How to make custom ROM for Cybook e-readers
Monday, 06 July 2015
|
Écrit par
Grégory Soutadé

Bookeen doesn't provides any way to hack their e-ink e-readers. Nevertheless, after they introduce a secured update file format for the first Cybook serie, they come back to a "tar-like" format for their e-readers based on Allwiner platform (new Odyssey, Muse, Nolimbook...). With this format, they try to be closest to Android platform.

Be careful : handling all bookeen's readers is difficult because there is a lot of derived/customized readers available ! For this, Bookeen has its own server that checks for serial number to determine which update to serve. A special attention must be done with manipulating boot and bootloader images, it can bricks your e-reader !

This tutorial will only works with UNIX/Linux tools, I do not plan to do it for Windows.

So, let's start. An archive is commonly named CybUpdate.bin. In facts it's a .tar.bz2 file.

First, decompresse it :

mkdir decompressed
cd decompressed
tar -jxvf ../CybUpdate.bin

The following content should be created :

contents
bootloader.fex
boot.fex
rootfs.fex

I think that boot.fex and bootloader.fex are optional, but not sure. Two types of files are present :

  • contents that contains meta information
  • fex files

Contents has the following format :

<ident>|<filename>|<length>|<sha256sum>|<version>

idents are :

  • LOAD for bootloader
  • BOOT for boot partition
  • ROOT for rootfs

Fex extension is a generic one that actually is flash images in different format (vfat, ext...).

In bootloader.fex and rootfs.fex we have a file "/version" specifying the current version (allowing to do checks). Mounting bootloader and rootfs is quite easy :

mkdir root
sudo mount -t ext2 rootfs.fex root -o loop

mkdir bootloader
sudo mount -t vfat bootloader.fex bootloader -o loop

After doing modifications, just unmount the directory and the image is automatically generated ! (Don't forget to update contents metadata).

boot.fex is more complex, it has Android bootloader format. You have to use split_bootimg.pl to decompress it.

mkdir boot
cd boot
../split_bootimg.pl ../boot.fex
> Page size: 2048 (0x00000800)
> Kernel size: 10863524 (0x00a5c3a4)
> Ramdisk size: 2253456 (0x00226290)
> Second size: 0 (0x00000000)
> Board name: sun5i
> Command line: 
> Writing boot.fex-kernel ... complete.
> Writing boot.fex-ramdisk.gz ... complete.

Then we decompress ramdisk :

mkdir ramdisk_decompressed
cd ramdisk_decompressed
gzip -dc ../boot.fex-ramdisk.gz | cpio -i

You can re compress it with :

find | cpio -o | gzip -c > ../boot.fex-ramdisk.gz

Rebuilding boot is done with mkbootimg. Be careful to use the same parameters split_bootimg.pl displayed !

./mkbootimg.py --kernel boot.fex-kernel --ramdisk boot.fex-ramdisk.gz --pagesize 2048 --board sun5i -o ../boot.fex

As you see, there is nothing complicated here, but mistakes with boot/bootloader or init scripts can bricks your e-reader.

Have fun !

#
1
De
Pirloui
, le
21 July 2015 08:07
You can't ever brick an Allwinner plateform, if you boot into FEL mode, you can flash a new image.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
2
De
Greg
, le
21 July 2015 09:07
Nice to know ! I keep the warning to prevent peoples for doing anything bad.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
12
De
lramos
, le
15 March 2019 19:03
Can you take a step-by-step how to write new firmware to the bricked eReader? I have researched how to solve this, but so far I have not had any significant breakthrough.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
13
De
Greg
, le
16 March 2019 07:03
I think you need to sold an UART or USB cable directly on board in order to access FEL mode.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
14
De
lramos
, le
16 March 2019 11:03
Hello Greg! First of all I thank you for your initiative of the site, because it helped me a lot!

So, I already soldered and I have serial communication (RX / TX / GND). But

I need to know how to write new firmware.

I followed his example, downloaded CybUpdate.bin, unzipped it. Now I need to know how to recover the system. My eReader is locked on a screen.

