Attention: open in a new window. PDFPrint

Hacking your ONYX BOOX 60 (Part I)

As today was the last day of the CeBIT 2010 in Hannover I just decided to grab one of the tickets remaining in my ticket deck. Normally I just try to avoid to visit the CeBIT on weekends as the halls are getting really crowded around noon because it is the day where crowds of pupils and young studends come to grab some ballpens and useless junk throws around by hardware manufacturers like nVidia and AMD.

Nevertheless I just decided to go there again and it turned out that it was a great plan as I have brought a ONYX BOOX eBook-Reader home, the one presented by ONYX on this website: http://www.onyxboox.com/

ONYX BOOX without lether  cover

 

I got a 6'' sized BOOX 60 powered by a 532 MHz arm cpu. The device contains 128 MB of RAM and 512 MB of internal flash storage. For more space requirements it allows plugging a SD card into the slot at the bottom that is compatible up to 32 GB of storage. ONYX BOOX with lether cover As most readers it has a headphone jack for MP3 playback at the bottom which is nothing really useful but there are three very interesting features:

  1. The device allows touchscreen input using a stylus. It is possible to annotate PDFs with the device.
  2. It has an integrated wifi card that allows you to connect the device directly to your wireless lan (even WPA2 PSK works great but I do not know if proxy servers are directly supported now). The device uses a webkit based browser for web access, so you could read your use the device to read online news.
  3. ONYX provides an SDK for own applications at http://www.onyxcommunity.com/. The BOOX seems to use Qt as widget api which basically means that it should not be a great deal to develop own applications if you are familiar in Qt development (which I am not until now :( ).

If you ever have developed any embedded application for a linux powered device you will instantly recognize that the BOOX is powered by an embedded linux system when you unpack the SDK. It contains a toolchain for compiling own applications and contains some precompiled Qt libraries and some device specific libraries that are used for display refresh control.

Ouou... I forgot that I titled this article "Hacking your ONYX BOOX 60"... so lets go ahead.

As I told before it is possible to put own applications onto the device. That means: You can upload your applications to the internal flash using the USB interface. I found out that the BOOX executes just all files ending on .oar. The documentation of ONXY does not mention that an .oar-File does not necessarily have to be a compiled c-application but I found out that simple shell scripts just do their job.

My BOOX device uses the ash implementation of busybox as shell which I just found out using a simple C++ application to dump the file hierarchy. As ash provides a very comprehensive scripting environment it does a good job which means that we do not have to cope with C++ for now.

You need to know that the BOOX starts all applications directly from the root directory (/) but the internal flash storage that can be accessed using USB can be found at /media/flash. This means that if you write anything into a file using the > or >> commands within your script make sure that you add the destination directory. I did this using >> $0.dump.txt for dumping the shell output. $0 will attach the full path of the script in front of the .dump.txt. So I used some first commands within a simple shell script:

#!/bin/sh

find / >> $0.find.txt
whoami >> $0.whoami.txt
ps a >> $0.psa.txt
mount >> $0.mount.txt
ifconfig >> $0.ifconfig.txt

And here are my results:

I first recognized that whoami returned "root" so all frontend applications on the device are run as root user. This means that you should carefully choose any application you load to your device as I may destroy your device. Every application has full hardware access to the /dev/mtdblock* devices. This devices contain the whole system flash and I am pretty shure that using

dd if=/dev/zero of=/dev/mtdblock0

will instantly brick your device. That means: DO NOT TOUCH ANYTHING YOU DO NOT UNDERSTAND!

Okay. Lets go on...

The process-table looks like this:

  PID  Uid        VSZ Stat Command
1 root 2752 SW init
2 root SW< [kthreadd]
3 root SW< [ksoftirqd/0]
4 root SW< [events/0]
5 root SW< [khelper]
41 root SW< [kblockd/0]
76 root SW [pdflush]
77 root SW [pdflush]
78 root SW< [kswapd0]
119 root SW< [aio/0]
657 root SW< [mtdblockd]
734 root 1604 SW< udevd --daemon
1495 root SW< [kmmcd]
1513 root 2268 SW dbus-daemon --system --print-address
1514 root 2752 SW /bin/sh /etc/watchdog.sh
1515 root 53772 SW system_manager -qws -shell=explorer
1517 root 2756 SW /sbin/getty -L ttymxc0 115200 vt100
1522 root 59968 SW explorer
1849 root SW< [loop0]
1857 root 37056 SW /usr/bin/oar_wrapper -display Transformed:Rot0:NabooS
1859 root 2752 RW /bin/sh /media/flash/find.oar -display Transformed:Ro
1866 root 2756 RW ps

Not really interesting. Some udev-deamon running and dbus as message bus.

If this is the case the port should also allow reflashing the device with some custom linux and unbrick your device if you get a running flash image for it. Oh well... you just might recognize the command line parameters delivered by the application running my find.oar-file: "-display Transformed:Ro". Theese commands should be handled by Qt...

This is the list of the mounted devices:

rootfs on / type rootfs (rw)
/dev/root on / type yaffs2 (rw)
proc on /proc type proc (rw)
sys on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw,mode=755)
tmpfs on /tmp type tmpfs (rw)
tmpfs on /var type tmpfs (rw)
/dev/mtdblock5 on /root type yaffs2 (rw)
/dev/mtdblock6 on /media/mtd6 type yaffs2 (rw)
/dev/loop0 on /media/flash type vfat (rw,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8)

Okay. It uses yaffs2 as root filesystem which means that the root filesystem on the device is not write protected. The flash you could write using the usb cable is mounted as a vfat. So they just connect the flash to your usb-port using a filestorage gadget driver (how else?).

The output of ifconfig countains just a lo-device as I have not connected my device to my wireless lan yet.

Edit: I just started to continue my research on the device. You can find the next article Hacking your ONYX BOOX 60 (Part II).