5,594,386 Members 37,349 Now Online
XDA Developers Android and Mobile Development Forum

Hacking the new Nook GlowLight

Tip us?
 
Edgur
Old
#1  
Junior Member - OP
Thanks Meter 10
Posts: 10
Join Date: Dec 2013
Prompt Hacking the new Nook GlowLight

I just got a new Nook GlowLight (NGL), and came here assuming I would find all sorts of wonderful information about rooting it, and cool hacks I could do to make it more usable. Imagine my surprise when I could only find a couple of threads about it at all, with almost zero information! Finding information is definitely hampered by the name of the device. Any time I google for Nook GlowLight, 99% of the results are instead about the completely different product, Nook Simple Touch with GlowLight. Frustrating!

Anyway, in an effort to get the ball rolling, I will post the little bit that I have been able to find out about my NGL.



I cannot seem to ADB into it. I plugged it in, but ADB does not recognize it. It shows up as a regular mass storage device. The USB VendorID is 2080, and the ProductID is 0007. There seems to be no information out there anywhere about 2080:0007, unfortunately.



I took the back cover off to see if there was a magical "press here to root" button. Sadly, there was not. Since there does not appear to be a NGL teardown annnnnnnnnnnnnywhere on the whole wide Interwebs, I took some amateur photos of mine to share. I didn't want to chance breaking it, as I can't really go and buy a new one right now, so it's not torn down to the individual components, sorry. Hopefully it will be enough to spark some ideas, at least.

I don't know much about hardware hacking, but I've heard about JTAG ports being used to get inside of plenty of Android devices. One of the things I noticed was four unmarked copper pads on the board. That seems about right, as apparently most JTAG interfaces have either 4 or 5 lines, plus Ground. I created a picture with the four unmarked pads + Ground marked.



I know it's not much, but hopefully this information will spark some ideas from people with more experience in cracking these devices! If anyone else has additional information to add, please post it here.
Attached Thumbnails
Click image for larger version

Name:	NGL_Back.jpg
Views:	728
Size:	261.0 KB
ID:	2440084   Click image for larger version

Name:	NGL_Battery.jpg
Views:	611
Size:	250.1 KB
ID:	2440085   Click image for larger version

Name:	NGL_PCB.jpg
Views:	624
Size:	272.2 KB
ID:	2440086   Click image for larger version

Name:	NGL_PCB_poss_JTAG.jpg
Views:	593
Size:	273.2 KB
ID:	2440087  
The Following 5 Users Say Thank You to Edgur For This Useful Post: [ Click to Expand ]
 
Renate NST
Old
(Last edited by Renate NST; 8th December 2013 at 02:02 PM.)
#2  
Renate NST's Avatar
Recognized Contributor / Recognized Developer
Thanks Meter 697
Posts: 1,774
Join Date: Feb 2012
Location: Boston
Wow, thanks for the photos.

It's really interesting how they reformulated the Nook to use the small PCB.
It seems to be the same hardware basically.
They are using a different WiFi module than the Jorjin in the old Nooks.
There might be hope for having Bluetooth.

No, those four point that you circled are definitely not JTAG.
Some of the tiny gold contact points near the OMAP 3621 processor could be.
There is a missing IC at the top which could be a TXB0104 level shifter for a UART.
I'd be interested to see if/what is on the bottom of the PCB.

VID 2080 is B&N. They have been using the PIDs sequentially, so 0007 is expected.
Presumably it presents a single USB interface and one UMS volume.

Try rebooting the Nook with the USB connected to a PC.
Does it ever say, "New device found"?

You are not going to find an ADB without modifying the INF file for the ADB driver.

Try downloading Microsoft's UsbView from here. (Thank you, FTDI.)
Run it and select the Nook on the left pane, select all on the right pane and copy it here, please.

Oh! Be sure to overwrite your serial number on the text dump.
It's not a big security risk, but still....
Just type "MYSERIALNUMBER" or something.

The Following 2 Users Say Thank You to Renate NST For This Useful Post: [ Click to Expand ]
 
shanks7777
Old
#3  
Junior Member
Thanks Meter 2
Posts: 19
Join Date: Dec 2011
Default USBview

Quote:
Originally Posted by Renate NST View Post
Wow, thanks for the photos.

It's really interesting how they reformulated the Nook to use the small PCB.
It seems to be the same hardware basically.
They are using a different WiFi module than the Jorjin in the old Nooks.
There might be hope for having Bluetooth.

No, those four point that you circled are definitely not JTAG.
Some of the tiny gold contact points near the OMAP 3621 processor could be.
There is a missing IC at the top which could be a TXB0104 level shifter for a UART.
I'd be interested to see if/what is on the bottom of the PCB.

VID 2080 is B&N. They have been using the PIDs sequentially, so 0007 is expected.
Presumably it presents a single USB interface and one UMS volume.

Try rebooting the Nook with the USB connected to a PC.
Does it ever say, "New device found"?

You are not going to find an ADB without modifying the INF file for the ADB driver.

