PB62x/740: root + sshd, ftpd, smbd, iptables, usbnet (needs testers)

[ezdiy]

This tutorial & tools is meant for power users who can make use of configuring the device in fancy ways, such as running custom stuff for linux, development and troubleshooting. Note that you DON'T need root just for *running* standard apps such as coolreader or koreader.

As of v8, this package does:

• install public su binary
• install iptables binary, and script to load firewall rules on startup
• install ssh, smb, ftp, http services and launch those at boot
• on newer firmwares (FW6.0+) adds kernel support for cifs, nfs, tuntap etc
• permanetly enable usbnet (even when mass storage is on, usbnet runs alongside)
• configure all services for file transfer - sftp (ssh), ftp, webdav, smb
• forbid wifi suspends when something is connected to service, ie transfer in progress
• provide some misc utilities for QoL - lftp, htop, powertop, ssh/scp client, nano, rsync
• some other minor tweaks, such as cpu scaling or working terminfo and loopback

Devices supported
Known to work on/tested by users in this thread:

• InkPad 2, 3, Pro - PB840, PB740, PB740-2
• Touch HD2, HD 3 - PB631, PB632
• Lux 3, 4, 5 - PB626, PB627, PB628
• Color - PB633

+ if you have other device it works on please report.

Essentially if your firmware version ends like 5.xx.yyyy (FW5) or 6.xx.yyyy (FW6), *it should run* - these images are all nearly identical. However I have no way to verify that for a fact, other people should just try it. The kit takes a lot of effort to fail as gracefully as possible, but you might want to start slowly only with jailbreak su and nothing else on older devices, as bugs in older kernels can introduce nasty boot crashes, especially when configuring for combined usbnet.

How to install

Extract the 2 app files from pbjb*.zip release on github into applications folder of your device.

Then from app menu:

* Launch @Jailbreak. If it succeeds, it will install root su. It does nothing else. Running it again will undo root.
* Launch @Services. This will install the system services, kernel modules, settings menus etc. su must be installed. If jailbreak is missing, the app will silently fail to run. Running it again will undo the install.

Once the device boots after Services install, new menu entry 'Rooted device settings' should appear in settings menu. In it, it will show generated root password, you can change it to your own too.

With that, ssh into root@169.254.0.1 when you connect usbnet. All other services expect same root/password pair. If usbnet is not working for you for some reason, you can navigate Settings->Rooted Device Settings->System Status and it will show you current wifi ip you can use to access the device.

Samba/WebDAV share

Spoiler:

For frequent use of the device's storage from a PC, its useful to map the share permanently as:

Code:

net use p: \\169.254.0.1\uext1

Or alternatively, if CIFS doesn't work for you for some reason:

Code:

net use p: http://169.254.0.1/ext1/ 1234 /USER:root

(where 1234 is whatever password the device has)

And use that network drive instead of using the usual USB mass storage. The reason for doing this is that you can now set the device to 'charge only' mode when plugging to USB, and keep reading a book while files are copied.

The full list of the shares when you navigate to \\169.254.0.1 or via http (webdav) is:

ext1 - main storage (wifi & usbnet & webdav), passworded
ext2 - sd storage (wifi & usbnet & webdav), passworded
ext3 - sd2 storage (wifi & usbnet & webdav), passworded
uext1,uext2,uext3 (usbnet/SMB ONLY), no password
public - see below (wifi & usbnet & webdav), read only, no password

Finally, theres a hidden 'system' share exposing root of the filesystem tree (on webdav too). Use only if you know what that means. Most of it is mounted read only by default, so you need to ssh in anyway (perhaps to fix wrong permissions introduced by samba as well).

Password-less access for guests

Guest samba (\\ip\public) and http://ip/public and anonymous ftp land the visitor in 'public' folder you can create on the main storage. By pulling documents in there you can share stuff with random strangers/devices you don't trust on the LAN.

Troubleshoot

Spoiler:

Huh, I click explore network neighborhood and it shows no shares?

Go to settings->Root device settings->System status, and you should see wifi ip in there. Then nvigate to \\ip\ in explorer to see the shares over wifi.

Either passworded or unpassworded shares take forever to load, or just plain fail with some weird error
This is unfortunate peculiarity of some windows versions disabling SMB1. What this means is that you connected via usbnet (or to public via wifi) without password, and then tried passworded share from same computer. Windows is really stupid about this and will keep hammering with as a guest, "it worked the first time, right?". This is consequence of SMB2+ having no concept of per-share security, only per-user. The solution is to never introduce your computer as a guest if you want to use passworded share as well.

