- According to this document
http://docs.blackberry.com/en/admin/...001-1.0-US.pdf
How the tablet verifies the boot ROM code
The BlackBerry� PlayBook™ tablet uses an authentication method that is designed to verify that the boot ROM code is permitted to run on the tablet. The manufacturing process installs the boot ROM code in the memory on the tablet and the RIM signing authority system uses an RSA� public key to sign the boot ROM code. The tablet stores information that it can use to verify the digital signature of the boot ROM code.
When a BlackBerry PlayBook tablet user turns on a tablet, it runs internal ROM code that reads the boot ROM from memory and verifies the digital signature of the boot ROM code using the RSA public key. If the verification process completes, the boot ROM is permitted to run on the tablet. If the verification process cannot complete, the tablet stops running.
Ths should answer the OP question
EDIT: Are we allowed to post links? Time to check forum rules. If we are im making a thread with a link to an xda thread so we can possible gain someones interest by the volume of posts... maybe?Last edited by Meltbox360; 08-12-11 at 12:09 AM.
08-11-11 11:51 PMLike 0 - I'm sure it will be broken somehow . As one poster said once physical access is given to a device , eventually given enough time , money and manpower/brainpower is applied to breaking it , it will be broken into.
I can bet your bottom dollar some government agencies are probably trying this as we speak.08-12-11 12:32 AMLike 0 - Re: Can the Playbook be rooted?
Ans: Definitely it can. If it is made by human beings, it can be modified or changed by another human beings.
But the next questions would be, "why?". You see, before another human beings get interested in modifying some creation done by another human beings, he/she must have "valid" reasons and of course, enough resources...08-12-11 02:49 AMLike 0 - Well, not solely. Usually "security through obscurity" implies that one actually has little or no security except what obscurity provides.
In the PlayBook's case, it's just a "wee" bit more secure than that. Let's just say that obscurity is buying them a little extra security at the moment.
Somehow I don't think they designed it to rely on that. ;-)08-12-11 11:02 AMLike 0 - Yes I'm sure NIST granted FIPS approval to the Playbook in a couple months from submission and not the iPad since it came out because they thought no one would buy the Playbook and too many had the iPad for it to ever be secure!08-12-11 11:16 AMLike 0
- Hmm, and the thread gets brought back to life! Let me ask this, what exactly would someone want to accomplish with the PB once it was "rooted"? Rooting a device and loading a new ROM / boot image are two entirely different things. The bootloader on the PB is nicely locked down and I don't see that door being opened up any time soon.
Just running applications or shell under the root context only allows you access to the existing data on the file system. Even if you extracted the boot image (PB uses UBoot), you wouldn't be able to get the modified image to load because of the signing requirements mentioned earlier.
Normally the main reason for rooting is so you can load system applications that didn't come preloaded or loadable kernel modules, etc. On the PB I really don't see a good reason for this as I doubt anyone would take on the task for example of tweaking or replacing the AIR runtime on the tablet. It's not like the android market where we have many different flavors of devices to pull bits of pre-built applications onto a device that didn't have it.
We can already load whatever applications we want to on it through development mode, there are a few different methods of extracting installed applications back to a loadable BAR file (which is minimally good for anything but piracy), what else would people be looking to do with this root access?
It was asked before if I was referring to the pre-built script files and whatnot on the PB, those are interesting but hardly a location for exploitation. Get the PB file system in a location where you can freely examine all of the files and libraries and then use a program like IDA to disassemble those files. If you're familiar with assembly then you just need to get yourself an ARM instruction set guide to follow along and make your changes.(ARM instruction set info: http://infocenter.arm.com/help/index...ure/index.html) Is any of this easy? He11 no, but its also not impossible.
What are some reasons you all have for wanting to gain root access to the device? Especially when they're still in the middle of large scale software overhauls to the platform, it's kind of like ice skating uphill at this point. And personally I'm not a fan of the cat and mouse game, especially when there isn't much of a prize at the finish line.Last edited by HaTaX; 08-12-11 at 02:27 PM.
