|  10-07-2012, 11:00 AM | #31 | 
| Zealot            Posts: 101 Karma: 34554 Join Date: Aug 2012 Device: none | |
|   |   | 
|  10-07-2012, 11:27 AM | #32 | 
| Zealot            Posts: 102 Karma: 38810 Join Date: Apr 2011 Device: Sony PRS-T1 | 
			
			fantastic!
		 | 
|   |   | 
|  10-07-2012, 12:50 PM | #33 | 
| Zealot            Posts: 101 Karma: 34554 Join Date: Aug 2012 Device: none | 
			
			According to the T2 NAND dump the encryption key and the RSA private key both are identical to the T1?!    | 
|   |   | 
|  10-07-2012, 02:10 PM | #34 | 
| Zealot            Posts: 101 Karma: 34554 Join Date: Aug 2012 Device: none | 
			
			The dump contains the necessary information to create both own (update) *.package files as well as the information on what is required for an update.img on the SD card. So root access and rooting should be easily possible!   Garyn, we owe you!
		 Last edited by ebmr; 10-07-2012 at 04:57 PM. Reason: cheered too soon | 
|   |   | 
|  10-07-2012, 02:45 PM | #35 | 
| Zealot            Posts: 136 Karma: 493152 Join Date: Mar 2012 Location: Spain Device: Kindle Oasis 2 | 
			
			As Russian downloads fail sometimes, I've uploaded to another server:
			T2_NAND_dump_1.0.03.09110 http://uploaded.net/file/4yj8c1i8
			T2_FS_1.0.03.09110 http://uploaded.net/file/zysjeng4 | 
|   |   | 
|  10-07-2012, 02:51 PM | #36 | 
| Zealot            Posts: 136 Karma: 493152 Join Date: Mar 2012 Location: Spain Device: Kindle Oasis 2 | |
|   |   | 
|  10-07-2012, 03:02 PM | #37 | 
| Zealot            Posts: 101 Karma: 34554 Join Date: Aug 2012 Device: none | 
			
			Telling.   (I should have switched ? and ! in my posting.) I was surprised that Sony didn't change them, but that they didn't work with porkupan's tools for the T1. (Sony changed something with the (update) *.packages as I know now after having a look in Garyn's files.) | 
|   |   | 
|  10-07-2012, 03:56 PM | #38 | 
| Fanatic            Posts: 556 Karma: 1057213 Join Date: Sep 2006 Location: North Eastern U.S. Device: Sony Reader | 
			
			The updates are signed by Sony's private key, which may be identical to the one in the Russian T1, but it doesn't matter as we don't know what it is...  Keep looking, but I don't think the update mechanism is going to be available to us this time around. There is another private key in Info, which has always been used to verify the integrity of the updates, but it is not what we need to sign the update packages... | 
|   |   | 
|  10-07-2012, 04:07 PM | #39 | 
| Zealot            Posts: 101 Karma: 34554 Join Date: Aug 2012 Device: none | 
			
			Well, how did you manage to create the PRS-T1 Updater.package in your minimal-root then?
		 | 
|   |   | 
|  10-07-2012, 04:22 PM | #40 | 
| Fanatic            Posts: 556 Karma: 1057213 Join Date: Sep 2006 Location: North Eastern U.S. Device: Sony Reader | 
			
			The updates were not signed until the PRS-G1 and PRS-T1/RU were introduced.  In the PRS-T1/US and PRS-T1/JP the updates were unsigned.  We managed to find an exploit in the MSC API program on the reader (switcher), which allowed us (for the Russian T1) to overwrite the Recovery Rootfs and Diags Rootfs with the ones that accepted packages signed by my key as well.  Also allowed to accept unsigned images for SD boot.  However, Sony has closed the hole in switcher in the T2 (amazing that they found the exact problem in their logic, which leads me to believe that they used a code analyzer tool of some sort, or stole my code that has not been published).  So, a new exploit is now needed.
		 Last edited by porkupan; 10-07-2012 at 04:44 PM. Reason: Clarity | 
|   |   | 
|  10-07-2012, 05:01 PM | #41 | 
| Zealot            Posts: 101 Karma: 34554 Join Date: Aug 2012 Device: none | 
			
			Damn!   A closer look at the handling of update.img proves you right (of course). The image's sha1 is signed and will be checked in sig_check(). | 
|   |   | 
|  10-07-2012, 06:20 PM | #42 | 
| Zealot            Posts: 102 Karma: 38810 Join Date: Apr 2011 Device: Sony PRS-T1 | 
			
			deleted message
		 Last edited by m3l7d0wN; 10-07-2012 at 06:23 PM. | 
|   |   | 
|  10-08-2012, 02:02 AM | #43 | 
| Wizard            Posts: 3,064 Karma: 18821071 Join Date: Oct 2010 Location: Sudbury, ON, Canada Device: PRS-505, PB 902, PRS-T1, PB 623, PB 840, PB 633 | 
			
			So, what is it that they are working so hard to protect?  Dictionaries?  I wonder why keeping root access from users is such a high priority?
		 | 
|   |   | 
|  10-08-2012, 06:06 AM | #44 | 
| Zealot            Posts: 102 Karma: 38810 Join Date: Apr 2011 Device: Sony PRS-T1 | 
			
			At least we have the reader APKs of the T2. I have to try them on my T1.
		 | 
|   |   | 
|  10-08-2012, 06:07 AM | #45 | 
| Member  Posts: 12 Karma: 10 Join Date: Aug 2012 Device: PRS-T2 | 
			
			They have now progressed even further. The T2 is hacked!!!  Still too early for a public release, but it's on its way   | 
|   |   | 