
GAME_OVER

Monday, 02 March 2015
|
Written by
Grégory Soutadé

EDITED : 03rd January 2019 : Add ADB section

EDITED : 03rd September 2018 : Muse HD screen calibration issue seems solved

EDITED : 29th January 2018 : Link for Nolimbook 5.2.2020 stock rom

EDITED : 31st December 2017 : Add jailbreak for Nolimbook HD 6.3.2325

EDITED : 10th August 2017 : Add jailbreak for Muse HD 2 6.3.2536 (thanks Lupin)

EDITED : 2nd August 2016 : Add jailbreak for Odyssey Frontlight 2 6.3.2322

EDITED : 27th july 2016 : Add jailbreak for Muse 6.3.2350

EDITED : 15th august 2015 : Add jailbreak_backup (suggested by niceguy)

EDITED : 12th august 2015 : Another problem with Odyssey jailbreak reported by niceguy.

EDITED : 21st july 2015 : Totally rework Odyssey jailbreak : key generation was bad

EDITED : 07th july 2015 : Seems not to work for firmware >= 2340. Add /lib/libutils.so.

EDITED : 28th may 2015 : Remove Orizon/Fallback support (now it's tested). Set Muse jailbreak to version 6.3.2326

EDITED : 2nd april 2015

Those who have not tried to hack the Cybook Odyssey e-reader won't understand the title. In fact, Bookeen appends this sentence at the end of its update files. Arrogant, isn't it? Surely, but now it's outdated.

Bookeen originally delivered full access to its e-readers. Unfortunately, since the Odyssey they have become very proprietary, while its competitors (except Amazon) let users modify the core system. Did that put the competitors out of business? No. They're still alive, and they sell more e-readers than Bookeen, with Kobo ahead.

OK, enough politics, let's start hacking. It has been hard work, but I finally did it: a Cybook jailbreak.

This jailbreak installs dropbear (an SSH client/server) onto the e-reader and launches it at boot. It has been fully tested on the Cybook Odyssey and the Nolimbook HD+ (Muse), whatever firmware version is running. See the notes for other Cybook versions.

Disclaimer

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ADB

I finally found how to activate the adb daemon on AW8/13 platforms (all platforms except the Odyssey). It's less destructive than applying a new update. To do it, follow these instructions :

  • Plug your reader in USB mode
  • Create an empty file called "adb_debug" in the mounted filesystem
  • Unplug your reader
  • Plug your reader in USB mode again
  • A popup should appear asking whether you want your computer to see your reader's files : SAY NO
  • Go to Menu -> Advanced
  • Click on "Open ADB"

Now you should be able to use the adb utility to open a shell on your reader. I can't start adb on my Odyssey reader; maybe you should enable ADB first and plug your reader in afterwards, or use adb through Wifi.

Downloads

It seems that more and more people have problems with these jailbreaks on Nolimbook devices. So, please, don't try one if your reader runs a different version than the proposed one. Plus, Bookeen doesn't seem to upload new firmwares (they're only burned in at the factory). For now (as I don't own a Muse series device), I can't provide another way to jailbreak it.

Muse firmware should be compatible with Odyssey frontlight 2

Signature verification

gpg --verify SHA256SUMS.sign SHA256SUMS

My gpg key can be found here
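
Once gpg --verify has validated SHA256SUMS, the downloaded image still has to be checked against that list. The instructions below rename the file to CybUpdate.bin, so a name-based check no longer finds it; this added example (not the author's code) matches on the digest instead. It assumes the usual sha256sum line format, and the file contents and original file name in the demo are constructed.

```python
import hashlib
import re

# One sha256sum line: 64 hex digits, a space, ' ' or '*', then the file name.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sums(text):
    """Map digest -> file name for every well-formed line of SHA256SUMS."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(1).lower()] = m.group(2)
    return sums


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large firmware image is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def listed_name(path, sums_text):
    """Return the name SHA256SUMS lists for this file's digest, or None.

    Matching on the digest (not the name) still works once the download
    has been renamed to CybUpdate.bin.
    """
    return parse_sums(sums_text).get(sha256_file(path))


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for a downloaded image and its SHA256SUMS entry.
    data = b"constructed firmware bytes"
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "CybUpdate.bin")
        with open(image, "wb") as fh:
            fh.write(data)
        # "jailbreak_example.bin" is a hypothetical original file name.
        sums = hashlib.sha256(data).hexdigest() + "  jailbreak_example.bin\n"
        name = listed_name(image, sums)
        print("listed as " + name if name else "not listed: do not flash")
```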

Instructions

Rename the downloaded file to CybUpdate.bin and copy it to the e-reader via USB. Disconnect USB and start the upgrade.

Once rebooted, activate Wifi and connect to the e-reader (you can find the IP address in your internet box/router web interface) :

ssh -o "KexAlgorithms +diffie-hellman-group1-sha1" -o "Ciphers +aes128-cbc" root@EREADERIP

There is no password.

Windows users can download PuTTY as an SSH client.

Info : I compiled a new version of dropbear, but I'm not able to test it. If someone wants to test it, send me an email. I will then put it in new jailbreak versions.

Enjoy !

Tip : The e-reader goes to sleep after X minutes of inactivity and switches off Wifi, and thus the SSH connection. To avoid this problem, kill ebrmain and boordr (the first respawns the second).

Notes for Muse/Nolimbook/Odyssey essential/Odyssey frontlight 2 e-readers

The update format has changed and, to my surprise, it's simpler than the previous one. I saw that the whole flash is overwritten during an update. So, keep to the jailbreak that matches your current version.

If you want to make your own custom ROM, please read my other article, How to make custom ROM for Cybook e-readers

Nolimbook recover

A lot of people bricked their reader after applying the jailbreak on a Carrefour Nolimbook device. KotCzarny succeeded in recovering his reader by reading the NAND flash thanks to the UART pads available on the motherboard. Here is a stock ROM 5.2.2020. Thanks to him! For any further help, he is reachable on freenode IRC, channel #h3droid, nick KotCzarny.

A page dedicated to the Muse device has been created on linux-sunxi. You'll find some information about Muse hardware and FEL mode (in another section). On new hardware boards, no information about the UART pins is printed, so you need to find the right pins with a multimeter. Don't hesitate to update the page with new information!

Backup for Odyssey

Hacking the Odyssey may lead you to edit or remove files you should not. A backup jailbreak that contains a full factory image (+SSH server) is available for Odyssey readers. It will only work if /boot has not been damaged !!

Hacking Muse

Alejandro Antúnez has hacked basic display/event functions in combination with DirectFB, which helps in developing applications. Code and example are available on GitHub. Many thanks to him.

Legal notices

Providing a jailbreak is not a benign choice. I thought about it for a long time beforehand and tried to find out why Bookeen doesn't want users to access the core system. The only response I got was "It's not scheduled".

Copyright laws are complex and differ in each country. France has its own, called DADVSI (Loi relative au droit d'auteur et aux droits voisins dans la société de l'information), which is the transposition of European directives. It defines DRM and criminal penalties. It can be summarized in a few paragraphs (the law itself is in French) :

Article 13

« Art. L. 331-5. - Effective technical measures intended to prevent or limit uses not authorized by the holders of a copyright or of a right related to copyright in a work, other than software, a performance, a phonogram, a videogram or a programme are protected under the conditions laid down in this title.

« A technical measure within the meaning of the first paragraph means any technology, device or component which, in the normal course of its operation, performs the function provided for in that paragraph. These technical measures are deemed effective when a use referred to in the same paragraph is controlled by the rights holders through the application of an access code, a protection process such as encryption, scrambling or any other transformation of the protected object, or a copy-control mechanism that achieves this protection objective.

A protocol, a format, or a method of encryption, scrambling or transformation does not as such constitute a technical measure within the meaning of this article.

« Technical measures must not have the effect of preventing the effective implementation of interoperability, with due respect for copyright. Providers of technical measures shall give access to the information essential to interoperability under the conditions defined in articles L. 331-6 and L. 331-7.

« Technical measures may not prevent the free use of the work or protected object within the limits of the rights provided for by this code, as well as those granted by the rights holders.

Article 14

« Art. L. 331-7. - Any software publisher, any manufacturer of a technical system and any service operator may, if access to the information essential to interoperability is refused, ask the Regulatory Authority for Technical Measures to guarantee the interoperability of existing systems and services, with due respect for the rights of the parties, and to obtain from the holder of the rights in the technical measure the information essential to that interoperability. From the time the matter is referred to it, the authority has two months to give its decision.

« Information essential to interoperability means the technical documentation and programming interfaces needed to allow a technical device to access, including in an open standard within the meaning of article 4 of law no. 2004-575 of 21 June 2004 on confidence in the digital economy, a work or an object protected by a technical measure and the attached information in electronic form, in compliance with the conditions of use of the work or protected object that were originally defined.

« The authority has the power to impose a financial penalty applicable either where its injunctions are not carried out or where the commitments it has accepted are not honoured. Each financial penalty is proportionate to the extent of the damage caused to the parties concerned, to the situation of the body or company penalised and to any repetition of the practices contrary to interoperability. It is determined individually and with stated reasons. Its maximum amount is 5 % of the highest worldwide turnover excluding tax achieved in one of the financial years closed since the financial year preceding the one in which the practices contrary to interoperability were implemented, in the case of a company, and 1.5 million euros in other cases.

Article 21

« Art. L. 335-2-1. - The following is punishable by three years' imprisonment and a fine of 300 000 EUR :

1° Knowingly publishing, making available to the public or communicating to the public, in any form whatsoever, software manifestly intended for the unauthorized making available to the public of protected works or objects ;

I think it's a good summary. The purpose of this jailbreak is to fully access a computer I OWN without damaging it. In particular, it does not help to get or read illegal content.

Memstats

Tuesday, 29 July 2014
|
Written by
Grégory Soutadé

BSD systems are known to have the highest uptimes, but our favorite GNU/Linux system can do the same if we want. At work my computer has been running for 260 days without any reboot thanks to Ubuntu (LTS 10.04).

This is cool; nevertheless, software left running for a long time consumes a lot of memory (I like to keep terminals and emacs open to save history). Firefox especially uses one to three gigabytes of memory (even in version 30.0). Software not used every day goes to swap and comes back when needed. This process can slow my computer down for minutes (when I unlock my session).

The only solution is to kill these applications and restart them properly. I used to track memory eaters with the "top" command, but it's hard to see at a glance which software is using the most memory.

I had wanted to do it for a long time, and now it's out! I wrote a Perl script called memstats that lists processes by memory usage (and not by CPU usage like top).

It reads information from /proc/PID/stat and /proc/PID/status, so it's very Linux dependent (sorry BSDs...).

memstats output looks like that of "top" (because it's a good one).

soutade@cybelle> memstats
  PID    OWNER  VIRT   RES S       TIME         COMMAND
20098  soutade 3.10g 1.80g S   09:00:59         firefox
 1285     root  526m  259m S 6214:00:04            Xorg
 2555  soutade  862m  200m S 6214:00:10  gnome-terminal
 2113  soutade  827m  181m S 6214:00:20     gnome-panel
20081  soutade  866m  153m S   10:00:12     thunderbird
 2122  soutade 1.97g   98m S 6214:00:20        nautilus
 2192  soutade  591m   86m S 6214:00:13 indicator-apple
20104  soutade 1.07g   42m S   09:00:58          pidgin
26536  soutade  627m   40m S   06:00:22           gedit
 6517  soutade  529m   30m S 2816:00:40           emacs
 2845  soutade  442m   27m S   00:00:50           emacs
22935  soutade  449m   23m S  103:00:06           emacs
 2094  soutade  899m   23m S 6214:00:21        metacity
 2207  soutade  393m   11m S 6214:00:13 indicator-messa
 2762  soutade  114m   10m S   00:00:48          python
 9752  soutade  401m    8m S   96:00:18 gnome-screensav
 2070  soutade  766m    7m S 6214:00:22 gnome-settings-
 2914  soutade   94m    6m R   00:00:00        memstats
 2121  soutade  477m    6m S 6214:00:20 notification-da
 2489  soutade  414m    6m S 6214:00:20 update-notifier
23305  soutade  391m    5m S 5641:00:44 ubuntuone-syncd
 2280  soutade  418m    4m S 6214:00:10 gdu-notificatio
 2061  soutade   22m    4m S 6214:00:22     dbus-daemon
 1973     root  192m    4m S 6214:00:32         lightdm
 6886  soutade  581m    4m S 3797:00:46 gnome-keyring-d
 2134  soutade  539m    4m S 6214:00:19 gnome-fallback-
28423  soutade   85m    4m S   05:00:43            bash
 2389  soutade  335m    4m S 6214:00:00 zeitgeist-daemo
 6080  soutade  332m    4m S 3624:00:44      pulseaudio
 2382  soutade  400m    3m S 6214:00:00 zeitgeist-datah

memstats is licensed under GNU GPL v3 and available in my inDefero forge. Have fun !
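
Reading /proc/PID/stat has one trap: the command name sits between parentheses and is chosen by the process itself, so it can contain spaces and ')'. This added Python example (not the memstats source) parses each line from the last ')' and sorts by resident size as the listing above does. The stat lines are constructed and a 4096-byte page size is assumed.

```python
PAGE_SIZE = 4096  # assumption; on a live system use os.sysconf("SC_PAGE_SIZE")

# Constructed /proc/<pid>/stat lines. The second process has renamed itself to
# "a) R 1 (b" so that a whitespace split reads a forged state and shifted fields.
SAMPLE_STAT = [
    "20098 (firefox) S 1 20098 20098 0 -1 4194304 0 0 0 0 900 100 0 0 20 0 60 0 "
    "5000 3328599654 471859 18446744073709551615",
    "2845 (a) R 1 (b) S 1 2845 2845 0 -1 4194304 0 0 0 0 40 10 0 0 20 0 1 0 "
    "7000 463470592 6912 18446744073709551615",
]


def parse_stat(line):
    """Parse one stat line; comm ends at the LAST ')' because it may contain ')'."""
    pid, _, rest = line.partition(" (")
    comm, _, tail = rest.rpartition(") ")
    f = tail.split()  # f[0] is field 3 (state), so field N is f[N - 3]
    return {
        "pid": int(pid),
        "comm": comm,
        "state": f[0],
        "virt": int(f[20]),             # field 23: vsize, in bytes
        "res": int(f[21]) * PAGE_SIZE,  # field 24: rss, in pages
    }


def human(nbytes):
    """Render sizes the way the memstats listing does (3.10g, 259m)."""
    if nbytes >= 1 << 30:
        return "%.2fg" % (nbytes / (1 << 30))
    return "%dm" % (nbytes >> 20)


def by_memory(stat_lines):
    """Processes sorted by resident size, biggest first."""
    procs = [parse_stat(line) for line in stat_lines]
    return sorted(procs, key=lambda p: p["res"], reverse=True)


if __name__ == "__main__":
    for p in by_memory(SAMPLE_STAT):
        print("%5d %6s %6s %s %s" % (p["pid"], human(p["virt"]),
                                     human(p["res"]), p["state"], p["comm"]))
```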

binstats : Basic statistics on binary code

Monday, 21 April 2014
|
Written by
Grégory Soutadé

As you may know, my work consists of developing software for embedded devices. We usually say that an embedded device is a piece of hardware with low resources (memory, CPU, flash...), taking phones as an example. Nowadays, only the core software of a smartphone is really embedded; the rest is sometimes more powerful than the computer I wrote this post on. But never mind, I don't work in telephony. Here (at Neotion), we do really embedded software, with chipsets clocked from 100MHz to 200MHz, with available RAM from 1MB to 32MB, and flash up to 8MB.

After years of development, one or more programs can become too big to fit in their allocated flash partition. So, to find the guilty functions, I wrote a simple Perl script (~130 lines) that counts the number of instructions in each function from objdump's output (with the -ld switch) and displays statistics per function and per file (it doesn't look at the .data or .bss sections). To use the script correctly, you have to compile your program with the -ggdb option (to have line numbers and file paths), but you can also enable optimisations (-OX).

Example with main.c

#include <stdio.h>

int function1(int a, int b)
{
    return a*b+4;
}

int function2(int a, int b, char* c)
{
    printf("Result %d*%d+4 = %s\n", a, b, c);
    return 0;
}

int main(int argc, char** argv)
{
    char buf[32];
    sprintf(buf, "%d", function1(5, 4));
    function2(5, 4, buf);
}

> gcc main.c -ggdb -o test
> objdump -ld test > test.txt
> ./binstats.pl --in test.txt
Total instructions 63
63 (100.00%) /home/soutade/main.c
    38 main
    16 function2
    9 function1

There are also options to filter out small files, small functions and paths, which help to focus on the big ones. Have fun !
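
The counting described above can be sketched as follows. This is an added Python example, not the author's Perl script: it counts instruction lines per function and per file in objdump -ld output and skips the byte-continuation lines objdump prints for long instructions. The sample dump is constructed, and attributing a function to the first source file listed under it is an assumption.

```python
import re
from collections import Counter

SYMBOL = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")  # 0000000000001139 <main>:
SRCLINE = re.compile(r"^(\S.*?):\d+(?: \(discriminator \d+\))?$")  # /path/main.c:4
INSN = re.compile(r"^\s+[0-9a-f]+:\t[0-9a-f ]+\t\S")  # address, bytes, mnemonic

# Constructed sample shaped like objdump -ld output; 1141 continues movabs.
SAMPLE = """\
0000000000001139 <function1>:
function1():
/home/soutade/main.c:4
    1139:\t55                   \tpush   %rbp
/home/soutade/main.c:5
    113a:\t48 b8 88 77 66 55 44 \tmovabs $0x1122334455667788,%rax
    1141:\t33 22 11
    1144:\tc3                   \tret

0000000000001145 <main>:
main():
/home/soutade/main.c:13
    1145:\t55                   \tpush   %rbp
    1146:\te8 ee ff ff ff       \tcall   1139 <function1>
    114b:\t5d                   \tpop    %rbp
    114c:\tc3                   \tret
"""


def count_instructions(dump):
    """Return (per_function, per_file) Counters of instruction lines."""
    per_func, func_file, current = Counter(), {}, None
    for line in dump.splitlines():
        m = SYMBOL.match(line)
        if m:
            current = m.group(1)
        elif current and SRCLINE.match(line):
            # Assumption: a function belongs to the first file listed under it.
            func_file.setdefault(current, SRCLINE.match(line).group(1))
        elif current and INSN.match(line):
            per_func[current] += 1
    per_file = Counter()
    for func, n in per_func.items():
        per_file[func_file.get(func, "<unknown>")] += n
    return per_func, per_file


def report(dump):
    per_func, per_file = count_instructions(dump)
    total = sum(per_func.values())
    lines = ["Total instructions %d" % total]
    for path, n in per_file.most_common():
        lines.append("%d (%.2f%%) %s" % (n, 100.0 * n / total, path))
    lines += ["\t%d %s" % (n, f) for f, n in per_func.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```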

Lua post dissector for Wireshark

Wednesday, 27 November 2013
|
Written by
Grégory Soutadé


Wireshark (previously Ethereal) is the best open source protocol dissector/analyzer. You can analyze an incredible number of protocols, not only Internet ones, but any stream-based protocol. Moreover, you can add your own filters/dissectors written either in C or in Lua. Nevertheless, the documentation on the net concerning Lua dissectors is light and sparse. It was hard for me to make something that works even though, in the end, it's not really complicated. I'll try to explain the basics of Lua dissectors.

1) Installation

You need a Wireshark build with Lua support (check with wireshark -v). After that, create or edit ~/.wireshark/init.lua. To load a new plugin, just add

dofile("mydissector.lua")

Create the new file ~/.wireshark/mydissector.lua

2) Post Dissector

There are three types of dissectors :

  • Dissector : you add your own protocol
  • Chained dissector : you add new fields to an existing protocol
  • Post dissector : you interact after all packets have been parsed

An example of each can be found here. I'll describe a post dissector, but the other types of dissectors have pretty much the same format.

Tip 1
If you want to display something on the console, just do

print(something)


Tip 2
If the base array is not defined, add this to ~/.wireshark/init.lua

-- Display Bases
base = {
    ["NONE"] = 0,
    ["DEC"] = 1,
    ["HEX"] = 2,
    ["OCT"] = 3,
    ["DEC_HEX"] = 4,
    ["HEX_DEC"] = 5,
}

First, you need to define your protocol : Proto(<internal name>, <displayed name>)

p_dummyproto = Proto("dummyproto","DummyProto")


Then, define your fields : ProtoField.TYPE(<internal name>, <displayed name>, [base], [values], [mask])
TYPE are defined here

-- Simple field without value
local f_X = ProtoField.uint16("dummyproto.f_X","Field X")
-- Simple field displayed in hex format
local f_Y = ProtoField.uint8("dummyproto.f_Y","Field Y", base.HEX)
-- Field with precomputed values and bitfield
local VALS_ZZ = {[0] = "Single", [1] = "Dual"}
local f_Z = ProtoField.uint8("dummyproto.f_Z","Field Z", base.HEX, VALS_ZZ, 0x3)

Third step is to register each field

p_dummyproto.fields = {f_X, f_Y, f_Z}


After that, the big part : protocol dissection. Fields are organized as a tree. You have to parse each byte (or range of bytes) in the given buffer and append your fields. Be careful : objects returned by the :add function have the userdata type and cannot be directly manipulated.

-- Access to another field. Field extractors must be created outside the
-- dissector function
local f_udp_port = Field.new("udp.port")

function p_dummyproto.dissector(buffer, pinfo, tree)
    -- udp.port covers both source and destination ports, so the extractor
    -- returns one FieldInfo per occurrence (none if the packet is not UDP)
    local port_matches = false
    for _, finfo in ipairs({ f_udp_port() }) do
        if finfo.value == 5555 then
            port_matches = true
        end
    end

    -- If it exists and has the right value, and the frame is long enough
    -- for the byte ranges read below
    if port_matches and buffer:len() >= 17 + 14 then
        -- Add our protocol dissection with data in buffer[17, 17+14]
        local subtree = tree:add(p_dummyproto, buffer(17, 14))
        -- Add a subtree to our root for the first two bytes
        local t = subtree:add(f_X, buffer(17, 2))
        -- Add a sub subtree
        local t2 = t:add(f_Y, buffer(17, 1))
        -- Parse sub data
        parse_data(t, buffer, 18)
    end
end

function parse_data(tree, buffer, start)
    -- Wireshark integrates bitop from luajit http://bitop.luajit.org/
    local field_1 = buffer(start, 1):uint()
    field_1 = bit.band(field_1, 0x3)
    -- You can also append free text information to the current field
    if field_1 < 16 then
        tree:append_text(" field information")
    end
end

Finally register your post dissector

register_postdissector(p_dummyproto)


A complete example can be found here. It's a full reimplementation of ARP protocol dissector in Lua.

From Nokia to Android

Thursday, 19 September 2013
|
Written by
Grégory Soutadé


After 6 years of wonderful service I decided to replace my superb Nokia 7373 with a Nexus 4 (thanks to the last price drop). Welcome to the 21st century with a big smartphone running Android. One problem : how to transfer my contacts from Nokia to Android ? After reading some articles on the net I didn't find any simple solution. So I developed a Perl script that converts contacts extracted from Nokia Suite to vCard format (.vcf). The procedure is below :

  • Extract your contacts with Nokia Suite into a CSV file
  • Run this script (you can see help with -h switch)
  • Copy vcf files to your phone (you can copy them in DCIM directory if you have a Nexus 4, it works)
  • Go to "contact" application and import all vcf files

Now you can use your mobile phone as before. Personally, I deactivated contact synchronisation because I do not want to give my friends' phone numbers to Google (even if I suppose it already has them). *Beware* this script has been developed for French people : the default call prefix is +33 (you can change it) and cell phone numbers start with 6 in France (you can change it). If you're in another country you may have to tweak it. Currently it can extract first name, last name, phone numbers and email. Have fun !
