How to make custom ROM for Cybook e-readers
Monday, 06 July 2015 | Written by Grégory Soutadé

Bookeen doesn't provide any way to hack their e-ink e-readers. Nevertheless, after introducing a secured update file format for the first Cybook series, they came back to a "tar-like" format for their e-readers based on the Allwinner platform (new Odyssey, Muse, Nolimbook...). With this format, they try to stay closer to the Android platform.

Be careful : handling all of Bookeen's readers is difficult because there are a lot of derived/customized readers available ! For this, Bookeen has its own server that checks the serial number to determine which update to serve. Special care must be taken when manipulating boot and bootloader images : it can brick your e-reader !

This tutorial only works with UNIX/Linux tools, I do not plan to do it for Windows.

So, let's start. An archive is commonly named CybUpdate.bin. In fact, it's a .tar.bz2 file.

First, decompress it :

mkdir decompressed
cd decompressed
tar -jxvf ../CybUpdate.bin

The following content should be created :

contents
bootloader.fex
boot.fex
rootfs.fex

I think that boot.fex and bootloader.fex are optional, but not sure. Two types of files are present :

  • contents, which contains meta information
  • fex files

Contents has the following format :

<ident>|<filename>|<length>|<sha256sum>|<version>

idents are :

  • LOAD for bootloader
  • BOOT for boot partition
  • ROOT for rootfs

The fex extension is a generic one : the files are actually flash images in different formats (vfat, ext...).

In bootloader.fex and rootfs.fex there is a file "/version" specifying the current version (which allows checks to be done). Mounting bootloader and rootfs is quite easy :

mkdir root
sudo mount -t ext2 rootfs.fex root -o loop

mkdir bootloader
sudo mount -t vfat bootloader.fex bootloader -o loop

After making modifications, just unmount the directory and the changes are written back to the image automatically ! (Don't forget to update the contents metadata).

boot.fex is more complex : it has the Android boot image format. You have to use split_bootimg.pl to unpack it.
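
One way to check and refresh the contents metadata after modifying an image, as an added Python example (not part of the original post and not a Bookeen tool). It assumes that <length> is the file size in bytes written in decimal, that <sha256sum> is lowercase hex, and that contents sits next to the .fex files; the function names are illustrative.

```python
import hashlib
import os

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def parse_contents(text):
    """Parse '<ident>|<filename>|<length>|<sha256sum>|<version>' lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split("|")
        if len(fields) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(fields)}")
        ident, name, length, digest, version = fields
        if name != os.path.basename(name):  # a manifest entry must not escape the directory
            raise ValueError(f"line {n}: unexpected path in {name!r}")
        # Assumption: length is decimal bytes, digest is hex (compared in lowercase).
        entries.append([ident, name, int(length), digest.lower(), version])
    return entries

def verify(directory):
    """Return a list of problems; an empty list means contents matches the files."""
    with open(os.path.join(directory, "contents")) as f:
        entries = parse_contents(f.read())
    problems = []
    for ident, name, length, digest, _version in entries:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{ident}: {name} missing")
        elif os.path.getsize(path) != length:
            problems.append(f"{ident}: {name} length {os.path.getsize(path)} != {length}")
        elif sha256_file(path) != digest:
            problems.append(f"{ident}: {name} sha256 mismatch")
    return problems

def refresh(directory):
    """Rewrite contents with current length and sha256; ident, name, version are kept."""
    manifest = os.path.join(directory, "contents")
    with open(manifest) as f:
        entries = parse_contents(f.read())
    lines = [f"{i}|{n}|{os.path.getsize(os.path.join(directory, n))}|"
             f"{sha256_file(os.path.join(directory, n))}|{v}" for i, n, _l, _d, v in entries]
    with open(manifest, "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines
```

Run verify() on a freshly extracted, unmodified archive first: if it reports problems there, the assumptions about the field encoding do not hold for that firmware.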

mkdir boot
cd boot
../split_bootimg.pl ../boot.fex
> Page size: 2048 (0x00000800)
> Kernel size: 10863524 (0x00a5c3a4)
> Ramdisk size: 2253456 (0x00226290)
> Second size: 0 (0x00000000)
> Board name: sun5i
> Command line: 
> Writing boot.fex-kernel ... complete.
> Writing boot.fex-ramdisk.gz ... complete.

Then we decompress the ramdisk :

mkdir ramdisk_decompressed
cd ramdisk_decompressed
gzip -dc ../boot.fex-ramdisk.gz | cpio -i

You can recompress it with (the kernel only unpacks ramdisk archives in cpio "newc" format, hence -H newc) :

find . | cpio -o -H newc | gzip -c > ../boot.fex-ramdisk.gz

Rebuilding boot is done with mkbootimg. Be careful to use the same parameters that split_bootimg.pl displayed !

./mkbootimg.py --kernel boot.fex-kernel --ramdisk boot.fex-ramdisk.gz --pagesize 2048 --board sun5i -o ../boot.fex
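
The split_bootimg.pl output shown above lists the page size, section sizes, board name and command line, but the Android boot image header also stores load addresses. The following added Python example (not from the original post or from mkbootimg) parses the header and reports fields that differ between the original and the rebuilt boot.fex; make_image() only builds a constructed sample, and its addresses are not taken from a real device.

```python
import struct

# Android boot image header (version 0 layout), little-endian, 608 bytes.
HEADER = struct.Struct("<8s10I16s512s32s")
NUMERIC = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
           "second_size", "second_addr", "tags_addr", "page_size")
MUST_MATCH = ("kernel_addr", "ramdisk_addr", "second_addr", "tags_addr",
              "page_size", "board", "cmdline")

def parse_boot_header(blob):
    """Decode the header and check that the declared sections fit in the image."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a boot image header")
    magic, *nums, name, cmdline, _image_id = HEADER.unpack_from(blob)
    if magic != b"ANDROID!":
        raise ValueError("missing ANDROID! magic")
    info = dict(zip(NUMERIC, nums))  # the two trailing unused words are dropped
    page = info["page_size"]
    if page == 0 or page & (page - 1):
        raise ValueError(f"page size {page} is not a power of two")
    def padded(size):  # each section is padded to a whole number of pages
        return -(-size // page) * page
    info["board"] = name.split(b"\0", 1)[0].decode("ascii", "replace")
    info["cmdline"] = cmdline.split(b"\0", 1)[0].decode("ascii", "replace")
    info["kernel_offset"] = padded(HEADER.size)
    info["ramdisk_offset"] = info["kernel_offset"] + padded(info["kernel_size"])
    end = info["ramdisk_offset"] + padded(info["ramdisk_size"]) + padded(info["second_size"])
    if end > len(blob):
        raise ValueError(f"sections need {end} bytes, image has {len(blob)}")
    return info

def rebuild_differences(original, rebuilt):
    """Fields that differ between two images although a repack should keep them."""
    a, b = parse_boot_header(original), parse_boot_header(rebuilt)
    return {k: (a[k], b[k]) for k in MUST_MATCH if a[k] != b[k]}

def make_image(kernel, ramdisk, base, page=2048, board=b"sun5i"):
    """Constructed sample image for the demo; addresses are offsets from 'base'."""
    hdr = HEADER.pack(b"ANDROID!", len(kernel), base + 0x8000, len(ramdisk),
                      base + 0x1000000, 0, base + 0xF00000, base + 0x100, page,
                      0, 0, board, b"", b"")
    pad = lambda data: data + b"\0" * (-len(data) % page)
    return pad(hdr) + pad(kernel) + pad(ramdisk)
```

With real files, read both images with open(path, "rb").read() and flash the rebuilt one only if rebuild_differences() returns an empty dict.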

As you see, there is nothing complicated here, but mistakes with boot/bootloader or init scripts can brick your e-reader.

Have fun !

#1 From Pirloui, on 21 July 2015 08:07
You can't ever brick an Allwinner platform: if you boot into FEL mode, you can flash a new image.


#2 From Greg, on 21 July 2015 09:07
Nice to know ! I keep the warning to prevent people from doing anything bad.


#3 From Niceguy, on 12 August 2015 06:08
Hi,

can you provide more information about the update image format for the old Odyssey as well?

Its CybUpdate.bin file is no tar.bz. It has the "GAME_OVER" entry at the end, and I see a byte sequence "Boo" at the top which looks like a magic sequence to me. I stripped that off to see if it's something useful, as well as a few bytes more or less, but no known archive format was the result.

Any information would be great! :)

Thanks!


#4 From Greg, on 12 August 2015 06:08
Unfortunately not for now...


#5 From Lupin, on 07 August 2017 13:08
Great information. I just noticed this blog post. Have to try this. I think a good place to start is to get one of the firmware packages, split it in parts and try to reassemble them back to an update package.


#6 From steph, on 02 April 2018 14:04
Hello,

I have a Bookeen (Cybook Muse HD) 6.3 boot[7] rootfs[16] (build 2538).

It seems the current ssh version is for 6.3.2326 and I have 6.3.2538.

I can adapt the ssh daemon to this version to play with olim-ebook-sdk,
but before the battle can I have information on the best way to extract my firmware? Network, serial port on the hardware card? Other?

Thank you.


#7 From Greg, on 02 April 2018 15:04
Hello,

The version issue is not related to SSH but to Bookeen firmware itself (SSH build is the same for everyone).

The only way to dump your current firmware is to open your reader and find serial pins, then you can have access to uBoot and dump flash to SD card.

It seems that there is no printing on new motherboards while there was on old ones. So you need to find them (a group of 3 for RX, TX and VCC).

If you have something interesting, please complete the wiki https://linux-sunxi.org/Bookeen_Muse


#8 From steph, on 05 April 2018 19:04
Does someone know what the best way is to open Bookeen hardware without breaking the plastic?