Tag Archives: adb

Tolino Shine 3 – 15.3.0 update

Good news

The adbd binary is the same of 14.1.0:

$ md5sum tolino-1*/ramdisk/sbin/adbd
1d23e203eba05102e6cb642a117b8d64  tolino-14.1.0/ramdisk/sbin/adbd
1d23e203eba05102e6cb642a117b8d64  tolino-15.3.0/ramdisk/sbin/adbd

The direct download link for the new Shine 3 firmware is https://tolinodownload-a.akamaihd.net/ereader/15.3.0/OS44/update.zip.

As a sidenote, you can find the latest Tolino updates on the Tolino website.

Everything documented is still relevant

Tolino Shine 3: patch adbd to run as root

References

TL;TR

  1. install prerequisites
  2. create the script nop.sh
  3. extract adbd from initial ramdisk
  4. patch adbd

    ./nop.sh adbd "4f f4 fa 60 0e f0 86 ed 00 28 df d1 4f f4 fa 60 16 f0 47 f8 00 28 d9 d1" && \
        cat adbd.patched > adbd && rm adbd.patched 
    ./nop.sh adbd '0e f0 de ed' && \
        cat adbd.patched > adbd && rm adbd.patched
    
  5. recreate boot.img

  6. test and flash via fastboot

Prerequisites

  1. I’m working on Ubuntu 21.10, so I’ve to install these packages

    apt install abootimg openjdk-11-jdk
    
  2. We are going to patch a binary file, so we have to use a disassembler: Ghidra

Procedure

Extract the adbd binary from Tolino firmware update file

  1. download the right version of your update (for me it’s currently 14.1.0)

    wget https://download.pageplace.de/ereader/14.1.0/alldevices/update.zip
    

    (as a sidenote, you can find the latest tolino update on the Tolino website)

  2. extract boot.img

    unzip update.zip boot.img
    
  3. unpack boot.img (we need the initial ramdisk initrd.img)

    abootimg -x boot.img
    
  4. extract the ramdisk in a directory

    mkdir ramdisk
    zcat initrd.img | ( cd ramdisk/ && cpio -imd )
    

You’ll find adbd in this path ramdisk/sbin/adbd.

Setup disassembler (Ghidra)

  1. open Ghidra and select File, New Project..., Next, choose a directory for the project and give it a name

  2. click on CodeBrowser (it’s a green dragon) ghidra code browser

  3. File, Import File... and navigate in the previous ramdisk/ folder, under ramdisk/sbin/ and choose adbd

  4. go on and select all the possible analysis checkboxes, then Analyze

Find all the interesting functions

When the Tolino starts adbd is not activated. We can enable it, (following these steps), but it will run under uid=2000 and git=2000 (no root).

If you inspect the source code, you’ll see that there are some references to functions related to users/groups/capabilities:

  • setuid(2000)
  • setgid(2000)
  • prctl(PR_CAPBSET_DROP, ...)

We need to inhibit those calls.

Patch setuid and setgid

The first 2 functions are called as shown below (AID_SHELL is 2000, full code here):

    gid_t groups[] = { AID_ADB, AID_LOG, AID_INPUT, AID_INET, AID_GRAPHICS,
                       AID_NET_BT, AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,
                       AID_MOUNT, AID_NET_BW_STATS };
    if (setgroups(sizeof(groups)/sizeof(groups[0]), groups) != 0) {
        exit(1);
    }
    /* then switch user and group to "shell" */
    if (setgid(AID_SHELL) != 0) {
        exit(1);
    }
    if (setuid(AID_SHELL) != 0) {
        exit(1);
    }
    D("Local port disabled\n");

Under Ghidra search for 0x7d0 (200010) using Search, Program Text. Choose Instruction Operands and Search All. You should see something like this ghidra search 0x7d0

The first 2 occurences are near each other. Here’s in the code browser ghidra searched lines

We can translate it as

So it would be great to replace all the highlighted part with nop (no operation instruction in assembler).

