Sony Reader hack
This page is for the original PRS500.
Note
Many of these hacks are presumably pre-EPUB firmware update.
Sony Reader internals
Flash partitions
Here's the flash memory map:
dev:    size   erasesize  name
mtd0: 00200000 00010000 "sdm device NOR 0"
mtd1: 079a0000 00020000 "sdm device NAND/SBL 0"
mtd2: 08000000 00020000 "eBook-1 NAND flash partition 0"
mtd3: 00040000 00010000 "Loader"
mtd4: 00010000 00010000 "Reserved"
mtd5: 00010000 00010000 "FIS directory"
mtd6: 00080000 00020000 "nblconfig"
mtd7: 00180000 00010000 "Linux"
mtd8: 00010000 00010000 "msbios"
mtd9: 00010000 00010000 "Id"
mtd10: 00010000 00010000 "Info"
mtd11: 00160000 00020000 "Linux0"
mtd12: 007e0000 00020000 "Rootfs2"
mtd13: 00980000 00020000 "Rootfs"
mtd14: 00700000 00020000 "Fsk"
mtd15: 00300000 00020000 "Opt0"
mtd16: 05be0000 00020000 "Data"
Mounting
- /opt, /opt1/keys and /opt1/info are mounted from cramfs images, meaning they're read-only.
- /opt0 and /Data use jffs2, which is writable.
- /etc and /var are copied to a ramdisk (created in /dev/shm/) and remounted at /
Mapping to the filesystem:
- Id -> /opt1/keys
- Info -> /opt1/info
- Fsk -> /opt
- Opt0 -> /opt0
- Data -> /Data
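As an added example (not from this wiki page or from ebook.py), the following Python script parses a /proc/mtd-style partition table like the one shown above, rejects rows whose size is not a whole number of erase blocks, and relates each partition to the mount point listed on this page. The table text and the name-to-mount-point mapping are copied from the page; the function names and the "does this image fit before I pwrite it" check are my own additions.

```python
# Added example (not from the wiki page or from ebook.py): parse a /proc/mtd
# style partition table such as the one shown above and relate each partition
# to the mount point the page gives for it. The table text and the name ->
# mount-point mapping are copied from the page; everything else is assumed.
import re
from typing import List, NamedTuple, Optional

MTD_TABLE = """\
dev:    size   erasesize  name
mtd0: 00200000 00010000 "sdm device NOR 0"
mtd1: 079a0000 00020000 "sdm device NAND/SBL 0"
mtd2: 08000000 00020000 "eBook-1 NAND flash partition 0"
mtd3: 00040000 00010000 "Loader"
mtd4: 00010000 00010000 "Reserved"
mtd5: 00010000 00010000 "FIS directory"
mtd6: 00080000 00020000 "nblconfig"
mtd7: 00180000 00010000 "Linux"
mtd8: 00010000 00010000 "msbios"
mtd9: 00010000 00010000 "Id"
mtd10: 00010000 00010000 "Info"
mtd11: 00160000 00020000 "Linux0"
mtd12: 007e0000 00020000 "Rootfs2"
mtd13: 00980000 00020000 "Rootfs"
mtd14: 00700000 00020000 "Fsk"
mtd15: 00300000 00020000 "Opt0"
mtd16: 05be0000 00020000 "Data"
"""

# Partition name -> mount point, as listed on the page.
MOUNT_POINTS = {
    "Id": "/opt1/keys",
    "Info": "/opt1/info",
    "Fsk": "/opt",
    "Opt0": "/opt0",
    "Data": "/Data",
}


class MtdPartition(NamedTuple):
    dev: str        # e.g. "mtd13"
    size: int       # bytes
    erasesize: int  # bytes per erase block
    name: str       # the quoted partition name (what pwrite takes)


# One /proc/mtd row: device, 8 hex digits, 8 hex digits, quoted name.
_ROW = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+"([^"]*)"$')


def parse_mtd_table(text: str) -> List[MtdPartition]:
    """Parse the table; the header line and blank lines are skipped.

    A size that is not a whole number of erase blocks is rejected, since flash
    is always erased and written in whole blocks.
    """
    parts = []
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue
        dev, size_hex, erase_hex, name = m.groups()
        size, erasesize = int(size_hex, 16), int(erase_hex, 16)
        if erasesize == 0 or size % erasesize:
            raise ValueError(f"{dev}: size 0x{size:x} is not a multiple of erasesize 0x{erasesize:x}")
        parts.append(MtdPartition(dev, size, erasesize, name))
    return parts


def find_partition(parts: List[MtdPartition], name: str) -> Optional[MtdPartition]:
    """Look a partition up by its quoted name."""
    for p in parts:
        if p.name == name:
            return p
    return None


def image_fits(parts: List[MtdPartition], name: str, image_len: int) -> bool:
    """True if an image of image_len bytes fits into partition `name`.

    Worth checking before a pwrite: an image longer than the partition cannot
    be written whole, and a non-booting device is the likely result.
    """
    p = find_partition(parts, name)
    return p is not None and 0 < image_len <= p.size


def partition_summary(parts: List[MtdPartition]):
    """(dev, name, size in KiB, erase blocks, mount point or None) per partition."""
    return [(p.dev, p.name, p.size // 1024, p.size // p.erasesize, MOUNT_POINTS.get(p.name))
            for p in parts]


if __name__ == "__main__":
    for dev, name, kib, blocks, mount in partition_summary(parse_mtd_table(MTD_TABLE)):
        print("%-6s %-34s %8d KiB %4d blocks  %s" % (dev, '"%s"' % name, kib, blocks, mount or "-"))
```

Run it as a script to print the summary; the 0x863000-byte cramfs image that the "get cramfs image" command below pulls from /dev/mtd13 fits inside the 0x980000-byte Rootfs partition, which is the kind of check `image_fits` is for.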
Processes
1 init
2 keventd
7 mtdblockd
29 msbdrv_thread
31 sdbdrv_thread
47 jffs2_gcd_mtd15
49 jffs2_gcd_mtd16
121 tinyhttp.sh
125 tinyhttp
126 tinyhttp
127 tinyhttp
128 tinyhttp
130 tinyhttp
131 tinyhttp
145 tinyhttp
147 tinyhttp
148 tinyhttp
123 getty
3 ksoftirqd_CPU0
4 kswapd
5 bdflush
6 kupdated
The main reader application is "tinyhttp".
Misc
- Reader (and CONNECT) seems to use a Times-style font by default.
How to revert to factory settings
Note: The device needs to be able to boot up far enough to run the tinyhttp application in order for the steps below to be effective. If your hacking has wrecked the flash image so badly that it cannot boot this far, see Recovering From Catastrophic Failure (Unbricking) below.
- If the device is on, slide the "Power" switch so that it turns off. Look for a small pinhole on the back panel and press the reset button behind it using a pin.
- Slide the "Power" button to turn it on. While the screen displays "Starting up ...", the light above the "Power" button flashes yellow. Wait 35 to 40 seconds, then hold down the "MARK" and "VOL +" buttons.
- CONTINUE TO keep these 2 buttons pressed for about 5 to 10 seconds, until the round "PAGE" button gives a quick blue flash.
- CONTINUE to keep these 2 buttons pressed for another 25 seconds; the screen will show a "Reset All" message and ask whether to delete all content.
- Press button '5' to clean up content; this can take several minutes if you have many files on the Reader. When the deletion completes, the Reader will turn off.
- Press the "Power" button to turn it on; this can take several minutes if you have many files on the Reader.
- Connect your device to your PC and log in to the store.
- Go to Account > Manage Devices; you will be asked whether you'd like to authorize this device to your account. Say yes.
- Your device should be ready to read eBooks purchased from your account.
Recovering From Catastrophic Failure (Unbricking)
If you manage to completely brick the device to where it cannot boot at all (remains at "Starting up..." page indefinitely), you will need to do the following to recover to the factory flash image.
- Charge the device overnight to make sure it has enough power for the recovery process.
- Use a paper clip or pin to depress the reset button in the small hole on the back of the unit. Turn the unit on.
- Wait until the "Starting up..." page has been displayed for a few seconds and you see the orange LED blinking. Count about 3 to 4 seconds from the moment you see the LED blinking.
- Repeat steps 2 and 3 ten times.
- On the tenth reset let the Reader boot and after a few minutes the message "Firmware update is not finished correctly. Please execute firmware update again." will be displayed.
- Connect the USB cable and the device will automatically go into recovery ("Updating firmware now...") mode.
- Flash the device with the original PRS500 updater.
- Make sure you have installed the original Connect Library software that came with the CD. The drivers in Calibre or from a more recent version of the Connect Library software may not let the Firmware updater recognise the device properly, so make sure you are using the original drivers from the CD.
- Always check whether there is a newer version; the one referred to here is version 1.0.03.07170.
Additional programs
Sony Reader Connect software
ebookUsb.dll interface
Functions
CheckBlock
UsbBeginEnd
UsbBuffFree
void UsbBuffFree(Answer* answer);
UsbCancelCallBack
UsbConnect
UsbConvertDevPathToPCPath
UsbConvertDriveLetterToID
UsbConvertIDToDriveLetter
UsbConvertPCPathToDevPath
UsbDisConnect
UsbElectricIsConnect
UsbEndSecureSession
UsbFreeDevProperty
UsbGetDevProperty
UsbGetIDforPC
UsbGetProtcolVer
UsbGetdevNofromID
UsbInitCheck
UsbKeyExchangeAndAuthentication@0
UsbReceiveProc
int UsbReceiveProc(Request* request, size_t answersize, Answer* answer);
"answersize" is how much data you expect to get in the answer.
UsbSendProc
int UsbSendProc(Request* request, SendBuffer* buf, size_t sendsize, DWORD* bytesSent);
UsbSendReceiveProc@20
UsbSetCallBack@8
UsbUnlockDevice@4
Data types
Request
struct Request {
    DWORD reqNo;
    DWORD reserved[2];
    DWORD extralen;
};
Request.extralen is the size of data following the header.
Answer
struct Answer {
    DWORD reserved[3];
    DWORD dataLen;
    char data[1]; // variable length
};
SendBuffer
struct SendBuffer {
    DWORD type; // 0x10005 for WriteFile
    DWORD reserved[2];
    DWORD dataLen;
    char data[1]; // variable length
};
FileOpenRequest
struct FileOpenRequest: Request {
    DWORD nPathLen;
    char path[1]; // variable length
};
For FileOpen: extralen = 4 + nPathLen and answersize = 4 (and you should get 4 back in Answer.dataLen).
FileOpenAnswer
struct FileOpenAnswer: Answer {
    DWORD hFile;
};
DirEnumNextAnswer
struct DirEnumNextAnswer: Answer {
    DWORD nType;    // 1=file, 2=dir
    DWORD nPathLen;
    char path[1];   // of nPathLen bytes
};
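As an added example (not code from this wiki page, from ebook.py or from ebookUsb.dll), the following Python builds a FileOpenRequest and parses a FileOpenAnswer and a DirEnumNextAnswer with the struct module, checking every length field against the bytes actually received before trusting it. It assumes DWORDs are 32-bit little-endian (the x86 host side of the DLL), that device paths are ASCII, and that Request.reqNo carries the request code from the USB Commands list further down this page (0x10 for FskFileOpen, 0x35 for FskDirectoryIteratorGetNext); the function names and the sample answers are constructed for the example.

```python
# Added example (not from the wiki page, ebook.py or ebookUsb.dll): build and
# parse the Request/Answer blobs described above with Python's struct module.
# Assumptions: DWORDs are 32-bit little-endian, paths are ASCII, and
# Request.reqNo carries the request code from the page's USB Commands list.
import struct
from typing import Optional, Tuple

FSK_FILE_OPEN = 0x10                    # "10 FskFileOpen" in the USB Commands list
FSK_DIRECTORY_ITERATOR_GET_NEXT = 0x35  # "35 FskDirectoryIteratorGetNext"

# struct Request { DWORD reqNo; DWORD reserved[2]; DWORD extralen; }
REQUEST_HDR = struct.Struct("<IIII")
# struct Answer  { DWORD reserved[3]; DWORD dataLen; char data[1]; }
ANSWER_HDR = struct.Struct("<IIII")


def build_file_open_request(path: str) -> bytes:
    """FileOpenRequest: Request header, then DWORD nPathLen, then the path bytes.

    extralen = 4 + nPathLen, as the page states for FileOpen.
    """
    path_bytes = path.encode("ascii")
    extra = struct.pack("<I", len(path_bytes)) + path_bytes
    header = REQUEST_HDR.pack(FSK_FILE_OPEN, 0, 0, len(extra))
    return header + extra


def build_answer(payload: bytes) -> bytes:
    """Constructed device answer (for testing): reserved zeros, dataLen, data."""
    return ANSWER_HDR.pack(0, 0, 0, len(payload)) + payload


def answer_data(buf: bytes) -> bytes:
    """Return Answer.data, trusting dataLen only after checking it against the buffer."""
    if len(buf) < ANSWER_HDR.size:
        raise ValueError("answer shorter than its header")
    _, _, _, data_len = ANSWER_HDR.unpack_from(buf)
    data = buf[ANSWER_HDR.size:]
    if data_len > len(data):
        raise ValueError(f"dataLen {data_len} exceeds the {len(data)} bytes received")
    return data[:data_len]


def parse_file_open_answer(buf: bytes) -> int:
    """FileOpenAnswer: data is exactly one DWORD, hFile (dataLen should be 4)."""
    data = answer_data(buf)
    if len(data) != 4:
        raise ValueError(f"FileOpen answer carries {len(data)} bytes, expected 4")
    return struct.unpack("<I", data)[0]


def parse_dir_enum_next_answer(buf: bytes) -> Tuple[str, str]:
    """DirEnumNextAnswer: DWORD nType (1=file, 2=dir), DWORD nPathLen, path[nPathLen]."""
    data = answer_data(buf)
    if len(data) < 8:
        raise ValueError("DirEnumNext answer too short for nType and nPathLen")
    n_type, n_path_len = struct.unpack_from("<II", data)
    if n_type not in (1, 2):
        raise ValueError(f"unknown nType {n_type}")
    if n_path_len > len(data) - 8:
        raise ValueError(f"nPathLen {n_path_len} runs past dataLen")
    kind = "file" if n_type == 1 else "dir"
    return kind, data[8:8 + n_path_len].decode("ascii", "replace")


def try_parse_dir_entry(buf: bytes) -> Optional[Tuple[str, str]]:
    """None for a malformed entry instead of an exception (handy in a listing loop)."""
    try:
        return parse_dir_enum_next_answer(buf)
    except ValueError:
        return None


if __name__ == "__main__":
    req = build_file_open_request("/Data/tmp/info/model")
    print(req.hex())
    print(parse_file_open_answer(build_answer(struct.pack("<I", 7))))
    print(try_parse_dir_entry(build_answer(struct.pack("<II", 2, 3) + b"etc")))
```

The two length checks in `answer_data` and `parse_dir_enum_next_answer` are the point: a host tool that copies `dataLen` or `nPathLen` bytes on faith is trusting a value set by whatever firmware is on the other end of the cable, so bound it by what was actually received before slicing.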
ebook.py
The reflashing package is here: File:PRSPatch01.zip. It needs Python with the ctypes package and uses DLLs from the Connect software, so the best way to get it running is to drop the file into "\Program Files\Sony\CONNECT Reader\Data\bin".
A more recent version of the ebook.py script (version 0.41) is File:Ebook py 041.zip.
Read Only Mode Usage:
Sony Reader utility 0.41 (c) 2006 Igor Skochinsky
Usage: ebook.py cmd [params]
  ls <dir> [-R]: list device directory <dir> [recursively]
  get <path> [destPath]: download <path> from the device to current directory or destPath
  cat <path>: dump <path> from the device to the console.
Write Mode Usage:
Sony Reader utility 0.41 (c) 2006 Igor Skochinsky
Usage: ebook.py cmd [params]
  ls <dir> [-R]: list device directory <dir> [recursively]
  get <path> [destPath]: download <path> from the device to current directory or destPath
  cat <path>: dump <path> from the device to the console.
  put <localfile> <devicefile>: upload file <localfile> to the <devicefile> at the device.
  del <devicefile>: delete <devicefile> from device.
  um <mode>: change update mode (normal/recovery)
  pinfo <name>: show info about MTD partition <name> (only in recovery mode)
  pwrite <name> <file>: write to MTD partition <name> from file <file> (only in recovery mode)
BE VERY CAREFUL when uploading!
How to enable write mode
By default the script does not allow writing to the device. This is for your own good, and you should not enable writing unless you really know what you're doing. However, if you really mess things up, there are recovery instructions on this wiki page.
To enable writing, edit the python script ebook.py and search for the line which reads:
enableWriting = 0
Change the 0 to a 1 and rerun the script with no arguments. You will now see the write mode usage, and you can use the additional commands. Be careful!
To list the files:
ebook.py ls <dir> [-R]
-R means "list recursively". Recursion for /dev and /proc subtrees is disabled since that can lead to infinite loops.
E.g.:
ebook.py ls /
ebook.py ls /etc/ -R
To download files:
ebook.py get <path>
E.g.:
ebook.py get /Data/tmp/info/model
ebook.py get /etc/init.d/
To get cramfs image
ebook.py get /dev/mtd13 0x863000
switch Reader to update mode
ebook.py um recovery
After a few seconds, the Reader will reboot. Don't disconnect the unit. Wait until you get the "Updating firmware now..." message.
upload new Rootfs
ebook.py pwrite "Rootfs" Rootfs.new
switch to normal mode
ebook.py um normal
Additional programs
USB Commands
The USB protocol between the PC and ebook is carried out by sending vendor-defined control requests to the device. Each request consists of a request code and parameters. The response varies with each request.
Following is a list of the request codes that make up the protocol.
This section needs documentation of request parameters and response data.
0 GetUsbProtocolVersion
1 ReqUsbConnect
10 FskFileOpen
11 FskFileClose
12 FskGetSize
13 FskSetSize
14 FskFileSetPosition
15 FskGetPosition
16 FskFileRead
17 FskFileWrite
18 FskFileGetFileInfo
19 FskFileSetFileInfo
1A FskFileCreate
1B FskFileDelete
1C FskFileRename
30 FskFileCreateDirectory
31 FskFileDeleteDirectory
32 FskFileRenameDirectory
33 FskDirectoryIteratorNew
34 FskDirectoryIteratorDispose
35 FskDirectoryIteratorGetNext
52 FskVolumeGetInfo
53 FskVolumeGetInfoFromPath
80 FskFileTerminate
100 ConnectDevice
101 GetProperty
102 GetMediaInfo
103 GetFreeSpace
104 SetTime
105 DeviceBeginEnd
106 UnlockDevice
107 SetBulkSize
110 GetHttpRequest
111 SetHttpRespponse
112 Needregistration
114 GetMarlinState
200 ReqDiwStart
201 SetDiwPersonalkey
202 GetDiwPersonalkey
203 SetDiwDhkey
204 GetDiwDhkey
205 SetDiwChallengeserver
206 GetDiwChallengeserver
207 GetDiwChallengeclient
208 SetDiwChallengeclient
209 GetDiwVersion
20A SetDiwWriteid
20B GetDiwWriteid
20C SetDiwSerial
20D GetDiwModel
20E GetDiwDeviceid
20F GetDiwSerial
210 ReqDiwCheckservicedata
211 ReqDiwCheckiddata
212 ReqDiwCheckserialdata
213 ReqDiwFactoryinitialize
214 GetDiwMacaddress
215 ReqDiwTest
216 ReqDiwDeletekey
300 UpdateChangemode
301 UpdateDeletePartition
302 UpdateCreatePartition
303 UpdateCreatePartitionWithImage
304 UpdateGetPartitionSize
Credits
Igorsk!