Five years ago, I bought a Supernote A5. It was (and mostly still is) a great device for reading and writing on an eInk display, and it runs plain old linux.

The deciding reason I went for this device instead of the competition is that I was “under the impression” that they were about to enable full SSH access to the device! Awesome!

“Why were you under that impression?”, I hear the skeptics ask. Well, their spokesperson has stated that they would do so. Via mail, and on reddit, publicly, multiple times. I was still torn, so I sent them a DM, asking if this was indeed factual. “Yes”, they said, “the next quarterly update will enable SSH access!”.

Great!

Well, it’s been 5 years. They did not follow through. A couple updates were published, none contained the promised functionality, the spokesperson stopped answering questions about SSH. The last software update I received is from 2.5yrs ago. Mentions of the original Supernote A5 have largely been scrubbed from their website.

Let me be clear, the device still functions perfectly. But it is in danger of becoming e-waste because it is so needlessly complicated to get stuff on the device. I’m currently in need of an ebook reader with (ideally) OPDS capability, and I am pretty confident I’d be able to get something like koreader running on this, or at least just run a script to sync files over SSH. Also, I frankly feel wounded in my pride having a Linux device in my possession which refuses to do my bidding (I’m joking of course, but also I am 100% serious).

Here’s all I know:

  • plugging it in via USB, the device reads as an MTP device, with access only to the documents/books/… stored on it
  • you can place an update.zip file (obtained from the SN website) into the root of that MTP directory, and upon reboot, the device will update. To me, this appears to be the most promising route of gaining access.
  • unfortunately, the zip file is encrypted. The decryption key clearly has to be known to the device, but since I have no access to it,…

I’m a software engineer, but I have zero knowledge of the “dark arts”, so to speak. If anyone could help me (or point me into the right direction!), I would really be grateful. I don’t want this (generally nice) product to turn into a paperweight instead of a paper replacement :(

  • 0v0@sopuli.xyz
    1 month ago

    The attack worked, the password is cmF0dGEK.

    This was obtained by generating 32 possible plaintexts for the first 10 bytes of system.zip (based on the different values in the headers of ~300 zip files on my system), plus three null bytes for the high bytes of compressed size, file name length and extra field length.
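To show what makes that plaintext guessable, here is an added example (not code from the thread): it writes a few constructed sample archives with Python's zipfile module and collects the distinct 10-byte local-file-header prefixes, the way the comment above did over ~300 real archives. The predictable bytes are exactly what legacy ZipCrypto cannot hide when the encrypted member is itself a ZIP file, which is why that scheme is a poor choice for protecting a firmware package.

```python
import io
import zipfile

# Byte layout of a ZIP local file header (PKZIP APPNOTE section 4.3.7):
# 0-3 signature, 4-5 version needed, 6-7 flags, 8-9 method, 10-13 mod time/date,
# 14-17 CRC-32, 18-21 compressed size, 22-25 uncompressed size,
# 26-27 file name length, 28-29 extra field length.
LFH_SIGNATURE = b"PK\x03\x04"
PREFIX_LEN = 10                     # bytes a writer picks from a small fixed set
LIKELY_ZERO_OFFSETS = (21, 27, 29)  # high bytes of size/length fields: zero for small members


class _NoSeek(io.BytesIO):
    """In-memory stream that refuses to seek, so zipfile emits the
    data-descriptor variant of the header (flag bit 3 set)."""
    def seek(self, *args):
        raise io.UnsupportedOperation("seek")


def build_sample_zips():
    """Constructed sample archives (not files from the device): one payload,
    written with different settings so the headers vary the way they do
    across archives collected from a real system."""
    samples = []
    for method in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
        for stream_cls in (io.BytesIO, _NoSeek):
            buf = stream_cls()
            with zipfile.ZipFile(buf, "w", compression=method) as zf:
                zf.writestr("system.zip", b"firmware payload " * 64)
            samples.append(buf.getvalue())
    return samples


def header_prefix(archive):
    if archive[:4] != LFH_SIGNATURE:
        raise ValueError("not a ZIP local file header")
    return archive[:PREFIX_LEN]


def candidate_plaintexts(zips):
    """Distinct 10-byte header prefixes seen in the sample set: each is a
    plausible plaintext for the first 10 bytes of an encrypted member that is
    itself a ZIP file."""
    return sorted({header_prefix(z) for z in zips})


def known_zero_bytes(zips):
    """Offsets among LIKELY_ZERO_OFFSETS that were zero in every sample."""
    return tuple(off for off in LIKELY_ZERO_OFFSETS
                 if all(z[off] == 0 for z in zips))
```

With only two compression methods and two header variants the sample set yields four candidates; a real collection of archives adds more version and flag combinations, which is how the comment arrived at 32.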

    • smiletolerantly@awful.systems OP
      1 month ago

      No way!! You’re the goat. I spent the day trying to get behind how the cracking worked by making simple examples, and you just… Solve the puzzle :D

      Awesome, thank you so much!! I’ll update this thread if this leads to something :D

      • MTK@lemmy.world
        1 month ago

        Check out the file update.zip > system.zip > zImage

        It’s the image for the device probably, check this guide out

        https://jamchamb.net/2022/01/02/modify-vmlinuz-arm.html

        You can probably get some sort of boot script implanted in there, or even just load the image in a vm, modify it, and recreate it.

        You might also need to modify the install script there since it seems to check if the update already exists and it might not run thinking you are up to date.

      • IsoKiero@sopuli.xyz
        1 month ago

        I did quickly check the files on update.zip and it looks like they’re tarballs embedded in a shell script and image files including pretty much the whole operating system on the thing.

        You can extract those even without a VM and do whatever you want with the files and package them back up, so, you can override version checks and you can inject init.d scripts, binaries and pretty much everything to the device, including changing passwords to /etc/shadow and so on.

        I don’t know how the thing actually operates, but if it isn’t absolutely necessary I’d leave the bootloader (appears to be uboot) and kernel untouched, as messing up those might end up with a bricked device, and then easy options are broken and you’ll need to try to gain access via other means, like interfacing directly with the storage on the device (which most likely includes opening the thing up and wiring something like an arduino or a serial cable to it).

        But beyond that, once you override version checks, it should be possible to upload the same version number over and over again until you have what you need. After that you just need suitable binaries for the hardware/kernel, likely some libraries from the same package and an init-script, and you should be good to go.

        The other way you can approach this is to look for web server configurations from the image and see if there’s any vulnerabilities (like apache running as root and insecure script on top of that to inject system files via http), which might be the safest route at least for a start.

        I’m not really experienced in things like this, but I know a thing or two about linux, so do your homework before attempting anything, good luck and have fun while tinkering!
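For the "tarballs embedded in a shell script" layout described above, here is an added example (not the update script itself, whose exact format the thread does not show): it builds a constructed stand-in installer in memory, locates the embedded tar archive by its `ustar` magic, validates the header checksum so a stray `ustar` string in the script text is not mistaken for an archive, and lists the members without running the script. Inspecting the payload this way is how you would check what an update would write before deciding whether to touch it.

```python
import io
import tarfile

TAR_MAGIC = b"ustar"   # at offset 257 of every POSIX tar header block
BLOCK = 512


def build_sample_installer():
    """Constructed stand-in for a self-extracting installer (not the device's
    real update script): a shell preamble followed by a raw tar payload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, body in (("etc/version", b"1.0.0\n"),
                           ("etc/init.d/S99hello", b"#!/bin/sh\necho hi\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    preamble = b"#!/bin/sh\n# constructed preamble: would unpack what follows\nexit 0\n"
    return preamble + buf.getvalue()


def _header_checksum_ok(block):
    """A tar header stores the byte sum of the block (checksum field read as
    spaces) as octal at offset 148; use it to reject false 'ustar' hits."""
    if len(block) < BLOCK:
        return False
    stored = block[148:156].split(b"\0")[0].strip()
    try:
        want = int(stored, 8)
    except ValueError:
        return False
    total = sum(block[:148]) + 8 * 0x20 + sum(block[156:BLOCK])
    return total == want


def find_tar_offset(blob):
    """Offset of the first valid tar header block inside the script, or -1."""
    pos = blob.find(TAR_MAGIC)
    while pos >= 0:
        start = pos - 257
        if start >= 0 and _header_checksum_ok(blob[start:start + BLOCK]):
            return start
        pos = blob.find(TAR_MAGIC, pos + 1)
    return -1


def list_payload(blob):
    """Member names of the embedded tarball, read in place; [] if none found."""
    off = find_tar_offset(blob)
    if off < 0:
        return []
    with tarfile.open(fileobj=io.BytesIO(blob[off:]), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]
```

A compressed payload (tar.gz) would need the gzip member located and decompressed first; the checksum check above only applies to a raw tar stream.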