramfs (ro)
/dev/mmcblk0p1 on /mnt/ext1 type vfat (rw,dirsync,nosuid,nodev,noatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=utf8,errors=remount-ro)
/dev/mmcblk1 on /mnt/ext2 type vfat (rw,dirsync,nosuid,nodev,noatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=utf8,errors=remount-ro)
id
uid=102(sreader) gid=102(sreader) groups=3003
ls -l /bin/sh /bin/busybox
-rwxr-xr-x 1 root root 408068 Apr 11 2012 /bin/busybox
lrwxrwxrwx 1 root root 7 Apr 11 2012 /bin/sh -> busybox
ls -F /etc/init.d/
rcS*
cat /etc/init.d/rcS
#! /bin/sh
# /etc/init.d/rcS as pasted from the device (the original indentation was
# lost in the paste). Boot-time setup: mounts the pseudo-filesystems, probes
# the hardware through /bin/hwconfig to choose framebuffer modules, hands off
# to swupdate when an update is pending, locks down /mnt/secure, and finally
# starts the reader application from /ebrmain.
usleep 250000
# NOTE(review): the trailing ':' leaves an empty PATH entry, which the shell
# treats as the current directory. For a script run as root during boot that
# is an unsafe search-path default (every command below is resolved via PATH
# unless given with an absolute path).
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/lib:
runlevel=S
prevlevel=N
umask 022
export PATH runlevel prevlevel
# Ignore interrupt/quit/stop signals for the rest of the boot sequence.
trap ":" INT QUIT TSTP
# Root stays read-only; this matches the "/dev/root ... ext2 (ro,...)" line
# in the mount output above.
/bin/mount -o remount,ro rootfs /
/bin/mount -t proc none /proc
/bin/mount -t tmpfs none /var -o size=128M
/bin/mount -t sysfs none /sys
/bin/mkdir -p /var/dev
/bin/mkdir -p /var/lib
/bin/mkdir -p /var/run
/bin/mkdir -p /var/log
/bin/mkdir -p /var/tmp
# Device nodes are kept under /usr/dev on the read-only root and copied
# into /dev at boot.
cp -rfp /usr/dev/* /dev
#insmod /lib/modules/pvi_io.ko
# hwconfig reports each detected component through its exit status; the
# $? captures below turn those into type codes. (What -v prints is not
# shown here.)
/bin/hwconfig -v
/bin/hwconfig -d
DTYPE=$?
/bin/hwconfig -c
CTYPE=$?
# Controller type 2: load the generic cfb helpers, then the s1d13521 frame
# buffer driver, using the -9d7 variant when the display type is 3.
# The unquoted $CTYPE/$DTYPE are tolerable only because $? is always a
# non-empty integer.
if [ $CTYPE = 2 ] ; then
insmod /lib/modules/cfbcopyarea.ko
insmod /lib/modules/cfbimgblt.ko
insmod /lib/modules/cfbfillrect.ko
if [ $DTYPE = 3 ] ; then
insmod /lib/modules/s1d13521fb-9d7.ko
else
insmod /lib/modules/s1d13521fb.ko
fi
else
echo "*** unknown controller type: $CTYPE"
fi
# Audio chip: type 2 is known but its module load is commented out, so
# nothing is done; type 0 is treated as "none"; anything else is reported.
/bin/hwconfig -a
ATYPE=$?
if [ $ATYPE = 2 ] ; then
#insmod /lib/modules/alc5623.ko
true
elif [ $ATYPE != 0 ] ; then
echo "*** unknown audio chip: $ATYPE"
fi
# Touch panel: only type 0 is accepted; nothing is loaded for it here.
/bin/hwconfig -t
TTYPE=$?
if [ $TTYPE != 0 ] ; then
echo "*** unknown touchpanel type: $TTYPE"
fi
# G-sensor: same shape as the audio block, with the mma7455 load disabled.
/bin/hwconfig -g
GTYPE=$?
if [ $GTYPE = 3 ] ; then
#insmod /lib/modules/mma7455.ko
true
elif [ $GTYPE != 0 ] ; then
echo "*** unknown g-sensor type: $GTYPE"
