
Hacking your ONYX BOOX 60 (Part II)

Well, it has been a while since I posted my short article about my first attempts to squeeze some more information out of my ONYX BOOX 60. Due to a massive lack of time I stopped my research some time after that article. Today I decided to proceed a little and write down some of my ideas on how it might be possible to gain deeper access to the system.

This article also contains some images of the mainboard of the device.


Building a custom firmware image

The firmware images delivered by ONYX are AES encrypted. Hence I have not been able to unpack the original firmware update, but I found this thread stating that the AES key for the image has been found. So I will spend some days unpacking the original firmware. One problem of the BOOX firmware is that it makes use of yaffs2 disk images, which I have not yet been able to mount on my system (I tried using the nandsim device). The images I extracted were created using nanddump from mtd-utils on the BOOX. It might be that something went wrong during extraction, or that I am using the wrong yaffs2 driver. Another option would be extracting the files from the image directly on the BOOX and repacking them into a new yaffs2 image.

During my firmware dumping attempts I extracted the partition table from the device that might be interesting for you guys:

dev:    size   erasesize  name
mtd0: 00100000 00020000 "nand.bootloader"
mtd1: 00100000 00020000 "nand.bootsplash"
mtd2: 00200000 00020000 "nand.kernel"
mtd3: 00300000 00020000 "nand.initramfs"
mtd4: 0a000000 00020000 "nand.rootfs"
mtd5: 02000000 00020000 "nand.configure"
mtd6: 13800000 00020000 "nand.userfs"
This has been extracted from /proc/mtd, as this file describes the partition table as used by the Linux kernel. The sizes are hexadecimal byte counts, and the erasesize column shows a block size of 128k (0x20000) for all NAND partitions.
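As an added example (not code from the original article), the following script parses a /proc/mtd listing like the one above, converts the hexadecimal sizes into MiB and erase-block counts, and checks the length of a nanddump output file against the partition it came from. The partition table is the one quoted above, re-typed as constructed input; the two NAND page/OOB geometries are assumptions (the article does not state which flash part the BOOX uses), and the `classify_dump` helper is hypothetical, meant to separate a raw dump from one that still carries out-of-band bytes, which is one plausible reason a yaffs2 mount fails.

```python
"""Parse a /proc/mtd listing and sanity-check raw NAND dumps against it.

Added example. The partition table below is the one the article lists for
the ONYX BOOX 60, re-typed as constructed input so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed input: the /proc/mtd listing quoted in the article.
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00100000 00020000 "nand.bootloader"
mtd1: 00100000 00020000 "nand.bootsplash"
mtd2: 00200000 00020000 "nand.kernel"
mtd3: 00300000 00020000 "nand.initramfs"
mtd4: 0a000000 00020000 "nand.rootfs"
mtd5: 02000000 00020000 "nand.configure"
mtd6: 13800000 00020000 "nand.userfs"
"""

# Assumed NAND geometries (page size, OOB bytes per page). The article does not
# name the flash part, so these are the two common layouts, not measured values.
NAND_GEOMETRIES = {"small-page": (512, 16), "large-page": (2048, 64)}

LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class MtdPartition:
    dev: str
    size: int        # bytes
    erasesize: int   # bytes
    name: str

    @property
    def erase_blocks(self) -> int:
        return self.size // self.erasesize

    @property
    def size_mib(self) -> float:
        return self.size / (1024 * 1024)


def parse_proc_mtd(text: str) -> list:
    """Parse /proc/mtd lines; sizes are hex byte counts, the header is skipped."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dev, size, erasesize, name = m.groups()
        p = MtdPartition(dev, int(size, 16), int(erasesize, 16), name)
        # A partition must consist of whole erase blocks; anything else is a
        # corrupted listing and would make later block arithmetic wrong.
        if p.size % p.erasesize:
            raise ValueError(f"{dev}: size is not a multiple of erasesize")
        parts.append(p)
    return parts


def classify_dump(part: MtdPartition, dump_len: int) -> str:
    """Explain a dump file's length relative to its partition size.

    A dump that still carries out-of-band (OOB) bytes is larger than the
    partition by oob/page for every page. Copying such a file byte-for-byte
    onto a nandsim device puts spare-area bytes into data pages, so the
    filesystem inside will not be recognised.
    """
    if dump_len == part.size:
        return "raw (no OOB)"
    for label, (page, oob) in NAND_GEOMETRIES.items():
        if dump_len == (part.size // page) * (page + oob):
            return f"raw+OOB ({label}: {page}+{oob})"
    if dump_len < part.size:
        return "truncated"
    return "unknown layout"


def summarize(parts: list) -> dict:
    """Map partition name -> (size in MiB, number of erase blocks)."""
    return {p.name: (p.size_mib, p.erase_blocks) for p in parts}


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for p in parts:
        print(f"{p.dev:5} {p.name:18} {p.size_mib:7.1f} MiB "
              f"{p.erase_blocks:5d} x {p.erasesize // 1024} KiB blocks")
    print(f"total: {sum(p.size for p in parts) / 2**20:.0f} MiB")
    root = parts[4]
    # Constructed lengths: an exact raw dump and one that is 1/32 larger.
    print(classify_dump(root, root.size), "|",
          classify_dump(root, root.size * 33 // 32))
```

Both assumed geometries add exactly 1/32 to the file size, so the length check alone cannot tell small-page from large-page flash; it does reliably distinguish a raw dump from one with OOB data, which is the first thing to confirm before blaming the yaffs2 driver.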

JTAG of the ONYX BOOX

If you remove the back cover of the device you will find the battery pack, and on the right, directly beside the battery, there is a small connector. My guess is that this small connector is a 3.3V JTAG connector (3.3V is the value I verified). The i.MX31L CPU (MCIMX31L) supports a so-called SJC (secure JTAG controller) that allows securing the JTAG interface by encrypting the JTAG communication via DES, AES, RC4 or other algorithms. So, to set up a JTAG communication with the device, you have to know the proper encryption key. I have not yet tried whether this feature is enabled, but as the firmware images are AES encrypted, I believe that it should be enabled. I will try this as soon as I get my hands on a fitting 3.3V JTAG adapter or find the time to build my own.
ONYX BOOX 60 - removed back cover. You can see the battery pack and the data cable connector beside it.
If the device lacks SJC support, it would be very easy to extract the original firmware and a full memory image using the JTAG interface, which would bypass the image encryption I wrote about above.

Internal device pictures

I also decided to open my device today to see what I can find inside. What you notice directly after opening the device (once you get past the tons of screws they used to close the housing) is that most of the PCB is just empty. The most interesting parts you find are the CPU, the wireless controller, and the display controller.
Inner board of the ONYX BOOX 60.
The other side of the PCB (display side) looks less interesting, except for the connector to the WACOM tablet device.
Display side of the ONYX BOOX main board.
WACOM tablet device of the ONYX BOOX 60.

So, what's next?

I will try to extract some firmware copies from the device by reading the mtdblock devices and will see if I am able to build my modified firmware upon them. As I said before, this can result in a bricked device that might only be repairable by ONYX support, so I have to make sure that there is a way I can use to reflash a clean and original image. So this definitely involves some deeper research on the device itself.