<h1 id="Kobo%20Clara%20Notes">Kobo Clara Notes</h1>

<p>Last Updated: 2021-02-15</p>

<p>My ereader of choice is the Kobo Clara HD and I particularly like it because my

eyes hurt less when reading for long periods of time compared to when I read on

my phone or when I still had my iPad. It also had much longer battery life and

only need to charge it about once every two weeks when I read for about 4 hours

on average daily.</p>

<p>However, the two notable things I don&#39;t like about it is it&#39;s included

telemetry, like using Google Analytics by default and keeping a unique salt</p>

<p>Spyware&#47;Anti-Features:

* You may or may not like this, I personally hate it

* I don&#39;t like the new redesign in firmware v4.23.15505</p>

<p>I&#39;m also assuming your Kobo reader and it&#39;s SD card&#39;s device file would be

would located at &#47;dev&#47;sdf and be mounted at &#47;mnt&#47;kobo.</p>

<h1 id="Upgrade&amp;#47;Backup%20Included%20SD%20Card">Upgrade&#47;Backup Included SD Card</h1>

<p>While the included 8GB microSD card is decent for storing your ebook library

that may not have a lot of images, that would likely not be enough if you were

aiming to read some comics on your ereader as they can be pretty big (quite a

few of mine are over a gigabyte, with some over 8). Luckily, you can replace

the microSD card with another one. </p>

<p>Before upgrading, you should backup the SD card to into an image file so the

filesystem would be preserved when putting the contents of the image on the new

SD card. I&#39;m using the command <code>dd</code> but there might be another program doing

the same thing. Even if you&#39;re not going to upgrade, I still suggest to backup

the SD card in case something goes wrong.</p>

<pre><code class="language-sh">dd if=&#47;dev&#47;sdf of=kobo_sd.img conv=sync

</code></pre>

<p>After this is done, you can plug in your new SD card and reimage kobo_sd.img

onto it. With dd, you can do something like:</p>

<pre><code class="language-sh">dd if=kobo_sd.img of=&#47;dev&#47;sdf conv=sync

</code></pre>

<p>Checking it&#39;s partition table via <code>lsblk</code> or <code>fdisk -l</code> should show three

partitions. If you replaced the SD card with something bigger, than you should

resize the third partition.</p>

<h1 id="Bypassing%20Registration%20On%20Setup">Bypassing Registration On Setup</h1>

<p>When setting up your Kobo, you will be asked to sign into a Kobo account. There

are other options like logging in via Google, Walmart, and other stores, but I

don&#39;t like having to login to a device that would likely not be connected to

the public internet. Fortunately, you can bypass this by choosing that you

cannot connect to a Wi-Fi network and mount your Kobo to your computer. In,

<code>.kobo&#47;KoboReader.sqlite</code>, you can run:</p>

<pre><code class="language-sh">echo "INSERT INTO user(UserID,UserKey) VALUES(&#39;1&#39;,&#39;&#39;);" \

| sqlite3 KoboReader.sqlite

</code></pre>

<p>This way you don&#39;t have to install their application just to be able to use

your device.</p>

<p>Note: Do not try doing this when you still have your SD card mounted before you

setup your device. The device&#39;s screen would likely not update, at least on an

early firmware version like v4.7.10733.</p>

<h1 id="Blocking%20Google%20Analytics%20and%20other%20Telemetry">Blocking Google Analytics and other Telemetry</h1>

<p>Just adding <code>0.0.0.0 analytics.google.com</code> to &#47;etc&#47;hosts may be enough to block

most of the telemetry from being sent. However, you can try intercepting what

connections your Kobo is making via mitmproxy set to transparent mode or using

a hosts file that blocks all connections to Google (but not necessarily to

Kobo&#39;s servers) like <a href="https://codeberg.org/baobab/hosts">Baobab&#39;s host file</a>

<a href="https://codeberg.org/baobab/hosts/raw/branch/master/hosts">(raw file here)</a>.</p>