Try downloading Microsoft's UsbView from. (Thank you, FTDI.)
Run it and select the Nook on the left pane, select all on the right pane and copy it here, please.

Oh! Be sure to overwrite your serial number on the text dump.
It's not a big security risk, but still....
Just type "MYSERIALNUMBER" or something.

I'm not sure if this gonna be help. Anyway, I will copy the data from mine.

Device Descriptor:
bcdUSB: 0x0200
bDeviceClass: 0x00
bDeviceSubClass: 0x00
bDeviceProtocol: 0x00
bMaxPacketSize0: 0x40 (64)
idVendor: 0x2080
idProduct: 0x0007
bcdDevice: 0x0216
iManufacturer: 0x01
0x0409: "B&N"
iProduct: 0x02
0x0409: "NOOK GlowLight"
iSerialNumber: 0x03
0x0409: "MYSERIALNUMBER"
bNumConfigurations: 0x01

ConnectionStatus: DeviceConnected
Current Config Value: 0x01
Device Bus Speed: High
Device Address: 0x02
Open Pipes: 2

Endpoint Descriptor:
bEndpointAddress: 0x81 IN
Transfer Type: Bulk
wMaxPacketSize: 0x0200 (512)
bInterval: 0x00

Endpoint Descriptor:
bEndpointAddress: 0x01 OUT
Transfer Type: Bulk
wMaxPacketSize: 0x0200 (512)
bInterval: 0x01

Configuration Descriptor:
wTotalLength: 0x0020
bNumInterfaces: 0x01
bConfigurationValue: 0x01
iConfiguration: 0x00
bmAttributes: 0xE0 (Bus Powered Self Powered Remote Wakeup)
MaxPower: 0xFA (500 Ma)

Interface Descriptor:
bInterfaceNumber: 0x00
bAlternateSetting: 0x00
bNumEndpoints: 0x02
bInterfaceClass: 0x08
bInterfaceSubClass: 0x06
bInterfaceProtocol: 0x50
iInterface: 0x00

Endpoint Descriptor:
bEndpointAddress: 0x81 IN
Transfer Type: Bulk
wMaxPacketSize: 0x0200 (512)
bInterval: 0x00

Endpoint Descriptor:
bEndpointAddress: 0x01 OUT
Transfer Type: Bulk
wMaxPacketSize: 0x0200 (512)
bInterval: 0x01
The Following User Says Thank You to shanks7777 For This Useful Post: [ Click to Expand ]
 
Renate NST
Old
#4  
Renate NST's Avatar
Recognized Contributor / Recognized Developer
Thanks Meter 697
Posts: 1,774
Join Date: Feb 2012
Location: Boston
I got a little confused between this thread and private messages.

In short, the new Glow does not have ADB enabled out of the box.
The USB dumps are showing just a single UMS storage ("flash" drive) interface.

 
jwxuan
Old
#5  
Member
Thanks Meter 4
Posts: 39
Join Date: Dec 2013
Default my nook just gives the same information

Quote:
Originally Posted by Renate NST View Post
I got a little confused between this thread and private messages.

In short, the new Glow does not have ADB enabled out of the box.
The USB dumps are showing just a single UMS storage ("flash" drive) interface.
my nook just gives exactly the same information, is there any hope for hacking the new nook glowlight?
 
Renate NST
Old
#6  
Renate NST's Avatar
Recognized Contributor / Recognized Developer
Thanks Meter 697
Posts: 1,774
Join Date: Feb 2012
Location: Boston
Sure, there is hope.

There doesn't seem to be any ADB over USB.
A port scan of the WiFi would be a confirmation of no ADB over WiFi.

Check to see if any different VID/PIDs pop up when rebooting with the USB connected.
That could indicate a bootloader, fastboot.

Check to see if recovery has any options besides factory restore.
(Power up with the bottom two buttons depressed.)

Then there are all the possibilities with the case open:
  • a console interface
  • a JTAG interface
  • bootloader jumpers

If B&N releases an update image it could be examined for exploits.
The image could probably be loaded onto an older Nook, rooted and played with.

 
Edgur
Old
#7  
Junior Member - OP
Thanks Meter 10
Posts: 10
Join Date: Dec 2013
I ran a complete nmap against the Nook on both TCP and UDP while it was connected to my WiFi. No open ports found.

