Hacking on the PRS-600 - can you run arbitrary code?

[dclavey]

Quote:

Originally Posted by porkupan

It's not the autorun.xml, it's the place where this file is. In PRS-600 the only autorun allowed is the autorun from /opt/sony/application/resources/test directory. That's all...

Why does the service manual, page 8, say :

Quote:

2. Make the new directly as “/Sony Reader/software” on the SD
memory card.
3. Make the new fi le as “/Sony Reader/software/Autorun.xml” on
the SD memory card.

Surely this suggests that it is possible to make an Autorun.xml on the SD card work?

[porkupan]

Quote:

Originally Posted by dclavey

Surely this suggests that it is possible to make an Autorun.xml on the SD card work?

Well, does it say that the file has to be non-empty, or anything like that? This is pretty much all there has to be - a file. But this is not the file that's used to load the autorun scripts.

[dclavey]

Quote:

Originally Posted by porkupan

But this is not the file that's used to load the autorun scripts.

O sorry , I was under the impression that if you put a Autorun.xml and Autorun.js in the "special" directory "/Sony Reader/software" and inserted the SD Card in a 300, 500 or 505 Sony unit that the Javascript code would magically run...

And that the whole point of this Thread was to work out why a 600 (and 700 presumably) did not run the Javascript...

As I have only just bought a 600, and am a hacker, running Javascript sounded like fun, especially as my experiments to put 13,000 books on a 16 Gig fash drive failed, and I am looking to see if I can program my way around it. (It failed because it takes hours to re-index every time you remove the USB,see seperate thread) I am thinking I might be able to store my books in a blob on the flash drive and extract them when I want them.

Regarding Autorun.xml and Autorun.js in the "special" directory "/Sony Reader/software" Have I got it completely wrong?

[igorsk]

On the devices before PRS-600 a user-supplied autorun.xml gets loaded. On PRS-600, a user-supplied autorun.xml plus some buttons triggers loading of internal autorun.xml. The content of the user-supplied autorun.xml is completely ignored.

[dclavey]

Quote:

Originally Posted by igorsk

On PRS-600, a user-supplied autorun.xml plus some buttons triggers loading of internal autorun.xml.

Got it, even had a look at the test menu in question, just a moment ago.

Do we suspect there is some other secret (undocumented) way of getting Javascript to run? Or that Sony have closed all the back doors other than hacking a firmware update itself?

[igorsk]

It seems they disabled external stuff quite completely.

[Darkstorm666]

Quote:

Originally Posted by RyeBrye

It doesn't seem to do anything with the CONTENTS of said xml file.

Anyone want to provide me with a dump of the firmware of the 600? Probably will need to use a serial console.

I'll need to pour over the image and see a few things. 1: what kind of encryption is used on the images. 2: what key is used to decrypt it 3: if there is something about the autorun.xml that needs to be done differently to run commands from it.

My wife won't let me take hers apart. If we want to wait until october to hack these things, I suppose I could get one too.

I have a PRS-600 Reader. But I have to say that it supports very little ebook formats.
It doesn't support the .LIT format. Isn't there someone here who can make the OS of the reader support .LIT. I'd be very grateful.

This website gives you the open source codes that they used in the PRS-600. http://www.sony.net/Products/Linux/

Darkstorm666

[kenmark]

Quote:

Originally Posted by Darkstorm666

I have a PRS-600 Reader. But I have to say that it supports very little ebook formats.

The PRS-600 supports lrf lrx pdf ePub txt rtf (Plus doc & docx through eBook Library to rtf)

[dclavey]

Quote:

Originally Posted by Darkstorm666

It doesn't support the .LIT format.

Calibre seems to convert books in .LIT format to ePub format quite well. I have converted over 2000 books, and ePub is a very easy format to tweek after conversion.

[dclavey]

Quote:

Originally Posted by igorsk

It seems they disabled external stuff quite completely.

