Kobo Touch Hacking

From MobileRead

This page is still under construction.

A big thanks to stef70 for being the first to document how to hack the Kobo Touch.


Overview

The method used by the Kobo Touch to upgrade its firmware is quite simple: If the file .kobo/KoboRoot.tgz is found in the Kobo's public partition, then the .tgz file is extracted to the root of the internal system partition. By editing some of the files within KoboRoot.tgz, we can fairly easily enable telnet and ftp access, giving us root privileges.

The Hacking Process

Getting the Upgrade File

The first step is to get the current firmware so we can patch some files. There is a list of Kobo firmware files with download links here. The other way to get the latest firmware is to do a factory reset:

  1. Back up ALL your ebooks!!! (The factory reset will delete all of your files! Ebooks downloaded from the Kobo store will be automatically put back on your Touch when you sync the device.)
  2. Perform a factory reset. There are two ways this can be done:
    • Hold the Home button while the device turns on, or
    • On the Touch's home screen, press HOME, then Settings > Device Information > Factory Reset.
  3. Plug the Touch into your computer and use the Kobo desktop app to set up your Kobo Touch.
  4. Before you unplug your Touch, copy the file KoboRoot.tgz, found in the .kobo directory on the Touch, to your hard drive.

Editing Files

Now that we have KoboRoot.tgz, we can examine its contents. On Linux, extract the files with

tar xvzf KoboRoot.tgz

Windows users can use a program such as 7-zip to extract the files. DO NOT USE WORDPAD OR ANOTHER WINDOWS TEXT EDITOR to edit them (the newline characters from Windows break the scripts).

The most interesting file is etc/init.d/rcS. This script is called by the init process every time the Touch boots. We can easily add our own shell commands to this script. To be flexible, we'll add the following line right before the line "/usr/local/Kobo/nickel -qws &":

/mnt/onboard/run.sh &

Annotation: Adding the line "/mnt/onboard/run.sh >>/mnt/onboard/run.out 2>&1 &" will give you a log output to "run.out" and allow you to troubleshoot any issues with the "run.sh" commands.

and package it with

tar czf KoboRoot.tgz etc/init.d/rcS

Copy the KoboRoot.tgz file to the .kobo directory on your Touch, unplug it, and it will automatically install and reboot.
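
The rcS edit and repackaging steps above as one script. This is an added example, not part of the original wiki page; it assumes the firmware was extracted into a working directory passed as the first argument, and `patch_rcs`, `HOOK` and `NICKEL` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): hook run.sh into an extracted
# rcS and repackage it. Function and variable names are this example's own.
HOOK='/mnt/onboard/run.sh &'
NICKEL='/usr/local/Kobo/nickel -qws &'

# patch_rcs ROOT   (ROOT = directory where KoboRoot.tgz was extracted)
patch_rcs() {
    root=$1
    rcs="$root/etc/init.d/rcS"
    [ -f "$rcs" ] || { echo "missing $rcs" >&2; return 1; }

    # Windows (CRLF) line endings break the script on the device: refuse them.
    if grep -q "$(printf '\r')" "$rcs"; then
        echo "$rcs has CRLF line endings" >&2
        return 2
    fi
    # The hook goes right before nickel starts, so that line must exist.
    if ! grep -qF -- "$NICKEL" "$rcs"; then
        echo "nickel start line not found in $rcs" >&2
        return 3
    fi
    # Idempotent: skip the insert when run.sh is already hooked in.
    if ! grep -qF -- '/mnt/onboard/run.sh' "$rcs"; then
        tmp=$(mktemp) || return 4
        awk -v hook="$HOOK" -v nickel="$NICKEL" '
            !done && index($0, nickel) { print hook; done = 1 }
            { print }' "$rcs" > "$tmp"
        cat "$tmp" > "$rcs"    # overwrite in place to keep the file mode
        rm -f "$tmp"
    fi
    # Package only the edited file, with the relative path the page uses.
    (cd "$root" && tar czf KoboRoot.tgz etc/init.d/rcS)
}
```

Run it as `patch_rcs /path/to/extracted/firmware`; the resulting KoboRoot.tgz is written into that directory.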

Enabling Telnet/FTP

There are two files, inittab and inetd.conf, that we need to edit in order to enable telnet and ftp. However, they are not found in the current firmware's KoboRoot.tgz file. So, we will create a script, run.sh, with the commands

 cp /etc/inittab /mnt/onboard
 cp /etc/inetd.conf /mnt/onboard

Connect your Touch to your computer and copy run.sh to the Touch. After a reboot, you should find the files inittab and inetd.conf on your Touch's public partition. Move them to the etc directory of the extracted KoboRoot.tgz.

The Kobo Touch runs Busybox, which contains all the tools needed to control the Touch via WiFi. Three steps are required to enable telnet and ftp.

1. Add the following lines to etc/init.d/rcS
 mkdir -p /dev/pts
 mount -t devpts devpts /dev/pts
2. To etc/inetd.conf add
 21 stream tcp nowait root /bin/busybox ftpd -w -S  /
 23 stream tcp nowait root /bin/busybox telnetd -i

Annotation: In my case (I am not the author), on a Glo 2.1.5, it only works if I remove the forward slash at the end of the line "21 stream ...".

3. And add to etc/inittab
 ::respawn:/usr/sbin/inetd -f /etc/inetd.conf

These files can be packaged with

 tar czf KoboRoot.tgz etc/init.d/rcS etc/inittab etc/inetd.conf

Copy the produced KoboRoot.tgz to the Touch's .kobo directory and unplug.
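
Because the Touch unpacks whatever .kobo/KoboRoot.tgz contains over its root filesystem, it is worth checking the archive before copying it over. The following added example (not from the original page; `audit_koboroot` is a name chosen here) confirms the archive holds exactly the files you meant to ship, with relative paths and no Windows line endings.

```shell
#!/bin/sh
# Added example (not from the original page).
# audit_koboroot ARCHIVE EXPECTED_MEMBER...
# Returns 0 only if the archive contains exactly the expected files.
audit_koboroot() {
    archive=$1; shift
    list=$(mktemp) || return 2
    tar tzf "$archive" > "$list" || { rm -f "$list"; return 2; }
    status=0
    cr=$(printf '\r')
    while IFS= read -r m; do
        case $m in
            # Absolute or parent-relative paths would land outside the
            # intended location when extracted over the root filesystem.
            /*|..|../*|*/../*|*/..)
                echo "unsafe path: $m" >&2; status=1; continue ;;
            */) continue ;;                      # directory entry
        esac
        known=0
        for e in "$@"; do
            if [ "$m" = "$e" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
            echo "unexpected member: $m" >&2; status=1
        fi
        # CRLF line endings break scripts and config files on the device.
        if tar xzOf "$archive" "$m" | grep -q "$cr"; then
            echo "CRLF line endings: $m" >&2; status=1
        fi
    done < "$list"
    # Every file you intended to ship must actually be in the archive.
    for e in "$@"; do
        if ! grep -qxF -- "$e" "$list"; then
            echo "missing: $e" >&2; status=1
        fi
    done
    rm -f "$list"
    return "$status"
}
```

For the archive built above, call it as `audit_koboroot KoboRoot.tgz etc/init.d/rcS etc/inittab etc/inetd.conf`.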

You should now be able to log in through telnet! You'll have to enable WiFi, such as by opening the web browser, and figure out your Touch's IP address. If you press HOME > Settings > Device Information, you can see your Touch's MAC address. Open the Touch's web browser, then, on a computer connected to the same network as the Touch, run (assuming that the IP addresses on your network are 192.168.1.x)

 sudo nmap -sP 192.168.1.0/24

to get a list of all connected devices. Look for the MAC address of your Touch. The IP address will be a couple of lines above the MAC address. Using that IP address, telnet into your Touch


Log in as root with a blank password and you're all set.

Enabling USB networking

First, enable Telnet/FTP using the guide above, and telnet into your Kobo.

Manually (e.g. for one-time use - stops working after reboot)

Make sure your Kobo is not plugged in through USB, then issue these commands on your Kobo:

> killall nickel
(nickel is the reader app; you will be able to restart it afterwards with http://pastebin.com/gEuQpaU5)
> /bin/busybox insmod /drivers/ntx508/usb/gadget/arcotg_udc.ko
> /bin/busybox insmod /drivers/ntx508/usb/gadget/g_ether.ko
plugin won't connect through nickel - we have to set it up manually:
> ifconfig usb0

Now plug in your Kobo into your PC through USB, and then issue these commands on your PC:

> lsusb
this should show Netchip Technology, Inc. Linux-USB Ethernet/RNDIS Gadget - if so then:
> ifconfig usb0
> telnet
and you can now log in as root with the same password (default: no password) as in the WiFi case above.

Automatically (e.g. for permanent use - this will work across reboots)

It is probably easiest to edit these files on your PC and then FTP them back to the Kobo (I use Gftp on Ubuntu):

On Kobo:

> killall nickel
Put these commands at the end of /etc/init.d/rcS:
/bin/busybox insmod /drivers/ntx508/usb/gadget/arcotg_udc.ko
/bin/busybox insmod /drivers/ntx508/usb/gadget/g_ether.ko
Put this command at the end of /usr/local/Kobo/udev/ac and /usr/local/Kobo/udev/plug:
ifconfig usb0
(You probably don't need to put them into both, but I'm too lazy to check.)
Now it's time to restart your Kobo to check whether your changes took effect:
> reboot

After the main GUI on Kobo appears (but I think maybe it doesn't matter), plug the Kobo into the PC through USB. Ignore the popup that appears.

Then, on your PC:

$ ifconfig usb0
$ telnet

NOTE: On OS X, instead of 'usb0' you need something like 'en0', the number depending on the USB port.

and you can now log in as root with the same password (default: no password) as in the WiFi case above.

Notes On Suspend

This seems to work:

echo 1 > /sys/power/state-extended   # turns off the neonode touchscreen
echo mem > /sys/power/state
then after resume
echo 0 > /sys/power/state-extended

Found this file after looking at strace of nickel:

open("/sys/power/state-extended", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
dup2(3, 1) //copy filehandle
write(1, "1\n", 2) = 2
execve("/bin/sh", ["sh", "-c", "echo mem > /sys/power/state"]

from kobolabs source /KoboLabs/hw/imx508/cls/linux-

static ssize_t state_extended_store(struct kobject *kobj, struct kobj_attribute *attr,
const char *buf, size_t n)
  if ( buf[0] == '1' )
      neonode_activate(0); disable_irq_wake(get_homekey_irq());
  }else if(g_sys_full_suspend_state)

I have tried the above with WiFi off and unplugged; it seems to work, but I have not fully tested it by looking at the battery level after a while.

Fake registration

echo "insert into user values('value0', 'value1', 'value2', 'value3', 'value4', 'value5', 'value6');" | sqlite /mnt/KOBOeReader/.kobo/KoboReader.sqlite

The database format may depend on the Kobo's firmware version. In 3.11.0, I did this:

$ sqlite3 ./KoboReader.sqlite
SQLite version 2015-01-01 00:00:00
Enter ".help" for usage hints.
sqlite> INSERT INTO "user" VALUES('value0','value1','value2','value3','value4', 'value5', 'value6', 'value7' ,'value8');

Protecting your hack against Updates

Firmware updates will overwrite the files you edited to hack the Kobo. Luckily, the /etc/inittab file is not modified! To make the hack permanent across updates, add the following line to your Kobo's /etc/inittab:

::respawn:/bin/sh /customInit.sh

and edit the inet line to look like this:

::respawn:/usr/sbin/inetd -f /etc/inetd2.conf

Rename your /etc/inetd.conf file to /etc/inetd2.conf.

Make a file named customInit.sh in the / directory containing the lines you would normally put in the /etc/init.d/rcS file, and remove your custom lines from /etc/init.d/rcS once you are sure that everything is working as intended.