I'm bricked, network/usb storage fails completely now...
It's absolutely crucial to keep the original packages around - for if something goes horribly wrong, and network or storage access can become completely cut off, so you can still undo stuff.

If stuff breaks to a point not even launching any app is viable (ie frozen screen), there's a boot escape hatch: Keep rapidly pressing *any* button all the while during startup. The boot script does a tally of press events, and if count is more than 5 times over a specific window of time, the services scripts will not start at all. This way you should get functioning system again assuming it was a service script causing trouble.

Low level internals

Spoiler:

Everything of above is stored on the /mnt/secure partition - this one is ext2, and mostly left alone by firmware updates, meaning the JB has a high chance of survival across OTAs. As far as jailbreaks go, this one is fairly conservative one - it doesn't modify *any* files of currently installed fw, it simply places itself in a directory the stock firmware auto-executes stuff from (/mnt/secure/runonce). This minimizes chances of conflict with future OTA updates.

I just want root access, not all this fancy stuff...

Good! That's why its split into two packages. If you run only @Jailbreak, you can get rudimentary root ssh by opening pbterm, and typing into it:

Code:

/mnt/secure/su /sbin/dropbear -G ""

You can then log in via wifi (no usbnet here) as root with no password.

[Markismus]

Thank you for including the source code. This will save me so much time! I am looking forward to reading the code.

[ezdiy]

Released v3
Changes from v1:
* Samba shares are now network neighborhood discoverable (added nmbd)
* Added packet filter if you need to firewall something (iptables)
* A lot of cosmetics for source code because people are apparently looking at it (eep)
* Added frequency scaling

When updating from past versions, simply run Services.app from the zip file, it will just copy over the past one.

Quote:

Originally Posted by Markismus

Thank you for including the source code. This will save me so much time! I am looking forward to reading the code.

I've cleaned up the Makefile to be slightly more humane, and added the output binaries of cross compile if you don't want to go through that (make clean will wipe em and go through cross compiler though).

[Markismus]

Nice!

Yes, I remember setting up cross-compilation for the Kobo with arm hard float cross compiler. It was quite a job.

Could you give me a few pointers/links for the setup of the cross-compilation?

[Markismus]

I installed your apps on my PB740-2. Ran them and after that they disappeared from the app section. Using pbterm I see 'su' in /mnt/secure.

However, cannot connect to it yet using USBnet. 'ip link' does register a extra connection. Gnome keeps complaining that the connection failed. Connecting to the PC, choosing PC-link, disconnecting, connecting, choosing Charging, disconnecting, etc.: dmesg.log

So something failed, could be my Arch Linux setup: I sometimes have trouble with USBnet on my Kobo H2O, too.

The pocketbook also doesn't register with my router when I use the WiFi, so I can't try it through that IP, too.

EDIT:
arp-scan found it! It's working:
================================================== ==
PocketBook services v2, http://github.com/ezdiy/pbjb
================================================== ==
root password can be set by saving password.txt
in top folder of storage (/mnt/ext1/password.txt)
root@192.168.2.47's password:

I looked the password up by using pbterm and the command cat /mnt/ext1/password.txt.
Quite an improvement in typing in the ssh shell instead of using pbterm!

[ezdiy]

Quote:

Originally Posted by Markismus

I installed your apps on my PB740-2. Ran them and after that they disappeared from the app section. Using pbterm I see 'su' in /mnt/secure.

However, cannot connect to it yet using USBnet. 'ip link' does register a extra connection. Gnome keeps complaining that the connection failed. Connecting to the PC, choosing PC-link, disconnecting, connecting, choosing Charging, disconnecting, etc.: dmesg.log

This is because the usbnet packet transport side is configured rndis (windows thing), not cdc (native linux thing). Pocketbook pretends as if it were tethered android phone.

The reason why it's done like this is that on windows it works out of the box (it automatically enables the ethernet interface, configures ip on it...), while on linux you have to add custom udev rule: https://wiki.archlinux.org/index.php...#USB_tethering

Within same udev rule you can also add script to auto-mount the samba share, so you can get rid of hogging mass storage.

Quote:

EDIT:
arp-scan found it! It's working:
================================================== ==
PocketBook services v2, http://github.com/ezdiy/pbjb
================================================== ==
root password can be set by saving password.txt
in top folder of storage (/mnt/ext1/password.txt)
root@192.168.2.47's password:

I looked the password up by using pbterm and the command cat /mnt/ext1/password.txt.

