10-07-2012, 11:00 AM | #31 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
10-07-2012, 11:27 AM | #32 |
Zealot
Posts: 102
Karma: 38810
Join Date: Apr 2011
Device: Sony PRS-T1
fantastic!
10-07-2012, 12:50 PM | #33 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
According to the T2 NAND dump, the encryption key and the RSA private key are both identical to the T1's?!
10-07-2012, 02:10 PM | #34 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
The dump contains the necessary information to create our own (update) *.package files, as well as the information on what is required for an update.img on the SD card. So root access and rooting should be easily possible!
Garyn, we owe you!
Last edited by ebmr; 10-07-2012 at 04:57 PM. Reason: cheered too soon
10-07-2012, 02:45 PM | #35 |
Zealot
Posts: 136
Karma: 493152
Join Date: Mar 2012
Location: Spain
Device: Kindle Oasis 2
As Russian downloads fail sometimes, I've uploaded to another server:
T2_NAND_dump_1.0.03.09110: http://uploaded.net/file/4yj8c1i8
T2_FS_1.0.03.09110: http://uploaded.net/file/zysjeng4
10-07-2012, 02:51 PM | #36 |
Zealot
Posts: 136
Karma: 493152
Join Date: Mar 2012
Location: Spain
Device: Kindle Oasis 2
10-07-2012, 03:02 PM | #37 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
Telling. (I should have switched ? and ! in my posting.)
I was surprised that Sony didn't change them, but that they didn't work with porkupan's tools for the T1. (Sony changed something with the (update) *.packages, as I know now after having a look at Garyn's files.)
10-07-2012, 03:56 PM | #38 |
Fanatic
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
The updates are signed by Sony's private key, which may be identical to the one in the Russian T1, but it doesn't matter as we don't know what it is... Keep looking, but I don't think the update mechanism is going to be available to us this time around.
There is another private key in Info, which has always been used to verify the integrity of the updates, but it is not what we need to sign the update packages...
10-07-2012, 04:07 PM | #39 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
Well, how did you manage to create the PRS-T1 Updater.package in your minimal-root then?
10-07-2012, 04:22 PM | #40 |
Fanatic
Posts: 556
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
The updates were not signed until the PRS-G1 and PRS-T1/RU were introduced. In the PRS-T1/US and PRS-T1/JP the updates were unsigned. We managed to find an exploit in the MSC API program on the reader (switcher), which allowed us (for the Russian T1) to overwrite the Recovery Rootfs and Diags Rootfs with ones that accepted packages signed by my key as well. It also allowed accepting unsigned images for SD boot. However, Sony has closed the hole in switcher in the T2 (amazing that they found the exact problem in their logic, which leads me to believe that they used a code analyzer tool of some sort, or stole my code that has not been published). So, a new exploit is now needed.
Last edited by porkupan; 10-07-2012 at 04:44 PM. Reason: Clarity
10-07-2012, 05:01 PM | #41 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
Damn!
A closer look at the handling of update.img proves you right (of course). The image's SHA-1 is signed and will be checked in sig_check().
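The trust model laid out in #38, #40 and #41 (the update image's SHA-1 is RSA-signed with a private key only Sony holds, and the recovery's sig_check() verifies it against a public key it carries) as an added example; this is not code from the thread, from the NAND dump or from the PRS-T2 firmware. It uses textbook RSA over the raw SHA-1 value with a small standard-library key generator so it runs offline; the function names, key sizes and sample image are constructed for the demo, and the real package format is not modelled. The four cases show why a dump that only yields the public key does not let anyone sign, why patching a signed image breaks the check, and why replacing the key the recovery trusts (what the T1 switcher exploit made possible) does work.

```python
import hashlib
import random

# Constructed for the demo: stdlib-only RSA so the block runs offline.
# Textbook RSA on the raw SHA-1 value, no padding; this models the trust
# relationship between signer and verifier, not Sony's actual package format.

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (probabilistic, enough for a demo key)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def gen_keypair(seed, bits=512):
    """Return ((n, e), (n, d)); seeded so the example is reproducible.
    Needs Python 3.8+ for pow(e, -1, phi)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def image_digest(image):
    """The value that actually gets signed: SHA-1 of the whole update.img."""
    return int.from_bytes(hashlib.sha1(image).digest(), "big")


def sign_image(image, privkey):
    """Producer side: requires the private key, which the NAND dump does not give."""
    n, d = privkey
    return pow(image_digest(image), d, n)


def sig_check(image, signature, trusted_pubkey):
    """Verifier side, in the role of the recovery's sig_check(): recover the
    signed SHA-1 with the trusted public key and compare it with a fresh SHA-1."""
    n, e = trusted_pubkey
    return pow(signature, e, n) == image_digest(image)


def demo():
    sony_pub, sony_priv = gen_keypair(seed=1)  # stands in for Sony's key
    my_pub, my_priv = gen_keypair(seed=2)      # the hacker's own key

    image = b"constructed update.img contents"  # constructed sample image
    official_sig = sign_image(image, sony_priv)
    my_sig = sign_image(image, my_priv)

    return {
        # genuine update against the stock recovery: accepted
        "official": sig_check(image, official_sig, sony_pub),
        # same signature, image patched after signing: rejected (SHA-1 differs)
        "patched": sig_check(image + b"patch", official_sig, sony_pub),
        # hacker-signed package against the stock recovery: rejected
        "own_key_stock_recovery": sig_check(image, my_sig, sony_pub),
        # hacker-signed package once the recovery trusts the hacker's public
        # key as well (what the T1 switcher exploit allowed): accepted
        "own_key_patched_recovery": sig_check(image, my_sig, my_pub),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {'accepted' if ok else 'REJECTED'}")
```

The only lever in this model is which public key the verifier trusts: the private key never has to leave the signer, so finding the key in a dump is not a shortcut, and the practical path is the one described above, getting the device to run a recovery whose trusted key you control.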
10-07-2012, 06:20 PM | #42 |
Zealot
Posts: 102
Karma: 38810
Join Date: Apr 2011
Device: Sony PRS-T1
deleted message
Last edited by m3l7d0wN; 10-07-2012 at 06:23 PM.
10-08-2012, 02:02 AM | #43 |
Wizard
Posts: 3,009
Karma: 18765431
Join Date: Oct 2010
Location: Sudbury, ON, Canada
Device: PRS-505, PB 902, PRS-T1, PB 623, PB 840, PB 633
So, what is it that they are working so hard to protect? Dictionaries? I wonder why keeping root access from users is such a high priority?
10-08-2012, 06:06 AM | #44 |
Zealot
Posts: 102
Karma: 38810
Join Date: Apr 2011
Device: Sony PRS-T1
At least we have the reader APKs of the T2. I have to try them on my T1.
10-08-2012, 06:07 AM | #45 |
Member
Posts: 12
Karma: 10
Join Date: Aug 2012
Device: PRS-T2
They have now progressed even further. The T2 is hacked!!!
Still too early for a public release, but it's on its way.