<p>To put the hosts file without root (which will be detailed in another section),

you can make a directory called etc, put the hosts file in there, and tar it

into a file called KoboRoot.tgz.</p>

<pre><code class="language-sh">mkdir etc

wget -O etc&#47;hosts https:&#47;&#47;codeberg.org&#47;baobab&#47;hosts&#47;raw&#47;branch&#47;master&#47;hosts

tar czvf KoboRoot.tgz etc

cp KoboRoot.tgz &#47;mnt&#47;kobo&#47;.kobo&#47;

</code></pre>

<p>When you move a tar file with that name into your Kobo&#39;s .kobo folder, it&#39;s

contents gets untarred into it&#39;s root at &#47; when the device is turned on again,

which is usually done for their updates but can be used for custom files like

this and gaining root access.</p>

<h1 id="Gaining%20Root%20Access%20via%20Telnet">Gaining Root Access via Telnet</h1>

<p>To gain root access, we first need to get the <code>&#47;etc&#47;inittab</code> and

<code>&#47;etc&#47;inetd.conf</code> which you can get from mounting the SD card&#39;s first partition

into your computer (the second partition seems to be like a backup). You should

copy those two files into a folder called <code>etc</code> somewhere (probably not on the

SD card).</p>

<p>In the <code>etc&#47;inittab</code> file, you should add these two lines:</p>

<pre><code>::sysinit:&#47;etc&#47;custominit.sh

::respawn:&#47;usr&#47;sbin&#47;inetd -f &#47;etc&#47;inetd2.conf

</code></pre>

<p>You would want to rename the etc&#47;inetd.conf file you copied into

etc&#47;inetd2.conf (or whatever the custom inetd.conf&#39;s filename is) and when

editing that, you should add:</p>

<pre><code>23 stream tcp nowait root &#47;bin&#47;busybox telnetd -i

</code></pre>

<p>However, if there is already a commented line for root telnet in the

inetd2.conf, you should probably still add the above line and ignore the

commented line as that may or may not work (didn&#39;t for me).</p>

<p>After that, you just have to tar the <code>etc&#47;</code> folder again and copy it to your

Kobo&#39;s onboard&#47;third partition&#39;s <code>.kobo</code> folder.</p>

<pre><code class="language-sh">tar czvf KoboRoot.tgz etc

cp KoboRoot.tgz &#47;mnt&#47;kobo&#47;.kobo&#47;

</code></pre>

<p>Now you could put your SD card back into your Kobo provided that they are

already unmounted and turn your Kobo back on.</p>

<p>After connecting to the WiFi, simplying telnetting (?) into your Kobo and

logging in as root should give you a root shell. :D

<code>

telnet $KOBO_IP

</code></p>

<p>By default, root has no password so you should change it with <code>passwd</code>.</p>

<h1 id="Getting%20SSH%20and%20SFTP%20access%20via%20Dropbear">Getting SSH and SFTP access via Dropbear</h1>

<p>I&#39;m using Dropbear instead of OpenSSH because it&#39;s better suited for embedded

hardware like the Kobo Clara HD. Obviously we can&#39;t copy a binary compiled for

amd64 or whatever architecture your compiling computer is running so we would

have to cross-compile for our ereader.</p>

<p>Fortunately, we are not required to cross-compile gcc&#47;clang and friends as we

can simply download the linaro arm toolchain which has the binaries for gcc and

others included. You could get the toolchain <a href="https://releases.linaro.org/components/toolchain/binaries/latest-7/arm-linux-gnueabihf/">here</a>

and you should get the release that matches your host&#39;s architecture. After

untarring the file, you should also set your PATH variable to the toolchain&#39;s

bin&#47; folder so you don&#39;t have to manually set the CC and CXX variables when

building Dropbear.</p>

<pre><code>wget https:&#47;&#47;releases.linaro.org&#47;components&#47;toolchain&#47;binaries&#47;latest-7&#47;arm-linux-gnueabihf&#47;gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf.tar.xz

tar xvf gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf.tar.xz

export PATH=$(pwd)&#47;gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf&#47;bin:$PATH