08-12-11 02:23 PMLike 0 - I realize that was really long winded, and the crux of it was this question, does the benefit of rooting outweigh the negative aspects of it? I for one do not want RIM focusing on anything software related with the PB unless it involves the NDK, or the other promised applications that have yet to materialize. Once a method for rooting goes public, you can expect them to be all over that like flies on a hot pile of sh...tuff.08-12-11 02:51 PMLike 0
-
- Yeah, only changed my tune a bit, and maybe tomorrow I'll be feeling different.
Decided to extract a few of the files out of the PB, this is a pretty nifty script.
Code:################################################# # This file is autogenerated from the deployment # description, DO NOT EDIT # Last Change: $Id$ ################################################# bluetooth_omap_common () { case ${1} in start) devc-seromap-winbt -U 510:99 -I8192 -O8192 -a -E -t56 -T16 -f -b115200 -c48000000/16 0x4806c000^2,105; waitfor /dev/ser2; io-bluetooth -U 512:0 & waitfor /dev/io-bluetooth/btmgr 10; on -d pps-bluetooth -U 513:0 -n PlayBook; devc-seriobt -U 511:0 -tdun -u2 -c -o devperm=0660 ;; stop) Terminate devc-seriobt; Terminate pps-bluetooth; IOBTPID=`pidin -p io-bluetooth -fa | grep -v pid`; slay -fQ io-bluetooth; wait $IOBTPID; Terminate devc-seromap-winbt ;; esac } camera_mkdir () { CAMERA_DIR=${MEDIA_DIR}/camera; [ -d ${CAMERA_DIR} ] || mkdir -p ${CAMERA_DIR} } check_sanity () { if (( ${1?} < 999 )); then op='test'; else op='last'; fi; region0=${HDIFS0+"/dev/${HDIFS0}"}; region1=${HDIFS1+"/dev/${HDIFS1}"}; sanityChecking ${op} ${region0:-"NONE"} ${region1:-"NONE"} ${OFFSET_IFS0:-"-1"} 4 /proc/boot/sanity ${1?} /proc/boot/sanity.cfg || Warning "sanityChecking ${1} returned $?" } Error () { print "\033[1;30m[ \033[1;31mError\033[0m $* \033[1;30m]\033[0m" 1>&4 } Fatal () { print "\033[1;30m[ \033[1;31mFatal\033[0m $* \033[1;30m]\033[0m" 1>&4; exit 1 } filesystem_common () { ${BASEFS}/scripts/rootfs.sh; ln -Pfs /base/bin /bin; ln -Pfs /base/sbin /sbin; ln -Pfs /base/lib /lib; ln -Pfs /base/usr /usr; ln -Pfs /base/opt /opt; ln -Pfs /base/etc /etc; ln -Pfs /var/etc/id /etc/id; ln -Pfs /var/etc/dhcpd_urndis.leases /etc/dhcpd_urndis.leases; ln -Pfs /var/etc/dhcpd_usbdnet.leases /etc/dhcpd_usbdnet.leases; ln -Pfs /var/etc/iked.conf /etc/iked.conf; ln -Pfs /var/etc/wpa_supplicant.conf /etc/wpa_supplicant.conf; ln -Pfs /var/etc/system/config/audio /etc/system/config/audio; ln -Pfs /var/etc/system/config/debug_host.conf /etc/system/config/debug_host.conf; ln -Pfs /var/etc/ssh /etc/ssh; ln -Pfs /base/scripts /scripts; ln -Pfs /base/usr/hmi/sys.navigator /apps/sys.navigator; ln -Pfs /base/usr/hmi/sys.systemtray /apps/sys.systemtray; ln -Pfs /base/air /air; rm -rf /var/tmp; mkdir /var/tmp; chmod a+wrXt /var/tmp; [ -d /var/run ] || mkdir -m 0770 /var/run; [ -d /var/flmso ] || mkdir -m 0770 /var/flmso; ln -Pfs ${DEFAULT_ACCOUNT}/db /db; ${BASEFS}/scripts/startup-support/migrate_rootfs.sh ${OS_VERSION} } filesystem_encrypt () { fsencrypt -c setup -k:1:1:0:fsec-sys.so:/; [ -d /var/etc/netsecure ] || mkdir /var/etc/netsecure; chmod 770 /var/etc/netsecure; fsencrypt -c set -d 1 -p /var/etc/netsecure; for object in wpa_pps.conf vpn_pps.conf wifi_cert www; do if [ -e /var/etc/${object} ]; then cp -rf /var/etc/${object} /var/etc/netsecure; rm -rf /var/etc/${object}; fi; ln -Pfs /var/etc/netsecure/${object} /etc/${object}; done; if [ ! -e "/var/etc/netsecure/tethering/profiles" ]; then mkdir -m 770 -p "/var/etc/netsecure/tethering"; touch "/var/etc/netsecure/tethering/profiles"; chmod 660 "/var/etc/netsecure/tethering/profiles"; fi; [ -d /var/keymgr ] || mkdir /var/keymgr; chmod 0775 /var/keymgr; fsencrypt -c set -d 1 -p /var/keymgr } final_common () { [ -d /var/db/samba ] || mkdir -m 0770 -p /var/db/samba; [ -d /var/run/samba ] || mkdir -m 0770 -p /var/run/samba; [ -d /var/tmp/dtm ] || mkdir -m 0770 -p /var/tmp/dtm; [ -e /var/db/dhclient.leases ] || touch /var/db/dhclient.leases; chmod 0660 /var/db/dhclient.leases; [ -e /var/db/dhclient6.leases ] || touch /var/db/dhclient6.leases; chmod 0660 /var/db/dhclient6.leases; if [ -f /pps/system/ppsnetd/control ]; then Starting "ppsnetd listener"; print 'msg::start' >> /pps/system/ppsnetd/control; fi; /scripts/samba/smbconf.sh; SAMBA_CONFIG=`grep 'netbios_init_done' /pps/services/samba/smb`; if [[ "${SAMBA_CONFIG}" != "netbios_init_done::1" ]]; then DEVICEPIN=`cat /pps/system/nvram/deviceinfo | grep 'PIN::' | cut -d':' -f3`; PINLEN=${#DEVICEPIN}; PBNAME="PLAYBOOK-`echo $DEVICEPIN | cut -c $((${PINLEN}-3))-${PINLEN}`"; sed -i "s/\(netbios name[[:space:]]*=[[:space:]]*\)\([^[:space:]]*\)\$/\1${PBNAME}/" /accounts/1000/sys/samba/smb.conf; echo "netbios_init_done::1" >> /pps/services/samba/smb; fi; grep "autorun::1" /pps/system/navigator/config; if [ "$?" = 0 ]; then on -d /scripts/samba/smbcert.sh; fi; find /var/log -name \*.core -mtime +20 -remove!; BOOT_END_TIME=${SECONDS}; TOTAL_BOOT_TIME=$((BOOT_END_TIME - BOOT_START_TIME)); Print "==============================================="; Print "Startup Completed in ${TOTAL_BOOT_TIME} seconds"; Print "==============================================="; sleep 10 } final_sanity () { typeset act req max; act=$(pps_value /pps/system/nvram/osregion 'ActualBootRegion'); req=$(pps_value /pps/system/nvram/osregion 'RequestedBootRegion'); check_sanity 999; max=$(pps_value /pps/system/nvram/osregion 'MaxBootCount'); if [[ $max == 0 ]]; then if [[ $act == $req ]]; then print "[n]BootUp::booted"; else print "[n]BootUp::rollback"; fi; /usr/sbin/sud.sh --setup-only; else print "[n]BootUp::insane"; fi >> /pps/system/nvram/osregion } launcher_start () { local nav_config="/pps/system/navigator/config"; [ -e ${BASEFS}/scripts/startup-support/authman.verify ] && ${BASEFS}/scripts/startup-support/authman.verify; if [ "${FACTORY_MODE}" == "1" ]; then echo "autorun::0" >> "${nav_config}"; touch /.factorymode; else if [ -e /.factorymode ]; then echo "autorun::1" >> "${nav_config}"; rm /.factorymode; fi; fi; grep "autorun::1" "${nav_config}"; if [ ${?