The idea is that password.txt shows as a book in front explorer just after the reboot. If you have pbterm, you can also just type /sbin/ifconfig to see your wifi ip.

[Marco77]

Hi ezdiy,
I'm ABSOLUTELY baffled as to how sending a buffer to a seemingly random IPC queue can grant you root privesc! ▄█▀█●

My config (OS is Win10 1809):

Quote:

- Vivlio-branded Inkpad3, model PB740, purchased circa June 2019

- Info gathering via ereader menus
Device / Version info
Software version V740.5.19.992
Release date: 20190410_152958

- Info gathering via execution through pbterm

uname -a: Linux pocketbook 3.10.65 #2 SMP Fri Mar 29 11:59:01 EET 2019 armv7l GNU/Linux

/proc/version: Linux version 3.10.65 (jenkins@bsp-builder) (gcc version 4.9.2 20140904 (prerelease) (crosstool-NG linaro-1.13.1-4.9-2014.09 - Linaro GCC 4.9-2014.09) ) #2 SMP Fri Mar 29 11:59:01 EET 2019

Observations:
- about the jailbreak process, I like the fact it doesn't mandate using /mnt/ext1/applications
- SSH USBnet works like a charm
- USBnet Samba shares are fine
- but the passworded shares take awfully long to show the credential prompt, causing the action to sometimes time out in Explorer

I haven't tried via wifi yet,do you have a sample iptables ruleset we can use to prevent communication with obreey/pocketbook?

- Not sure if it's possible, can you keep the device alive (prevent sleep) while there's activity in the services?

- This one is a quality-of-life convenience, can you create /mnt/ext1/.ssh if it doesn't exist? Also, I'm trying to get dropbear to accept pubkey authentication to no avail

- scp works fine, not sftp (probably a dropbar limitation). If it's not too complicated, can you include rsync as well?

- Generally in PBTerm /mnt/secure/su command works, any idea why /bin/sh doesn't return control?

Great work mate

[ezdiy]

v4 released:

• Added GUI for whole installation process, each app shows wizard-like dialogs asking about stuff to do. as well as settings menu in screenshot above to enable/disable stuff, and change/view root password. To hide the password from there, simply erase it and it will become "(keep unchanged)" from then on until new one is set.
• fixed bugs with USB storage killing services, hopefuly for real this time
• wifi disconnects are no longer flatly rejected - we allow disconnect only if no services are in use, and there are no network sessions. The old style of wifi on no matter what drained battery in sleep.
• added rsync, though not sure if it works as expected
• scripts can now be put into (Main Memory)/system/init.d to be run at startup

[ezdiy]

Quote:

Originally Posted by Marco77

Hi ezdiy,
I'm ABSOLUTELY baffled as to how sending a buffer to a seemingly random IPC queue can grant you root privesc! ▄█▀█●

PocketBook is full of this stuff, it's the 90s nostalgia over there, none of this modern amazon/apple fascism.

Quote:

Not sure if it's possible, can you keep the device alive (prevent sleep) while there's activity in the services?

Disable timed shutdown in power menu, but keep wifi or bt on when USB is plugged in. If sessions are in place (shell with a terminal, tcp connections), wifi never suspends, and whole reader stays alive in turn. Not a good idea to do without USB, as it will kill battery charge in 2 days or so.

Quote:

This one is a quality-of-life convenience, can you create /mnt/ext1/.ssh if it doesn't exist? Also, I'm trying to get dropbear to accept pubkey authentication to no avail

It might either not like the symlink, or the silly permissions on the fat partition. To figure out what dropbear doesn't like, just launch another instance via /mnt/secure/bin/dropbear -F -p 33 -m -B -Y somepassword -H /mnt/secure in foreground, and it should jabber about what it does not like.

Quote:

scp works fine, not sftp (probably a dropbar limitation). If it's not too complicated, can you include rsync as well?

Done.

Quote:

Generally in PBTerm /mnt/secure/su command works, any idea why /bin/sh doesn't return control?

Not sure what you mean.

Quote:

Great work mate

Thanks for testing.

[Marco77]

Hmm, I had to uninstall the kit for now.
Not too sure why, it prevented showing micro-sd contents (ext2) in PC link mode.
Drive would appear in explorer, but not browseable (like an SD card reader when no card is inserted)
whereas the internal storage's letter was fine.

