Connecting 8BitDo Micro (HID Keyboard) to legacy PocketBook 912 — "Permission Denied"

[SERG-987]

Hi everyone,

I'm trying to use an 8BitDo Micro controller in Keyboard Mode (K) as a remote for my legacy PocketBook 912 (Linux kernel 2.6.29).

I have managed to set up a local BlueZ 3.36 environment in a standalone directory on the SD card (/mnt/ext1/rootdir/opt/). I am accessing the device via SSH and a local terminal (PBTerm).

The progress so far:

1. Discovery works: hcitool scan successfully finds the gamepad: E4:178:6B:ABB 8BitDo Micro gamepad.

2. Adapter status: hciconfig -a shows the Broadcom (BT 2.1) adapter as UP RUNNING PSCAN ISCAN AUTH.

3. Binaries: I’m using hidd and rfcomm from the Optware archive (ARMv6), running them via the system linker /lib/ld-linux.so.3 to bypass noexec on FAT32.

The Problem:

Whenever I try to initiate a connection, I hit a security/permissions wall:

- hidd --connect [MAC] returns: Can't get device information: Permission denied.
- rfcomm connect 0 [MAC] 1 returns: Can't connect RFCOMM socket: Permission denied.

Sometimes a system PIN prompt appears on the E-ink screen, but "0000" or "1234" fails with an "Invalid exchange" error in the console.

My questions for the experts:

1. Since I'm logged in as the sreader user, it seems I lack the permissions to create Bluetooth sockets. Is there a known way to gain temporary root access on the PB912 (Firmware 2.1.x) to run hidd as a superuser?

2. Where does the PocketBook firmware store linkkeys? I want to manually inject the gamepad's MAC address as a "trusted" device to bypass the PIN agent. There is no /var/lib/bluetooth or /etc/bluetooth directory available to the sreader user.

3. Is there a way to kill the native pbbtservice (or equivalent) to free up hci0 for my custom BlueZ tools?

I’ve put a lot of effort into making the Micro work with this vintage device and would appreciate any guidance from the community's "old guard"!

Full dmesg and hciconfig logs are available upon request.

Code:

/bin/ash: can't access tty; job control turned off


BusyBox v1.16.1 (2010-10-11 18:29:44 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ cd /mnt/ext1/rootdir/
$ export LD_LIBRARY_PATH=/mnt/ext1/rootdir/opt/lib:$LD_LIBRARY_PATH
$ ./opt/bin/hcitool scan
Scanning ...
        E4:17:D8:6B:AB:DB       8BitDo Micro gamepad
        9E:64:03:5E:CF:8F       M01BT
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/hidd --connect E4:17:D8:6B:AB:DB
Can't get device information: Permission denied
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/hidd --search --connect E4:17:D8:6B:AB:DB
Can't get device information: Permission denied
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm bind 0 E4:17:D8:6B:AB:DB 1
Can't create device: Operation not permitted
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm connect 0 E4:17:D8:6B:AB:DB 1
Can't connect RFCOMM socket: Permission denied
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm connect 0 E4:17:D8:6B:AB:DB 1
Can't connect RFCOMM socket: Permission denied
$ LD_LIBRARY_PATH=/mnt/ext1/rootdir/opt/lib /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm connect 0 E4:17:D8:6B:AB:DB 1
Can't connect RFCOMM socket: Permission denied
$

[SERG-987]

I have SSH access (user: sreader).

The old exploit:
/ebrmain/bin/netagent btservice "\"|| /bin/sh ..."
fails with 'command not recognized'.

It seems netagent in firmware 2.1.x has been patched.

Question: Is there a working 'Sudo' or 'Rootsh' package for this specific firmware version?

Or a known way to trigger a root shell via extensions.cfg or by replacing a system binary in /ebrmain/bin/? I already have BlueZ 3.36 tools ready, just need the # permissions to run hidd."

[rkomar]

I think that firmware 2.0.6 was the last to allow that exploit. You can probably downgrade to that version, but who knows if the bluetooth functionality is worse with it?

I don't know of any root exploits for later firmwares, but I wasn't interested enough to learn much about it. I have seen websites that show older devices being rooted, so maybe some searching will find something that you can use. None of those details ever showed up here at mobileread.

[SERG-987]

Quote:

Originally Posted by rkomar

I think that firmware 2.0.6 was the last to allow that exploit. You can probably downgrade to that version, but who knows if the bluetooth functionality is worse with it?

I don't know of any root exploits for later firmwares, but I wasn't interested enough to learn much about it. I have seen websites that show older devices being rooted, so maybe some searching will find something that you can use. None of those details ever showed up here at mobileread.

