Rooting Sony's e-reader DPT-RP1 and DPT-CP1

20 posts
By sartrism, Junior Member on 11th August 2017, 05:55 AM
24th August 2017, 08:11 AM |#11
sartrism (OP, Junior Member)
It is good to see some people have been interested in this thread.

So far, I realized that the hacker used a hardware hacking method. I actually obtained the hacked system apps from one of his customers. I guess he did something like directly modifying the eMMC to root and put "USBDeviceSwitcher.apk" on it to allow a usual USB connection. Since I don't want to take such a risk, I decided to wait until the first firmware to see if there could be an indirect way to penetrate the system files. But if you want to analyze the hacked system, contact me.

24th August 2017, 09:40 PM |#12
George Malas (Member)
Quote:
Originally Posted by sartrism (post #11 above)

Does it have a web browser? Maybe you can utilize, for example, the Stagefright exploit + DirtyC0W to get root.
25th August 2017, 09:08 PM |#13
mcplectrum (Junior Member)
I have found out some interesting stuff about the device with the help of the Digital Paper App.

The app is built using electron and there is a file: /Applications/Digital\ Paper\ App.app/Contents/Resources/app.asar
This file contains the electron javascript files, which handle all the communication with the device.
It can be extracted with: sudo asar extract app.asar output
(github.com/electron/asar)
This also requires node to be installed, with e.g. brew install node (changelog.com/posts/install-node-js-with-homebrew-on-os-x)

The app communicates with the device via Restlet-Framework/2.3.7 on port 8443 with tcp (no matter if it is the bluetooth, wifi or usb connection).
This is the only port that is open.

In the file /Applications/Digital\ Paper\ App.app/Contents/Resources/output/node_modules/mw-error/lib/codeparams.js you can find all the relative paths which get called during e.g. file transfer, firmware update and so on.

Running the app and placing breakpoints reveals that before you can transfer files and stuff:
'/auth'
'/auth/nonce/'
are called in order to authenticate, which looks e.g. like url digitalpaper.local:8443/auth/nonce/1e9ee24d-6613-433a-9770-76b04333ac95
the last part of the call is the "client_id": "1e9ee24d-6613-433a-9770-76b04333ac95", which is retrieved via the url digitalpaper.local:8443/auth call.
digitalpaper.local:8443/auth/

Important:
In /Applications/Digital\ Paper\ App.app/Contents/Resources/output/lib/config.js
change the line
config.DEVBUILD = false;
to
config.DEVBUILD = true;


After you have finished your modifications you have to pack the output folder again:
sudo asar pack output app.asar

I did not have time to continue, but the following relative urls look promising (especially recovery_mode):

'/testmode/auth/nonce',
'/testmode/auth',
'/testmode/launch',
'/testmode/recovery_mode',
'/testmode/assets/{}',
26th August 2017, 03:46 AM |#14
sartrism (OP, Junior Member)
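The post above describes two things a practitioner would want to script: pulling the endpoint list out of codeparams.js, and the GET /auth then GET /auth/nonce/<client_id> handshake. The following Python script is an added example written for this page; it is not code from the thread, from Sony, or from the Digital Paper App. It assumes that codeparams.js stores the paths as single-quoted JS string literals (the constructed SAMPLE_CODEPARAMS_JS below stands in for the real file), that GET /auth answers with a JSON body carrying a "client_id" key (the post's `"client_id": "..."` excerpt suggests JSON but does not show the full body), and that the device's port 8443 serves HTTPS with a self-signed certificate, which is why the probe disables certificate verification.

```python
"""
Enumerate the Digital Paper App's REST paths and rebuild its auth handshake.

Added example for this page, not code from the thread or from Sony's app.
Assumptions (see lead-in): codeparams.js holds paths as single-quoted JS
string literals; GET /auth returns JSON with a "client_id" key; the device
speaks HTTPS on 8443 with a self-signed certificate (lab use only).
"""
import http.client
import json
import re
import ssl
from typing import Dict, List

DEVICE_HOST = "digitalpaper.local"
DEVICE_PORT = 8443

# Constructed stand-in for the relevant part of codeparams.js; the real file
# has many more entries than the thread quotes.
SAMPLE_CODEPARAMS_JS = """
module.exports = {
  auth: ['/auth', '/auth/nonce/{}'],
  testmode: [
    '/testmode/auth/nonce',
    '/testmode/auth',
    '/testmode/launch',
    '/testmode/recovery_mode',
    '/testmode/assets/{}',
  ],
  error: 'Unexpected response'   // not a path, must be ignored
};
"""

# Single-quoted literal that starts with '/'; '{}' is the app's placeholder.
PATH_LITERAL = re.compile(r"'(/[A-Za-z0-9_./{}\-]*)'")


def extract_paths(js_source: str) -> List[str]:
    """Return every '/...' string literal in the JS source, de-duplicated,
    in order of first appearance."""
    seen: List[str] = []
    for match in PATH_LITERAL.finditer(js_source):
        path = match.group(1)
        if path not in seen:
            seen.append(path)
    return seen


def fill_placeholders(path: str, *values: str) -> str:
    """Substitute each '{}' in a path with the next value, left to right."""
    expected = path.count("{}")
    if expected != len(values):
        raise ValueError(f"{path!r} expects {expected} value(s), got {len(values)}")
    for value in values:
        path = path.replace("{}", value, 1)
    return path


def base_url(host: str = DEVICE_HOST, port: int = DEVICE_PORT) -> str:
    return f"https://{host}:{port}"


def parse_client_id(auth_body: str) -> str:
    """Pull client_id out of the (assumed JSON) body of GET /auth."""
    client_id = json.loads(auth_body).get("client_id")
    if not client_id:
        raise ValueError("GET /auth body carried no client_id")
    return client_id


def nonce_url(client_id: str, host: str = DEVICE_HOST, port: int = DEVICE_PORT) -> str:
    """Second request of the handshake the thread observed."""
    return base_url(host, port) + fill_placeholders("/auth/nonce/{}", client_id)


def probe(paths: List[str], host: str = DEVICE_HOST, port: int = DEVICE_PORT,
          timeout: float = 5.0) -> Dict[str, int]:
    """GET each concrete path (unfilled placeholders are skipped) and record
    the status code; -1 marks a transport error. Needs the device online."""
    ctx = ssl._create_unverified_context()  # self-signed device cert (assumption)
    results: Dict[str, int] = {}
    for path in paths:
        if "{}" in path:
            continue
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
        try:
            conn.request("GET", path)
            results[path] = conn.getresponse().status
        except OSError as exc:
            results[path] = -1
            print(f"{path}: {exc}")
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    paths = extract_paths(SAMPLE_CODEPARAMS_JS)
    for p in paths:
        print(base_url() + p)
    # Handshake as observed in the thread: GET /auth yields a client_id, which
    # is then sent back in GET /auth/nonce/<client_id>. Constructed body:
    sample_auth_body = '{"client_id": "1e9ee24d-6613-433a-9770-76b04333ac95"}'
    print(nonce_url(parse_client_id(sample_auth_body)))
    # probe(paths) is only meaningful with the device connected.
```

Run it against the real app.asar contents by reading codeparams.js into extract_paths instead of the constructed sample; the status map from probe() separates endpoints that exist but refuse unauthenticated calls (4xx) from ones that are not routed at all (404), which is the distinction that matters when deciding whether /testmode/recovery_mode is worth pursuing.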
Quote:
Originally Posted by mcplectrum (post #13 above)

Hope you get some result from the wifi side. I also realized they use port 8443 but couldn't get as far as you.

For those trying to hack it, here is the link to the already 'hacked' system apps (including the original files), that of the famous hacked RP1 video. Inside the subfolder S1, there are also the hacked system apps for the DPT-S1, just in case.

https://www.dropbox.com/sh/dvtvokdzr...iWUOzrM3a?dl=0
26th August 2017, 03:48 AM |#15
sartrism (OP, Junior Member)
Quote:
Originally Posted by George Malas

Does it have a web browser? Maybe you can utilize, for example, the Stagefright exploit + DirtyC0W to get root.

The stock device has no web browser, no sd-card, no usb connection, and no typical system. I think SONY was haunted by some security issues maybe because they thought the major users are lawyers or very important people? lol
31st August 2017, 01:15 AM |#16
Junior Member
Any chance to create a buffer overflow PDF to attack RP1's pdf reader?
6th September 2017, 12:07 AM |#17
jess91 (Member)
I am unable to help, but wanted to let you know I am definitely interested in and supportive of this. If this device can be unlocked as suggested in that one youtube video then I would buy it, despite the steep price.
6th September 2017, 11:18 PM |#18  
Quote:
Originally Posted by jess91

I am unable to help, but wanted to let you know I am definitely interested in and supportive of this. If this device can be unlocked as suggested in that one youtube video then I would buy it, despite the steep price.

If you're interested and supportive of this then go buy one anyway and apply yourself to going forward figuring out how to get it done. Other than that, you're not supportive, you're just hopeful that someone figures it out and then you'll probably go get one.

DO NOT CONTACT ME VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
7th September 2017, 10:17 AM |#19
Paderico (Junior Member)
Hey guys,

I also recently got the RP1 and am also looking for ways to mod it. Big kudos and thanks to all of you for posting this! This already is amazing. @sartrism: can you maybe give me a hint how to load the files on the RP1? Sorry if this might be a stupid question but I'm new to Android and that stuff.
8th September 2017, 08:33 AM |#20
Paderico (Junior Member)
Quote:
Originally Posted by Paderico (post #19 above)

Just a little update from my side. I'm currently trying to recreate the steps @mcplectrum was using. It seems that my RP1 also uses other ports. I tried to Wireshark the USB and WiFi connection. By that I saw that often GET /registration/information is called for Host: localhost:58052. Moreover, the first call is GET /register/serial_number, also on port 5808. This was via USB.
Trying to trigger the /auth/ call via Telnet returns nothing, unfortunately. But also port 8080 is open. Trying to call digitalpaper.local:8443/auth/ returns nothing in Firefox.

@mcplectrum: how did you get the client_id and what would one need that for?

I also tried to change the config.DEVBUILD to true but that seemed to change nothing at all.

So to sum up what we know:
The device is using some kind of Android structure, the source code seems to use the U-Boot bootloader, and all communication is done by the Restlet REST framework. So actually there should be some kind of way to use the Restlet framework to PUT or POST the modified files.
The other option would be to directly flash the eMMC, right? I would take the risk and just load it on my device and see what happens. Any hints on how to do that?
8th September 2017, 09:16 AM |#21  
Quote:
Originally Posted by Paderico (post #20 above)

If you're up to it, try some kind of RIFF box/OctoBox setup.

DO NOT CONTACT ME VIA PM TO RECEIVE HELP, YOU WILL BE IGNORED. KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE