- iriver Story HD firmware / root
- ========
- firmware .hex file is ciphered with a simple 256 byte "one-time-pad" substitution
- small .hex files are ciphered completely. large .hex files are ciphered only partially (first 2 MiB, last partial MiB with starting offset on MiB boundary)
- once decoded, the hex file turns out to be a password protected zip file
- obtaining key
- ========
- the key is in the hex file itself (with some luck in the unciphered part) or more specifically in the file 'fw_upgrade.feb'. you can access this on the device directly with the root script. look for a consecutive 256 byte sequence where each byte is unique.
- python code to extract the key out of this file:
- -------- 8< -------
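- #!/usr/bin/env python
- # print every run of 256 consecutive bytes in which each byte is unique
- f = open('fw_upgrade.feb', 'rb')
- table = []
- while 1:
-     x = f.read(1)
-     if not x:
-         break
-     # drop bytes from the front of the window until x is no longer in it
-     while x in table:
-         table.pop(0)
-     table.append(x)
-     if len(table) == 256:
-         # repr() gives a literal that can be pasted into the script below
-         print(repr(b''.join(table)))
- f.close()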
- -------- 8< --------
- python code to decipher the hex file with the obtained key:
- -------- 8< --------
- #!/usr/bin/env python
- key = '\xf3,a\x9e\xea-C\'o\xe4\x9a\xa4"F?.\xca\x19\x8d\xcc\xa9\x0c\xb7\xd5\x99=B\xf1\xfe\x0f\x05Z\xc1\\\xf8\x04/\xb0\xc4!\x13\xc7\xbb\xc3i\xf2(\xb4T9\xd2)@c7#~\xa0\xdf\xd3\xb8\x02\x7f\xed\xbdD\xb9E&d\x0e X\x89\x12LsM{*:\x1f\xd6z\xc0\x008rR}]\x9c\xe2v\xa6O\x1cU\x1b\x90\xde\x9b$\xd9\xdc\xb6\x1d\x85\xe9\xcd\x8a\x97\xbaq\xf7l2\x06Q_\xfbt6\xff|J\xef<h\xe8\xabVI\xb2\x0b+\x80e0\xd0\xe7\xdd\x98gKkw\x83\x8bS\x92`\xa1\xa2\xbc\x91\x823\x87W\xb5Y\xe5\x16\xee\xd8\xf6\xfa%j1\xceH\x84\xa5[\x11\xac;\xf9\x14\xe0\x8cN\x8f\x95\xf5\xaf\xe354\x9d\x81\xaeP\xd1x\x10\x88\x86\xcf\x94\x1a\xdb\xad\x18\xc8\xbf\x08\xa8\xfd\xbe\x96\xe6\tu\x93\x9f\x01\xcb\xb3m\xc5n\xd4\xa3bA\x07\xa7\xaa\xeb\xe1y\x1e\xf0\xc2\r\n^\xfc\xc6\xf4\xda\xec>\x17\x15\x03\xd7pfG\x8e\xb1\xc9'
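- # the literal above is a str on Python 3; turn it into bytes
- if not isinstance(key, bytes):
-     key = key.encode('latin-1')
- with open('storyeb07.hex', 'rb') as f, open('storyeb07.zip', 'wb') as r:
-     data = f.read(0x100000)
-     while data:
-         # substitute every byte through the 256 byte table
-         r.write(data.translate(key))
-         data = f.read(0x100000)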
- -------- 8< --------
- This python script does not contain the partially ciphered logic (first 2 MiB, last partial MiB, e.g. 0.65 MiB if file is 82.65 MiB large) but in case of a partially ciphered file you can use dd or whatever to slice the two files together:
- -------- 8< --------
- dd if=storyeb07.hex of=storyeb07.zip conv=notrunc bs=1M skip=2 seek=2 count=79
- -------- 8< --------
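The partial layout described above (first 2 MiB, plus the last partial MiB starting on a MiB boundary) can also be handled in one pass instead of slicing with dd. This is an added Python 3 example, not code from the original paste; the function names and DEMO_KEY are constructed for illustration, and it assumes a file whose size is an exact MiB multiple has no ciphered tail.

```python
MIB = 1 << 20

def ciphered_ranges(size):
    """(start, end) byte ranges that are ciphered in a file of `size` bytes."""
    head_end = min(size, 2 * MIB)        # first 2 MiB
    tail_start = size - size % MIB       # last MiB boundary
    ranges = [(0, head_end)]
    # Assumption: a size that is an exact MiB multiple has no ciphered tail.
    if head_end <= tail_start < size:
        ranges.append((tail_start, size))
    return ranges

def substitute(blob, table):
    """Apply a 256-byte substitution table to the ciphered ranges only."""
    if len(table) != 256 or len(set(table)) != 256:
        raise ValueError("table must contain each byte value exactly once")
    out = bytearray(blob)
    for start, end in ciphered_ranges(len(out)):
        out[start:end] = out[start:end].translate(table)
    return bytes(out)

def invert(table):
    """Inverse permutation, used here only to build ciphered sample data."""
    inv = bytearray(256)
    for i, b in enumerate(table):
        inv[b] = i
    return bytes(inv)

# Constructed table (not the device key): 7 is odd, so this is a permutation.
DEMO_KEY = bytes((7 * i + 3) % 256 for i in range(256))

def demo(size=3 * MIB + 1000):
    """Round-trip constructed data through the partial layout."""
    plain = bytes(i % 251 for i in range(size))
    ciphered = substitute(plain, invert(DEMO_KEY))   # simulate the ciphering side
    return plain, ciphered, substitute(ciphered, DEMO_KEY)

if __name__ == "__main__":
    plain, ciphered, recovered = demo()
    print(ciphered_ranges(len(plain)), recovered == plain)
```

Files of 2 MiB or less fall entirely inside the first range, which matches the note that small .hex files are ciphered completely.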
- The ZIP file is password protected. Password can be obtained with fcrackzip or similar. Password is 'story6tw05'.
- Directories in the ZIP file are stored as 0 byte files. unzip can't handle it. 7zip (7z x) can.
- executing scripts as root
- ========
- the story hd executes a shell script for you on boot up. script has to be stored in internal memory, named heechul.sh. it is executed as root using busybox shell. this is default behaviour so nothing has to be done to activate it. it doesn't get any easier.
- however: if this script hangs, the boot does not complete. if the boot does not complete, you have no access to internal storage. without access to internal storage, you can not fix the script. at this point you have pretty much bricked your device, as the reader does not have a factory reset shenanigan.
- use a script that executes stuff on the SD card instead and even there only once:
- -------- 8< --------
- #!/bin/sh
- # consider *.sh on the SD card
- for f in /mnt/SDFAT/scripts/*.sh
- do
-     # nothing matched (or no card): skip the unexpanded pattern
-     [ -f "$f" ] || continue
-     # rename the script to .done
-     mv "$f" "$f".done
-     sync
-     # run the script once
-     . "$f".done 2> "$f".error > "$f".output
- done
- -------- 8< --------
- this will look for *.sh in a /scripts/ folder on the sd card
- it will rename *.sh to *.sh.done so it won't run again next time
- it will execute the script and store stderr in *.sh.error and stdout in *.sh.output
- example script /scripts/find.sh:
- ------- 8< -------
- find /
- ------- 8< -------
- will store the entire directory tree of your reader in /scripts/find.sh.output on the sd card
- alternatively you can also dump the entire internal storage with dd etc. make sure your card is large enough, although with gzip the dump is <1GB for me, although I never used the internal memory for books