Old 01-08-2026, 11:39 AM   #10
SERG-987
Member
Posts: 22
Karma: 94378
Join Date: Nov 2023
Device: PocketBook 912 + Note Max
I managed to get persistent root access on this old BusyBox-based e‑reader.
Here is the procedure I used.

Interrupt U‑Boot and boot directly into a shell as PID 1:

setenv bootargs root=/dev/mmcblk0p4 rootdelay=2 rw init=/bin/sh noinitrd console=ttySAC2,115200 hwconfig=0x0110032233414237 platform=ep3
movi read kernel c0008000
bootm c0008000


Verify that the system is running and that I already have a root shell:

uname -a
id


Make a backup of /etc/passwd:

cp /etc/passwd /etc/passwd.bak
ls -l /etc/passwd /etc/passwd.bak

Remove the password for the root account by replacing root:x: with root:::

sed -i 's/^root:x:/root::/' /etc/passwd
head -5 /etc/passwd
# Expect:
# root::0:0:root:/:/bin/sh

Enable setuid root on BusyBox so that su works later from a normal user:

ls -l /bin/busybox
chmod u+s /bin/busybox
ls -l /bin/busybox
# Expect:
# -rwsr-xr-x 1 root root 408068 Apr 11 2012 /bin/busybox

After reboot, I can log in as the regular user over SSH and then simply run:

su
id
# uid=0(root) gid=0(root) …

This gives me a persistent, passwordless root login (via su) on the device, while still keeping a backup of the original /etc/passwd as /etc/passwd.bak in case I need to restore it.

Code:
setenv bootargs root=/dev/mmcblk0p4 rootdelay=2 rw init=/bin/sh noinitrd console=ttySAC2,115200 hwconfig=0x0110032233414237 platform=ep3

movi read kernel c0008000

bootm c0008000


BusyBox v1.16.1 (2010-10-11 18:29:44 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
# uname -a
Linux (none) 2.6.29.6 #1 PREEMPT Fri Dec 9 16:05:22 EET 2011 armv6l GNU/Linux
# id
uid=0(root) gid=0(root)
# cp /etc/passwd /etc/passwd.bak
# ls -l /etc/passwd /etc/passwd.bak
-rw-r--r--    1 root     root           155 Apr 11  2012 /etc/passwd
-rw-r--r--    1 root     root           155 Jan  8 15:51 /etc/passwd.bak
# sed -i 's/^root:x:/root::/' /etc/passwd
# cat /etc/passwd | head -5
root::0:0:root:/:/bin/sh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
nobody:*:99:99:Nobody:/:
reader:*:101:101:reader:/:
# ls -l /bin/busybox
-rwxr-xr-x    1 root     root        408068 Apr 11  2012 /bin/busybox
# chmod u+s /bin/busybox
# ls -l /bin/busybox
-rwsr-xr-x    1 root     root        408068 Apr 11  2012 /bin/busybox
#
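A defender-side check for the two changes this post describes (an empty root password field in /etc/passwd and a setuid /bin/busybox), as an added example that is not part of SERG-987's post. The function names and the FINDING output format are assumptions, and the sample tree is constructed from passwd lines shown in the session output; it needs awk and cmp, so it is meant for a mounted copy of the root filesystem or a device that has those applets.

```shell
#!/bin/sh
# Added audit example, not from the original post.
# audit_rootfs ROOT   (ROOT = "" for the live system, or the path of a mounted image)

# List accounts whose password field (field 2) is empty, e.g. "root::0:0:...".
empty_password_accounts() {
    awk -F: 'NF >= 3 && $2 == "" { print $1 }' "$1"
}

# True if the file carries the setuid bit (the "s" in -rwsr-xr-x).
is_setuid() {
    [ -u "$1" ]
}

# Print one FINDING line per problem; print nothing for a clean tree.
audit_rootfs() {
    root=$1
    for user in $(empty_password_accounts "$root/etc/passwd"); do
        echo "FINDING empty-password account=$user file=$root/etc/passwd"
    done
    if is_setuid "$root/bin/busybox"; then
        echo "FINDING setuid file=$root/bin/busybox"
    fi
    # A backup that differs from the live file shows that passwd was edited.
    if [ -f "$root/etc/passwd.bak" ] &&
       ! cmp -s "$root/etc/passwd" "$root/etc/passwd.bak"; then
        echo "FINDING passwd-differs-from-backup file=$root/etc/passwd.bak"
    fi
    return 0
}

# Constructed sample tree reproducing the end state of the session above.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/bin"
    printf '%s\n' 'root:x:0:0:root:/:/bin/sh' 'reader:*:101:101:reader:/:' > "$d/etc/passwd.bak"
    printf '%s\n' 'root::0:0:root:/:/bin/sh' 'reader:*:101:101:reader:/:' > "$d/etc/passwd"
    : > "$d/bin/busybox"          # empty stand-in for the real binary
    chmod 4755 "$d/bin/busybox"
    echo "$d"
}

sample=$(make_sample)
audit_rootfs "$sample"
rm -rf "$sample"
```

Restoring /etc/passwd from /etc/passwd.bak and running chmod u-s on /bin/busybox makes the audit print nothing.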