06-28-2014, 12:13 AM | #31 |
Member
Posts: 21
Karma: 15174
Join Date: Feb 2014
Device: SONY PRS-T1 T3
Hacking is based on hardware, namely you have to open the reader. The firmware dump has already been finished. AFAIK, Sony uses signature verification for root access, so software hacking requires a master. I cannot do it.
Last edited by Yokowa; 06-28-2014 at 01:51 AM.
06-28-2014, 09:04 AM | #32 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
06-28-2014, 09:14 AM | #33 |
Enthusiast
Posts: 27
Karma: 3248
Join Date: Jun 2013
Location: Germany
Device: PRS-T2, PRS-T3
Maybe one of the known coders would be so kind as to look at the dump? If not, could you post a tut for your hardware hack, if it's feasible for a soldering starter.
06-28-2014, 09:41 AM | #34 |
meat popsicle
Posts: 225
Karma: 100000
Join Date: Jul 2007
Location: USA
Device: Kindles, Pixels, iPads
Yokowa, how good are you with hardware?
I have an idea which, if realized, should allow for an inexpensive (relatively) hardware-dependent way of jailbreaking any Sony reader with an SD slot that does not require physically opening the device. It is based on understanding the script Sony is using to verify the signature of the update package: if I am not mistaken, internally the Sony script (sh or bash, does not matter here) verifies the signature of the provided package (using the openssl executable) and, if it is OK, mounts it, eventually running the update script from inside the mounted file. The update file is named update.img and the signature should be update.sig. If you would be able to make sure that the update.img used for the signature check is the original one from Sony but the mounted update.img is yours, you will be able to run the jailbreak the same way we did on T2 devices with firmware with the opened hole. For that it should be possible to use SD card emulation (simple SPI mode should do fine). Such a device plugged into the reader's SD slot (as an SD card) will internally count block reads and, after signature verification is done (last block of the original Sony file has been read?), will start providing the content of your update.img with the jailbreak, allowing it to be installed. I believe a similar hack has been used before on various devices using simple MCU-based boards (Teensy, Arduino, Freescale Freedom or Texas Instruments LaunchPad) capable of implementing SPI protocol slave mode. Information on the SD card protocol today is freely available and an SPI-capable board can be purchased for $10-$20. You just need a lot of time and some will.
Last edited by rupor; 06-28-2014 at 10:06 AM.
06-29-2014, 12:06 AM | #35 |
Member
Posts: 21
Karma: 15174
Join Date: Feb 2014
Device: SONY PRS-T1 T3
rupor, I know basic electronics, mainly analog circuits, and am not very familiar with embedded system boards, but I think I can handle some digital circuits.
This is my understanding of your idea: use the original update.img and update.img.sig from Sony to pass the signature verification. When the script starts to mount update.img, the SD card emulator provides the update.img modified for the jailbreak. According to the script "linuxrc" from the T3, the correct update.img.sig is generated from update.img by sha, rsa, aes-cbc, but in the flash packages (jailbreak.7z, resize.7z, ...) you made for the T2, you use the same update.img.sig2 for different update.img, which confuses me a lot. My question is: where to get the original update.img and its update.img.sig that could pass the verification?
Last edited by Yokowa; 06-29-2014 at 12:10 AM.
06-29-2014, 09:55 AM | #36 |
meat popsicle
Posts: 225
Karma: 100000
Join Date: Jul 2007
Location: USA
Device: Kindles, Pixels, iPads
It was my understanding that update package from Sony should have it... Let me take a look.
06-29-2014, 10:08 AM | #37 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
What about copying the calculated signature of a Sony EBX-5059 Update package in /usr/local/sony/bin/functions-c's unpack_package_updater() and renaming the *.package to update.img for the verification step?
Yokowa could do this with his rooted device.
06-29-2014, 08:32 PM | #38 |
meat popsicle
Posts: 225
Karma: 100000
Join Date: Jul 2007
Location: USA
Device: Kindles, Pixels, iPads
Yep, this should work...
07-01-2014, 07:31 AM | #39 |
Member
Posts: 21
Karma: 15174
Join Date: Feb 2014
Device: SONY PRS-T1 T3
I have not done a test, just took a look at the scripts. The verification processes seem to be the same, but we'd better do a real test. The signature file is not created by calculation but dd'd from the "PRS-T3 Updater.package", so we can use them to pass verification but cannot sign an update.img with the jailbreak, for we don't know the private key.
I am not good at scripts; it would be handy if any of you guys could send me modified scripts (bs, functions-c, functions-d, ...) which can extract the update.img and its signature to the SD card. Then I will test.
Last edited by Yokowa; 07-01-2014 at 09:55 AM.
07-01-2014, 10:13 AM | #40 |
Sorceress
Posts: 167
Karma: 19604
Join Date: Nov 2006
Location: Montreal
Device: Onyx Air2&Nova 3C,Kindle oasis1,Kobo Forma,iPad pro 12.9&9.7,and more.
Great news! At least some movement in the right direction ))
Last edited by hel; 07-01-2014 at 10:23 AM.
07-01-2014, 01:10 PM | #41 | |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none
EDIT: The /linuxrc from mmcblk2p1 would be useful as well.
Last edited by ebmr; 07-01-2014 at 03:11 PM.
07-02-2014, 10:52 PM | #42 |
Junior Member
Posts: 4
Karma: 10
Join Date: Oct 2011
Device: kindle3 wifi
07-11-2014, 11:21 AM | #43 |
Groupie
Posts: 154
Karma: 26294
Join Date: Oct 2013
Device: kindle keyboard,kindle touch,PB touch lux
Waiting for the great message of a ROOTED T3!
07-14-2014, 07:46 PM | #44 |
Addict
Posts: 320
Karma: 99999
Join Date: Oct 2011
Location: Germany
Device: Onyx Boox M92, Icarus Illumina E653
It's a pity there is so little activity on this topic. The hardware hack seemed so promising... Btw, has somebody uploaded the flash dump in the meantime?
07-15-2014, 04:30 AM | #45 |
Zealot
Posts: 101
Karma: 34554
Join Date: Aug 2012
Device: none