Edit: will try with v4

Edit2: OK, after the 'Rooted device settings' reboot in v4, selecting "PC Link", the problem is still there.
I turned USBnet off, rebooted, plugged USB back in, PC Link, SD contents show up again

[ezdiy]

Quote:

Originally Posted by Marco77

Edit2: OK, after the 'Rooted device settings' reboot in v4, selecting "PC Link", the problem is still there.
I turned USBnet off, rebooted, plugged USB back in, PC Link, SD contents show up again

Yea, I was afraid something like this could happen (I have 740-2, so no SD card).

Try version 4.2: https://github.com/ezdiy/pbjb/releas...2-g69594f2.zip (just reinstall Services.app from there).

[Marco77]

Quote:

Originally Posted by ezdiy

It might either not like the symlink, or the silly permissions on the fat partition. To figure out what dropbear doesn't like, just launch another instance via /mnt/secure/bin/dropbear -F -p 33 -m -B -Y somepassword -H /mnt/secure in foreground, and it should jabber about what it does not like.

[1018] Dec 06 01:13:13 /mnt/secure/.ssh must be owned by user or root, and not writable by others
^C[1011] Dec 06 01:13:27 Early exit: Terminated by signal

/mnt/secure # ls -ald /mnt/secure/.ssh /mnt/ext1/.ssh
drwxrwxrwx 2 root root 4096 Dec 1 13:07 /mnt/ext1/.ssh
lrwxrwxrwx 1 root root 14 Dec 5 23:09 /mnt/secure/.ssh -> /mnt/ext1/.ssh

So yeah, it doesn't like the mode. And chmod has no effect, because of its mount mode:

Quote:

/dev/user_int on /mnt/ext1 type vfat (rw,dirsync,nosuid,nodev,noatime,fmask=0000,dmask= 0000,allow_utime=0022,codepage=437,iocharset=utf8, shortname=mixed,errors=remount-ro)

Could you neuter that dropbear check (return success)?

Quote:

Originally Posted by ezdiy

Quote:

Not sure what you mean.

/mnt/secure/su /bin/sh
does not give a root shell. Maybe because of not having a pty for non-root, not too sure.

Quote:

Originally Posted by ezdiy

Yea, I was afraid something like this could happen (I have 740-2, so no SD card).

Try version 4.2: https://github.com/ezdiy/pbjb/releas...2-g69594f2.zip (just reinstall Services.app from there).

Yup, now it works! Thanks!

[Markismus]

@ezdiy Is it feasible to run an OpenVPN client on the pocketbook?

(Apparently, you have to root the iPhone to have a chance get it to allow tethered connections over the VPN, ..... )

What crosscompiler should I use. The processor on the Inkpad3Pro is sun8iw10, B288, 2xCortex-A7. Does this mean that the same packages compiled for Raspberry pi2 will work on the B288, too?

I am looking at PiVPN which should be lightweight enough and works on the RaspberryPi2.

[ezdiy]

v5 released

https://github.com/ezdiy/pbjb/releases/tag/v5

* fixed terminfo breakage (ie readline now works properly in things like lftp or gdb)
* added lftp (universal client for sftp, ftp(s), torrent, http(s) opendir)
* added nano, htop, powertop (text editor, fancy system/power diagnostics)
* added sftp server, and device can be now browsed as such
* fixed pubkey authenticatoin, just put your .ssh/authorized_keys on main storage
* added http server, autoindex folder serving, but also configured for ssi, cgi
* http also does webdav transfers (shares named/passworded the same as on smb)
* added 'system status' settings menu entry to show some basic diagnostics, running services, device's IP etc

Quote:

Originally Posted by Markismus

@ezdiy Is it feasible to run an OpenVPN client on the pocketbook?

(Apparently, you have to root the iPhone to have a chance get it to allow tethered connections over the VPN, ..... )

What crosscompiler should I use. The processor on the Inkpad3Pro is sun8iw10, B288, 2xCortex-A7. Does this mean that the same packages compiled for Raspberry pi2 will work on the B288, too?

I am looking at PiVPN which should be lightweight enough and works on the RaspberryPi2.

Unfortunately the kernel doesn't have tun device compiled, so openvpn doesn't work out of the box. There's somewhat limited use for that anyway, as the only user would be most likely the web browser - so one is better off with something like tor/open proxies. Will see if that can be made as separate application as it doesn't really need root.

Quote:

Originally Posted by Marco77

Could you neuter that dropbear check (return success)?

Done.

[jelbo]

This is amazing. I'm getting my PocketBook Touch HD 3 today and I'm very tempted to test this out.