The USB startup looks more promising, though --

PHP Code:
Dec 13 21:19:33 MyLinuxBox kernel: [  741.701292usb 5-1: new high-speed USB device number 5 using xhci_hcd
Dec 13 21
:19:33 MyLinuxBox kernel: [  741.719705usb 5-1unable to get BOS descriptor
Dec 13 21
:19:33 MyLinuxBox kernel: [  741.722625usb 5-1: New USB device foundidVendor=0451idProduct=d00e
Dec 13 21
:19:33 MyLinuxBox kernel: [  741.722634usb 5-1: New USB device stringsMfr=33Product=37SerialNumber=0
Dec 13 21
:19:33 MyLinuxBox kernel: [  741.722639usb 5-1ProductOMAP3630
Dec 13 21
:19:33 MyLinuxBox kernel: [  741.722643usb 5-1ManufacturerTexas Instruments
Dec 13 21
:19:33 MyLinuxBox mtp-probechecking bus 5device 5"/sys/devices/pci0000:00/0000:00:10.0/usb5/5-1"
Dec 13 21:19:33 MyLinuxBox mtp-probebus5device5 was not an MTP device
Dec 13 21
:19:36 MyLinuxBox kernel: [  744.721151usb 5-1USB disconnectdevice number 5
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.351633usb 5-1: new high-speed USB device number 6 using xhci_hcd
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.371138usb 5-1: New USB device foundidVendor=2080idProduct=0007
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.371146usb 5-1: New USB device stringsMfr=1Product=2SerialNumber=3
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.371152usb 5-1ProductNOOK GlowLight
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.371156usb 5-1ManufacturerB&N
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.371160usb 5-1SerialNumber303xxxxxxxxxxxxx
Dec 13 21
:19:48 MyLinuxBox kernel: [  757.378672scsi6 usb-storage 5-1:1.0
Dec 13 21
:19:48 MyLinuxBox mtp-probechecking bus 5device 6"/sys/devices/pci0000:00/0000:00:10.0/usb5/5-1"
Dec 13 21:19:48 MyLinuxBox mtp-probebus5device6 was not an MTP device
Dec 13 21
:19:49 MyLinuxBox kernel: [  758.378396scsi 6:0:0:0Direct-Access     B&N      NOOK GlowLight   0100 PQ0 ANSI2
Dec 13 21
:19:49 MyLinuxBox kernel: [  758.378613scsi 6:0:0:1Direct-Access     B&N      NOOK GlowLight   0100 PQ0 ANSI2
Dec 13 21
:19:49 MyLinuxBox kernel: [  758.379838sd 6:0:0:0Attached scsi generic sg2 type 0
Dec 13 21
:19:49 MyLinuxBox kernel: [  758.380186sd 6:0:0:1Attached scsi generic sg3 type 0
Dec 13 21
:19:49 MyLinuxBox kernel: [  758.390847sd 6:0:0:1: [sdcAttached SCSI removable disk
Dec 13 21
:19:49 MyLinuxBox kernel: [  758.392285sd 6:0:0:0: [sdbAttached SCSI removable disk
Dec 13 21
:20:06 MyLinuxBox kernel: [  774.892800sd 6:0:0:0: [sdb1040352 512-byte logical blocks: (532 MB/507 MiB)
Dec 13 21:20:06 MyLinuxBox kernel: [  774.893133sd 6:0:0:0: [sdbNo Caching mode page found
Dec 13 21
:20:06 MyLinuxBox kernel: [  774.893143sd 6:0:0:0: [sdbAssuming drive cachewrite through
Dec 13 21
:20:06 MyLinuxBox kernel: [  774.894122sd 6:0:0:0: [sdbNo Caching mode page found
Dec 13 21
:20:06 MyLinuxBox kernel: [  774.894129sd 6:0:0:0: [sdbAssuming drive cachewrite through
Dec 13 21
:20:06 MyLinuxBox kernel: [  774.895708]  sdb
As you can see, when the NGL first powers on, it presents itself as VID 0451, PID d00e for three seconds.

This seems like good news! Some sort of TI OMAP boot mode?
 
Renate NST
Old
#8  
Renate NST's Avatar
Recognized Contributor / Recognized Developer
Thanks Meter 697
Posts: 1,774
Join Date: Feb 2012
Location: Boston
Yup, that's the TI 1st stage bootloader (before x-loader & u-boot).

The good news is that it's the same as the Nook Touch.
That means that we can try a bunch of things with the old Nooks.
We also know already where the console UART is on the old Nooks.

The Following User Says Thank You to Renate NST For This Useful Post: [ Click to Expand ]
 
Edgur
Old
#9  
Junior Member - OP
Thanks Meter 10
Posts: 10
Join Date: Dec 2013
Quote:
Originally Posted by Renate NST View Post
Yup, that's the TI 1st stage bootloader (before x-loader & u-boot).

The good news is that it's the same as the Nook Touch.
That means that we can try a bunch of things with the old Nooks.
We also know already where the console UART is on the old Nooks.
Fantastic. Any suggestions on where to begin? I'm willing to try experiments (though I'd obviously prefer to avoid trying things with a high likelihood of bricking my reader!)
 
Edgur
Old
#10  
Junior Member - OP
Thanks Meter 10
Posts: 10
Join Date: Dec 2013
I did some googling to see what I could figure out on my own.

If I am understanding this correctly, that 3 second window between when it identifies itself as 0451:d00e and when it disconnects again, it is receptive to receiving xloader code over the USB.

So we could, in theory, send it an xloader that will read a u-boot over USB as well. Then use that to boot the device into a minimal configuration that would basically "dd" out all of the partitions from the internal flash and emit it over the USB, so we could have a complete image of the built-in disk?

Of course, I have no idea HOW to do those things... But if you can give me some pointers, I am willing to learn.

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes