a guest
Oct 22nd, 2011
iriver Story HD firmware / root
========

the firmware .hex file is ciphered with a simple 256 byte "one-time-pad" substitution

small .hex files are ciphered completely. large .hex files are ciphered only partially (first 2 MiB, last partial MiB with starting offset on MiB boundary)

once decoded, the hex file turns into a password protected zip file


obtaining key
========

the key is in the hex file itself (with some luck in the unciphered part) or more specifically in the file 'fw_upgrade.feb'. you can access this on the device directly with the root script. look for a consecutive 256 byte sequence where each byte is unique.

python code to extract the key out of this file:

-------- 8< --------
#!/usr/bin/env python3

# slide a window over the file and print every run of 256
# consecutive bytes in which no value repeats (a key candidate)
f = open('fw_upgrade.feb', 'rb')

table = []

while 1:
    x = f.read(1)

    if not x:
        break

    # x is already in the window: drop bytes from the front until
    # its earlier occurrence is gone
    while x in table:
        table.pop(0)

    table.append(x)

    if len(table) == 256:
        # printed as a bytes literal that can be pasted in as the key
        print(b''.join(table))
-------- 8< --------

python code to decipher the hex file with the obtained key:

-------- 8< --------
#!/usr/bin/env python3

# substitution table: the ciphered byte value is the index,
# the deciphered byte is the entry at that index
key = b'\xf3,a\x9e\xea-C\'o\xe4\x9a\xa4"F?.\xca\x19\x8d\xcc\xa9\x0c\xb7\xd5\x99=B\xf1\xfe\x0f\x05Z\xc1\\\xf8\x04/\xb0\xc4!\x13\xc7\xbb\xc3i\xf2(\xb4T9\xd2)@c7#~\xa0\xdf\xd3\xb8\x02\x7f\xed\xbdD\xb9E&d\x0e X\x89\x12LsM{*:\x1f\xd6z\xc0\x008rR}]\x9c\xe2v\xa6O\x1cU\x1b\x90\xde\x9b$\xd9\xdc\xb6\x1d\x85\xe9\xcd\x8a\x97\xbaq\xf7l2\x06Q_\xfbt6\xff|J\xef<h\xe8\xabVI\xb2\x0b+\x80e0\xd0\xe7\xdd\x98gKkw\x83\x8bS\x92`\xa1\xa2\xbc\x91\x823\x87W\xb5Y\xe5\x16\xee\xd8\xf6\xfa%j1\xceH\x84\xa5[\x11\xac;\xf9\x14\xe0\x8cN\x8f\x95\xf5\xaf\xe354\x9d\x81\xaeP\xd1x\x10\x88\x86\xcf\x94\x1a\xdb\xad\x18\xc8\xbf\x08\xa8\xfd\xbe\x96\xe6\tu\x93\x9f\x01\xcb\xb3m\xc5n\xd4\xa3bA\x07\xa7\xaa\xeb\xe1y\x1e\xf0\xc2\r\n^\xfc\xc6\xf4\xda\xec>\x17\x15\x03\xd7pfG\x8e\xb1\xc9'

with open('storyeb07.hex', 'rb') as f, open('storyeb07.zip', 'wb') as r:
    data = f.read(0x100000)

    while data:
        # push a whole 1 MiB chunk through the table at once
        r.write(data.translate(key))
        data = f.read(0x100000)
-------- 8< --------

This python script does not implement the partial ciphering (first 2 MiB, last partial MiB, e.g. 0.65 MiB if the file is 82.65 MiB large), but for a partially ciphered file you can use dd or similar to splice the two files together:

-------- 8< --------
dd if=storyeb07.hex of=storyeb07.zip conv=notrunc bs=1M skip=2 seek=2 count=79
-------- 8< --------
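
The partial layout described above (first 2 MiB, last partial MiB) handled in one pass instead of a dd splice. This is an added example, not part of the original paste. The toy key and sample bytes are constructed, `unit` is a hypothetical parameter so the layout can be exercised on a few bytes, and a file whose size is an exact MiB multiple is assumed to have no ciphered tail.

```python
#!/usr/bin/env python3
# added example: decipher only the regions the note says are ciphered
MIB = 1 << 20

def ciphered_ranges(size, unit=MIB, head_units=2):
    """(start, end) ranges: the first 2 units plus the trailing partial unit."""
    head_end = min(size, head_units * unit)
    # the tail starts on a unit boundary; assumption: a size that is an
    # exact multiple of the unit has no partial tail (empty range)
    tail_start = max(head_end, (size // unit) * unit)
    return [(0, head_end), (tail_start, size)]

def decipher_partial(data, key, unit=MIB, head_units=2):
    """Apply the 256 byte substitution table inside the ciphered ranges only."""
    if len(key) != 256 or len(set(key)) != 256:
        raise ValueError("key must be 256 bytes, each value exactly once")
    out = bytearray(data)
    for start, end in ciphered_ranges(len(data), unit, head_units):
        out[start:end] = bytes(out[start:end]).translate(key)
    return bytes(out)

def looks_like_zip(data):
    """A correct key yields a ZIP local file header at offset 0."""
    return data[:4] == b"PK\x03\x04"

# constructed toy key (7 is odd, so this is a permutation of 0..255);
# on a real file use the key found in fw_upgrade.feb
TOY_KEY = bytes((7 * i + 3) % 256 for i in range(256))

if __name__ == "__main__":
    # constructed sample: 74 bytes with a 16 byte "MiB" -> head 0..32, tail 64..74
    plain = b"PK\x03\x04" + bytes(range(70))
    inverse = bytes(TOY_KEY.index(i) for i in range(256))
    cipher = decipher_partial(plain, inverse, unit=16)  # enciphering = inverse table
    result = decipher_partial(cipher, TOY_KEY, unit=16)
    print(ciphered_ranges(len(plain), unit=16))
    print(result == plain, looks_like_zip(result))
```

If `looks_like_zip` is false on the output of a real file, the key candidate is wrong or the file uses the fully ciphered layout.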

The ZIP file is password protected. The password can be obtained with fcrackzip or similar. The password is 'story6tw05'.

Directories in the ZIP file are stored as 0 byte files. unzip can't handle it. 7zip (7z x) can.


executing scripts as root
========

the story hd executes a shell script for you on boot up. the script has to be stored in internal memory and named heechul.sh. it is executed as root using the busybox shell. this is default behaviour so nothing has to be done to activate it. it doesn't get any easier.

however: if this script hangs, the boot does not complete. if the boot does not complete, you have no access to internal storage. without access to internal storage, you cannot fix the script. at this point you have pretty much bricked your device, as the reader does not have a factory reset shenanigan.

use a script that executes scripts from the SD card instead, and even those only once:

-------- 8< --------
#!/bin/sh

# consider *.sh on the SD card
for f in /mnt/SDFAT/scripts/*.sh
do
    # nothing matched (no card, no scripts): skip the literal pattern
    [ -f "$f" ] || continue

    # rename the script to .done
    mv "$f" "$f".done
    sync

    # run the script once
    . "$f".done 2> "$f".error > "$f".output
done
-------- 8< --------

this will look for *.sh in a /scripts/ folder on the sd card

it will rename *.sh to *.sh.done so it won't run again next time

it will execute the script and store stderr in *.sh.error and stdout in *.sh.output

example script /scripts/find.sh:

------- 8< -------
find /
------- 8< -------

will store the entire directory tree of your reader in /scripts/find.sh.output on the sd card

alternatively you can also dump the entire internal storage with dd etc. make sure your card is large enough, although with gzip the dump is <1GB for me, although I never used the internal memory for books