I opened up my PocketBook Pro 912, but I couldn't locate any clear UART test points or pads (no labeled TX/RX/GND like on some newer PocketBooks).

The board looks pretty clean, but nothing jumps out as serial pins.

Has anyone disassembled a 912 (or the similar 902/903) and found the UART location?

Photos of the PCB with marked pins would be incredibly helpful!

I'm still hoping to get serial console access for root – from what I've seen on other models, interrupting boot at 115200 baud drops to root shell.

If there's another way to gain root on these old 9xx series without UART, that would be great too.Appreciate any help or links to teardowns!

Thanks!

[SERG-987]

https://github.com/plops/pocketbook3...pocketbook.org

the kernel.img is probably created with the tool mkimage (from u-boot distribution, see Introduction to Das U-Boot in Linux Journal, Curt Brune, 2004-08-29)
apparently, i can’t just boot these things in qemu martin@acergpu:~/pb-contents/split$ qemu-system-arm -kernel kernel.img -mtdblock rootfs.img VNC server running on `127.0.0.1:5900’ qemu: fatal: Trying to execute code outside RAM or ROM at 0x30008000
the images are yaffs Aug 19 2010 16:52:33 (this is probably not the yaffs version, but the time, when the image was created – one hour later than the kernel) and not jffs2
software to decode yaffs http://code.google.com/p/yaffs2utils/
someone posted a possible password 0df6126571f873829f9ab23d129d786e in the u-boot, and here and there. This amount corresponds to the md5 password allenchen

[SERG-987]

/bin/ash: can't access tty; job control turned off


BusyBox v1.16.1 (2010-10-11 18:29:44 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ export LD_LIBRARY_PATH=/mnt/ext1/rootdir/opt/lib:$LD_LIBRARY_PATH
$ /mnt/ext1/rootdir/opt/sbin/hciconfig hci0 sspmode 1
Can't set Simple Pairing mode on hci0: Operation not permitted (1)
$

[SERG-987]

I am currently preparing to gain full root access to an e-book reader based on the Samsung S3C6410 CPU (EBR-100 platform). I have already established an SSH connection as a restricted user (sreader) and analyzed the system structure.
Technical Details:
Bootloader: U-Boot 1.3.4 (password protected, but password is known).
OS: Linux with BusyBox v1.16.1.
Filesystem: The root partition (/) is ext2 mounted as Read-Only. Since it is not SquashFS, I expect to be able to remount it as RW once I have serial console access.
Persistence Strategy: The /mnt/secure partition is ext3 and is mounted as Read-Write. I have verified that it supports SUID flags and execution. I have already placed a BusyBox binary (mybox) there as a "foothold."
Planned Actions (Awaiting UART Cables):
Connect via UART (3.3V TTL) and interrupt the boot process to enter the U-Boot prompt.
Modify boot arguments: setenv bootargs ${bootargs} rw init=/bin/sh to bypass the standard init process and gain an immediate root shell.
Remount the root filesystem: mount -o remount,rw /.
Grant SUID permissions to the system BusyBox or modify the owner of my staged binary: chown root:root /mnt/secure/mybox and chmod 4755 /mnt/secure/mybox.
Modify /etc/init.d/rcS to automate Bluetooth configuration (hciconfig hci0 sspmode 1) on boot.
Objective:
Enable Bluetooth Simple Secure Pairing (SSP) which is currently restricted due to lack of root privileges (Operation not permitted). UART cables are ordered and en route for 2026 delivery.

Spoiler:

mount
rootfs on / type rootfs (rw)
/dev/root on / type ext2 (ro,errors=continue)
none on /proc type proc (rw)
none on /var type tmpfs (rw,size=131072k)
none on /sys type sysfs (rw)
none on /var/dev/pts type devpts (rw,mode=622,ptmxmode=000)
tmpfs on /var/dev/shm type tmpfs (rw)
/dev/mmcblk0p3 on /ebrmain type ext2 (ro,errors=continue)
/dev/mmcblk0p2 on /mnt/secure type ext3 (rw,errors=continue,data=ordered)
/dev/loop0 on /ebrmain/cramfs type cramfs (ro)
/dev/mmcblk0p1 on /mnt/ext1 type vfat (rw,dirsync,nosuid,nodev,noatime,fmask=0000,dmask= 0000,allow_utime=0022,codepage=cp437,iocharset=utf 8,errors=remount-ro)
/dev/mmcblk1 on /mnt/ext2 type vfat (rw,dirsync,nosuid,nodev,noatime,fmask=0000,dmask= 0000,allow_utime=0022,codepage=cp437,iocharset=utf 8,errors=remount-ro)
id
uid=102(sreader) gid=102(sreader) groups=3003
ls -l /bin/sh /bin/busybox
-rwxr-xr-x 1 root root 408068 Apr 11 2012 /bin/busybox
lrwxrwxrwx 1 root root 7 Apr 11 2012 /bin/sh -> busybox
ls -F /etc/init.d/
rcS*
cat /etc/init.d/rcS
#! /bin/sh

