iRex iLiad patch V2.7.1 closes security holes

[Alexander Turcic]

iRex has just issued an upgrade patch for the iLiad device, closing two security holes that were recently discovered by our forum members. Unfortunately, if you decide to upgrade you may lose the opportunity to install and run your homebrew software. Feel free to join our on-going discussion about the release.

The patch also fixes a couple of software bugs mainly related to the content browser and the PDF viewer. Our Wiki has a full list of changes.

[scotty1024]

Alex, much of the stuff I've been working with comes straight from the main stream Debian distribution. It's the same stuff people are using on Intel x86 machines, just built for the ARM CPU in an iLiad e.g. it isn't "home brew". I've even got my favorite industrial strength editor emacs (all 50mb of it) installed and running on my iLiad.

The onscreen clock I got working is from the same Matchbox tool kit iRex themselves are using. I just installed and configured a piece of it they didn't give us, even though users have been requesting an on screen clock since forever.

In fact as I've explored my iLiad I've pretty much confirmed my suspicions that 95% of the iLiad is all open source software albeit with some iRex hacks applied to a small amount of it.

The scariest part in all the exploring and experimenting is that iRex has provided no means to re-flash the unit if something goes wrong.

What I would have expected was something like this:
Place a user filessytem image on an MMC/CF card and insert into powered down unit.
Hold the connect button down and turn the unit on and hold the connect button until the unit says it is re-flashing from MMC/CF card.
Wait patiently for this to complete.
Unit automatically restarts.

I've seen their tool kit, they have all the tools to do the re-flash.

Why iRex has been unable to deliver something this simple is something I just can't understand and leaves everyone at risk, not just the experimenters.

[vranghel]

Quote:

Originally Posted by scotty1024

In fact as I've explored my iLiad I've pretty much confirmed my suspicions that 95% of the iLiad is all open source software albeit with some iRex hacks applied to a small amount of it.

The scariest part in all the exploring and experimenting is that iRex has provided no means to re-flash the unit if something goes wrong.

Its pretty interesting that although the iLiad is built with open source software it is so hard to find a way to reflash it. I'm beginning to think that this move migh be intentional on iRex's part, a way to make sure that users do not intstall an OS that did not come from them.

They might fear the havoc users might wreak if they're allowed to have their way with iRex's precious hardware. <end of sarcastic remark>

[CommanderROR]

@vranghel

Somthing along those lines might be possible...^^

[k2r]

Quote:

Originally Posted by vranghel

I'm beginning to think that this move migh be intentional on iRex's part, a way to make sure that users do not intstall an OS that did not come from them.

Question 1 is: If I they really lock down the iLiad so nobody but them got root, fixed all local exploits and maybe install some kind of additional security layer to prevent their cusomers from using the device they bought in the ways they want to, and THEN release the GPL-sources, so we would have access to the sources, could build the system but had no way to install anything - would they be in compliance with the GPL?

Question 2 is: How big is the niche-market for ebook companies that say "We don't care about our customers wishes" ?

[b_k]

i wouldn't wonder if they used one of the common bootloaders. But I think it's hard to know which bootloader is on it, or did someone finally find the serial console?

@k2r, I think that would depend on the lawyer you ask. From my point of view, no.

[arivero]

Quote:

Originally Posted by k2r

, so we would have access to the sources, could build the system but had no way to install anything - would they be in compliance with the GPL?

Answer is no, but you should go surely for UK law system because it needs of a non-literal, spirit-wise, interpretation of the GPL part about build & install scripts. Sony does a trick there in their release of sources, not including the build & install procedures, perhaps under the claim that it is obvious. Of course it was obvius... for Igorsk.

[scotty1024]

From what I've seen Igorsk isn't using the posted sources.

The Sony has a flasher which he sussed out of their DLL.

After that he grabbed the raw filesystem off the device, extracted it, modified it, and repackaged it back into a filessytem, then re-flashed that image into the Reader.

It's a modification of the method used on the Librie to make English Librie's.

[scotty1024]

Quote:

Originally Posted by b_k

i wouldn't wonder if they used one of the common bootloaders. But I think it's hard to know which bootloader is on it, or did someone finally find the serial console?

We now know where the serial console is inside the CPU: UART # 2 running at 115200 baud.

What we don't know is how one hooks a cable to it. I can provide PXA255 pin numbers if someone wants to open an iLiad and go looking. Or someone could try those extra pins on the dock connector again, it's 115200 baud...

Since they've left getty running on it, if you can hook it up there will be a login prompt waiting.

[drogo]

Quote:

Originally Posted by k2r

Question 1 is: If I they really lock down the iLiad so nobody but them got root, fixed all local exploits and maybe install some kind of additional security layer to prevent their cusomers from using the device they bought in the ways they want to, and THEN release the GPL-sources, so we would have access to the sources, could build the system but had no way to install anything - would they be in compliance with the GPL?

Question 2 is: How big is the niche-market for ebook companies that say "We don't care about our customers wishes" ?

It's already been addressed, but the answer to Question 1 is "No".

The device is available now, but there is no source code available. IANAL, but my understanding of the GPL is that the source code must be available along with the official product. You can't release the product and say "We're working on making the source available."

If they're stalling on it in order to lock out customers, then it's my opinion that they will be fighting a losing battle. You shouldn't treat your customers as someone you want to "lock out". The smart ones will circumvent your locks, and the ones who aren't smart enough will probably not be willing to mess with it. As for those who mess it up, all iLiad support dept has to do is say, "That's unsupported firmware, I can't help you with it."

Which brings me to my answer to Question 2, and that would be "About as long as the Gemstar e-reader lasted".

Edit: I just saw the thread they've released the source for the PDF reader. Still waiting for the rest...

[scotty1024]

The nice thing about ipdf source being released is I can probably take that and add djvu support to ipdf.

[arivero]

Quote:

Originally Posted by scotty1024

We now know where the serial console is inside the CPU: UART # 2 running at 115200 baud.

What we don't know is how one hooks a cable to it. I can provide PXA255 pin numbers if someone wants to open an iLiad and go looking. Or someone could try those extra pins on the dock connector again, it's 115200 baud...

There is an extra connector inside, in the upper left corner. I'd bet for it because RTS|CTS needs an extra pair of wires. But still the high impedance pins of the external connector could hide some surprise.