Kobo Touch Hacking
This page is still under construction.
A big thanks to stef70 for being the first to document how to hack the Kobo Touch.
Overview
The method used by the Kobo Touch to upgrade its firmware is quite simple: If the file .kobo/KoboRoot.tgz is found in the Kobo's public partition, then the .tgz file is extracted to the root of the internal system partition. By editing some of the files within KoboRoot.tgz, we can fairly easily enable telnet and ftp access, giving us root privileges.
The Hacking Process
Getting the Upgrade File
The first step is to get the current firmware so we can patch some files. There is a list of Kobo firmware files with download links here. The other way to get the latest firmware is to do a factory reset:
- Back up ALL your ebooks!!! (The factory reset will delete all of your files!) (Ebooks downloaded from the Kobo store will be automatically put back on your Touch when you sync the device.)
- Perform a factory reset. There are two ways this can be done:
  - Hold the Home button while the device turns on, or
  - On the Touch's home screen, press HOME, then Settings > Device Information > Factory Reset.
- Plug the Touch into your computer and use the Kobo desktop app to set up your Kobo Touch.
- Before you unplug your Touch, copy the file KoboRoot.tgz, found in the .kobo directory on the Touch, to your hard drive.
Editing Files
Now that we have KoboRoot.tgz, we can examine its contents. On Linux, extract the files with
tar xvzf KoboRoot.tgz
Windows users can use a program such as 7-zip to extract the files.
The most interesting file is etc/init.d/rcS. This script is called by the init process every time the Touch boots. We can easily add our own shell commands to this script. To be flexible, we'll add (BEFORE the call to nickel)
/mnt/onboard/run.sh &
and package it with
tar czf KoboRoot.tgz etc/init.d/rcS
Copy the KoboRoot.tgz file to the .kobo directory on your Touch, unplug it, and it will automatically install and reboot.
Enabling Telnet/FTP
There are two files, inittab and inetd.conf, that we need to edit in order to enable telnet and ftp. However, they are not found in the current firmware's KoboRoot.tgz file. So, we will create a script, run.sh, with the commands
cp /etc/inittab /mnt/onboard
cp /etc/inetd.conf /mnt/onboard
Connect your Touch to your computer and copy run.sh to the Touch. After a reboot, you should find the files inittab and inetd.conf on your Touch's public partition. Move them to the etc directory of the extracted KoboRoot.tgz.
The Kobo Touch runs Busybox, which contains all the tools needed to control the Touch via WiFi. Three steps are required to enable telnet and ftp.
- 1. Add the following lines to etc/init.d/rcS
mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
- 2. To etc/inetd.conf add
21 stream tcp nowait root /bin/busybox ftpd -w -S /
23 stream tcp nowait root /bin/busybox telnetd -i
Annotation: In my case (I am not the author), on a Glo 2.1.5, it only works if I remove the forward slash at the end of the line "21 stream ..."
- 3. And add to etc/inittab
::respawn:/usr/sbin/inetd -f /etc/inetd.conf
These files can be packaged with
tar czf KoboRoot.tgz etc/init.d/rcS etc/inittab etc/inetd.conf
Copy the produced KoboRoot.tgz to the Touch's .kobo directory and unplug.
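Because the updater extracts everything in KoboRoot.tgz over the root of the system partition, it is worth checking the archive before copying it to the device. The following is an added example, not part of the original page: the helper name check_koboroot, the allow-list and the demo archives are assumptions built from the tar commands above.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of a patched
# KoboRoot.tgz. ALLOWED lists the files this page's procedure packages.
ALLOWED='etc/init.d/rcS
etc/inittab
etc/inetd.conf'

# check_koboroot ARCHIVE (hypothetical helper name)
# Returns 0 if every member is an allow-listed regular file, 1 if a member
# is unexpected or unsafe, 2 if the archive cannot be read.
check_koboroot() {
    archive=$1
    members=$(tar tzf "$archive" 2>/dev/null) || return 2
    [ -n "$members" ] || return 2
    # The first character of a verbose listing line is the entry type;
    # reject symlinks, hard links and device nodes (anything but '-' or 'd').
    if tar tvzf "$archive" | grep -q '^[^-d]'; then
        echo "non-regular member in $archive" >&2
        return 1
    fi
    rc=0
    # Here-document rather than a pipe, so rc is set in this shell.
    while IFS= read -r m; do
        m=${m#./}
        case $m in
            /*|..|../*|*/../*|*/..) echo "unsafe path: $m" >&2; rc=1 ;;
            ''|*/) ;;   # directory entries carry no file content
            *) printf '%s\n' "$ALLOWED" | grep -qxF -- "$m" ||
                   { echo "unexpected member: $m" >&2; rc=1; } ;;
        esac
    done <<EOF
$members
EOF
    return $rc
}

# demo: build two constructed archives in a temp dir and check both.
# Prints "ok" only if the clean one passes and the tampered one is rejected.
demo() (
    tmp=$(mktemp -d) && cd "$tmp" || exit 2
    trap 'rm -rf "$tmp"' EXIT
    mkdir -p etc/init.d usr/bin
    : > etc/init.d/rcS; : > etc/inittab; : > etc/inetd.conf; : > usr/bin/extra
    tar czf good.tgz etc/init.d/rcS etc/inittab etc/inetd.conf
    tar czf bad.tgz etc/init.d/rcS usr/bin/extra
    check_koboroot good.tgz && ! check_koboroot bad.tgz 2>/dev/null && echo ok
)
```

Run check_koboroot KoboRoot.tgz in the directory where the archive was built; a non-zero status means the archive holds something other than the three edited files.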
You should now be able to log in through telnet! You'll have to enable WiFi, such as by opening the web browser, and figure out your Touch's IP address. If you press HOME > Settings > Device Information, you can see your Touch's MAC address. Open the Touch's web browser, then, on a computer connected to the same network as the Touch, run (assuming that the IP addresses on your network are 192.168.1.x)
sudo nmap -sP 192.168.1.1-254
to get a list of all connected devices. Look for the MAC address of your Touch. The IP address will be a couple of lines above the MAC address. Using that IP address, telnet into your Touch
telnet 192.168.1.100
Log in as root with a blank password and you're all set.
Enabling Telnet/FTP USB
Get WiFi telnet access using the guide above.
Manually
On the Kobo, before plugging in:
killall nickel
(nickel can be restarted with http://pastebin.com/gEuQpaU5)
/bin/busybox insmod /drivers/ntx508/usb/gadget/arcotg_udc.ko
/bin/busybox insmod /drivers/ntx508/usb/gadget/g_ether.ko
Plug in; don't connect through nickel (main app).
ifconfig usb0 192.168.2.2
On the PC:
lsusb
should show "Netchip Technology, Inc. Linux-USB Ethernet/RNDIS Gadget". If so, then
ifconfig usb0 192.168.2.1
telnet 192.168.2.2
Log in as root.
Automatic at boot (probably easiest to edit on the PC and FTP back to the Kobo; I use gFTP on Ubuntu):
On the Kobo:
killall nickel
(nickel can be restarted with http://pastebin.com/gEuQpaU5)
Put these commands at the end of /etc/init.d/
/bin/busybox insmod /drivers/ntx508/usb/gadget/arcotg_udc.ko
/bin/busybox insmod /drivers/ntx508/usb/gadget/g_ether.ko
Put this at the end of /usr/local/Kobo/udev/ac and /usr/local/Kobo/udev/plug
ifconfig usb0 192.168.2.2
(Probably don't need to put it in both, but I'm too lazy to check.)
reboot
(after main GUI; I think it doesn't matter)
Plug into the PC and ignore the popup.
On the PC:
ifconfig usb0 192.168.2.1
telnet 192.168.2.2
Log in as root.
Notes On Suspend
This seems to work:
# turns off the neonode touchscreen
echo 1 > /sys/power/state-extended
echo mem > /sys/power/state
Then, after resume:
echo 0 > /sys/power/state-extended
Found this file after looking at an strace of nickel:
open("/sys/power/state-extended", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
dup2(3, 1) //copy filehandle
write(1, "1\n", 2) = 2
execve("/bin/sh", ["sh", "-c", "echo mem > /sys/power/state"]
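From the kobolabs source, /KoboLabs/hw/imx508/cls/linux-2.6.35.3/kernel/power/main.c:
static ssize_t state_extended_store(struct kobject *kobj, struct kobj_attribute *attr,
        const char *buf, size_t n)
{
    /* Writing '1' enters the full-suspend state: the neonode touchscreen is
       switched off and the Home key IRQ stops being a wake-up source. */
    if ( buf[0] == '1' )
    {
        if(!g_sys_full_suspend_state)
        {
            neonode_activate(0);
            disable_irq_wake(get_homekey_irq());
            g_sys_full_suspend_state=1;
        }
    }else if(g_sys_full_suspend_state)
    {
        /* Any other value leaves the full-suspend state again. */
        neonode_activate(1);
        enable_irq_wake(get_homekey_irq());
        g_sys_full_suspend_state=0;
    }
    /* ... (rest of the function is not shown on the page) */
}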
I have tried the above with WiFi off and unplugged; it seems to work, but I have not fully tested it by looking at the battery level after a while.