} == 0 ]; then reset_navigator_icon_order; fi; [ -x ${BASEFS}/bin/setfacl ] && ${BASEFS}/bin/setfacl -m user:89:rw /pps/system/development/control; on -d softlimit -w 970 launcher -U 89:0 -p / -v -b ${1} 2>&1 | on -d -u logger multilog t ${LOGDIR}/launcher } launcher_stop () { NAVCTRL=/pps/system/navigator/control; exec 5<> ${NAVCTRL}; echo "msg::terminateAll" 1>&5; COUNT=0; while [ ${COUNT} -lt 5 ]; do cat 0<&5 | grep -q Terminated; if [ ${?} == 0 ]; then echo "All Apps Terminated"; break; fi; sleep 1; COUNT=$((COUNT+=1)); done; exec 5>&-; Terminate navigator; Terminate launcher } mixer_common () { case ${1} in start) WAITFOR "/dev/snd/mixerC0D0" /dev/snd/mixerC0D0; on -d pps-mixer ;; stop) Terminate pps-mixer ;; esac } mmrenderer_start () { WAITFOR "/pps/services/audio/devices" /pps/services/audio/devices; rm -Rf /pps/services/multimedia/renderer/context; rm -Rf /pps/services/multimedia/renderer/component; on -d mm-renderer -c -U 520 } mmrenderer_stop () { Terminate mm-renderer } pps_common () { PPSDIR="/pps"; PPSPDIR="/var/pps"; case ${1} in start) if ! slay -f -sNULL pps; then return 0; fi; WAITFOR "${PPSPDIR}" ${PPSPDIR}; [ -d ${PPSPDIR} ] || mkdir -p ${PPSPDIR}; rm -rf ${PPSDIR}; pps -U 99:0 -C -t 300000 -p ${PPSPDIR} -l 2; WAITFOR "pps" ${PPSDIR} 90; ${BASEFS}/scripts/startup-support/migrate_pps.sh ${OS_VERSION}; CC_VAL=$(grep "^lang_countryCode:" "/pps/system/settings"); if [ -z "${CC_VAL}" ] || [ "${CC_VAL}" == "lang_countryCode::" ]; then echo "autorun::1" >> "/pps/system/navigator/config"; rm -rf /accounts/1000/appdata/sys.firstlaunch*; fi; [ -d "${PPSDIR}/system/nvram" ] || mkdir -p "${PPSDIR}/system/nvram"; if ! slay -f -sSIGUSR1 nvram_resource_manager; then WAITFOR "NVRAM deviceinfo not present" "${PPSDIR}/system/nvram/deviceinfo"; WAITFOR "NVRAM osregion not present" "${PPSDIR}/system/nvram/osregion"; if cat /pps/system/nvram/deviceinfo | grep -q "InProduction:b:true"; then echo "Enabling Factory Mode"; FACTORY_MODE=1; fi; fi; echo '[n]dev_mode_enabled:b:false' >> ${PPSDIR}/system/development/devmode; ln -Pfs /pps/system/air/nativeWindows /base/air/nativeWindows; ln -Pfs /pps/system/air/nativeExtensions /base/air/nativeExtensions ;; stop) Terminate pps ;; esac } pps_value () { cat ${1?} | grep "^${2?}:" | { IFS=: read n e v; print $v } } Print () { print ${1+"$@"} 1>&3 } Reloading () { Print "\033[1;30m[ \033[1;32mReloading\033[0m $* \033[1;30m]\033[0m" } reset_navigator_icon_order () { local nav_data="/accounts/1000/appdata/sys.navigator/data"; if [ -e "${nav_data}" ]; then rm -rf "${nav_data}"/*; fi } Restarting () { Print "\033[1;30m[ \033[1;32mRestarting\033[0m $* \033[1;30m]\033[0m" } sapphire_enabled () { SQUIDLET_ADDR="127.0.0.2:187"; BB_ADDR="127.0.0.2:188"; BES_ADDR="127.0.0.2:189"; BIS_ADDR="127.0.0.1:187"; BBSD_CACHE="/accounts/1000/sysdata/sapphire/sdcache"; BBSD_SPLIT_CACHE="/accounts/1000-corp/sysdata/sapphire/sdcache"; BBSD_MOUNT_POINT="/BlackBerry"; BBSD_WEBDAVADDR="${BB_ADDR}"; SQUIDLET_CACHE="/accounts/1000/sysdata/sapphire/squidcache"; SQUIDLET_SPLIT_CACHE="/accounts/1000-corp/sysdata/sapphire/squidcache"; case ${1} in start) ifconfig lo1 create; ifconfig lo1 ${BB_ADDR%:*}; if [ "${?