</code></pre>

<p>Now you could get the source for Dropbear and cross-compile it. The source can

be found on their <a href="https://matt.ucc.asn.au/dropbear/dropbear.html">homepage (cuckflared)</a> or <a href="https://github.com/mkj/dropbear/releases">github repo</a>.</p>

<pre><code>wget https:&#47;&#47;matt.ucc.asn.au&#47;dropbear&#47;releases&#47;dropbear-2020.81.tar.bz2

tar xvf dropbear-2020.81.tar.bz2

cd dropbear-2020.81

.&#47;configure --enable-static --host=arm-linux-gnueabihf # these two are the important flags, but other flags can be enabled&#47;disabled

make MULTI=1 PROGRAMS"dropbear dropbearkey" # MULTI=1 combines the binaries like busybox does and is also smaller in size

</code></pre>

<p>Now you only need to copy the <code>dropbearmulti</code> binary over to your Kobo. What

I&#39;ve done is running <code>python3 -m http.server</code> and downloading the file onto my

Kobo but you could also just copy it onto the microSD card.</p>

<pre><code>wget your.computer.ip.or.fqdn:8000&#47;dropbearmulti

chmod +x dropbearmulti

mv dropbearmulti &#47;usr&#47;bin

cd &#47;usr&#47;bin

ln -s dropbearmulti dropbear # optional but dropbear would be an argument for dropbearmulti

ln -s dropbearmulti dropbearkey # optional and similar to above comment

</code></pre>

<p>Now you only need to generate the host keys. My client key is ed25519 so I&#39;m not

going to generate the others.</p>

<pre><code>mkdir &#47;etc&#47;dropbear

dropbearkey -t ed25519 -f &#47;etc&#47;dropbear&#47;dropbear_ed25519_host_key # or just run include the -R flag when running dropbear

dropbear -F -r &#47;etc&#47;dropbear&#47;dropbear_ed25519_key

</code></pre>

<p>Now you could ssh into your Kobo and login as root. Remember to change root&#39;s

password beforehand though if you haven&#39;t already! I suggest copying your

public key to your Kobo via ssh-copy-id so you don&#39;t have to enter root&#39;s

password all the time and so password-based logins can be disabled in dropbear.</p>

<p>To start it on boot, you could add the following line to <code>&#47;etc&#47;inetd2.conf</code>:</p>

<pre><code>22 stream tcp nowait root &#47;usr&#47;bin&#47;dropbearmulti dropbear -i -r &#47;etc&#47;dropbear&#47;dropbear_ed25519_key

</code></pre>

<p>For some reason, the symlink wasn&#39;t resolving for me inetd so I had to call the

multi-binary directly. You could also add the command&#47;args into

&#47;etc&#47;custominit.sh.</p>

<h1 id="FTP%20Access">FTP Access</h1>

<p>If you don&#39;t or can&#39;t use sftp or scp for some reason, there&#39;s always ftp :D

There&#39;s a ftp daemon included in busybox so all we have to do is enable it in

<code>&#47;etc&#47;inetd2.conf</code>:</p>

<pre><code>21 stream tcp nowait root &#47;bin&#47;busybox ftpd -w -S &#47;

</code></pre>

<p>This would share the entire filesystem so you may or may not want to restrict

the shared directory to maybe just your ebook directory (<code>&#47;mnt&#47;onboard</code>) and

move the files out via telnet or ssh.</p>

<h1 id="Monitoring%20Connections%20via%20mitmproxy">Monitoring Connections via mitmproxy</h1>

<p>TODO</p>

<h1 id="References%20and%20Other%20Links">References and Other Links</h1>

<p><a href="https://remy.grunblatt.org/kobo-aura-h2o-electronic-reader-hacking.html">0</a>

<a href="https://yingtongli.me/blog/2018/07/30/kobo-rego.html">1</a>

<a href="https://www.mobileread.com/forums/showthread.php?t=162713">2</a>

<a href="https://wiki.mobileread.com/wiki/Kobo_Touch_Hacking">3</a></p>