Old Yesterday, 02:21 PM   #1
SERG-987
Device: PocketBook 912
Connecting 8BitDo Micro (HID Keyboard) to legacy PocketBook 912 — "Permission Denied"

Hi everyone,

I'm trying to use an 8BitDo Micro controller in Keyboard Mode (K) as a remote for my legacy PocketBook 912 (Linux kernel 2.6.29).

I have managed to set up a local BlueZ 3.36 environment in a standalone directory on the SD card (/mnt/ext1/rootdir/opt/). I am accessing the device via SSH and a local terminal (PBTerm).

The progress so far:

1. Discovery works: hcitool scan successfully finds the gamepad: E4:17:D8:6B:AB:DB 8BitDo Micro gamepad.

2. Adapter status: hciconfig -a shows the Broadcom (BT 2.1) adapter as UP RUNNING PSCAN ISCAN AUTH.

3. Binaries: I’m using hidd and rfcomm from the Optware archive (ARMv6), running them via the system linker /lib/ld-linux.so.3 to bypass noexec on FAT32.

The Problem:

Whenever I try to initiate a connection, I hit a security/permissions wall:

- hidd --connect [MAC] returns: Can't get device information: Permission denied.
- rfcomm connect 0 [MAC] 1 returns: Can't connect RFCOMM socket: Permission denied.

Sometimes a system PIN prompt appears on the E-ink screen, but "0000" or "1234" fails with an "Invalid exchange" error in the console.

My questions for the experts:

1. Since I'm logged in as the sreader user, it seems I lack the permissions to create Bluetooth sockets. Is there a known way to gain temporary root access on the PB912 (Firmware 2.1.x) to run hidd as a superuser?

2. Where does the PocketBook firmware store linkkeys? I want to manually inject the gamepad's MAC address as a "trusted" device to bypass the PIN agent. There is no /var/lib/bluetooth or /etc/bluetooth directory available to the sreader user.

3. Is there a way to kill the native pbbtservice (or equivalent) to free up hci0 for my custom BlueZ tools?

I’ve put a lot of effort into making the Micro work with this vintage device and would appreciate any guidance from the community's "old guard"!

Full dmesg and hciconfig logs are available upon request.
Code:
/bin/ash: can't access tty; job control turned off


BusyBox v1.16.1 (2010-10-11 18:29:44 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ cd /mnt/ext1/rootdir/
$ export LD_LIBRARY_PATH=/mnt/ext1/rootdir/opt/lib:$LD_LIBRARY_PATH
$ ./opt/bin/hcitool scan
Scanning ...
        E4:17:D8:6B:AB:DB       8BitDo Micro gamepad
        9E:64:03:5E:CF:8F       M01BT
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/hidd --connect E4:17:D8:6B:AB:DB
Can't get device information: Permission denied
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/hidd --search --connect E4:17:D8:6B:AB:DB
Can't get device information: Permission denied
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm bind 0 E4:17:D8:6B:AB:DB 1
Can't create device: Operation not permitted
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm connect 0 E4:17:D8:6B:AB:DB 1
Can't connect RFCOMM socket: Permission denied
$ /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm connect 0 E4:17:D8:6B:AB:DB 1
Can't connect RFCOMM socket: Permission denied
$ LD_LIBRARY_PATH=/mnt/ext1/rootdir/opt/lib /lib/ld-linux.so.3 /mnt/ext1/rootdir/opt/bin/rfcomm connect 0 E4:17:D8:6B:AB:DB 1
Can't connect RFCOMM socket: Permission denied
$
Old Yesterday, 03:12 PM   #2
SERG-987
I have SSH access (user: sreader).

The old exploit:
/ebrmain/bin/netagent btservice "\"|| /bin/sh ..."
fails with 'command not recognized'.

It seems netagent in firmware 2.1.x has been patched.

Question: Is there a working 'Sudo' or 'Rootsh' package for this specific firmware version?

Or a known way to trigger a root shell via extensions.cfg or by replacing a system binary in /ebrmain/bin/? I already have BlueZ 3.36 tools ready, just need the # permissions to run hidd.
Old Yesterday, 04:17 PM   #3
rkomar
Device: PRS-505, PB 902, PRS-T1, PB 623, PB 840, PB 633
I think that firmware 2.0.6 was the last to allow that exploit. You can probably downgrade to that version, but who knows if the bluetooth functionality is worse with it?

I don't know of any root exploits for later firmwares, but I wasn't interested enough to learn much about it. I have seen websites that show older devices being rooted, so maybe some searching will find something that you can use. None of those details ever showed up here at mobileread.
Old Today, 12:23 AM   #4
SERG-987
Quote:
Originally Posted by rkomar View Post
I think that firmware 2.0.6 was the last to allow that exploit. You can probably downgrade to that version, but who knows if the bluetooth functionality is worse with it?

I don't know of any root exploits for later firmwares, but I wasn't interested enough to learn much about it. I have seen websites that show older devices being rooted, so maybe some searching will find something that you can use. None of those details ever showed up here at mobileread.

I opened up my PocketBook Pro 912, but I couldn't locate any clear UART test points or pads (no labeled TX/RX/GND like on some newer PocketBooks).

The board looks pretty clean, but nothing jumps out as serial pins.

Has anyone disassembled a 912 (or the similar 902/903) and found the UART location?

Photos of the PCB with marked pins would be incredibly helpful!

I'm still hoping to get serial console access for root – from what I've seen on other models, interrupting boot at 115200 baud drops to root shell.

If there's another way to gain root on these old 9xx series without UART, that would be great too. Appreciate any help or links to teardowns!

Thanks!
Old Today, 02:27 PM   #5
SERG-987
https://github.com/plops/pocketbook3...pocketbook.org

the kernel.img is probably created with the tool mkimage (from u-boot distribution, see Introduction to Das U-Boot in Linux Journal, Curt Brune, 2004-08-29)
apparently, I can’t just boot these things in qemu
martin@acergpu:~/pb-contents/split$ qemu-system-arm -kernel kernel.img -mtdblock rootfs.img
VNC server running on `127.0.0.1:5900'
qemu: fatal: Trying to execute code outside RAM or ROM at 0x30008000
the images are yaffs Aug 19 2010 16:52:33 (this is probably not the yaffs version, but the time, when the image was created – one hour later than the kernel) and not jffs2
software to decode yaffs http://code.google.com/p/yaffs2utils/
someone posted a possible password 0df6126571f873829f9ab23d129d786e in the u-boot, and here and there. This amount corresponds to the md5 password allenchen
SERG-987 is offline   Reply With Quote
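Added example, not part of the original post or of the linked notes: the notes in post #5 guess that kernel.img was produced by mkimage. A legacy mkimage (uImage) file starts with a fixed 64-byte big-endian header, so the guess can be checked by decoding that header and verifying both CRCs. The sample image is constructed in the code, and its load address 0x30008000 is borrowed from the qemu error as an assumption about the real file.

```python
import struct
import zlib

# Legacy U-Boot image header written by mkimage: 64 bytes, big-endian.
HEADER = struct.Struct(">7I4B32s")
UIMAGE_MAGIC = 0x27051956
OS_NAMES = {5: "linux"}
ARCH_NAMES = {2: "arm"}
TYPE_NAMES = {2: "kernel"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2"}


def parse_uimage(blob):
    """Decode and verify the 64-byte mkimage header at the start of blob."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, ts, size, load, entry, dcrc,
     os_id, arch, kind, comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic 0x%08x: not a legacy uImage" % magic)
    # The header CRC is computed with the ih_hcrc field itself set to zero.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    payload = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "timestamp": ts, "size": size, "load": load, "entry": entry,
        "os": OS_NAMES.get(os_id, os_id), "arch": ARCH_NAMES.get(arch, arch),
        "type": TYPE_NAMES.get(kind, kind), "comp": COMP_NAMES.get(comp, comp),
        "header_crc_ok": (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc,
        "data_crc_ok": len(payload) == size
                       and (zlib.crc32(payload) & 0xFFFFFFFF) == dcrc,
    }


def load_fits_ram(hdr, ram_base, ram_size):
    """True if the whole payload lands inside the given RAM window."""
    end = hdr["load"] + hdr["size"]
    return ram_base <= hdr["load"] and end <= ram_base + ram_size


def make_sample(load=0x30008000, payload=b"\x00" * 128):
    """Constructed stand-in for kernel.img (not the real PocketBook image)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, load,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, 2, 0, b"constructed-sample"]
    fields[1] = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload


if __name__ == "__main__":
    info = parse_uimage(make_sample())
    print(info, load_fits_ram(info, 0x0, 128 << 20))
```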