I created this simple script just to do it (nop.sh):

#!/bin/bash

set -e

if [[ $# -ne 2 ]]; then
    echo "Usage:"
    echo "  $(basename "$0") <file> <hex string>"
    exit 1
fi
input="$1"
hex="$(tr -d ' :' <<< "$2")"
output="$input.patched"

# build a nop string, the same size of "hex"
nops="$(printf "%*s" $(( ${#hex} / 4)) '' | sed 's: :00bf:g')"

# patch and rebuild binary
xxd -ps "$input" | tr -d '\n' | sed "s:$hex:$nops:g" | xxd -r -p > "$output"

# confirm substitution
[[ $(md5sum <"$input") != "$(md5sum <"$output")" ]] || { echo "$(basename "$0"): [WARNING] nothing done" >&2; exit 2; }

# check file size
[[ $(stat -c%s "$input") = $(stat -c%s "$output") ]] || { echo "$(basename "$0"): [ERROR] size mismatch" >&2; exit 3; }

echo "$output done"

Open the binary view under Windows, Bytes and select the block of code. In the Bytes window copy the highlighted bytes and do this

./nop.sh adbd "4f f4 fa 60 0e f0 86 ed 00 28 df d1 4f f4 fa 60 16 f0 47 f8 00 28 d9 d1"
cat adbd.patched > adbd
rm adbd.patched 

Patch prctl(PR_CAPBSET_DROP, ...)

Then we have to remove prctl(PR_CAPBSET_DROP, ...).

The code is right after ADB_EXTERNAL_STORAGE

Translated to

It’s sufficient to remove the call 0e f0 de ed

./nop.sh adbd '0e f0 de ed'
cat adbd.patched > adbd
rm adbd.patched

This adbd will run with root privileges, but we have to set up the boot.img accordingly. Copy the file as shown and follow these steps.

cp adbd /tmp/adbd.patched
Tolino Shine 3

Tolino Shine 3: use adb as root

These are the steps I took to get:

$ adb shell
root@ntx_6sl:/ # id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)

Disclaimer

I am not responsible if you brick / ruin your device in any way. Basic computer skills required. Proceed with caution. I cannot be held responsible if anything goes wrong.

Prerequisites

  1. We need a patched adbd which runs as root in /tmp/adbd.patched, so follow these steps.

  2. I’m working on Ubuntu 21.10 so I’ve to install this package

    sudo apt install abootimg
    
  3. It could be a good idea to have a full backup.

Procedure

  1. download the right version of your update (for me it’s currently 14.1.0)

    wget https://download.pageplace.de/ereader/14.1.0/alldevices/update.zip
    

    (as a sidenote, you can find the latest tolino update on the Tolino website)

  2. extract boot.img

    unzip update.zip boot.img
    
  3. unpack boot.img (we need the initial ramdisk initrd.img)

    abootimg -x boot.img
    
  4. extract the ramdisk in a directory

    mkdir ramdisk
    zcat initrd.img | ( cd ramdisk/ && cpio -imd )
    
  5. modify the ramdisk to enable debug mode, disable secure modes, enable mtp and adb

    cd ramdisk/
    sed -i 's:^ro.secure=1$:ro.secure=0:' default.prop
    sed -i 's:^ro.debuggable=.*$:ro.debuggable=1:' default.prop
    sed -i 's:^persist.sys.usb.config=mass_storage$:persist.sys.usb.config=mtp,adb:' default.prop
    sed -i 's:setprop ro.adb.secure 1:setprop ro.adb.secure 0:' init.rc
    
  6. replace adbd with a patched one which runs with root privileges (let’s suppose it’s in /tmp/adbd.patched, see here)

    cat /tmp/adbd.patched > sbin/adbd
    
  7. recreate the initrd.img

    # we're still working in ramdisk/ directory
    find . ! -name . | LC_ALL="C" sort | cpio -o -H newc -R +0:+0 | gzip -c > ../initrd.img
    cd ..
    
  8. replace the old initrd.img inside boot.img

    abootimg -u boot.img -r initrd.img
    
  9. safely temporarily test the new boot.img, type on the pc

    fastboot boot boot.img
    
  10. reboot Tolino in fastboot mode, this will temporarily boot the new boot.img

  11. test on the pc if adb is running in privileged mode, you should see

    $ adb shell
    root@ntx_6sl:/ # id
    uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
    
  12. permanently flash the new boot.img, type on the pc

    fastboot flash boot boot.img
    
  13. reboot Tolino in fastboot mode and you shoud see

    $ fastboot flash boot boot.img
    < waiting for any device >
    Sending 'boot' (4376 KB)                           OKAY [  0.146s]
    Writing 'boot'                                     OKAY [  0.437s]
    Finished. Total time: 0.601s
    
  14. after flashing, reboot

    fastboot reboot
    

How to enable/disable Android logcat when using a custom kernel

A good source of information could be found in this page, but none of them worked for me.

The most useful article I found was on xda and here’s the solution:

  • enable
    echo 0 > /sys/module/logger/parameters/log_mode
    
  • enable at boot, but not when suspended
    echo 1 > /sys/module/logger/parameters/log_mode
    
  • completely disabled:
    echo 2 > /sys/module/logger/parameters/log_mode
    

(you need a rooted device)