Surely we could (with some hacking effort) create a firmware update to simply put back functionality which will allow JavaScript to be called again from a flash drive? Could we not just patch the "Test" software routines so they call Autorun.xml on the flash card rather than the "/opt/sony/application/resources/test" directory

Regarding the 600 sources

■MAKEDEV-3.21-3.src.rpm
■busybox-1.9.1.tgz
■dosfstools-2.11.src.tar.gz
■freetype-2.1.10080414.tar.gz
■initscripts-8.31.6-1.src.rpm
■linux-2.6.23_090626.tgz
■linux-kernel-headers-2.6.13-1.src.rpm
■make-3.80-10.2.src.rpm
■modules_090626.tgz
■mtd-20050419-2.src.rpm
■nandboot_090626.tgz
■openssl-0.9.8j.tar.gz
■procps-3.2.6-3.5.src.rpm
■sourceryg++-4.2-28armeabi.src.rpm
■uClibc-0.9.29.tar.gz
■udev-106-4.src.rpm
■util-linux-2.13-0.20.4.src.rpm
■zlib-1.2.3-1.2.1.src.rpm

What tools can I use to look inside these sources? Which sources are the most interesting from a patching point of view?

[Justice Strike]

Quote:

Originally Posted by dclavey

Surely we could (with some hacking effort) create a firmware update to simply put back functionality which will allow JavaScript to be called again from a flash drive? Could we not just patch the "Test" software routines so they call Autorun.xml on the flash card rather than the "/opt/sony/application/resources/test" directory

Regarding the 600 sources

■MAKEDEV-3.21-3.src.rpm
■busybox-1.9.1.tgz
■dosfstools-2.11.src.tar.gz
■freetype-2.1.10080414.tar.gz
■initscripts-8.31.6-1.src.rpm
■linux-2.6.23_090626.tgz
■linux-kernel-headers-2.6.13-1.src.rpm
■make-3.80-10.2.src.rpm
■modules_090626.tgz
■mtd-20050419-2.src.rpm
■nandboot_090626.tgz
■openssl-0.9.8j.tar.gz
■procps-3.2.6-3.5.src.rpm
■sourceryg++-4.2-28armeabi.src.rpm
■uClibc-0.9.29.tar.gz
■udev-106-4.src.rpm
■util-linux-2.13-0.20.4.src.rpm
■zlib-1.2.3-1.2.1.src.rpm

What tools can I use to look inside these sources? Which sources are the most interesting from a patching point of view?

rpm2cpio and cpio

Code:

rpm2cpio php-5.1.4-1.esp1.x86_64.rpm | cpio -idmv

but really... if you have to ask this question you really shouldn't be playing with this stuff.

[Darkstorm666]

Even though I would like my reader to support .LIT format, I suppose that for now the best tool for conversion is indeed Calibre. Thank you, dclavey, for that excellent suggestion.

[RyeBrye]

Quote:

Originally Posted by dclavey

Surely we could (with some hacking effort) create a firmware update to simply put back functionality which will allow JavaScript to be called again from a flash drive? Could we not just patch the "Test" software routines so they call Autorun.xml on the flash card rather than the "/opt/sony/application/resources/test" directory

Well... First - if we could hack the firmware update, why would we bother even screwing around with an autorun.xml? If you can hack the firmware update you have pwned the device and can have your way with it.

Second - the firmware updates are encrypted and we need to break the encryption key. This can be extracted from a full system dump, but we don't have one.

A possible third obstacle is that it looks to me like in addition to encrypting their updates, they also sign them. I'm not sure if there is a way to make the device accept an update that isn't signed by a key we certainly don't have and wont be able to get.

After getting a full system dump, we'll have to probably scour over it and try to find some kind of exploit... i.e. a vulnerability in the pdf reader or music player, or picture viewer, or something that will let you take a carefully crafted file and as a result execute code by exploiting it.

I'm not as much an expert with these devices as others, but from what I gather what we really need is a full system dump. - Not just a dump of the files, but an actual block-for-block copy of the flash memory (i.e. use dd to copy it at a low level to an .img file) and from there we can start to poke at it and go to town.

[itestl]

Full dump NAND04GW3B is here: http://rapidshare.com/files/290174389/PRS_600_dump.zip
password - radugaif

I found this here: http://www.the-ebook.org/forum/viewtopic.php?t=12007

[okalyddude]

Interesting, I did not realize how easy the 505 and other models were to hack, and I guess Sony is covering their tracks better.. I wish these companies did not worry so much about people hacking their devices. There needs to be more open source devices by design. Most of the hacks people make are simple and beneficial (like adding a clock, duh) So update, how's this looking for all you hacker people? I will likely order my 600 soon, and am curious what will be possible in the near future.