usleep 250000

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/lib:
runlevel=S
prevlevel=N
umask 022
export PATH runlevel prevlevel

trap ":" INT QUIT TSTP

/bin/mount -o remount,ro rootfs /

/bin/mount -t proc none /proc

/bin/mount -t tmpfs none /var -o size=128M
/bin/mount -t sysfs none /sys

/bin/mkdir -p /var/dev
/bin/mkdir -p /var/lib
/bin/mkdir -p /var/run
/bin/mkdir -p /var/log
/bin/mkdir -p /var/tmp

cp -rfp /usr/dev/* /dev

#insmod /lib/modules/pvi_io.ko
/bin/hwconfig -v

/bin/hwconfig -d
DTYPE=$?
/bin/hwconfig -c
CTYPE=$?
if [ $CTYPE = 2 ] ; then
insmod /lib/modules/cfbcopyarea.ko
insmod /lib/modules/cfbimgblt.ko
insmod /lib/modules/cfbfillrect.ko
if [ $DTYPE = 3 ] ; then
insmod /lib/modules/s1d13521fb-9d7.ko
else
insmod /lib/modules/s1d13521fb.ko
fi
else
echo "*** unknown controller type: $CTYPE"
fi

/bin/hwconfig -a
ATYPE=$?
if [ $ATYPE = 2 ] ; then
#insmod /lib/modules/alc5623.ko
true
elif [ $ATYPE != 0 ] ; then
echo "*** unknown audio chip: $ATYPE"
fi

/bin/hwconfig -t
TTYPE=$?
if [ $TTYPE != 0 ] ; then
echo "*** unknown touchpanel type: $TTYPE"
fi

/bin/hwconfig -g
GTYPE=$?
if [ $GTYPE = 3 ] ; then
#insmod /lib/modules/mma7455.ko
true
elif [ $GTYPE != 0 ] ; then
echo "*** unknown g-sensor type: $GTYPE"
fi

/bin/hostname pocketbook
#echo burn > /sys/bus/i2c/drivers/max17043/1-0036/burn
#echo 0 > /sys/bus/i2c/drivers/max17043/1-0036/reset
#/bin/batt_calibrate.sh &
echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

if /bin/swupdate -c ; then
# moving all to ramfs for reliable update
mkdir -p /tmp/root/proc /tmp/root/sys
mkdir -p /tmp/root/mnt/ext1 /tmp/root/mnt/ext2 /tmp/root/tmp
cp -rpH /dev /tmp/root/
cp -rpH /etc /tmp/root/
cp -rpH /bin /tmp/root/
cp -rpH /sbin /tmp/root/
cp -rpH /lib /tmp/root/
mount -t proc proc /tmp/root/proc
mount -t sysfs none /tmp/root/sys
sync
exec chroot /tmp/root /bin/swupdate -u &
exit
fi

mount -a
chmod 700 /mnt/secure
chmod u+s,g+s /mnt/secure
chown -R 102:102 /mnt/secure

echo "Setting loopback interface"
ifconfig lo 127.0.0.1 netmask 255.0.0.0

#RUNNING AP
if [ -f /ebrmain/pocketbook ]; then
export QT_QPA_PLATFORM=pocketbook
cd /ebrmain
./pocketbook
cd /
else
echo "no ebrmain executable - starting device test"
/bin/swupdate -t &
fi



cat /etc/passwd
root:x:0:0:root:/:/bin/sh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
nobody:*:99:99:Nobody:/:
reader:*:101:101:reader:/:
sreader:*:102:102:sreader:/:

dmesg | grep -i blue
<6>Bluetooth: Core ver 2.15
<6>Bluetooth: HCI device and connection manager initialized
<6>Bluetooth: HCI socket layer initialized
<6>Bluetooth: HCI UART driver ver 2.2
<6>Bluetooth: HCI H4 protocol initialized
<6>Bluetooth: L2CAP ver 2.13
<6>Bluetooth: L2CAP socket layer initialized
<6>Bluetooth: SCO (Voice Link) ver 0.6
<6>Bluetooth: SCO socket layer initialized
<6>Bluetooth: RFCOMM socket layer initialized
<6>Bluetooth: RFCOMM TTY layer initialized
<6>Bluetooth: RFCOMM ver 1.11
<6>Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>Bluetooth: BNEP filters: protocol multicast
<6>Bluetooth: HIDP (Human Interface Emulation) ver 1.2
lsmod

