Antoine Amarilli's blog

Hacking the fnacbook (aka. Kobo by Fnac)


I just got a Fnacbook for Christmas. Of course, I have no intention to use this device to buy DRM-ed files, or sync it to the cloud, or use any of the invasive "social" features provided. In this post, I give some information to understand what the beast does, how to get a shell, and how to prevent it from accessing the manufacturer's website using /etc/hosts.

Of course, though this information seems correct as of this writing, it might become outdated as new versions of the firmware get released and other versions of the device come out. Be careful, and don't blame me if something goes wrong.

See also my followup post about the Kobo Touch and Kobo Glo.

What's in the box?

There is little documentation (and no useful documentation) provided with the device in the Fnac packaging, but you can find out from the serial number that the device is a Kobo Touch N905. It's pretty hard not to get confused by people writing about different Kobo devices. The Wikipedia page about the Kobo eReader gives an overview of the existing devices.

Mounting the device

The device can just be mounted as a UMS drive on a Linux computer. Beware, however: if the device appears as /dev/sdb, you need to mount /dev/sdb directly, not /dev/sdb1. Indeed, running fdisk -l /dev/sdb will not show any partitions. This is normal, and confused me for some time.

Registration, and how to circumvent it

When powering up the device, it will first ask you to pick a language, and will then ask you to install the free desktop application on your computer and synchronize with it. Of course, this application is not free as in freedom, and getting it to run under Linux seems nontrivial. You can skip the activation step, but some features (like activating Wi-fi) will not be available until it has been completed. Or rather, until the device thinks it has been completed.

Fortunately, the device is just naively checking for a record in an sqlite database that is available when you mount it on your computer, so this is easy to fake. Assuming that you mounted the device as /mnt/kobo with suitable permissions, just run:

echo "insert into user values('foo', 'foo', 'foo', 'foo', 'foo');" | sqlite3 /mnt/kobo/.kobo/KoboReader.sqlite

When you unmount the device and unplug it and tap the sync icon, you should now be able to use Wi-fi.

Reading life, and why you might want to disable it

The settings page mentions a feature called "Reading Life" which is presented as something which "allows you to track your reading activity and win awards from Kobo". Reading the presentation page, however, I get the impression that it is some "social" feature which will also allow Kobo (and maybe their partners) to track your reading activity. I don't know the exact scope of this, but if you're like me, you'll probably want to disable this right away. This can be done from the settings menu. An alternative, more radical method is presented in the next sections.

It seems that the device is also sending tracking information via Google Analytics; see this thread.

Updating the firmware

When the device gets an Internet connection, it will silently connect to mobile.kobobooks.com and, among other things, request a firmware update. If one is available, it will download it automatically and prompt you to install it. I found some information about the details of this exchange, but it is outdated. Fortunately, someone already did the sniffing and we have the URL of firmware 1.9.16 which is the most recent as of this writing. You can download it manually, examine it and install it by uncompressing the zip archive in the .kobo folder (source).

Rolling your own update to get a shell

Retrieving the update manually makes it possible to examine what it contains. In the zip file, you can see that the device is using u-boot, and you can see a KoboRoot.tgz file. As it turns out, if such a file is present in the .kobo folder, it will just get decompressed to /. This means that we can alter the system to suit our needs.

Actually, someone already documented the process to get telnetd and ftpd running, though the instructions need to be adjusted for the firmware you have. For version 1.9.16, you will need to:

  • Create /etc/inetd.conf as documented in the old instructions.
  • Prepare /etc/init.d/rcS by retrieving it from the KoboRoot.tgz in the original update and adding the following lines at the end (from the old instructions and updated info):
    mkdir -p /dev/pts
    mount -t devpts devpts /dev/pts
    /usr/sbin/inetd /etc/inetd.conf &
    
  • Ensure that rcS is executable.

Now, pack the resulting etc folder into a gzip-compressed tar archive named KoboRoot.tgz, put it on the device like regular firmware, unplug, and the device will install it and reboot. If everything worked well, you can then connect to a network and have telnet and ftp access as root (with no password). Of course, this is insecure, and you should set up a password (just run busybox passwd from the root shell).
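The steps above as one script, run on the computer (an added example, not from the original post). `build_koboroot` is a hypothetical helper name; it assumes a tar with gzip support and an inetd.conf that you have already written from the old instructions, since its contents are not given here.

```shell
# The three lines the post appends to the stock rcS.
RCS_ADDITION='mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
/usr/sbin/inetd /etc/inetd.conf &'

# build_koboroot VENDOR_TGZ INETD_CONF OUT_TGZ
#   VENDOR_TGZ: KoboRoot.tgz from the original update (source of the stock rcS)
#   INETD_CONF: your own inetd.conf (assumed to exist; not provided here)
#   OUT_TGZ:    archive to write, to be copied to .kobo as KoboRoot.tgz
build_koboroot() {
    vendor=$1; inetd_conf=$2; out=$3
    work=$(mktemp -d) || return 1
    # The member may be stored as etc/... or ./etc/..., so look it up first.
    member=$(tar -tzf "$vendor" | grep -E '^(\./)?etc/init\.d/rcS$' | head -n 1)
    if [ -z "$member" ]; then
        echo "no etc/init.d/rcS in $vendor" >&2
        rm -rf "$work"
        return 1
    fi
    tar -xzf "$vendor" -C "$work" "$member" || { rm -rf "$work"; return 1; }
    rcs=$work/etc/init.d/rcS
    # Append only once, so rebuilding from an already patched rcS is harmless.
    grep -qF '/usr/sbin/inetd /etc/inetd.conf' "$rcs" ||
        printf '%s\n' "$RCS_ADDITION" >> "$rcs"
    chmod 755 "$rcs"    # "Ensure that rcS is executable."
    cp "$inetd_conf" "$work/etc/inetd.conf" || { rm -rf "$work"; return 1; }
    # Store paths relative to the root, since the device unpacks the file to /.
    (cd "$work" && tar -czf - etc) > "$out" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# Usage: build_koboroot original/KoboRoot.tgz inetd.conf KoboRoot.tgz
```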

Running dropbear

Running dropbear on the device provides an ssh client and an ssh server, which can supersede both ftp and telnet, is more secure, and can be used for passwordless authentication. This comment indicates how to do it, except that you will need to set root's home to /root in /etc/passwd (and use /root/.ssh as the ssh configuration directory) to get key authentication working (dropbear will complain about permissions not being right otherwise).

(In case the comment above disappears, the crucial information is that you should use the "diablo Extras free armel" version of dropbear from Maemo. More information about dropbear and reverse ssh is in my followup post.)

Note that scp access (or ftp) allows you to upload books to your device over Wi-fi. However, it will not trigger the content indexing phase that the device normally performs, which is why it will not see new books or will crash when trying to access books which no longer exist. The indexing step is triggered by plugging the device into a computer and unplugging (even without mounting it), and I haven't found any way to trigger it from the shell yet. :-( Actually, there is one, see my followup post.

Another problem is that the device will apparently turn off the Wi-fi connection automatically after some time to save battery, which is annoying when using a shell. I haven't found how to disable this yet. A crude one is suggested in my followup post.

Factory reset

If you keep the home button pressed while booting the device, it will immediately and without confirmation perform a factory reset. I am not sure yet about how this reset is performed, but it seems to be pretty low-level, as it seems to restore the root filesystem in the factory state. I confess that I messed up at some point and flashed something which prevented the device from booting, but the factory reset was able to save me. I guess it is hard to brick the device unless you start messing with u-boot, though this is just a guess.

Preventing the device from phoning home

It is likely that any updates to the root fs will overwrite /etc/init.d/rcS and require you to perform part of this setup again. Or maybe it will change the way updates are installed and break this setup. Since those updates get installed automatically whenever an Internet connection is enabled on the device, this is a problem.

I don't know of any way to make updates opt-in. The only way I found is to use /etc/hosts to block the device from contacting its parent site. This also has the benefit of blocking any tracking like Reading Life. To do this, add the following to /etc/hosts:

0.0.0.0 kobobooks.com mobile.kobobooks.com www.kobobooks.com dev.kobobooks.com
0.0.0.0 partner.dev.kobobooks.com ecimages.kobobooks.com images.kobobooks.com
0.0.0.0 www.google-analytics.com ssl.google-analytics.com google-analytics.com

Added Google Analytics blocking as per this thread.

To check that this works, just connect to a network and the device should give an error message "Network Error". Of course, the connection is perfectly functional, and the device is just complaining about not being able to reach its server. Note that you can replace 0.0.0.0 with the IP of a machine you control if you want to see what the device is sending and possibly forge replies. I haven't tried this yet.
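A way to confirm that the block is complete, for instance after an update has rewritten files under /etc (an added example, not from the original post). `unblocked_hosts` is a hypothetical helper; it assumes an awk is available and that the resolver uses the first line matching a name, so an earlier entry with a real address defeats a later 0.0.0.0 one.

```shell
# Hostnames from the /etc/hosts block above.
KOBO_BLOCKLIST="kobobooks.com mobile.kobobooks.com www.kobobooks.com dev.kobobooks.com \
partner.dev.kobobooks.com ecimages.kobobooks.com images.kobobooks.com \
www.google-analytics.com ssl.google-analytics.com google-analytics.com"

# unblocked_hosts HOSTS_FILE
# Prints every blocklisted name that is absent from HOSTS_FILE or whose first
# entry points somewhere other than 0.0.0.0.
# Returns 0 if all names are blocked, 1 if some are not, 2 on read errors.
unblocked_hosts() {
    out=$(awk -v want="$KOBO_BLOCKLIST" '
        BEGIN { n = split(want, names, " ") }
        { sub(/#.*/, "") }                      # strip comments
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (!(h in first)) first[h] = $1    # first match wins (assumed)
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (first[names[i]] != "0.0.0.0") print names[i]
        }' "$1") || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: unblocked_hosts /etc/hosts && echo "all blocked"
```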

This means that you will not automatically get the latest updates from Kobo, of course (which is the whole point). If an update is released, first review it to see what it does, and, if it doesn't do anything evil, download it and install it manually as explained above, after fixing the rcS file if necessary.

More info

If you really want to hack the reader, code is available. I also recommend the blog post series by Craig Ringer about the device.

I also recommend Hacking the Kobo Touch for Dummies, and my followup post about the Kobo.

comments welcome at a3nm<REMOVETHIS>@a3nm.net