Kobo Bootimage Packer/Unpacker

[BloodRagg]

Hi,

These are scripts for packing and unpacking the bootimage of Kobo devices.

I made these a while ago but never had a reason to release them until now
They are tested on a Kobo Aura HD and a couple of images (clara,h2o,hd iirc)

Instead of running through the code. I solely used the image binary for reverse engineering.
The memory maps are done in hexadecimal offset instead of decimal offsets (crazy humans)
Which as you can see makes more sense. I think I found all the checksums and magic markers.

Of course with all reverse engineering don't expect this to be in 100% working order.
But should give you enough room to play

kbunpack.sh: unpacks a bootimage into its parts.
kbpack.sh: packs and or repacks the bootimage.

So you can insert new kernels waveforms dtb's and more.

This is what I know to be true thus far, this isnt 100% fact.

Code:

Flash/Mmc layout found in master boot record with an offset of
9.5MiB to 24MiB.

Sector Size= 512 bytes
Device          Sectors   Size Id Type   Name
------------------------------------------------------------
mmcblk0          19456    9.5M -- RAW    bootimage Aura HD
mmcblk0          49152   24.0M -- RAW    bootimage Aura H2O
------------------------------------------------------------
mmcblk0p1        524289   256M 83 Linux  rootfs
mmcblk0p2        524289   256M 83 Linux  recoveryfs
mmcblk0p3        rest        rest b  FAT32  KOBOeReader
------------------------------------------------------------

The map of the boot image, goes for most devices.
Newer devices have a firmware and device tree blob (mx6)

[ master boot record      ] at 0x00000000
[ serial number           ] at 0x00000200
[ u-boot binary           ] at 0x00000400
[ ntx config size         ] at 0x0007fff0
[ ntx hardware config     ] at 0x00080000
[ firmware blob size      ] at 0x00080bf0
[ firmware blob           ] at 0x00080c00
[ linux device tree blob  ] at 0x000a0c00
[ u-boot environment      ] at 0x000c0000
[ data1 (unknown)         ] at 0x000e0000
[ data2 (unknown)         ] at 0x000f0000
[ uImage/kernel           ] at 0x00100000
[ ramdisk/initrd (unused) ] at 0x00400000
[ e-ink waveform size     ] at 0x006ffff0
[ e-ink waveform          ] at 0x00700000
[ logo (unused)           ] at 0x00900000 (overwritten if waveform is bigger)
[ Aura HD END-------------] at 0x00980000
[ Aura H2O END------------] at 0x01800000

u-boot has been modified by ntx for three purposes:
1. adding the board configuration
2. adding multiple boot configurations, they modified it
   to boot into 3 configurations
   * boot from rootfs into Kobo e-Reader software
     (press power)
   * boot from recoveryfs into recovery software
     (hold light button, then press power)
   * boot from external mmc/sdcard if present on device.
     (hold light button and hold power button)
3. custom boot functions that start with 'ntx_' that
   loads into memory:
   * ntx hardware configuration
   * device tree blob (mx6)
   * e-ink waveform
   then starts the kernel
   
On the root partition /dev/root which is a softlink to either
 * /dev/mmcblk0p1 (rootfs)
 * /dev/mmcblk0p2 (recoveryfs)
 * /dev/mmcblk1p1 (micro sd card)

searches for /linuxrc    (softlink to /bin/busybox)
searches for /sbin/init  (softlink to /bin/busybox)
kicks of /etc/init.d/rcS (in single user mode)
kicks of /etc/inittab    (in multi user mode)

/etc/init.d/rcS
* mounts /proc /sys /dev /var /tmp (basic liunx setup)
* loads udev to populate /dev (i think they chose for udev as mdev hangs on hotplug/kernel panic *kernel bug*)
* drivers are loaded (loading with insmod instead of fixing modprobe and loading it)
* powerled is turned off
* e-Reader software is loaded

Unpacking:

Code:

build@build:~$ ./kbunpack.sh boot.img
Kobo Boot Image Unpacker v0.1b (c) April 2019 GPLv2 by BloodRagg

