SHARE
TWEET

iriver Story HD firmware / root

a guest Oct 22nd, 2011 3,066 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. iriver Story HD firmware / root
  2. ========
  3.  
  4. firmware .hex file is ciphered with a simple 256 byte "one-time-pad" substitution
  5.  
  6. small .hex files are chiffred completely. large .hex files are chiffred only partially (first 2 MiB, last partial MiB with starting offset on MiB boundary)
  7.  
  8. decoded the hex file turns into a password protected zip file
  9.  
  10.  
  11. obtaining key
  12. ========
  13.  
  14. the key is in the hex file itself (with some luck in the unciphered part) or more specifically in the file 'fw_upgrade.feb'. you can access this on the device directly with the root script. look for a consecutive 256 byte sequence where each byte is unique.
  15.  
  16. python code to extract the key out of this file:
  17.  
  18. -------- 8< -------
  19. #!/usr/bin/env python
  20.  
  21. f = open('fw_upgrade.feb', 'rb')
  22.  
  23. table = []
  24.  
  25. while 1:
  26.   x = f.read(1)
  27.  
  28.   if not x:
  29.      break
  30.  
  31.   try:
  32.       while table.index(x) >= 0:
  33.           table.pop(0)
  34.   except:
  35.       pass
  36.   finally:
  37.       table.append(x)
  38.  
  39.   if len(table) == 256:
  40.       print table
  41. -------- 8< --------
  42.  
  43. python code to decipher the hex file with the obtained key:
  44.  
  45. -------- 8< --------
  46. #!/usr/bin/env python
  47.  
  48. key =  '\xf3,a\x9e\xea-C\'o\xe4\x9a\xa4"F?.\xca\x19\x8d\xcc\xa9\x0c\xb7\xd5\x99=B\xf1\xfe\x0f\x05Z\xc1\\\xf8\x04/\xb0\xc4!\x13\xc7\xbb\xc3i\xf2(\xb4T9\xd2)@c7#~\xa0\xdf\xd3\xb8\x02\x7f\xed\xbdD\xb9E&d\x0e X\x89\x12LsM{*:\x1f\xd6z\xc0\x008rR}]\x9c\xe2v\xa6O\x1cU\x1b\x90\xde\x9b$\xd9\xdc\xb6\x1d\x85\xe9\xcd\x8a\x97\xbaq\xf7l2\x06Q_\xfbt6\xff|J\xef<h\xe8\xabVI\xb2\x0b+\x80e0\xd0\xe7\xdd\x98gKkw\x83\x8bS\x92`\xa1\xa2\xbc\x91\x823\x87W\xb5Y\xe5\x16\xee\xd8\xf6\xfa%j1\xceH\x84\xa5[\x11\xac;\xf9\x14\xe0\x8cN\x8f\x95\xf5\xaf\xe354\x9d\x81\xaeP\xd1x\x10\x88\x86\xcf\x94\x1a\xdb\xad\x18\xc8\xbf\x08\xa8\xfd\xbe\x96\xe6\tu\x93\x9f\x01\xcb\xb3m\xc5n\xd4\xa3bA\x07\xa7\xaa\xeb\xe1y\x1e\xf0\xc2\r\n^\xfc\xc6\xf4\xda\xec>\x17\x15\x03\xd7pfG\x8e\xb1\xc9'
  49.  
  50. f = open('storyeb07.hex', 'rb')
  51. r = open('storyeb07.zip', 'wb')
  52.  
  53. data = f.read(0x100000)
  54.  
  55. while data:
  56.     for x in data:
  57.         r.write(key[ord(x)])
  58.     data = f.read(0x100000)
  59. -------- 8< --------
  60.  
  61. This python script does not contain the partially ciphered logic (first 2 MiB, last partial MiB, e.g. 0.65 MiB if file is 82.65 MiB large) but in case of a partially ciphered file you can use dd or whatever to slice the two files together:
  62.  
  63. -------- 8< --------
  64. dd if=storyeb07.hex of=storyeb07.zip conv=notrunc bs=1M skip=2 seek=2 count=79
  65. -------- 8< --------
  66.  
  67. The ZIP file is password protected. Password can be obtained with fcrackzip or similar. Password is 'story6tw05'.
  68.  
  69. Directories in the ZIP file are stored as 0 byte files. unzip can't handle it. 7zip (7z x) can.
  70.  
  71.  
  72. executing scripts as root
  73. ========
  74.  
  75. the story hd executes a shell script for you on boot up. script has to be stored in internal memory, named heechul.sh. it is executed as root using busybox shell. this is default behaviour so nothing has to be done to activate it. it doesn't get any easier.
  76.  
  77. however: if this script hangs, the boot does not complete. if the boot does not complete, you have no access to internal storage. without access to internal storage, you can not fix the script. at this point you have pretty much bricked your device, as the reader does not have a factory reset shenanigan.
  78.  
  79. use a script that executes stuff on the SD card instead and even there only once:
  80.  
  81. -------- 8< --------
  82. #!/bin/sh
  83.  
  84. # consider *.sh on the SD card
  85. for f in /mnt/SDFAT/scripts/*.sh
  86. do
  87.     # rename the script to .done
  88.     mv "$f" "$f".done
  89.     sync
  90.  
  91.     # run the script once
  92.     . "$f".done 2> "$f".error > "$f".output
  93. done
  94. -------- 8< --------
  95.  
  96. this will look for *.sh in a /scripts/ folder on the sd card
  97.  
  98. it will rename *.sh to *.sh.done so it won't run again next time
  99.  
  100. it will execute the script and store stderr in *.sh.error and stdout in *.sh.output
  101.  
  102. example script /scripts/find.sh:
  103.  
  104. ------- 8< -------
  105. find /
  106. ------- 8< -------
  107.  
  108. will store the entire directory tree of your reader in /scripts/find.sh.output on the sd card
  109.  
  110. alternatively you can also dump the entire internal storage with dd etc. make sure your card is large enough although with gzip the dump is <1GB for me although I never used the internal memory for books
  111.  
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top