10-09-2009, 01:28 AM   #58
RyeBrye
Member
Device: PRS-600
Quote:
Originally Posted by dclavey View Post
Surely we could (with some hacking effort) create a firmware update to simply put back functionality which will allow JavaScript to be called again from a flash drive? Could we not just patch the "Test" software routines so they call Autorun.xml on the flash card rather than the "/opt/sony/application/resources/test" directory?
Well... First, if we could hack the firmware update, why would we bother even screwing around with an autorun.xml? If you can hack the firmware update, you have pwned the device and can have your way with it.

Second, the firmware updates are encrypted, and we need to break the encryption key. This can be extracted from a full system dump, but we don't have one.

A possible third obstacle is that it looks to me like, in addition to encrypting their updates, they also sign them. I'm not sure if there is a way to make the device accept an update that isn't signed by a key we certainly don't have and won't be able to get.

After getting a full system dump, we'll probably have to scour over it and try to find some kind of exploit, i.e. a vulnerability in the PDF reader, music player, picture viewer, or something else that will let you take a carefully crafted file and, as a result, execute code by exploiting it.

I'm not as much an expert with these devices as others, but from what I gather, what we really need is a full system dump: not just a dump of the files, but an actual block-for-block copy of the flash memory (i.e. use dd to copy it at a low level to an .img file), and from there we can start to poke at it and go to town.
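Whether you are staring at an encrypted update file or at a block-for-block flash dump, the first triage step is the same: find out which regions are ciphertext or compressed data (nothing to read, go look for keys or a parser bug instead), which are erased/padding, and which contain recognisable structure such as filesystem or executable headers. The script below is an added example written for this page; it is not code from this thread or from the device vendor. The 4 KiB scan granularity, the entropy thresholds and the 512-byte alignment for header search are my assumptions (the magic values themselves are the standard ones for each format), and the image it scans is constructed inline rather than taken from any real device.

```python
"""Triage a raw flash dump or update blob: which regions look encrypted or
compressed, which are empty/erased flash, and where known headers sit."""
import math
import random
import sys
from collections import Counter

BLOCK = 4096  # assumed scan granularity; not tied to any particular device

# Standard headers, as (offset within candidate region, magic bytes, label).
MAGICS = [
    (0, b"\x7fELF", "ELF"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"hsqs", "squashfs (little-endian)"),
    (0, b"sqsh", "squashfs (big-endian)"),
    (0, b"UBI#", "UBI erase-block header"),
    (0, b"\x27\x05\x19\x56", "U-Boot uImage"),
    (0x438, b"\x53\xef", "ext2/3/4 superblock"),  # magic 0xEF53 at 1024+56
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    # Thresholds are an assumption for triage, not measured on real images:
    # text and structured binaries rarely exceed ~6.5 bits/byte, while
    # ciphertext and well-compressed data sit near 8. Entropy alone cannot
    # tell encrypted from compressed; a header hit (find_magic) is what
    # distinguishes a gzip/squashfs region from a true encrypted blob.
    if entropy < 0.5:
        return "empty/padding"
    if entropy < 6.5:
        return "structured"
    return "high-entropy"


def scan(image: bytes, block: int = BLOCK):
    """Per-block (offset, entropy) over the whole image."""
    return [(off, shannon_entropy(image[off:off + block]))
            for off in range(0, len(image), block)]


def regions(image: bytes, block: int = BLOCK):
    """Merge consecutive blocks of the same class into (start, end, class)."""
    out = []
    for off, ent in scan(image, block):
        cls = classify(ent)
        end = min(off + block, len(image))
        if out and out[-1][2] == cls:
            out[-1] = (out[-1][0], end, cls)
        else:
            out.append((off, end, cls))
    return out


def high_entropy_fraction(image: bytes, block: int = BLOCK) -> float:
    ents = scan(image, block)
    return sum(1 for _, e in ents if classify(e) == "high-entropy") / len(ents)


def find_magic(image: bytes, align: int = 512):
    """Look for known headers at aligned offsets only (assumed alignment);
    this keeps two-byte magics like gzip's from matching random data."""
    hits = []
    for off in range(0, len(image), align):
        for rel, magic, label in MAGICS:
            if image[off + rel:off + rel + len(magic)] == magic:
                hits.append((off, label))
    return hits


def build_sample_image(block: int = BLOCK, seed: int = 1) -> bytes:
    """Constructed sample, not a real dump: a text manifest, a block of erased
    NAND (0xFF), four blocks of seeded random bytes standing in for an
    encrypted payload, then a block that starts with an ELF header."""
    rng = random.Random(seed)
    manifest = (b"update manifest: version 1.0.00\nsignature: present\n" * 80)
    manifest = manifest[:block].ljust(block, b"\x00")
    erased = b"\xff" * block
    payload = bytes(rng.getrandbits(8) for _ in range(4 * block))
    elf = b"\x7fELF\x01\x01\x01\x00" + b"loader stub text, placeholder\n" * 100
    elf = elf[:block].ljust(block, b"\x00")
    return manifest + erased + payload + elf


if __name__ == "__main__":
    # Usage: python triage.py flash.img   (falls back to the constructed sample)
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for start, end, cls in regions(img):
        print(f"{start:#010x}-{end:#010x}  {cls}")
    print(f"high-entropy fraction: {high_entropy_fraction(img):.2f}")
    for off, label in find_magic(img):
        print(f"{off:#010x}  {label}")
```

Run it against the .img produced by dd rather than against a tar of the files: a file-level copy loses exactly the things this script is looking for (the erased blocks, the partition boundaries and any headers that live outside the mounted filesystem). On a real update blob, a high-entropy fraction near 1.0 with no header hits is consistent with the "encrypted" claim above; a blob that is mostly high-entropy but has a gzip or squashfs header at the start is merely compressed and worth trying to unpack first.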