}" == "1" ]; then Error "Unable to startup bridge network interface"; fi; fsec-corp; on -d SapphireProxy -U99:0 -p ${BB_ADDR} -p ${BES_ADDR} -b0 -p ${BIS_ADDR}; on -d Squidlet -U99:0,1000,1002,1100,1102 -s ${SQUIDLET_ADDR} -p ${BB_ADDR} -c ${SQUIDLET_CACHE} -C ${SQUIDLET_SPLIT_CACHE} -n256; on -d Notifications -U99:0 -p ${BB_ADDR} -h ${SQUIDLET_ADDR} -t ${BIS_ADDR}; on -d PasswordManager -U99:0 -p ${BB_ADDR}; WAITFOR "/pps/system/sapphire/status" /pps/system/sapphire/status; on -d BBSDCard -U99:0,1000,1001,1002,1100,1101,1102 -m ${BBSD_MOUNT_POINT} -p ${BBSD_CACHE} -c ${BBSD_SPLIT_CACHE} -s ${BBSD_WEBDAVADDR} -P 0770 -w; on -d BitmapGenerator -U99:0 ;; stop) Terminate SapphireProxy; Terminate Squidlet; Terminate Notifications; Terminate PasswordManager; Terminate BBSDCard; Terminate BitmapGenerator; Terminate fsec-corp ;; esac } screen_omap () { case ${1} in start) tiler; WAITFOR "tiler" /dev/tiler; screen; WAITFOR "screen" /dev/screen ;; stop) Terminate tiler; Terminate screen ;; esac } Starting () { Print "\033[1;30m[ \033[1;32mStarting\033[0m $* \033[1;30m]\033[0m" } Stopping () { Print "\033[1;30m[ \033[1;32mStopping\033[0m $* \033[1;30m]\033[0m" } syslink_start () { syslink; DSP_FIRMWARE_PATH="/lib/firmware/ducati"; DSP_FIRMWARE="${DSP_FIRMWARE_PATH}/Notify_MPUSYS_reroute_Test_Core0.xem3"; DSP_FIRMWARE="${DSP_FIRMWARE} ${DSP_FIRMWARE_PATH}/base_image_app_m3.xem3"; syslink_daemon ${DSP_FIRMWARE} } syslink_stop () { Terminate syslink_daemon; sleep 2; Terminate syslink } Terminate () { typeset count=0; slay -fQ -sTERM "${1}" || slay -fQ -sCONT "${1}"; while ! slay -fQ -sNULL "${1}"; do if (( count++ >= 5 )); then slay -fQ -sKILL "${1}"; return; fi; done; return 0 } tools_common () { test -f /etc/ssh/ssh_host_rsa_key || on -d ssh-keygen -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key } tools_qconndoor () { on -d qconnDoor } tools_qconn_sshd () { qconn; waitfor /etc/ssh/ssh_host_rsa_key 30 && /usr/sbin/sshd } WAITFOR () { waitfor ${2?} ${3:-60} || case "${4}" in FATAL) Fatal "${1} failed" ;; ERROR) Error "${1} failed" ;; *) Warning "${1} failed" ;; esac } Warning () { print "\033[1;30m[ \033[1;33mWarning\033[0m $* \033[1;30m]\033[0m" 1>&4 } # Defined by SERVICE_acoustic SERVICE_acoustic () { : depends-on audio; case ${1} in start) on -d io-acoustic -c /etc/system/config/acoustic.conf ;; stop) Terminate io-acoustic ;; esac } # Defined by SERVICE_activator SERVICE_activator () { : depends-on pps; case ${1} in start) typeset f active cleanup; [ -d /var/tmp/upd ] || mkdir -p /var/tmp/upd; chgrp upd /var/tmp/upd; chmod u=rwx,g=rwxs,o= /var/tmp/upd; for f in 0 1; do [ -f /pps/system/installer/coreos/$f ] || > /pps/system/installer/coreos/$f; chown upd:upd /pps/system/installer/coreos/$f; chmod 