Extracting Image
  extracting: mbr.img (mbr)
  extracting: serial.img (serial)
  extracting: ubootbin.img (ubootbin)
  extracting: hwconfig.img (hwconfig)
  extracting: fw.img (fw)
  extracting: dtb.img (dtb)
  extracting: ubootenv.img (ubootenv)
  extracting: data1.img (data1)
  extracting: data2.img (data2)
  extracting: uimage.img (uimage)
  extracting: initrd.img (initrd)
  extracting: waveform.img (waveform)
Done.
build@build:~$ ls -l
-rw-rw-r-- 1 build build     2048 mei 26 12:16 data1.bin
-rw-rw-r-- 1 build build    65536 mei 26 12:16 data1.img
-rw-rw-r-- 1 build build     2048 mei 26 12:16 data2.bin
-rw-rw-r-- 1 build build    65536 mei 26 12:16 data2.img
-rw-rw-r-- 1 build build       66 mei 26 12:16 hwconfig.bin
-rw-rw-r-- 1 build build     3072 mei 26 12:16 hwconfig.img
-rw-rw-r-- 1 build build     6144 mei 26 12:16 initrd.bin
-rw-rw-r-- 1 build build  3145712 mei 26 12:16 initrd.img
-rw-rw-r-- 1 build build      512 mei 26 12:16 mbr.img
-rw-rw-r-- 1 build build      456 mei 26 12:16 mbr.txt
-rw-rw-r-- 1 build build      512 mei 26 12:16 serial.img
-rw-rw-r-- 1 build build       17 mei 26 12:16 serial.txt
-rw-rw-r-- 1 build build   145972 mei 26 12:16 ubootbin.bin
-rw-rw-r-- 1 build build   523248 mei 26 12:16 ubootbin.img
-rw-rw-r-- 1 build build   131072 mei 26 12:16 ubootenv.img
-rw-rw-r-- 1 build build      674 mei 26 12:16 ubootenv.txt
-rw-rw-r-- 1 build build  1953688 mei 26 12:16 uimage.bin
-rw-rw-r-- 1 build build  3145728 mei 26 12:16 uimage.img
-rw-rw-r-- 1 build build  6760928 mei 26 12:16 waveform.bin
-rw-rw-r-- 1 build build 17825808 mei 26 12:16 waveform.img
-rw-rw-r-- 1 build build  1953624 mei 26 12:16 zimage.bin
build@build:~$

Packing...

Code:

./kbpack.sh boot.img hwconfig=hwconfig.bin uimage=uimage.bin mbr=mbr.img waveform=waveform.bin

Kobo Boot Image Packer v0.1b (c) April 2019 GPLv2 by BloodRagg

Building Image
  adding: hwconfig.bin (hwconfig)
  adding: uimage.bin (uimage)
  adding: mbr.img (mbr)
  adding: waveform.bin (waveform)
Done.

Imagefile: boot.img
build@build:~$

Enjoy,
BloodRagg

Disclaimer:
This shell script is provided as is without any guarantees or warranty. In
association with the product, I make no warranties or responsibility of any
kind, either express or implied, including but not limited to warranties of
merchantability, fitness for a particular purpose, of title, or of
noninfringement of third party rights. Use of the product by a user is at
the user’s risk.

[BloodRagg]

No comments at all, is my programming that bad ?

You can use this on full sd card >> images << too, I forgot to mention that.

[Owl_]

Quote:

Originally Posted by BloodRagg

No comments at all, is my programming that bad ?

You can use this on sd card images too, I forgot to mention that.

Do you mean I can create an image of my Kobo Aura One (It has an welded chip, not an internal micro sd)?

[BloodRagg]

Quote:

Originally Posted by Owl_

Do you mean I can create an image of my Kobo Aura One (It has an welded chip, not an internal micro sd)?

>>BRICK WARNING<<

No, I made an Image Dumper for that (click here)

Then you can copy the image to your PC and play around with these tools.

Unless you really know what you are doing you should not attempt to write modified
images back to your device. That's for people with internal sd cards only! Because
they can replace it if anything goes wrong.

[jgneff]

Quote:

Originally Posted by BloodRagg

2. adding multiple boot configurations, they modified it to boot into 3 configurations
* boot from rootfs into Kobo e-Reader software (press power)
* boot from recoveryfs into recovery software (hold light button, then press power)
* boot from external mmc/sdcard if present on device. (hold light button and hold power button)

Thanks for all the interesting information. Do you know what "hold light button" means? Is that the reset button that you can press through the hole in the back with a paper clip?

[sherman]

Quote:

Originally Posted by jgneff

Thanks for all the interesting information. Do you know what "hold light button" means? Is that the reset button that you can press through the hole in the back with a paper clip?

Some early lighted models (for example, the Glo) had a dedicated button to toggle the frontlight on/off. That's probably the button referred to.

[BloodRagg]

Quote:

Originally Posted by jgneff

Thanks for all the interesting information. Do you know what "hold light button" means? Is that the reset button that you can press through the hole in the back with a paper clip?

No, what sherman said. Mine indeed has a light button. That said it can be one of the other buttons if you have any. Just look at the factory reset sequence for you device.

Quote:

Originally Posted by sherman

Some early lighted models (for example, the Glo) had a dedicated button to toggle the frontlight on/off. That's probably the button referred to.

Correct

[frostschutz]

for the (original) H2O which does not have a light button, you trigger the boot mode with the touchscreen instead... tap both bottom screen corners while holding the power button -> factory reset. don't try it unless you want to lose your data.

[BloodRagg]

I've looked into the reset button, it does nothing i.c.w. any other buttons.
Afaict its just what it says. A pinhole button to reset your cpu in case it hangs.

[BloodRagg]

Released new version , kernel/uImage extraction was 64 bytes too short

Extracting correctly now as sha256sum matched:

Code:

32cead0bc7b1a809d1f0d8f7e5ac0f321ffe0abe7e01e7901cdd82488ddd75e1  uImage-sdcard.bin
32cead0bc7b1a809d1f0d8f7e5ac0f321ffe0abe7e01e7901cdd82488ddd75e1  uImage-E606C0 (update 4.15 mark4)