Sony Reader hack

From MobileRead

This page is for the original PRS500.


Note

Many of these hacks are presumably pre-EPUB firmware update.

Sony Reader internals

Flash partitions

Here's the flash memory map:

dev:    size      erasesize name
mtd0:   00200000  00010000  "sdm device NOR 0"
mtd1:   079a0000  00020000  "sdm device NAND/SBL 0"
mtd2:   08000000  00020000  "eBook-1 NAND flash partition 0"
mtd3:   00040000  00010000  "Loader"
mtd4:   00010000  00010000  "Reserved"
mtd5:   00010000  00010000  "FIS directory"
mtd6:   00080000  00020000  "nblconfig"
mtd7:   00180000  00010000  "Linux"
mtd8:   00010000  00010000  "msbios"
mtd9:   00010000  00010000  "Id"
mtd10:  00010000  00010000  "Info"
mtd11:  00160000  00020000  "Linux0"
mtd12:  007e0000  00020000  "Rootfs2"
mtd13:  00980000  00020000  "Rootfs"
mtd14:  00700000  00020000  "Fsk"
mtd15:  00300000  00020000  "Opt0"
mtd16:  05be0000  00020000  "Data"

Mounting

  • /opt, /opt1/keys and /opt1/info are mounted from cramfs images, meaning they are read-only.
  • /opt0 and /Data use jffs2, which is writable.
  • /etc and /var are copied to a ramdisk (created in /dev/shm/) and remounted at /.

Mapping to the filesystem:

  • Id -> /opt1/keys
  • Info -> /opt1/info
  • Fsk -> /opt
  • Opt0 -> /opt0
  • Data -> /Data

Processes

1 init
  2 keventd
  7 mtdblockd
  29 msbdrv_thread
  31 sdbdrv_thread
  47 jffs2_gcd_mtd15
  49 jffs2_gcd_mtd16
    125 tinyhttp
      126 tinyhttp
          127 tinyhttp
          128 tinyhttp
          130 tinyhttp
          131 tinyhttp
          145 tinyhttp
          147 tinyhttp
          148 tinyhttp
  123 getty
3 ksoftirqd_CPU0
4 kswapd
5 bdflush
6 kupdated

The main reader application is "tinyhttp".

Misc

  • The Reader (and CONNECT) seems to use a Times-style font by default.

How to revert to factory settings

Note: The device needs to be able to boot up far enough to run the tinyhttp application in order for the steps below to be effective. If your hacking has wrecked the flash image so badly that it cannot boot this far, see Recovering From Catastrophic Failure (Unbricking) below.

  1. If the device is on, slide the "Power" switch so that it turns off. Look for a small pinhole on the back panel and press the reset button inside it using a pin.
  2. Slide the "Power" switch to turn it on. While the screen displays "Starting up ...", you will see the light above the "Power" switch flash yellow. Wait 35 to 40 seconds, then hold down the "MARK" and "VOL +" buttons.
  3. Keep these two buttons pressed for about 5 to 10 seconds, until the round "PAGE" button gives a quick blue flash.
  4. Keep these two buttons pressed for another 25 seconds; the screen will show a "Reset All" message and ask whether to delete all content.
  5. Press button '5' to delete the content; this can take several minutes if you have many files on the Reader. When the deletion completes, the Reader will turn off.
  6. Turn the Reader on again with the "Power" switch; this can take several minutes if you have many files on the Reader.
  7. Connect your device to your PC and log in to the store.
  8. Go to Account > Manage Devices; you will be asked whether you would like to authorize this device to your account. Say yes.
  9. Your device should now be ready to read eBooks purchased from your account.

Recovering From Catastrophic Failure (Unbricking)

If you manage to brick the device completely, to the point where it cannot boot at all (it remains at the "Starting up..." page indefinitely), you will need to do the following to recover to the factory flash image.

  1. Charge the device overnight to make sure it has enough power for the recovery process.
  2. Use a paper clip or pin to press the reset button in the small hole on the back of the unit. Turn the unit on.
  3. Wait until the "Starting up..." page has been displayed for a few seconds and you see the orange LED blinking. Count about 3 to 4 seconds from the moment you see the LED blinking.
  4. Repeat steps 2 and 3 ten times.
  5. On the tenth reset let the Reader boot; after a few minutes the message "Firmware update is not finished correctly. Please execute firmware update again." will be displayed.
  6. Connect the USB cable and the device will automatically go into recovery ("Updating firmware now...") mode.
  7. Flash the device with the original PRS500 updater.
  8. Make sure you have installed the original Connect Library software that came on the CD. The drivers in Calibre or from a more recent version of the Connect Library software may not let the firmware updater recognise the device properly, so make sure you are using the original drivers from the CD.
  9. Always check whether there is a newer version. This is version

Additional programs

Sony Reader Connect software

ebookUsb.dll interface

Functions

CheckBlock
UsbBeginEnd
UsbBuffFree
void UsbBuffFree(Answer* answer);
UsbCancelCallBack
UsbConnect
UsbConvertDevPathToPCPath
UsbConvertDriveLetterToID
UsbConvertIDToDriveLetter
UsbConvertPCPathToDevPath
UsbDisConnect
UsbElectricIsConnect
UsbEndSecureSession
UsbFreeDevProperty
UsbGetDevProperty
UsbGetIDforPC
UsbGetProtcolVer
UsbGetdevNofromID
UsbInitCheck
UsbKeyExchangeAndAuthentication@0
UsbReceiveProc
int UsbReceiveProc(Request* request, size_t answersize, Answer* answer);

"answersize" is how much data you expect to get in the answer.

UsbSendProc
int UsbSendProc(Request* request, SendBuffer* buf, size_t sendsize, DWORD* bytesSent);
UsbSendReceiveProc@20
UsbSetCallBack@8
UsbUnlockDevice@4

Data types

Request
struct Request {
 DWORD reqNo;
 DWORD reserved[2];
 DWORD extralen;
};

Request.extralen is the size of the data following the header.

Answer
struct Answer {
 DWORD reserved[3];
 DWORD dataLen;
 char  data[1]; // variable length
};

SendBuffer
struct SendBuffer {
 DWORD type; // 0x10005 for WriteFile
 DWORD reserved[2];
 DWORD dataLen;
 char  data[1]; // variable length
};

FileOpenRequest
struct FileOpenRequest: Request {
 DWORD nPathLen;
 char path[1]; // variable length
};

For FileOpen: extralen = 4 + nPathLen and answersize = 4 (you should get 4 in Answer.dataLen).

FileOpenAnswer
struct FileOpenAnswer: Answer {
 DWORD hFile;
};

DirEnumNextAnswer
struct DirEnumNextAnswer: Answer {
 DWORD nType; // 1 = file, 2 = dir
 DWORD nPathLen;
 char path[1]; // of nPathLen bytes
};
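As an added example (not the page's script and not the DLL's own code), the Python below serializes a FileOpenRequest and parses FileOpenAnswer and DirEnumNextAnswer buffers laid out as the structs above, rejecting answers whose dataLen or nPathLen does not match the bytes actually received. It assumes little-endian DWORDs and that Request.reqNo carries the FskFileOpen code (hex 10) from the USB Commands list; the sample answers are constructed, not captured from a device.

```python
import struct

# Request code for FskFileOpen from the page's USB command list (hex 10).
# Assumption: Request.reqNo carries this code.
FSK_FILE_OPEN = 0x10

# Constructed sample answers (not captured from a device), laid out as the
# page's Answer struct: DWORD reserved[3], DWORD dataLen, then dataLen bytes.
SAMPLE_FILE_OPEN_ANSWER = bytes(12) + struct.pack("<I", 4) + struct.pack("<I", 7)
SAMPLE_DIR_ENUM_ANSWER = (bytes(12) + struct.pack("<I", 12)
                          + struct.pack("<II", 2, 4) + b"opt0")


def build_file_open_request(path: str) -> bytes:
    """Serialize a FileOpenRequest: Request header, then nPathLen and path."""
    path_bytes = path.encode("ascii")          # assumes ASCII device paths
    extralen = 4 + len(path_bytes)             # page: extralen = 4 + nPathLen
    header = struct.pack("<IIII", FSK_FILE_OPEN, 0, 0, extralen)
    return header + struct.pack("<I", len(path_bytes)) + path_bytes


def parse_answer(buf: bytes) -> bytes:
    """Return the dataLen payload of an Answer, rejecting truncated buffers."""
    if len(buf) < 16:
        raise ValueError("answer shorter than its 16-byte header")
    (data_len,) = struct.unpack_from("<I", buf, 12)
    data = buf[16:16 + data_len]
    if len(data) != data_len:
        raise ValueError("dataLen %d exceeds buffer" % data_len)
    return data


def parse_file_open_answer(buf: bytes) -> int:
    """Extract hFile; the page says a FileOpen answer carries exactly 4 bytes."""
    data = parse_answer(buf)
    if len(data) != 4:
        raise ValueError("FileOpen answer should have dataLen 4")
    return struct.unpack("<I", data)[0]


def parse_dir_enum_next_answer(buf: bytes) -> dict:
    """Decode nType, nPathLen and path, checking nPathLen against the payload."""
    data = parse_answer(buf)
    if len(data) < 8:
        raise ValueError("DirEnumNext answer too short")
    n_type, n_path_len = struct.unpack_from("<II", data, 0)
    path = data[8:8 + n_path_len]
    if len(path) != n_path_len:
        raise ValueError("nPathLen %d exceeds dataLen" % n_path_len)
    kind = {1: "file", 2: "dir"}.get(n_type, "unknown")
    return {"type": kind, "path": path.decode("ascii")}
```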


The reflashing package is here: It needs Python with the ctypes package and uses DLLs from the Connect software, so the easiest way to get it running is to drop the file into "\Program Files\Sony\CONNECT Reader\Data\bin".

A more recent version of the script (version 0.41) is File:Ebook py

Read-only mode usage:

Sony Reader utility 0.41 (c) 2006 Igor Skochinsky Usage: cmd [params]

 ls <dir> [-R]: list device directory <dir> [recursively]
 get <path> [destPath]: download <path> from the device to current directory or
 cat <path>: dump <path> from the device to the console.

Write mode usage:

Sony Reader utility 0.41 (c) 2006 Igor Skochinsky Usage: cmd [params]

 ls <dir> [-R]: list device directory <dir> [recursively]
 get <path> [destPath]: download <path> from the device to current directory or
 cat <path>: dump <path> from the device to the console.
 put <localfile> <devicefile>: upload file <localfile> to the <devicefile> at the device.
 del <devicefile>: delete <devicefile> from device.
 um <mode>: change update mode (normal/recovery)
 pinfo <name>: show info about MTD partition <name> (only in recovery mode)
 pwrite <name> <file>: write to MTD partition <name> from file <file> (only in recovery mode)
 BE VERY CAREFUL when uploading!

How to enable write mode

By default the script does not allow writing to the device. This is for your own good, and you should not enable writing unless you really know what you're doing. However, if you really mess things up, there are instructions on recovery on this wiki page.

To enable writing, edit the python script and search for the line which reads:

  enableWriting = 0

Change the 0 to a 1 and rerun the script with no arguments. You will now see the write mode usage, and you can use the additional commands. Be careful!

To list the files: ls <dir> [-R]

-R means "list recursively". Recursion into the /dev and /proc subtrees is disabled since that can lead to infinite loops.

E.g.:
 ls /
 ls /etc/ -R

To download files: get <path>

E.g.:
 get /Data/tmp/info/model
 get /etc/init.d/

To get the cramfs image: get /dev/mtd13 0x863000

To switch the Reader to update mode: um recovery

After a few seconds the Reader will reboot. Don't disconnect the unit. Wait until you get the "Updating firmware now..." message.

To upload a new Rootfs: pwrite "Rootfs" <file>

To switch back to normal mode: um normal

Additional programs

USB Commands

The USB protocol between the PC and ebook is carried out by sending vendor-defined control requests to the device. Each request consists of a request code and parameters. The response varies with each request.

Following is a list of the request codes that make up the protocol.

This section needs documentation of request parameters and response data.

Code (hex)  Name
0           GetUsbProtocolVersion
1           ReqUsbConnect
10          FskFileOpen
11          FskFileClose
12          FskGetSize
13          FskSetSize
14          FskFileSetPosition
15          FskGetPosition
16          FskFileRead
17          FskFileWrite
18          FskFileGetFileInfo
19          FskFileSetFileInfo
1A          FskFileCreate
1B          FskFileDelete
1C          FskFileRename
30          FskFileCreateDirectory
31          FskFileDeleteDirectory
32          FskFileRenameDirectory
33          FskDirectoryIteratorNew
34          FskDirectoryIteratorDispose
35          FskDirectoryIteratorGetNext
52          FskVolumeGetInfo
53          FskVolumeGetInfoFromPath
80          FskFileTerminate
100         ConnectDevice
101         GetProperty
102         GetMediaInfo
103         GetFreeSpace
104         SetTime
105         DeviceBeginEnd
106         UnlockDevice
107         SetBulkSize
110         GetHttpRequest
111         SetHttpRespponse
112         Needregistration
114         GetMarlinState
200         ReqDiwStart
201         SetDiwPersonalkey
202         GetDiwPersonalkey
203         SetDiwDhkey
204         GetDiwDhkey
205         SetDiwChallengeserver
206         GetDiwChallengeserver
207         GetDiwChallengeclient
208         SetDiwChallengeclient
209         GetDiwVersion
20A         SetDiwWriteid
20B         GetDiwWriteid
20C         SetDiwSerial
20D         GetDiwModel
20E         GetDiwDeviceid
20F         GetDiwSerial
210         ReqDiwCheckservicedata
211         ReqDiwCheckiddata
212         ReqDiwCheckserialdata
213         ReqDiwFactoryinitialize
214         GetDiwMacaddress
215         ReqDiwTest
216         ReqDiwDeletekey
300         UpdateChangemode
301         UpdateDeletePartition
302         UpdateCreatePartition
303         UpdateCreatePartitionWithImage
304         UpdateGetPartitionSize

Credits