0640 /pps/system/installer/coreos/$f; done; setfacl -m u:upd:rwx /pps/system/navigator/applications/; [ -e /etc/id/[0-9][0-9][0-9][0-9]* ] || ( touch /etc/id/9999 && chown 88:88 /etc/id/9999 ); PYTHONIOENCODING=utf8:replace /base/usr/sbin/activator.py --best-effort -d 2>&1 | on -u logger multilog t n20 s500000 ${LOGDIR}/activator/; boot_region; active=$?; cleanup=$(grep -l 'result::success' /pps/system/installer/upd/deferred/${active}/* 2>/dev/null); [ -z "${cleanup}" ] || rm ${cleanup} ;; esac } # Defined by SERVICE_adl SERVICE_adl () { : depends-on pps; case ${1} in start) on -d proxyserver -au 99; on -d -p 12 softlimit -w 970 adl -runtime ${BASEFS}/air/runtimeSDK/ -airfork 2>&1 | on -d -u logger multilog t ${LOGDIR}/airfork; WAITFOR "AIR runtime" /dev/airfork 300 ;; stop) Terminate adl; Terminate proxyserver ;; esac } # Defined by SERVICE_appupdatenotifier SERVICE_appupdatenotifier () { : depends-on pps; case ${1} in start) on -d -u 99:0,0 appupdatenotifier ;; stop) Terminate appupdatenotifier ;; esac } # Defined by SERVICE_audio_winchester SERVICE_audio () { case ${1} in start) io-audio -d omap4-wm8994 aif=0,secure_capture,aif=1,mcbsp=0,aif=2,mcbsp=0; on -d mix_ctl group "Input Gain" volume=90% ;; stop) Terminate io-audio ;; esac } # Defined by SERVICE_authman SERVICE_authman () { case ${1} in start) authman -U 505 ;; stop) Terminate authman ;; esac } # Defined by SERVICE_avcontrols_winchester SERVICE_avcontrols () { case ${1} in start) WAITFOR "avcontrols" /pps/services/multimedia/mediacontroller/control; on -d /bin/winchester-avcontrols ;; stop) Terminate winchester-avcontrols ;; esac } # Defined by SERVICE_battery_winchester SERVICE_battery () { : depends-on pps; case ${1} in start) fg_mod; if [ "${FACTORY_MODE}" == "1" ]; then on -d -p 12 battery_win -U 99:0 -r 71 -C 77; else on -d -p 12 battery_win -U 99:0 -r 71; fi ;; stop) Terminate battery_win ;; esac } # Defined by SERVICE_bbidd SERVICE_bbidd () { : depends-on pps; case ${1} in start) bbidd ;; stop) Terminate bbidd ;; esac } # Defined by SERVICE_bluetooth_winchester SERVICE_bluetooth () { : depends-on wifi; bluetooth_omap_common ${1} } # Defined by SERVICE_bootinfo SERVICE_bootinfo () { Print; Print "==============================================="; Print "BOARD:${BOARD}"; Print "VARIANT:${BOARD_CONFIG}"; Print "==============================================="; Print; Print "INFORMATIONAL: "; Print "This image is subject to the terms and conditions outlined in the BlackBerry"; Print "SDK License Agreement."; Print } # Defined by SERVICE_bootreason_winchester SERVICE_bootreason () { case ${1} in start) slay -R 0x1 battery_win; on -R 0x1 -p 13 winchester-bootreason -c -h; rc=$?; if [ $rc == 127 ]; then shutdown -f -b; else if [ $rc == 126 ]; then on -d winch_lcdctl -s splash; else winch_lcdctl power_on; fi; fi; slay -R 0xff battery_win ;; stop) Terminate winchester-bootreason ;; esac } # Defined by SERVICE_camera_winchester SERVICE_camera () { : depends-on syslink