Hacking the iRiver Story EB02 e-reader

I recently purchased an iRiver Story EB02 e-reader. I haven't actually received it yet but I was curious about its details and the type of software it would run.

I learned it's an absolute must to download / install the latest firmware so I decided to have a look at that for now as I didn't have a device to install it on anyway.

The firmware is called "ebook.hex" which is a bit mysterious. It turns out to be an ordinary zipfile with some (128 bytes) leading garbage. The offsets in the dump below are octal, so the "PK" signature at 0000200 sits at byte 128:

0000000   i   r   i   v   e   r       N   e   t   w   o   r   k       T
0000020   e   a   m       Y   o   o       H   y   u   n   g       S   e
0000040   o   u   n   g       a   j   f   e   o   q   n   a   n   g   h
0000060   o   q   p   o   e   a   ]   [   [   k   l   m   .   /   .   .
0000100   ,   m   z   l   l   o   e   =   -   0   j   . 376   _   @ 324
0000120  \b 206 236 351 026 242 036   n 350 335   Q   a   c   1   8  \0
0000140   .   \   _   p   r   e   _   w   o   r   k   .   b   a   t  \0
0000160   .   \   E   B   O   O   K   .   y   h   s  \0   C   r   e   a
0000200   P   K 003 004 024  \0  \t  \0  \b  \0 261   m   3   <   (   G

Unpacking the zipfile will prompt for a password, however. You'll be able to find the password relatively easily using the following command, though:

$ fcrackzip -c "a" -p aaaaaaaa -v ebook.hex
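
Added example (not from the original post or from iRiver): Python code that locates the ZIP signature behind the vendor header and decodes the first local file header. It shows why a tool that reads the magic at offset 0 reports "found id 76697269" (the bytes "iriv" read little-endian) and why unpacking asks for a password (flag bit 0). The sample input and its entry name are constructed; only the version, flag, method, time and date values are taken from the dump above.

```python
import struct

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
# ZIP local file header: signature, version needed, flags, method,
# mod time, mod date, CRC-32, compressed size, uncompressed size,
# file name length, extra field length (30 bytes, little-endian).
LFH = struct.Struct("<IHHHHHIIIHH")


def strip_vendor_header(blob: bytes) -> bytes:
    """Return the blob from the first ZIP local file header onwards."""
    offset = blob.find(ZIP_LOCAL_MAGIC)
    if offset < 0:
        raise ValueError("no ZIP local file header found")
    return blob[offset:]


def inspect_firmware(blob: bytes) -> dict:
    """Report where the archive starts and what its first entry declares."""
    archive = strip_vendor_header(blob)
    if len(archive) < LFH.size:
        raise ValueError("truncated local file header")
    (_sig, version, flags, method, mtime, mdate,
     _crc, _csize, _usize, name_len, _extra) = LFH.unpack_from(archive)
    return {
        # What a tool sees if it reads the magic at offset 0 of the raw file.
        "leading_id": "%08x" % struct.unpack_from("<I", blob)[0],
        "zip_offset": len(blob) - len(archive),
        "version_needed": version,
        "encrypted": bool(flags & 0x0001),        # bit 0: entry is encrypted
        "data_descriptor": bool(flags & 0x0008),  # bit 3: sizes follow data
        "method": method,                         # 8 = deflate
        "modified": "%04d-%02d-%02d %02d:%02d:%02d" % (
            (mdate >> 9) + 1980, (mdate >> 5) & 0x0F, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2),
        "first_name": archive[LFH.size:LFH.size + name_len].decode("cp437"),
    }


def constructed_sample() -> bytes:
    """Constructed input: 128-byte header plus one local file header."""
    header = b"iriver Network Team".ljust(128, b"\x00")
    name = b"constructed.bin"  # hypothetical entry name
    # Version, flags, method, time and date are the bytes at 0000200 in the dump.
    lfh = LFH.pack(0x04034B50, 20, 0x0009, 8, 0x6DB1, 0x3C33, 0, 0, 0, len(name), 0)
    return header + lfh + name


if __name__ == "__main__":
    for key, value in inspect_firmware(constructed_sample()).items():
        print(f"{key}: {value}")
```

Searching for the signature rather than hard-coding 128 keeps the check valid if another firmware version uses a header of a different length.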

The OS

The OS the iRiver Story appears to be running is (big surprise!) Linux! It appears to be for an ARM-based system, using Cairo for rendering the e-books. The most surprising thing, however, is that I didn't see any GPL notices or links to source code anywhere. Let's hope that's handled better in the package when it arrives; this is starting to smell a bit like a GPL violation.

It contains a cramfs root filesystem image which you can easily mount:

# mount -o loop rootfs.cramfs /mnt/iriver-mnt

Some observations

  • on the rootfs, /tmp/status_managers is responsible for handling upgrades (and general system startup probably). Using "strings -a" you will again find the ZIP password. It also appears to try something with "ebook.yhs".
  • the zipfile itself contains an app/ directory with some "real" binaries (book2pngd, Jmp3_player_copy and mattrib). The other files are ".feb" files and I'm not sure what they are. They're binary with some plaintext strings included. Perhaps native ARM, perhaps interpreted. The binary "/flow_copy" appears to be responsible for starting "start.feb" which in turn may be responsible for starting the other .febs.
  • booting (or at least starting stuff) from sdcard seems possible. The following snippet comes from rootfs' /etc/init.d/rcS:
############ Detect SD Booting Movi Booting ###
echo 157 > /sys/class/gpio/export
if [ "`cat /sys/class/gpio/gpio157/value`" != "0" ]; then
#SD Booting
        mount -t vfat -o shortname=mixed /dev/mmcblk1p1 /mnt/SDFAT
        # If elisamake_sh exists on the SD card
        if [ -f /mnt/SDFAT/factory/elisamake_sh ]; then
        echo "##### SD Booting #####"
        echo "##### Run script /mnt/SDFAT/factory/elisamake_sh #####"
        dos2unix /mnt/SDFAT/factory/elisamake_sh
        /mnt/SDFAT/factory/elisamake_sh
        sync
        else
        #MOVI NAND fdisk
        echo "##### SD Booting Start Fdisk MOVI NAND #####"
        fdisk -u -S 16 -H 1 /dev/mmcblk0 < /etc/init.d/sfdisk
        mkfs.vfat -n Story -F 16 /dev/mmcblk0p1
        /tmp/mke2fs /dev/mmcblk0p2
        sync
        fi
fi
  • firmware 1.61 uses Linux kernel 2.6.28.6, Linux version 2.6.28.6 (root@jang) (gcc version 4.3.2 (GCC) ) #706 PREEMPT Tue Dec 15 11:59:43 KST 2009
  • it uses/runs busybox
  • it uses SQLite
  • There may be WIFI support someday. Perhaps in this device (if it carries the hardware) or else some future device. The following is the contents of the settings.xml file:
<?xml version="1.0" encoding="utf-8"?>
<system_setting>
<setting_info>
  <passwd>NULL</passwd>
  <title1>NULL</title1>
  <title2>NULL</title2>
  <name>iriver</name>
  <phone>0000</phone>
  <time>200901010900am</time>
  <lang>2</lang>
  <shortkey>YURTF</shortkey>
  <font>NULL</font>
  <power>15</power>
  <dic>DD</dic>
  <wifi>NULL</wifi>
</setting_info>
</system_setting>

More may follow once I actually have the device :)

Misc.

A happy blogging iRiver Story user

iRiver story firmware download

 Closed comments

Awesome stuff :)

I was hoping we could "hack" the firmware and change some of the stuff in there to be a bit "better", like the screensaver which no one really wants..

Did you get any further yet with hacking it?

Comment by Wiebbe — Feb 27, 2010 10:14:11 PM

@Wiebbe I’ve tried if I could exploit the elisamake_sh script but it probably only works if certain jtag ports are set (the gpio157 check).

It shouldn’t be too hard to build/zip a custom firmware but I haven’t tried it yet. Not enough time and still afraid to “brick” my new e-reader :)

Comment by Ivo — Feb 28, 2010 9:04:00 AM

I’ve just obtained this same device and made essentially the same discoveries. I’d love to hear if you get any further! Ideally this device should eventually run an Infocom interpreter, what with the full qwerty keyboard.... 8^)

Comment by Michael — Mar 1, 2010 11:41:01 PM

What is the password from archive?

Comment by x-code — Mar 4, 2010 10:37:52 PM

@x-code the password is really easy to find using the given command, so just try it.

Comment by ivo — Mar 5, 2010 9:09:37 AM

We at gpl-violations.org are investigating this device. I’ve tried the fcrackzip command you suggested and it is running for more than 5 hours without success. I’d appreciate any help on this, as we need it as one of the steps in finding evidence for GPL violations in the device.

Comment by Harald Welte — Mar 17, 2010 10:50:20 AM

What is the path of the “font” folder? I need that for a custom .css file, and I can’t crack the firmware, it tells me: “found id 76697269, ‘ebook.hex’ is not a zipfile ver 2.xx, skipping”. I’ve tried all firmwares that I found (that is, 1.61 and 1.40).

Comment by Sherman — Mar 21, 2010 1:40:21 AM

Hi,

the font directory for Iriver Story directory is as follows.

res:///mnt/MOVIFAT/font/

Just use the path in epub CSS, e.g.:

@font-face {
  font-family: serif;
  font-weight: normal;
  font-style: normal;
  src: url(res:///mnt/MOVIFAT/font/DroidSerif-Regular.ttf);
}

Regards,

Viktor

Comment by Viktor Vojtko — Apr 20, 2010 4:07:41 PM

I too have tried using the fcrackzip as per above, and get nothing at all. Just gives an error saying :

found id 76697269, ‘ebook.hex’ is not a zipfile ver 2.xx, skipping no usable files found

any pointers would be helpful.

Comment by willo — Mar 21, 2010 2:52:13 AM

My fcrackzip wasn’t bothered by the added header. Just remove the first 128 bytes (up to PK), i.e. using vi -b and you should have something that looks like a zipfile.

fcrackzip should be able to find the password in a couple of hours on recently modern hardware, just let it crack overnight. I’m not comfortable sharing the password in public so you’ll have to figure this out yourself.

Comment by ivo — Mar 22, 2010 9:31:52 AM

I was able to run an elisamake_sh script after creating a dummy file named “forcecopy” on the “factory” folder of the SD card. With this procedure I recovered my Story that was unable to boot after a downgrade from 1.61 to 1.40. I wrote a script that made a copy of all the files of the 1.61 firmware to the internal flash. After this step the Story booted again normally. Many thanks to Ivo that published the procedure to unzip the firmware.

Comment by projects — Mar 24, 2010 7:23:41 PM

‘projects’ said the Story can be recovered after downgrading, but I know nothing about this programming stuff so I cannot do anything. Can anyone show me how to do it, as detailed as possible? It costs a lot of money to buy a Story, and now it’s just a piece of trash.

Comment by haianh — Aug 9, 2010 3:28:54 AM

@projects Please post contents of elisamake_sh script you used to bring Story back to life. Thanks in advance!

Comment by tdk — Aug 24, 2010 2:34:02 PM

Thanks ivo, I finally got the password after stripping out the first 128 bytes of the file (also seemed to crack the password faster).

It’s amazing to see how many GPL violations that iriver have committed, pity really as they’ve created a nice device, easy to use and read on. Hopefully one day they will publish the os side of things and let the open source community create an even better interface/system to use.

Comment by willo — Mar 27, 2010 9:00:18 PM

I recently bought the Story (REI-EB02(B)). It says it’s running the 1.61 fw, s/w platform 0.8.10. I tried to run a shell script by making the factory directory with elisamake_sh and all the stuff, but it didn’t work out. It seems that it doesn’t execute it at all. Also tried to make a date_time file in the root of the SD card (as it’s being read from the rc.elisa script: if [ -f /mnt/SDFAT/date_time ]; then), but that didn’t work either. I tried to reset my Story with the slide switch as well as the reset button, none of the methods seemed to work.

Any news on the hacking front?

Comment by ruudis — Apr 2, 2010 9:28:41 PM

@willo Check my other entries on the subject - there has been some progress by others in hacking the Story.

Comment by ivo — Apr 4, 2010 10:48:21 AM

OS on Story is now opensource

Comment by pim — Apr 25, 2010 10:50:13 PM

Thanks guy !

I fixed my iriver thanks to this blog

Comment by framore — Jul 16, 2010 4:20:31 AM

@framore Could you please provide instructions on how you fixed your Story? Thanks in advance!

Comment by tdk — Aug 24, 2010 2:35:56 PM

I had the same problem with an iriver story. After firmware upgrading/downgrading, it did not go further than the start screen. The steps I took to recover it, after figuring out the device and internal file structure:

take an empty SD card

create a folder “factory” on the SD card

create an empty file “forcecopy” in the folder “factory”

extract the contents of the ebook.hex file (version 1.71 in my case) into a subfolder “iriver” in the folder “factory”

create a file “elisamake_sh” inside the folder “factory” with the following content:

#!/bin/sh
cp -r -f /mnt/SDFAT/factory/iriver/* /mnt/MOVIEXT2/iriver/

After this it booted again. Of course everything without any guarantee.... If anyone has better ideas, let me know.

Comment by madlad — Aug 28, 2010 2:59:25 PM

Of course, the content of the file should be two lines, one is “#!/bin/sh”, the other is the rest, so “cp -r -f” etc…

Comment by madlad — Aug 28, 2010 3:01:25 PM

anyone know what’s the full path name of the embedded fonts of Story?

I hope to use the embedded fonts in my CSS file. I found there are ttf files named “iRiverSD.ttf”, “iriverSMJ.ttf” under the “font” directory of the ebook.hex.

but I can not use it by “url(res:///mnt/MOVIFAT/font/iRiverSD.ttf)”, Is this url right for the embedded font?

Comment by flyisland — Oct 11, 2010 11:04:06 AM 

iriver.com has a possibly related FAQ entry regarding fonts: www.iriver.com/support/faq_view.asp?fNum=482

Comment by ivo — Oct 12, 2010 8:15:45 AM

@ivo I just checked the FAQ, it’s about how to use your own fonts, what I want is to use the built-in fonts of Story in CSS file.

Story shipped with some built-in Chinese fonts, and I have already found them under the “font” folder of the ebook.hex (according to your useful instruction above).

I’d like to know, after the Story mounts the OS, what’s the full path name of the “font” folder of its “built-in” fonts?

Comment by flyisland — Oct 13, 2010 3:47:17 AM 

Last updated April 18, 2013, 4:35 p.m.