fi
/bin/hostname pocketbook
#echo burn > /sys/bus/i2c/drivers/max17043/1-0036/burn
#echo 0 > /sys/bus/i2c/drivers/max17043/1-0036/reset
#/bin/batt_calibrate.sh &
echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
# Firmware update path: when `swupdate -c` succeeds, copy the essential
# trees into the /tmp tmpfs, mount proc/sysfs inside that copy, run the
# updater chrooted there, and exit rcS without starting the application.
if /bin/swupdate -c ; then
# moving all to ramfs for reliable update
mkdir -p /tmp/root/proc /tmp/root/sys
mkdir -p /tmp/root/mnt/ext1 /tmp/root/mnt/ext2 /tmp/root/tmp
cp -rpH /dev /tmp/root/
cp -rpH /etc /tmp/root/
cp -rpH /bin /tmp/root/
cp -rpH /sbin /tmp/root/
cp -rpH /lib /tmp/root/
mount -t proc proc /tmp/root/proc
mount -t sysfs none /tmp/root/sys
sync
# `exec` in a backgrounded command only replaces the background subshell,
# so the script itself continues to the `exit` below.
exec chroot /tmp/root /bin/swupdate -u &
exit
fi
# Mount the remaining /etc/fstab entries (presumably the mmcblk partitions
# shown in the mount output above — not visible here).
mount -a
# Lock /mnt/secure to uid/gid 102 on every boot: mode 0700 plus the
# setuid/setgid bits on the directory (the "drws--S---" in the ls -al
# output), then a recursive re-own. Any ownership set on files in this
# partition is reverted to 102:102 here at each start.
chmod 700 /mnt/secure
chmod u+s,g+s /mnt/secure
chown -R 102:102 /mnt/secure
echo "Setting loopback interface"
ifconfig lo 127.0.0.1 netmask 255.0.0.0
#RUNNING AP
# Start the reader application in the foreground when it exists; otherwise
# run the device test in the background.
if [ -f /ebrmain/pocketbook ]; then
export QT_QPA_PLATFORM=pocketbook
cd /ebrmain
./pocketbook
cd /
else
echo "no ebrmain executable - starting device test"
/bin/swupdate -t &
fi
cat /etc/passwd
root:x:0:0:root:/:/bin/sh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
nobody:*:99:99:Nobody:/:
reader:*:101:101:reader:/:
sreader:*:102:102:sreader:/:
dmesg | grep -i blue
<6>Bluetooth: Core ver 2.15
<6>Bluetooth: HCI device and connection manager initialized
<6>Bluetooth: HCI socket layer initialized
<6>Bluetooth: HCI UART driver ver 2.2
<6>Bluetooth: HCI H4 protocol initialized
<6>Bluetooth: L2CAP ver 2.13
<6>Bluetooth: L2CAP socket layer initialized
<6>Bluetooth: SCO (Voice Link) ver 0.6
<6>Bluetooth: SCO socket layer initialized
<6>Bluetooth: RFCOMM socket layer initialized
<6>Bluetooth: RFCOMM TTY layer initialized
<6>Bluetooth: RFCOMM ver 1.11
<6>Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>Bluetooth: BNEP filters: protocol multicast
<6>Bluetooth: HIDP (Human Interface Emulation) ver 1.2
lsmod
dhd 197504 0 - Live 0xbf000000
env
SSH_CLIENT=192.168.1.90 55309 1124
MAIL=/var/mail/sreader
USER=sreader
OLDPWD=/
HOME=/
LOGNAME=sreader
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/mnt/ext1/system/bin:/mnt/ext1/applications/pb_sshd/usr/bin:/mnt/ext1/applications/pb_sshd/usr/sbin
SHELL=/bin/sh
PWD=/bin
SSH_CONNECTION=192.168.1.90 55309 192.168.1.234 1124
ls -al /mnt/secure
drws--S--- 6 sreader sreader 4096 Mar 24 2017 .
drwxr-xr-x 6 root root 1024 Apr 11 2012 ..
-r-------- 1 sreader sreader 4 Dec 28 2011 .freezestatus
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_1
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_2
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 dictionaries
-rwxr-xr-x 1 sreader sreader 16 Aug 25 2018 last_update
drwxr-xr-x 2 sreader sreader 16384 Mar 21 2011 lost+found
-rwxr-xr-x 1 sreader sreader 58 Mar 24 2017 netdevcache
-rwxr-xr-x 1 sreader sreader 1267 Jun 7 2010 nvram.txt
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 pbpk
-rwxr-xr-x 1 sreader sreader 8 Aug 15 2012 reg.status
-rwxr-xr-x 1 sreader sreader 80 Aug 15 2012 swupdate.db
drwxr-xr-x 3 sreader sreader 4096 Nov 23 16:58 tts
ls -al /mnt/secure
drws--S--- 6 sreader sreader 4096 Mar 24 2017 .
drwxr-xr-x 6 root root 1024 Apr 11 2012 ..
-r-------- 1 sreader sreader 4 Dec 28 2011 .freezestatus
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_1
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_2
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 dictionaries
-rwxr-xr-x 1 sreader sreader 16 Aug 25 2018 last_update
drwxr-xr-x 2 sreader sreader 16384 Mar 21 2011 lost+found
-rwxr-xr-x 1 sreader sreader 58 Mar 24 2017 netdevcache
-rwxr-xr-x 1 sreader sreader 1267 Jun 7 2010 nvram.txt
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 pbpk
-rwxr-xr-x 1 sreader sreader 8 Aug 15 2012 reg.status
-rwxr-xr-x 1 sreader sreader 80 Aug 15 2012 swupdate.db
drwxr-xr-x 3 sreader sreader 4096 Nov 23 16:58 tts
drws--S--- 6 sreader sreader 4096 Mar 24 2017 .
drwxr-xr-x 6 root root 1024 Apr 11 2012 ..
-r-------- 1 sreader sreader 4 Dec 28 2011 .freezestatus
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_1
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_2
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 dictionaries
-rwxr-xr-x 1 sreader sreader 16 Aug 25 2018 last_update
drwxr-xr-x 2 sreader sreader 16384 Mar 21 2011 lost+found
-rwxr-xr-x 1 sreader sreader 58 Mar 24 2017 netdevcache
-rwxr-xr-x 1 sreader sreader 1267 Jun 7 2010 nvram.txt
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 pbpk
-rwxr-xr-x 1 sreader sreader 8 Aug 15 2012 reg.status
-rwxr-xr-x 1 sreader sreader 80 Aug 15 2012 swupdate.db
drwxr-xr-x 3 sreader sreader 4096 Nov 23 16:58 tts
-sh: drws--S---: not found
-sh: drwxr-xr-x: not found
-sh: -r--------: not found
-sh: -rw-rw-rw-: not found
-sh: -rw-rw-rw-: not found
-sh: drwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: drwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: drwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: drwxr-xr-x: not found