mmsynclite; case ${1} in start) camera_mkdir; on -d camera-omap -U 521 -r ${CAMERA_DIR} -m'Research In Motion' -M'BlackBerry PlayBook' -s ${LOGDIR}/system.info -vvvv ;; stop) Terminate camera-omap ;; esac } # Defined by SERVICE_certmgr SERVICE_certmgr () { : depends-on pps; case ${1} in start) [ -e "/var/certmgr" ] || mkdir -p /var/certmgr; on -d certmgr_pps 2>&1 | on -d -u logger multilog t s100000 n10 /var/log/certmgr; WAITFOR "/pps/services/certmgr/control" /pps/services/certmgr/control; ${BASEFS}/scripts/startup-support/replace_dtm_cert.sh ;; stop) Terminate certmgr_pps ;; esac } # Defined by SERVICE_clearclipboards SERVICE_clearclipboards () { case ${1} in start | stop) if [ -e /accounts/1000/clipboard ]; then rm -rf /accounts/1000/clipboard/*; fi; if [ -e /accounts/1000-corp/clipboard ]; then rm -rf /accounts/1000-corp/clipboard/*; fi; if [ -e /accounts/devuser/clipboard ]; then rm -rf /accounts/devuser/clipboard/*; fi ;; esac } # Defined by SERVICE_coreservices SERVICE_coreservices () { : depends-on pps; case ${1} in start) coreServices ;; stop) Terminate coreServices ;; esac } # Defined by SERVICE_dtminit SERVICE_dtminit () { : depends-on pps; case ${1} in start) print "@status\n[n]state::idle\n" > /pps/system/dtm/status; chmod 0660 /pps/system/dtm/status; chown 0:0 /pps/system/dtm/status ;; stop) ;; esac }
08-18-11 08:13 PMLike 0 - Part 2
Code:# Defined by SERVICE_dumper_winchester_factory SERVICE_dumper () { case ${1} in start) dumper -S -F -m -d ${LOGDIR} ;; stop) Terminate dumper ;; esac } # Defined by SERVICE_ebm_winchester SERVICE_ebm () { case ${1} in start) WAITFOR "network status" /pps/services/networking/status_public; on -d restart /base/bin/EBMService ;; stop) Terminate EBMService ;; esac } # Defined by SERVICE_filesystem SERVICE_filesystem () { case ${1} in start) filesystem_common; filesystem_encrypt ;; esac } # Defined by SERVICE_final_winchester SERVICE_final () { case ${1} in start) final_sanity; final_common; /scripts/samba/smbiface.sh; on -d /scripts/samba/smbifwatch.sh; slay -f winch_lcdctl > /dev/null 2>&1 ;; esac } # Defined by SERVICE_fsevmgr SERVICE_fsevmgr () { case ${1} in start) fsevmgr -U 99:99 ;; stop) Terminate fsevmgr ;; esac } # Defined by SERVICE_geolocation_winchester SERVICE_geolocation () { : depends-on pps wifi; case ${1} in start) if [ -x "/base/scripts/location.sh" ]; then /base/scripts/location.sh & else WAITFOR "/dev/io-bluetooth/btgps not present" /dev/io-bluetooth/btgps; on -d io-locp -U99:0 -p /base/etc/system/config/location/gps.xml 2>&1 | on -d -u logger multilog t /var/log/gps/io-locp-gps; on -d io-locp -U99:0 -p /base/etc/system/config/location/wifi.xml -- -c /base/etc/system/config/location/glconfig.xml 2>&1 | on -d -u logger multilog t /var/log/gps/io-locp-wifi; on -d ee_provider -U99:0 2>&1 | on -d -u logger multilog t /var/log/gps/ee_provider; on -d time_provider -U99:0 2>&1 | on -d -u logger multilog t /var/log/gps/time_provider; on -d aiding_manager -U99:0 2>&1 | on -d -u logger