Below is an excerpt of his initialization.

dram size =512
0xffffffff,0xffffffff
super_standby_flag = 0
HELLO! BOOT0 is starting!
boot0 version : 1.5.0
The size of Boot1 is 0x00038000.
Succeed in loading boot1 from sdmmc flash.
Ready to disable icache.
Succeed in loading Boot1.
Jump to Boot1.
[ 0.149] boot1 version : 1.7.0
[ 0.149] pmu type = 3
[ 0.150] bat vol = 3967
[ 0.152] core_para->vol_threshold=3600
[ 0.157] bat_cou=0x0000002a
[ 0.158] dcin_exist
[ 0.161] power_step_level =0x00000002, bat_vol = 0x00000f7f
[ 0.198] axi:ahb:apb=3:2:2
[ 0.198] set dcdc2=1400, clock=1008 successed
[ 0.200] key
[ 0.212] no key found
[ 0.212] --------&&&&&--flash init start------&&&&--------------
[ 0.227] flash init finish
[ 0.228] fs init ok
[ 0.228] fattype FAT16
[ 0.229] fs mount ok
[ 0.238] script finish
[ 0.240] power finish
[ 0.240] storage_type=2
[ 0.264] MSG:L50(BootMain.c):0
[ 0.279] MSG:L151(BootMain.c):init to usb pc





[ 0.357] MSG:L179(drv_de.c):----------------before eink init!!------------------------------
[ 0.427] WRN:L1962(de_bsp/de/Drv_eink.c):fetch script data lcd0_para.lcd_eink_screen_name fail
[ 0.496] ERR:L192(de_bsp/de/Drv_eink.c):[ 0.496] Open du gc16 waveform failed !
[ 0.505] ERR:L124(de_bsp/de/Drv_eink.c):[ 0.505] open common bin file failed!
[ 0.530] MSG:L184(drv_de.c):before init mode update!!
[ 1.388] MSG:L179(Board/fel_detect/fel_detect.c):startup status = -1
[ 1.389] MSG:L57(BootOS/BootOS.c):key value = 1
[ 1.394] MSG:L71(BootOS/BootOS.c):recovery key high 6, low 4
[ 1.400] MSG:L82(BootOS/BootOS.c):unable to find fastboot_key key_max value
[ 1.409] MSG:L353(BootOS/BootOS.c):Test for multi os boot with display
[ 1.414] MSG:L126(BootOS/BootOS.c):show pic start
[ 3.877] MSG:L128(BootOS/BootOS.c):show pic finish
[ 3.877] MSG:L161(BootOS/BootOS.c):load kernel start
[ 3.937] MSG:L218(BootOS/BootOS.c):load kernel successed
[ 3.937] MSG:L272(BootOS/BootOS.c):start address = 0x4a000000


U-Boot 2011.09-rc1-00001-g089926d-dirty (Feb 12 2018 - 10:36:02) Allwinner Technology

CPU: SUNXI Family
Board: A13-EVB
DRAM: 512 MiB
boot type: 3
MMC: no misc partition is found
SUNXI SD/MMC: 2
In: serial
Out: serial
Err: serial
--------fastboot partitions--------
-total partitions:7-
-name- -blk- -cnt-
bootloader : 0x12000 0x10000
env : 0x22000 0x8000
boot : 0x2a000 0x8000
rootfs : 0x32000 0xfa000
private : 0x12c000 0x10000
update : 0x13c000 0xfa000
UDISK : 0x236000 0x45a000
-----------------------------------
no misc partition is found
Hit any key to stop autoboot: 0
Répondre
Auteur :


e-mail* :


Le commentaire :


#
15
De
Greg
, le
16 March 2019 12:03
Very fine !
It seems that uBoot is working. Can you press a key to stop autoboot ? If yes, you should be able to access to uBoot shell and start flashing a binary embedded in an SDCARD (look at the partition table for the right addresses) or loading update partition and start a new update.
You're after FEL mode, but you can have access to higher level functions thanks to uBoot.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
16
De
lramos
, le
17 March 2019 18:03
So, how do I load an update partition to start a new update?
Or do something from SDCARD?

Can you help me with this task?
Répondre
Auteur :


e-mail* :


Le commentaire :


#
17
De
Greg
, le
17 March 2019 20:03
Send a key with your keyboard to stop autoboot.
Then, you may enter in uBoot shell.
Look at environment variables.
Play with uBoot commands (look at the documentation on internet, I don't have specific command in head) to launch kernel in update partition or simply directly flash modules from SDCARD.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
18
De
lramos
, le
17 March 2019 22:03
I read the environment variables!

