Rooting New Hardware
To start the rooting process please scroll down...
The following is a description on how I got root access on the new 1.4.1 firmware and hardware. I used an error I found in firmware 1.4.0 that also exists in 1.4.1. You may distribute this publication and use it for any purpose. Note that you do this at your own risk, and I do not give any guarantees. It seems that I am the first who got root on 1.4.1.
Sorry for my bad English, i'm Russian.
I would be grateful if you would refer to my authorship of this method. :) - cdump
Firmware updates are serviced through WiFi/3G using SyncML for information about any new firmware versions. Barnes & Noble's server would respond to the request as follows:
<SoftwareData TargetName="Bravo" PlatformName="Bravo1" MajorVersion="1" MinorVersion="4" URL="signed_bravo_update-delta-1.4.0-release.dat" FileSize="27836556" LastUpdated="1277118600" DownloadOver3G="false"/>
Nook downloads the firmware to the file /system/media/sdcard/filename.dat, and if the size of the file is equal to the amount claimed in the information stated in the SyncML data, the file is moved to /system/media/sdcard/signed_bravo_update.dat and the standard firmware update mechanism (checksum, etc..) is run. The first mistake is that if the filesize declared in the SyncML data and the actual size of the downloaded files differ, the downloaded file will not move and is not removed.
Code that generates the path where to save the downloaded file:
String var2 = var1.getUrl(); StringBuilder var5 = (new StringBuilder()).append("/system/media/sdcard/"); String var7 = var5.append(var2).toString(); File var4 = new File(var7);
In this example, var1.getUrl() returns the value of a URL parameter to SyncML. After inserting something like ../../../init.rc in the URL, var7 will be equal to / system/media/sdcard/../../../init.rc, which is equivalent to /init.rc. It turns out we can upload any file to any place in the system! However, it turns out that changing most files would've be hard, as the update service has no permissions.
But I found the following entry in /init.rc:
chmod 0777 /etc/wifi_stop.sh
This means that writing of this file is available to anyone!
Let's do it!
1. Change your WiFi router DHCP DNS to point to your notebook IP address.
2. Configure a BIND DNS server on your notebook to resolve sync.barnesandnoble.com and edmfiletransfer.barnesandnoble.com to your notebook's IP address.
3. Configure lighttpd mod_rewrite:
url.rewrite-once = ( "^/sync/001/Default.aspx.*" => "nook.pl", "^/edmfiletransfer.*" => "file.dat" )
And put following files in document-root
nook.pl - http://pastebin.com/NWLcej83
file.dat - http://pastebin.com/c4i03Rvd
Warning: FileSize on line 22 in nook.pl must not equal the real file.dat size (I use file.dat's real size + 1)! If they are equal, your wifi_stop.sh will be removed and your nook may brick!
4. At this point, connect your nook to WiFi, unregister it (in Settings -> Device) and register it again. This process forces the software update to check for a new version, and a message will appear about a failed update download--this message is safe to ignore
5. Stop and start the WiFi on the nook (toggle Airplane mode on, then off) and connect to the nook via adb
6. Modify /init.rc to enable adb, and remove any changes from /etc/wifi_stop.sh
7. Return the router DNS settings to default.
1.4.1 image (unsigned) from restore partition: http://www.multiupload.com/QOVUVGT9UM
This description is very brief glimpse of the cracking process. I think the owners of nookdevs could potentially run a DNS server to host the published script above. At this point, the person doing the cracking the will only change the settings in their WiFi router's DNS settings to point to nookdevs and continue the process from there.
If you have any questions, please ask them in discussion on this page.
I Successfully used this method to root my 1.4.2 nook. -prophreak
- Would you be able to post 1.4.2 firmware? --Spec 05:19, 16 October 2010 (PDT)
Tommy gives additional instructions : Applying With Details