Kobo Touch Hacking

From MobileRead

This page is still under construction.

A big thanks to stef70 for being the first to document how to hack the Kobo Touch.

Overview

The method used by the Kobo Touch to upgrade its firmware is quite simple: If the file .kobo/KoboRoot.tgz is found in the Kobo's public partition, then the .tgz file is extracted to the root of the internal system partition. By editing some of the files within KoboRoot.tgz, we can fairly easily enable telnet and ftp access, giving us root privileges.

The Hacking Process

Getting the Upgrade File

The first step is to get the current firmware so we can patch some files. There is a list of Kobo firmware files with download links here. The other way to get the latest firmware is to do a factory reset:

  1. Back up ALL your ebooks!!! (The factory reset will delete all of your files! Ebooks downloaded from the Kobo store will be automatically put back on your Touch when you sync the device.)
  2. Perform a factory reset. There are two ways this can be done:
    • Hold the Home button while the device turns on, or
    • On the Touch's home screen, press HOME, then Settings > Device Information > Factory Reset.
  3. Plug the Touch into your computer and use the Kobo desktop app to set up your Kobo Touch.
  4. Before you unplug your Touch, copy the file KoboRoot.tgz, found in the .kobo directory on the Touch, to your hard drive.

Editing Files

Now that we have KoboRoot.tgz, we can examine its contents. On Linux, extract the files with

tar xvzf KoboRoot.tgz

Windows users can use a program such as 7-zip to extract the files. DO NOT USE WORDPAD OR ANOTHER WINDOWS TEXT EDITOR to edit them (the newline characters from Windows break the scripts).

The most interesting file is etc/init.d/rcS. This script is called by the init process every time the Touch boots. We can easily add our own shell commands to this script. To be flexible, we'll add the following line right before the line "/usr/local/Kobo/nickel -qws &"

/mnt/onboard/run.sh &

Annotation: Adding the line "/mnt/onboard/run.sh >>/mnt/onboard/run.out 2>&1 &" will give you a log output to "run.out" and allow you to troubleshoot any issues with the "run.sh" commands.

and package it with

tar czf KoboRoot.tgz etc/init.d/rcS

Copy the KoboRoot.tgz file to the .kobo directory on your Touch, unplug it, and it will automatically install and reboot.
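
Because the updater extracts whatever is in KoboRoot.tgz onto the system partition, it is worth checking the archive before copying it over. The following pre-flight check is an added example, not part of the original page; the function name `preflight` and the allowlist (the three files this page edits) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a repackaged KoboRoot.tgz.
# ALLOWED is an assumption: the three files this page edits, named exactly
# as the page's "tar czf" commands store them (no leading "./").
ALLOWED="etc/init.d/rcS etc/inittab etc/inetd.conf"
NICKEL='/usr/local/Kobo/nickel -qws &'
HOOK='/mnt/onboard/run.sh'

# preflight ARCHIVE: print one line per problem, nothing if all checks pass.
preflight() {
    tgz=$1
    cr=$(printf '\r')
    tar tzf "$tgz" | while IFS= read -r m; do
        case $m in */) continue ;; esac          # skip directory entries
        case " $ALLOWED " in
            *" $m "*) ;;
            *) echo "unexpected member: $m"; continue ;;
        esac
        # Windows (CRLF) line endings break the scripts.
        if tar xzOf "$tgz" "$m" | grep -q "$cr"; then
            echo "CRLF line endings: $m"
        fi
    done
    # If rcS is in the archive, the hook must come before nickel is started.
    rcs=$(tar xzOf "$tgz" etc/init.d/rcS 2>/dev/null) || return 0
    hook=$(printf '%s\n' "$rcs" | grep -n -F "$HOOK" | head -n 1 | cut -d: -f1)
    nick=$(printf '%s\n' "$rcs" | grep -n -F "$NICKEL" | head -n 1 | cut -d: -f1)
    if [ -z "$nick" ]; then
        echo "nickel launch line missing from rcS"
    elif [ -n "$hook" ] && [ "$hook" -gt "$nick" ]; then
        echo "hook line is after the nickel line"
    fi
}

# Usage: sh preflight.sh KoboRoot.tgz
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

No output means the archive contains only the expected files, with Unix line endings and the hook in the right place.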

Enabling Telnet/FTP

There are two files, inittab and inetd.conf, that we need to edit in order to enable telnet and ftp. However, they are not found in the current firmware's KoboRoot.tgz file. So, we will create a script, run.sh, with the commands

 cp /etc/inittab /mnt/onboard
 cp /etc/inetd.conf /mnt/onboard

Connect your Touch to your computer and copy run.sh to the Touch. After a reboot, you should find the files inittab and inetd.conf on your Touch's public partition. Move them to the etc directory of the extracted KoboRoot.tgz.

The Kobo Touch runs Busybox, which contains all the tools needed to control the Touch via WiFi. Three steps are required to enable telnet and ftp.

1. Add the following lines to etc/init.d/rcS
 mkdir -p /dev/pts
 mount -t devpts devpts /dev/pts
2. To etc/inetd.conf add
 21 stream tcp nowait root /bin/busybox ftpd -w -S  /
 23 stream tcp nowait root /bin/busybox telnetd -i

Annotation: In my case (I am not the author), on a Glo 2.1.5, it only works if I remove the forward slash at the end of the line "21 stream ..."

3. And add to etc/inittab
 ::respawn:/usr/sbin/inetd -f /etc/inetd.conf

These files can be packaged with

 tar czf KoboRoot.tgz etc/init.d/rcS etc/inittab etc/inetd.conf

Copy the produced KoboRoot.tgz to the Touch's .kobo directory and unplug.

You should now be able to log in through telnet! You'll have to enable WiFi, such as by opening the web browser, and figure out your Touch's IP address. If you press HOME > Settings > Device Information, you can see your Touch's MAC address. Open the Touch's web browser, then, on a computer connected to the same network as the Touch, run (assuming that the IP addresses on your network are 192.168.1.x)

 sudo nmap -sP 192.168.1.1-254

to get a list of all connected devices. Look for the MAC address of your Touch. The IP address will be a couple of lines above the MAC address. Using that IP address, telnet into your Touch

 telnet 192.168.1.100

Log in as root with a blank password and you're all set.
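
To see at a glance what an edited inetd.conf exposes on the network, the file can be summarised field by field. This is an added example, not part of the original page; the function names `audit_inetd` and `sample_inetd` and the flag wording are assumptions, and the sample input is the two lines given above.

```shell
#!/bin/sh
# Added example: summarise the listeners defined in an inetd.conf.
# inetd.conf fields: service socktype proto wait user program [args...]

# audit_inetd [FILE]: one line per enabled service (reads stdin if no FILE).
audit_inetd() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        NF < 6 { printf "malformed line %d\n", NR; next }
        {
            args = ""
            for (i = 7; i <= NF; i++) args = args " " $i
            flags = ""
            # telnet and FTP both send credentials and data unencrypted.
            if (args ~ / telnetd( |$)/) flags = flags " cleartext-login"
            if (args ~ / ftpd( |$)/) {
                flags = flags " cleartext-ftp"
                # busybox ftpd only accepts uploads when -w is given.
                if (args ~ / -[A-Za-z]*w[A-Za-z]*( |$)/)
                    flags = flags " ftp-upload-enabled"
            }
            printf "%s/%s user=%s%s\n", $1, $3, $5, flags
        }
    ' "$@"
}

# Constructed sample: the two lines this page adds to etc/inetd.conf.
sample_inetd() {
    cat <<'EOF'
# sample inetd.conf
21 stream tcp nowait root /bin/busybox ftpd -w -S  /
23 stream tcp nowait root /bin/busybox telnetd -i
EOF
}

sample_inetd | audit_inetd
```

Run `audit_inetd etc/inetd.conf` against the file in the extracted tree before packaging it.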

Enabling USB networking

If your Linux distribution uses systemd, you will need to find the ID of your USB port beforehand. To do that, plug in your reader, then run:

$ sudo dmesg

You should find a line that looks like this:

[XXXXXXX.XXXXXX] cdc_ether 1-2:1.0 enXXXXXXXXXXXXX: renamed from usb0

Note the code that starts with en. You will need to replace "usb0" with this code everywhere in the following instructions. This code depends on the USB port used, so be careful if you connect your reader to another port.

First, enable Telnet/FTP using the guide above, and telnet into your Kobo.

Manually (e.g. for one-time use - stops working after reboot)

Make sure your Kobo is not plugged in through USB, then issue these commands on your Kobo:

> killall nickel
(nickel is the reader app; you will be able to restart it afterwards with http://pastebin.com/gEuQpaU5)
> /bin/busybox insmod /drivers/ntx508/usb/gadget/arcotg_udc.ko
> /bin/busybox insmod /drivers/ntx508/usb/gadget/g_ether.ko
plugin won't connect through nickel - we have to set it up manually:
> ifconfig usb0 192.168.2.2

Now plug in your Kobo into your PC through USB, and then issue these commands on your PC:

> lsusb
this should show Netchip Technology, Inc. Linux-USB Ethernet/RNDIS Gadget - if so then:
> ifconfig usb0 192.168.2.1
> telnet 192.168.2.2
and you can now log in as root with the same password (default: no password) as in the WiFi case above.

Automatically (e.g. for permanent use - this will work across reboots)

It is probably easiest to edit this on your PC and then FTP it back to the Kobo (I use Gftp on Ubuntu):

On Kobo:

> killall nickel
put these commands at end of /etc/init.d/rcS
/bin/busybox insmod /drivers/ntx508/usb/gadget/arcotg_udc.ko
/bin/busybox insmod /drivers/ntx508/usb/gadget/g_ether.ko
put this command at end of /usr/local/Kobo/udev/ac and /usr/local/Kobo/udev/plug
ifconfig usb0 192.168.2.2
(You probably don't need to put them into both, but I'm too lazy to check.)
Now it's time to restart your Kobo to check whether your changes took effect:
> reboot

After the main GUI on Kobo appears (but I think maybe it doesn't matter), plug the Kobo into the PC through USB. Ignore the popup that appears.

Then, on your PC:

$ ifconfig usb0 192.168.2.1
$ telnet 192.168.2.2

NOTE: On OS X instead of 'usb0' you need something like 'en0'; the number depending on the USB port

and you can now log in as root with the same password (default: no password) as in the WiFi case above.

Notes On Suspend

This seems to work

echo 1 > /sys/power/state-extended   # turns off the neonode touchscreen
echo mem > /sys/power/state
# then, after resume:
echo 0 > /sys/power/state-extended

Found this file after looking at an strace of nickel:

open("/sys/power/state-extended", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
dup2(3, 1) //copy filehandle
write(1, "1\n", 2) = 2
execve("/bin/sh", ["sh", "-c", "echo mem > /sys/power/state"]

From the KoboLabs source, /KoboLabs/hw/imx508/cls/linux-2.6.35.3/kernel/power/main.c:

static ssize_t state_extended_store(struct kobject *kobj, struct kobj_attribute *attr,
const char *buf, size_t n)
{
  if ( buf[0] == '1' )
  {
    if(!g_sys_full_suspend_state)
    {
      neonode_activate(0);
      disable_irq_wake(get_homekey_irq());
      g_sys_full_suspend_state=1;
    }
  }else if(g_sys_full_suspend_state)
  {
    neonode_activate(1);
    enable_irq_wake(get_homekey_irq());
    g_sys_full_suspend_state=0;
  }

I have tried the above with WiFi off and unplugged; it seems to work, but I have not fully tested it by looking at the battery level after a while.

Account Bypass

Sideloaded Mode

This is a feature added in 4.31.19086.[1] If an update is needed, the configuration file can be edited before, after, or during the process of sideloading the firmware.

1. If working from a factory state, move through the setup and select "Don't have a Wi Fi network?"; this will allow you to mount the device.

2. Mount the device.

3. To /mnt/.kobo/Kobo/Kobo eReader.conf, under [ApplicationPreferences], add

SideloadedMode=true

4. Eject and restart the device.

Adding a Fake User

echo "insert into user values('value0', 'value1', 'value2', 'value3', 'value4', 'value5', 'value6');" | sqlite /mnt/KOBOeReader/.kobo/KoboReader.sqlite


The database format may depend on the Kobo's firmware version. In 3.11.0, I did this:

$ sqlite3 ./KoboReader.sqlite
SQLite version 3.8.10.2 2015-01-01 00:00:00
Enter ".help" for usage hints.
sqlite> INSERT INTO "user" VALUES('value0','value1','value2','value3','value4', 'value5', 'value6', 'value7' ,'value8');
sqlite>

On the Kobo Clara HD, the previous commands failed because the table had 20 columns instead of 7 or 9, so the following command must be used. This should also work on other Kobo models, provided that no columns other than UserID and UserKey refuse NULL values:

echo "insert into user (UserID, UserKey)  values (1, 'empty')" | sqlite3 /mnt/KOBOeReader/.kobo/KoboReader.sqlite
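
The condition stated above (no NOT NULL columns other than UserID and UserKey) can be read from the table definition before changing anything. This is an added example, not part of the original page; the function names and the sample schema are constructed, and only UserID and UserKey are column names taken from the page.

```shell
#!/bin/sh
# Added example: read-only check of the "user" table definition.

# required_columns DB: columns declared NOT NULL that have no default value.
# PRAGMA table_info prints: cid|name|type|notnull|dflt_value|pk
required_columns() {
    sqlite3 -list -noheader "$1" 'PRAGMA table_info("user");' |
        awk -F'|' '$4 == 1 && $5 == "" { print $2 }'
}

# two_column_insert_ok DB: succeeds if UserID and UserKey are the only
# columns an INSERT has to supply; otherwise prints the extra columns.
two_column_insert_ok() {
    extra=$(required_columns "$1" | grep -v -x -e UserID -e UserKey || true)
    if [ -n "$extra" ]; then
        echo "also required: $extra" | tr '\n' ' '
        echo
        return 1
    fi
}

# Constructed schema for testing; the real table differs by firmware version.
make_sample_db() {
    sqlite3 "$1" 'CREATE TABLE user (
        UserID TEXT NOT NULL, UserKey TEXT NOT NULL,
        Extra1 TEXT, Extra2 TEXT NOT NULL DEFAULT 0);'
}

# Usage: sh check_user.sh /mnt/KOBOeReader/.kobo/KoboReader.sqlite
if [ -n "${1:-}" ]; then two_column_insert_ok "$1" && echo "ok"; fi
```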

Simplifying re-hacking on updates

Firmware updates will overwrite the files you edited to hack your device, effectively un-hacking it. To avoid having to edit a bunch of complex files again, you can decouple the modifications from the original files.

Make a file named customInit.sh on the root directory (or anywhere else you like) with the lines you would normally put in the /etc/init.d/rcS file, and remove your modified lines from /etc/init.d/rcS file.

Rename your modified /etc/inetd.conf file to /etc/inetd2.conf

Now, when an official firmware update un-hacks your device, you can simply add the following lines to /etc/inittab (using the KoboRoot.tgz method) and restore the hack:

::respawn:/usr/sbin/inetd -f /etc/inetd2.conf
::once:/bin/sh /customInit.sh

More Kobo Hacking

References

  1. https://www.mobileread.com/forums/showthread.php?p=4191419#post4191419