PRS-T3 Do you think sony prs t3 will be rooted?

[Yokowa]

Hacking is based on hardware, namely you have to open the reader. Firmware dump has already been finished. AFAIK, Sony uses signature verification for root access, so software hacking requires a master. I can not do it.

[ebmr]

Quote:

Originally Posted by Yokowa

Firmware dump has already been finished.

Could you please provide a download of the flash dump?

[ebookread]

maybe one of the known Coders would be so kind to look at the dump? If not could you post a tut for your hardware hack, if its feasible for a soldering starter.

[rupor]

Yokowa, how good you are with hardware?

I have an idea which if realized should allow for inexpensive (relatively) hardware dependent way of jailbreaking any Sony readers with SD slot which does not require physically opening the devices.

It is based on understanding of the script Sony is using to verify signature of update package: if I am not mistaken internally Sony script (sh or bash - does not matter here) verifies signature of provided package (using openssl executable) and if it is OK issues mount on it, eventually running update script from inside of mounted file. Update file has a name update.img and signature should be update.sig. If you would be able to make sure that update.img for signature check is the original one from Sony but mounted update.img is yours - you will be able to run jailbreak the same way we did on T2 devices with firmware with opened hole.

For that it should be possible to use SD card emulation (simple SPI mode should do fine). Such device plugged into reader SD slot (as SD card) will internally count block reads and after signature verification is done (last block of the original Sony file has been read?) will start providing content of your update.img with jailbreak, allowing for it to be installed.

I believe similar hack has been used before on various devices using simple MCU based boards (Teensy, Arduino, Freescale Freedom or Texas Instrumental Launchpad) capable of implementing SPI protocol slave mode. Information on SD card protocol today is freely available and SPI capable board could be purchased for $10-$20. You just need a lot of time and some will

[Yokowa]

rupor, I know the basic elctronics mainly analog circuits, not very familiar with embeded system boards, but I think I can handle some digital circuits.

This is my understanding of your idea:
Use the original update.img and update.img.sig from sony to pass the signature verification. when the script starts to mount update.img, the SD card emulator provides the update.img modified for jailbreak.

According to the script "linuxrc" from t3, the correct update.img.sig is generated from update.img by sha, rsa, aes-cbc, but in the flash packages(jailbreak.7z,resize.7z...) you made for t2, you use the same update.img.sig2 for different update.img, which confuses me a lot.

My questions is: where to get the original update.img and its update.img.sig that could pass the verification?

[rupor]

It was my understanding that update package from Sony should have it... Let me take a look.

[ebmr]

What about copying the calculated signature of an Sony EBX-5059 Update package in /usr/local/sony/bin/functions-c's unpack_package_updater() and renaming the *.package update.img for the verification step?

Yokowa could do this with his rooted device.

[rupor]

Yep, this should work...

[Yokowa]

I have not done a test, just took a look at the scripts. The verification processes seem to be the same, but we'd better do a real test. The signature file is not created by calculation but dd from the "PRS-T3 Updater.package", so we can use them to pass verification but can not sign update.img with jailbreak, for we don't know the private key.

I am not good at scripts, it will be handy if any of you guys can send me modified scripts(bs, functions-c, functions-d,...), which can extract the update.img and its signature to sdcard. Then I will test.

[hel]

Great news! At least some movement in the right direction ))

[ebmr]

Quote:

Originally Posted by Yokowa

I am not good at scripts, it will be handy if any of you guys can send me modified scripts(bs, functions-c, functions-d,...), which can extract the update.img and its signature to sdcard. Then I will test.

Well, a flash dump would come in handy. At least, the content of /usr/local/sony/bin, please, to be sure to be doing the right thing for a T3.

EDIT: The /linuxrc from mmcblk2p1 would be useful as well.

[mao_king]

Quote:

Originally Posted by rupor

Yep, this should work...

hello i updated my firmware of PRS-T1 to 1.0.07, is it possible to root it?
thanks a lot

[sbwtxj]

wait for great message for ROOTED T3!

[tuxor]

It's a pity there is so little activity on this topic. The hardware hack seemed so promising... Btw has somebody uploaded the flash dump in the meantime?

[ebmr]

Quote:

Originally Posted by tuxor

It's a pity there is so little activity on this topic. The hardware hack seemed so promising...

There is activity behind the curtain. Be patient and don't expect to much.