
Rooting New Hardware

From nookDevs

  • Warning: nookDevs.com is not liable if you screw up during the root process. kthxbai
  • Warning: This will probably (probably = actually) void your warranty, nookDevs.com is not liable for that either in any way shape or form.
  • Warning: What you are about to do should only be undertaken by a competent person, not your pet monkey Guenter, even if he has a small hat (Futurama)
  • Warning: Make sure you read the FULL page BEFORE starting anything to confirm you know what you are getting into!
  • Warning: By following the instructions below you release nookDevs and all related parties from any and all liability and damages as a result of this process. We can help you if you run into problems but we help at OUR discretion.

To start the rooting process please scroll down...


e-ink Nook Rooting Navigation

Methods for Nooks with serial numbers greater than 10030:

Router based for 1.4 | No Router method for 1.4
Rooting B&N revision 1.4 to 1.7 on any hardware
With firmware 1.5 or higher

For Nooks with serial numbers less than 10030:
Softroot

Full list of rooting techniques

Contents

Introduction

How to root 1.5 on new hardware
Russian version of this post
Re-make/variation by Tommy
Alternative No Router method

The following is a description of how I got root access on the new 1.4.1 firmware and hardware. I used a bug I found in firmware 1.4.0 that also exists in 1.4.1. You may distribute this publication and use it for any purpose. Note that you do this at your own risk, and I give no guarantees. It seems that I am the first to get root on 1.4.1.

Sorry for my bad English, I'm Russian.

I would be grateful if you would credit my authorship of this method. :) - cdump

Bug Description

Firmware updates are serviced over WiFi/3G using SyncML to obtain information about new firmware versions. Barnes & Noble's server responds to the request as follows:

<SoftwareData TargetName="Bravo" PlatformName="Bravo1" 
MajorVersion="1" MinorVersion="4" URL="signed_bravo_update-delta-1.4.0-release.dat" 
FileSize="27836556" LastUpdated="1277118600" DownloadOver3G="false"/>

The Nook downloads the firmware to the file /system/media/sdcard/filename.dat. If the size of the downloaded file equals the FileSize declared in the SyncML data, the file is moved to /system/media/sdcard/signed_bravo_update.dat and the standard firmware update mechanism (checksum, etc.) is run. The first mistake is that if the FileSize declared in the SyncML data and the actual size of the downloaded file differ, the downloaded file is neither moved nor removed.

Decompiled code that generates the path where the downloaded file is saved:

// URL attribute taken verbatim from the SyncML response
String var2 = var1.getUrl();
// download directory with the attribute appended, no validation
StringBuilder var5 = (new StringBuilder()).append("/system/media/sdcard/");
String var7 = var5.append(var2).toString();
File var4 = new File(var7);

In this example, var1.getUrl() returns the value of the URL attribute from the SyncML response. After inserting something like ../../../init.rc in the URL, var7 will be equal to /system/media/sdcard/../../../init.rc, which is equivalent to /init.rc. It turns out we can write a downloaded file to any place in the system! However, changing most files would be hard, because the update service runs without the permissions to write them.
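As an added example (not the Nook firmware's own code), the path construction above is shown beside a hardened version: the download name is canonicalised and rejected if it escapes the download directory, and a download whose size does not match the declared FileSize is deleted rather than left in place. The class and method names are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;

// Illustrative class, not part of the Nook update service.
public class UpdatePath {
    static final String DOWNLOAD_DIR = "/system/media/sdcard";

    // Vulnerable form: the URL attribute is appended as-is, so a value
    // like "../../../init.rc" resolves to /init.rc.
    static String vulnerableTarget(String url) {
        return new StringBuilder().append(DOWNLOAD_DIR).append("/").append(url).toString();
    }

    // Hardened form: canonicalise both the directory and the resulting
    // path, then require the result to stay inside DOWNLOAD_DIR.
    static File safeTarget(String url) throws IOException {
        File dir = new File(DOWNLOAD_DIR).getCanonicalFile();
        File target = new File(dir, url).getCanonicalFile();
        if (!target.getPath().startsWith(dir.getPath() + File.separator)) {
            throw new IOException("rejected download name outside download dir: " + url);
        }
        return target;
    }

    // The second mistake on the page: a size mismatch left the file behind.
    // Here a mismatch removes the download and reports failure.
    static boolean acceptDownload(File downloaded, long declaredSize) {
        if (downloaded.length() != declaredSize) {
            downloaded.delete();
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        System.out.println(vulnerableTarget("../../../init.rc"));
        try {
            safeTarget("../../../init.rc");
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
        System.out.println(safeTarget("signed_bravo_update-delta-1.4.0-release.dat"));
    }
}
```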

But I found the following entry in /init.rc:

chmod 0777 /etc/wifi_stop.sh

This means that this file is writable by anyone!

Let's do it!

1. Change your WiFi router's DHCP DNS setting to point to your notebook's IP address.

2. Configure a BIND DNS server on your notebook to resolve sync.barnesandnoble.com and edmfiletransfer.barnesandnoble.com to your notebook's IP address.

3. Configure lighttpd mod_rewrite:

url.rewrite-once = (
"^/sync/001/Default.aspx.*" => "nook.pl",
"^/edmfiletransfer.*" => "file.dat"
)

and put the following files in the document root:

nook.pl - http://pastebin.com/NWLcej83

file.dat - http://pastebin.com/c4i03Rvd

Warning: FileSize on line 22 of nook.pl must not equal the real size of file.dat (I use file.dat's real size + 1)! If they are equal, the update service will move the downloaded file, so your wifi_stop.sh will be removed and your nook may brick!

4. At this point, connect your nook to WiFi, unregister it (in Settings -> Device) and register it again. Re-registering forces the software update check, and a message about a failed update download will appear; this message is safe to ignore.

5. Stop and start the WiFi on the nook (toggle Airplane mode on, then off) and connect to the nook via adb.

6. Modify /init.rc to enable adb, and remove your changes from /etc/wifi_stop.sh.

7. Return the router DNS settings to default.

Firmware image

1.4.1 image (unsigned) from restore partition: http://www.multiupload.com/QOVUVGT9UM

Conclusion

This description is a very brief glimpse of the cracking process. I think the owners of nookdevs could potentially run a DNS server to host the published script above. Then the person doing the cracking would only need to change the DNS settings in their WiFi router to point to nookdevs and continue the process from there.

If you have any questions, please ask them in discussion on this page.

Addendum

I successfully used this method to root my 1.4.2 nook. -prophreak

Would you be able to post 1.4.2 firmware? --Spec 05:19, 16 October 2010 (PDT)
Do I need to remove anything from the image to make it anonymous? --Prophreak 06:23, 16 October 2010 (PDT)
No, if you get the image from the end of the memory card (backup image). --Cdump 06:49, 16 October 2010 (PDT)

Tommy gives additional instructions: Applying With Details