dhd 197504 0 - Live 0xbf000000
env
SSH_CLIENT=192.168.1.90 55309 1124
MAIL=/var/mail/sreader
USER=sreader
OLDPWD=/
HOME=/
LOGNAME=sreader
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/mnt/ext1/system/bin:/mnt/ext1/applications/pb_sshd/usr/bin:/mnt/ext1/applications/pb_sshd/usr/sbin
SHELL=/bin/sh
PWD=/bin
SSH_CONNECTION=192.168.1.90 55309 192.168.1.234 1124
ls -al /mnt/secure
drws--S--- 6 sreader sreader 4096 Mar 24 2017 .
drwxr-xr-x 6 root root 1024 Apr 11 2012 ..
-r-------- 1 sreader sreader 4 Dec 28 2011 .freezestatus
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_1
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_2
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 dictionaries
-rwxr-xr-x 1 sreader sreader 16 Aug 25 2018 last_update
drwxr-xr-x 2 sreader sreader 16384 Mar 21 2011 lost+found
-rwxr-xr-x 1 sreader sreader 58 Mar 24 2017 netdevcache
-rwxr-xr-x 1 sreader sreader 1267 Jun 7 2010 nvram.txt
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 pbpk
-rwxr-xr-x 1 sreader sreader 8 Aug 15 2012 reg.status
-rwxr-xr-x 1 sreader sreader 80 Aug 15 2012 swupdate.db
drwxr-xr-x 3 sreader sreader 4096 Nov 23 16:58 tts
ls -al /mnt/secure
drws--S--- 6 sreader sreader 4096 Mar 24 2017 .
drwxr-xr-x 6 root root 1024 Apr 11 2012 ..
-r-------- 1 sreader sreader 4 Dec 28 2011 .freezestatus
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_1
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_2
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 dictionaries
-rwxr-xr-x 1 sreader sreader 16 Aug 25 2018 last_update
drwxr-xr-x 2 sreader sreader 16384 Mar 21 2011 lost+found
-rwxr-xr-x 1 sreader sreader 58 Mar 24 2017 netdevcache
-rwxr-xr-x 1 sreader sreader 1267 Jun 7 2010 nvram.txt
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 pbpk
-rwxr-xr-x 1 sreader sreader 8 Aug 15 2012 reg.status
-rwxr-xr-x 1 sreader sreader 80 Aug 15 2012 swupdate.db
drwxr-xr-x 3 sreader sreader 4096 Nov 23 16:58 tts

drws--S--- 6 sreader sreader 4096 Mar 24 2017 .
drwxr-xr-x 6 root root 1024 Apr 11 2012 ..
-r-------- 1 sreader sreader 4 Dec 28 2011 .freezestatus
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_1
-rw-rw-rw- 1 sreader sreader 16 Aug 15 2012 .hashsum_2
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 dictionaries
-rwxr-xr-x 1 sreader sreader 16 Aug 25 2018 last_update
drwxr-xr-x 2 sreader sreader 16384 Mar 21 2011 lost+found
-rwxr-xr-x 1 sreader sreader 58 Mar 24 2017 netdevcache
-rwxr-xr-x 1 sreader sreader 1267 Jun 7 2010 nvram.txt
drwxr-xr-x 2 sreader sreader 4096 Jun 25 2019 pbpk
-rwxr-xr-x 1 sreader sreader 8 Aug 15 2012 reg.status
-rwxr-xr-x 1 sreader sreader 80 Aug 15 2012 swupdate.db
drwxr-xr-x 3 sreader sreader 4096 Nov 23 16:58 tts
-sh: drws--S---: not found
-sh: drwxr-xr-x: not found
-sh: -r--------: not found
-sh: -rw-rw-rw-: not found
-sh: -rw-rw-rw-: not found
-sh: drwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: drwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: drwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: -rwxr-xr-x: not found
-sh: drwxr-xr-x: not found

[rkomar]

It sounds like you found the pads to connect to the UART. Where were they?

[SERG-987]

Quote:

Originally Posted by rkomar

It sounds like you found the pads to connect to the UART. Where were they?

CON4

115200 / none / 8 / 1 / NONE

8 - GND
9 - TX
10 - RX