User:Neilk
From nookDevs
Rooting 1.5 on the original nook
I've been working on a method to root 1.5 on the original nook, and I just made a major breakthrough -- it's not root, but I managed to launch adbd as user 'system', using an exploit in the browser. I'm publishing what I've done so far since it's now authentically helpful, and because someone else might be able to help finish -- that is, to run adbd as root instead of as system.
The method uses a malformed HTML document which, in the version of WebKit used in the 1.5 release, can cause the execution of arbitrary code on the heap. Here is the copy that I had success with.
The code in that document causes the nook to open up a connection to a specified host and port and connect a shell to that host. (A future version will do something more useful, I promise.) If you want to try the document linked above, here's how:
- Edit the html file to hardcode your own IP address in:
  - At the top of the file in a javascript block, there are two variables, 'ip' and 'port'.
  - You need to change 'ip' to your own IP address. Convert each octet of your IP address to hexadecimal. Mine is 192.168.7.102, which converts to C0 A8 07 66. Then arrange these bytes in the same byte order used in my proof-of-concept, where \u0201\u0403 encodes 1.2.3.4.
  - The variable 'port' represents port 4660, or 0x1234 in hexadecimal. If you want to change this for some reason, change the \u3412 sequence in the same byte-reversing way described above.
- Use a program like nc to set your PC up to listen on the given host and port (such as: nc -vv -n -l -p 4660). (This will probably only work if you're on a LAN with your nook, but if you can follow this guide, you probably understand this.)
- Open the browser and load the html file linked above -- you can do it from my host, I don't mind.
- One of three things will happen:
  - Nothing (the text
  - The browser will crash and nothing else. Start the browser up and load the page again.
  - The browser will crash and the nook will connect to your nc session. It won't display a prompt, but you will have a shell. Run '/system/bin/ls' to prove that you're on. It will probably take a dozen or more browser crashes before this actually happens.
You can then launch /sbin/adbd using the shell, and you're in (until you power off your nook)! Unfortunately, you've only got the privileges of the account that the web browser uses -- 'system' -- but that can probably be "fixed".
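The byte order in the 'ip' and 'port' steps above is simply the in-memory layout of a JavaScript string: WebKit stores strings as 16-bit code units, and on the nook's little-endian ARM processor each unit is written low byte first, which is why \u0201 stands for the bytes 01 02. The following is an added example, not code from this page or from nookDevs, written from the analyst's side: given the text of a page that uses this encoding, it reads the 'ip' and 'port' string literals back and reports which host and port the page would connect to, and rejects malformed escapes rather than decoding them into garbage. It assumes the variables are written as `var ip = "..."` and `var port = "..."` (the page only says the two variables exist) and uses constructed sample input built from the values the page gives (1.2.3.4 and port 4660).

```javascript
// Added example (not from the original page or from nookDevs): read back the
// connect-back host and port from a page that stores them the way the nook 1.5
// exploit page does, as JavaScript string literals built from \uXXXX escapes.
//
// Why the bytes look "swapped": a JavaScript string is a sequence of 16-bit
// code units, and on the nook's little-endian ARM CPU each unit sits in
// memory low byte first.  "\u0201" therefore occupies the bytes 01 02, so the
// string "\u0201\u0403" is the four bytes 01 02 03 04, i.e. 1.2.3.4.

// Turn a string into the byte sequence its code units occupy in memory
// (little-endian: low byte, then high byte, for each 16-bit unit).
function codeUnitsToBytes(str) {
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    bytes.push(unit & 0xff);
    bytes.push((unit >>> 8) & 0xff);
  }
  return bytes;
}

// Two code units -> four bytes -> dotted-quad IPv4 address.
function decodeIp(str) {
  const bytes = codeUnitsToBytes(str);
  if (bytes.length !== 4) {
    throw new Error(`an IPv4 address needs exactly 2 code units, got ${str.length}`);
  }
  return bytes.join('.');
}

// One code unit -> two bytes -> port in network (big-endian) byte order.
// "\u3412" -> bytes 12 34 -> 0x1234 -> 4660.
function decodePort(str) {
  const bytes = codeUnitsToBytes(str);
  if (bytes.length !== 2) {
    throw new Error(`a port needs exactly 1 code unit, got ${str.length}`);
  }
  return (bytes[0] << 8) | bytes[1];
}

// Convert the *source text* of a literal such as \u0201\u0403 (six characters
// per escape, as read from the HTML file) into real code units.  Only a pure
// run of \uXXXX escapes is accepted; a malformed escape (wrong digit count,
// stray characters) is reported instead of being silently mis-decoded.
function unescapeUnits(literal) {
  if (!/^(\\u[0-9a-fA-F]{4})+$/.test(literal)) {
    throw new Error(`not a pure \\uXXXX sequence: ${literal}`);
  }
  return literal.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Assumed layout (the page only says the variables 'ip' and 'port' exist at
// the top of the file): var ip = "..."; var port = "...";
const IP_RE = /\bip\s*=\s*(['"])((?:\\u[0-9a-fA-F]{4})+)\1/;
const PORT_RE = /\bport\s*=\s*(['"])((?:\\u[0-9a-fA-F]{4})+)\1/;

function extractConnectBack(html) {
  const ipMatch = html.match(IP_RE);
  const portMatch = html.match(PORT_RE);
  if (!ipMatch || !portMatch) {
    throw new Error("could not find 'ip' and 'port' string literals");
  }
  return {
    ip: decodeIp(unescapeUnits(ipMatch[2])),
    port: decodePort(unescapeUnits(portMatch[2])),
  };
}

// Constructed sample input, using only the values the page itself gives:
// \u0201\u0403 encodes 1.2.3.4 and \u3412 encodes port 4660 (0x1234).
const SAMPLE = `<html><script>
var ip = "\\u0201\\u0403";
var port = "\\u3412";
</script></html>`;

console.log(extractConnectBack(SAMPLE)); // { ip: '1.2.3.4', port: 4660 }
```

Run it with node; the same decoder applies to any captured copy of a page that uses this layout, which is the quick way to see where such a page would try to connect before it is ever loaded on a device.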
- An old published Android exploit successfully got me adb running as root. Now it's actually been done. I rooted stock 1.5.
I made a new version of the exploit script that may or may not work -- haven't tested it yet. This one should launch adbd as user 'system' on your nook. Load this URL in the nook 1.5 browser. If it doesn't crash, reload it. If it does crash, try to connect with adb. If it doesn't connect, load the URL again. Don't give up -- this is not a deterministic method and it might take dozens of tries to work. Or it might never work without minor tweaks to the html file -- I'm not sure yet. I'd love to hear from anyone with a new 1.5 nook who achieves success. If you do get that working, use the 'RageAgainstTheCage' exploit mentioned just above to get root. You did it!
- The RageAgainstTheCage method also takes some persistence, and often it will work but crash the nook shortly thereafter. I suggest that as soon as you get root, edit the /init.rc script to enable adbd at boot and then do a hard reboot of the nook by holding down the power button until the screen clears.
Deadsea
No idea if this is the right way to inform you that the html exploit works on the latest 1.5. #10101XXX. Takes a few tries as stated. The page just keeps reloading till the browser crashes automatically. However, I can't get the exploit to run. Push to /sqlite....journals works fine. Trying to chmod 700 it comes up with a not found. ls comes up with a not found too. Appears that it's missing?
- When you get on from adbd you can run 'PATH=/system/bin:/system/xbin' to access these utilities.
Could you possibly include some directions on how you managed to get the rageagainstthecage running? The readme in there was a bit brief.
- It works maybe 1/3 of the time, and even when it works, the nook crashes occasionally afterwards. Neilk 17:37, 26 February 2011 (PST)
Stonefoz
Exploit confirmed to work on new hardware. Ran exploit - adbd.html, uploaded 'rageagainstthecage', shell, chmod, then run. Then re-ran the browser exploit. Second time of running the browser exploit enabled root adbd with possibility of pushing a new init.rc that enabled adbd at boot. Can't express how ecstatic I am at finally getting 1.5 rooted on new hardware.
- Glad to hear that the adbd.html version did work for someone--I didn't test it as I didn't want to disable adbd on my own nook. Do you have the new, 1.5-only version of the hardware? I have the confidence to write a 'real' instruction page now. Neilk 17:37, 26 February 2011 (PST)
Godzirra
I have the 1.5 software and a 1010 serial. I'm having some trouble. My desktop ip is 192.168.1.122 which translates to c0 a8 01 7a. In step 2, should I be reversing those octets? So I should have '\u8a0c\ua710'? Or should I have '\ua8c0\u7a01' (which is what I'm currently using)?
I'm not having it connect to the nc connection on my desktop, and I've crashed the browser about 25 times. What am I missing?
tuxcayc
Tested and successfully rooted my 10036x nook with 1.5 firmware (apparently stock; I didn't buy it and tried but couldn't do a hard reset, so it probably came with 1.5 from the factory). I used the 'adbd.html' file without any modification and followed the rest of the instructions (had to try loading the page a lot, though...)