Trying to move on to next step rs


U-Boot 2011.09-rc1-00001-g089926d-dirty (Feb 12 2018 - 10:36:02) Allwinner Technology
arm-none-linux-gnueabi-gcc (Sourcery G++ Lite 2010.09-50) 4.5.1
GNU ld (Sourcery G++ Lite 2010.09-50) 2.20.51.20100809


sunxi#showvar
HUSH_VERSION=0.01


sunxi#printenv
boot_fastboot=fastboot
boot_normal=mmc read 40007800 2a000 10000;boota 40007800
boot_recovery=mmc read 40007800 recovery;boota 40007800
bootcmd=run setargs boot_normal
bootdelay=3
console=ttyS0,115200
init=/init
loglevel=8
mmc_root=/dev/mmcblk0p7
nand_root=/dev/nandd
setargs=setenv bootargs console=${console} root=${mmc_root} init=${init} loglevel=${loglevel}
stderr=serial
stdin=serial
stdout=serial

Environment size: 432/131068 bytes
Répondre
Auteur :


e-mail* :


Le commentaire :


#
3
De
Niceguy
, le
12 August 2015 06:08
Hi,

can you provide more information about the update image format for the old Odyssey as well?

Its CybUpdate.bin file is no tar.bz. It has the "GAME_OVER" entry at the end, and I see a byte sequence "Boo" at the top which looks like a magic sequence to me. I stripped that off to see if it's something useful, as well a few bytes more or less, but to known archive format was the result.

Any information would be great! :)

Thanks!
Répondre
Auteur :


e-mail* :


Le commentaire :


#
4
De
Greg
, le
12 August 2015 06:08
Unfortunately not for now...
Répondre
Auteur :


e-mail* :


Le commentaire :


#
5
De
Lupin
, le
07 August 2017 13:08
Great information. I just noticed this blog post. Have to try this. I think good place to start is to get one of the firmware packages, split it in parts and try to reassemble them back to an update package.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
6
De
steph
, le
02 April 2018 14:04
Hello,

I have a bookeen (cybook muse hd) 6.3 boot[7] rootfs[16] (build 2538).

It seems current ssh version is for 6.3.2326 and i have 6.3.2538.

I can adapt ssh daemon to this version to play with olim-ebook-sdk
but before the battle can I have information on the best way to extract my firmware? Network, Serial port on hardware card? Other?

Thank you.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
7
De
Greg
, le
02 April 2018 15:04
Hello,

The version issue is not related to SSH but to Bookeen firmware itself (SSH build is the same for everyone).

The only way to dump your current firmware is to open your reader and find serial pins, then you can have access to uBoot and dump flash to SD card.

It seems that there is no printing on new motherboards while there was on old ones. So you need to find them (a group of 3 for RX, TX and VCC).

If you have something interesting, please complete the wiki https://linux-sunxi.org/Bookeen_Muse
Répondre
Auteur :


e-mail* :


Le commentaire :


#
8
De
steph
, le
05 April 2018 19:04
Is someone know what is the best way to open bookeen hardware without breaking plastic?
Répondre
Auteur :


e-mail* :


Le commentaire :


#
9
De
steph
, le
10 January 2019 21:01
#!/bin/bash

# Bookeen Cybook Muse HD, version AWA13
# Boo Reader, version 6.3 boot[7] rootfs[16] (build 2538)

adb pull /dev/mmcblk0p1 fat.bin
adb pull /dev/mmcblk0p2 bootloader.bin
adb pull /dev/mmcblk0p5 cmdline.bin
adb pull /dev/mmcblk0p6 kernel.bin
adb pull /dev/mmcblk0p7 rootfs.bin
adb pull /dev/mmcblk0p8 priv.bin
adb pull /dev/mmcblk0p9 update.bin
Répondre
Auteur :


e-mail* :


Le commentaire :


#
10
De
Greg
, le
11 January 2019 06:01
Thanks for the information.
Répondre
Auteur :


e-mail* :


Le commentaire :


#
11
De
steph
, le
11 January 2019 19:01
no: Thanks for adb information! that was a great and useful news.
Répondre
Auteur :


e-mail* :


Le commentaire :


Auteur :


e-mail* :


Le commentaire :




* Seulement pour être notifié d'une réponse à cet article