wiki:Device/V3+/SoftwareInvestigation

All investigation was done with the BEBook One 2010, update firmware version 2.02NL.091127. There is a lot of similarity with the V3 investigation.

Unzipped, this contains one file, v3asetup.bin. It can be unpacked with mkv3update layout v3a.

Segments

kernel:          data
logo:            DOS executable (device driver)
rofs:            Linux Compressed ROM File System data, little endian size 3239936 version #2 sorted_dirs CRC 0x7bdd786e, edition 0, 1757 blocks, 477 files
rootfs:          Linux Compressed ROM File System data, little endian size 84414464 version #2 sorted_dirs CRC 0xe513a503, edition 0, 34136 blocks, 629 files
userdata:        Linux jffs2 filesystem data little endian

Kernel

The kernel is ARM little-endian non-thumb code; you can view it with biew. It is a standard zImage. Looking at the strings inside the unpacked kernel, it's a different version than the one in the V3 source code; however, it matches the V5 source code from Jinke.

Linux version 2.6.21.5-cfs-v19 (maoyk@celling) (gcc version 4.0.0) #1132 Fri Jun 18 15:30:53 CST 2010

Comparing the loader with arch/arm/boot/compressed/head.S (from the correct kernel version of course) gives the kernel base address (aka zreladdress) 0x30008000. Disassembling with that base shows a lot of broken pointers to 0xc00?????: apparently through some MMU magic the correct base address is 0xc0008000. The few broken pointers left point to after the image: I think that should be the bss section.

The kernel also has an s3c2410-epaper module. It seems to communicate through mapped memory.

userdata

How to mount jffs2 on a desktop. But the data is pretty boring: cdma-connect, cdma-disconnect, cdma-options, gprs-connect, gprs-disconnect, gprs-options, profile

logo

220 bytes, containing the following 16 bytes:

00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
black ----------------------------------> white

This coincides with the 16-color monochrome display of the V3+. As remarked in mkv3update.c, it's actually two 600x800 images. Presumably one is for starting up and the other is for shutting down. The pixels are stored in the standard order: left to right, top to bottom.

You can use ImageMagick like this to create a logo from any image file:

convert Tux.svg -geometry 600x800! -depth 4 gray:/dev/stdout | convert -size 600x800 -depth 4 gray:/dev/stdin -depth 8 gray:code/logo

Append two such images to create a valid logo file.

rofs and rootfs

These are tricky to unpack because Jinke modified cramfs to hold bigger files. Specifically, the width of the size field is increased from 24 to 28 bits. Patch your unpack tool accordingly.
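
The effect of that wider size field on a single inode, as an added example (not code from Jinke, mkv3update or any cramfs tool). The names decode_inode, inode_info and sample_inode are made up here, the inode bytes are constructed, and it is an assumption that the 4 extra size bits are taken from the gid field that shares the same 32-bit word:

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of one 12-byte on-disk cramfs inode. */
struct inode_info { uint32_t mode, uid, size, gid, namelen, offset; };

/* Constructed sample: regular file, mode 0100644, uid 0, gid 0,
 * size 0x1400000 (20 MiB), 8-byte name, data at byte offset 0x1000. */
static const uint8_t sample_inode[12] = {
    0xa4, 0x81, 0x00, 0x00,  0x00, 0x00, 0x40, 0x01,  0x02, 0x00, 0x01, 0x00
};

/* The images on this page are little endian. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* size_width: 24 = stock cramfs, 28 = widened layout. Assumption: gid
 * keeps whatever is left of the second word (32 - size_width bits). */
int decode_inode(const uint8_t *raw, unsigned size_width, struct inode_info *out)
{
    if (size_width < 24 || size_width > 31)
        return -1;
    uint32_t w0 = le32(raw), w1 = le32(raw + 4), w2 = le32(raw + 8);
    out->mode    = w0 & 0xffff;
    out->uid     = w0 >> 16;
    out->size    = w1 & ((1u << size_width) - 1);
    out->gid     = w1 >> size_width;
    out->namelen = (w2 & 0x3f) * 4;  /* stored in 4-byte units */
    out->offset  = (w2 >> 6) * 4;    /* stored in 4-byte units */
    return 0;
}

int main(void)
{
    struct inode_info st, wide;
    decode_inode(sample_inode, 24, &st);
    decode_inode(sample_inode, 28, &wide);
    printf("24-bit: size=%u gid=%u\n", (unsigned)st.size, (unsigned)st.gid);
    printf("28-bit: size=%u gid=%u\n", (unsigned)wide.size, (unsigned)wide.gid);
    return 0;
}
```

With the stock 24-bit layout the 20 MiB file is read as 4 MiB with gid 1, so an unpatched tool can fail without an obvious parse error.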

Most of it is the same as in the V3, but there's also /root/epson.ko in rootfs. It's quite big and complicated, but the most important parts seem to be the s3c2410-epaper platform driver and its lcd driver. They communicate with the display via s3c2410_gpio_cfgpin.

What puzzled me is that I can't find how it's loaded. There are commented-out insmod lines in rofs /usr/bin/startx but nothing more. Based on /sys/devices/platform/s3c2410-epaper it seems it isn't used at all, only the kernel one is!

TODO

File a GPL complaint at gpl-violations.org.