multilog t /var/log/gps/aiding_manager; WAITFOR "Geolocation - GPS did not come up" /dev/geolocation/gps; WAITFOR "Geolocation - Wifi did not come up" /dev/geolocation/wifi; on -d location_manager -U99:0 2>&1 | on -d -u logger multilog t /var/log/gps/location_manager; WAITFOR "Geolocation - Manager did not come up" /pps/services/geolocation/control; fi ;; stop) Terminate location_manager; Terminate aiding_manager; Terminate time_provider; Terminate ee_provider; Terminate io-locp ;; esac } # Defined by SERVICE_hid_winchester SERVICE_hid () { case ${1} in start) Starting "io-hid"; io-hid -dbt; WAITFOR "io-hid" /dev/io-hid; Starting "devi-hid"; devi-hid -U 99:99 -P -r mouse kbd; WAITFOR "devi-hid" /dev/devi ;; stop) Terminate devi-hid; Terminate io-hid ;; esac } # Defined by SERVICE_hwinfopps_winchester SERVICE_hwinfopps () { case ${1} in start) on -d /base/bin/hw_info_pps ;; stop) Terminate hw_info_pps ;; esac } # Defined by SERVICE_keyboard SERVICE_keyboard () { case ${1} in start) keyboard-imf -U99:0 ;; stop) Terminate keyboard-imf ;; esac } # Defined by SERVICE_launcher SERVICE_launcher () { : depends-on adl coreservices; case ${1} in start) rm -f /pps/system/navigator/control > /dev/null 2>&1; pidin in >> ${LOGDIR}/system.info; echo "" >> ${LOGDIR}/system.info; df -P /dev/hd3 /base /dev/hd5 /dev/hd4 /dev/hd2t179 /dev/hd2 /dev/hd1 /dev/hd0 >> ${LOGDIR}/system.info; launcher_start sys.navigator ;; stop) launcher_stop ;; esac } # Defined by SERVICE_lc_winchester SERVICE_lc () { uname_m=`uname -m`; case ${1} in start) case "${uname_m}" in *Rev:00* | *Rev:01* | *Rev:02*) Starting "Light Control"; winchester-lc -d led-gpio.so -d ls-cm3217.so ;; *Rev:03* | *Rev:04* | *Rev:05* | *Rev:06* | *Rev:07* | *Spencer* | *Winchester2*) Starting "Light Control"; winchester-lc -d led-fan5702.so -d ls-cm3217.so ;; *) Warning "TODO: light control" ;; esac ;; stop) Stopping "Light Control"; Terminate winchester-lc ;; esac } # Defined by SERVICE_logging SERVICE_logging () { : depends-on filesystem; case ${1} in start) on -d -u 25:0 sh -c "sloginfo -w & sleep 300; kill \$!; echo ':::done:::'" 2>&1 | on -d -u logger multilog t n20 s500000 /var/log/sloginfo/ '-*' '+*:*' '+* * *' '-*:*TIWLDRV:*' '-*:*navigator:*' /var/log/boot/; exec > /dev/console 2>&1; uname -a > ${LOGDIR}/system.info; echo "" >> ${LOGDIR}/system.info; [ ! -e ${BASEFS}/svnrev ] || cat ${BASEFS}/svnrev >> ${LOGDIR}/system.info; [ ! -e /autoupdate/trunk-changelog ] || cat /autoupdate/trunk-changelog >> ${LOGDIR}/system.info; [ ! -e /bin/reset_cause-winchester ] || /bin/reset_cause-winchester >> ${LOGDIR}/system.info; [ ! -e /scripts/check_trimming.sh ] || /scripts/check_trimming.sh >> ${LOGDIR}/system.info; [ ! -x /usr/bin/sbversion ] || /usr/bin/sbversion >> ${LOGDIR}/system.info; if [ -x /bin/RLogging ]; then ln -Pfs /var/quincy/logs /base/opt/www/root/log; fi ;; stop) Terminate dumper ;; esac } # Defined by SERVICE_mixer_winchester SERVICE_mixer () { : depends-on pps audio; case ${1} in start) WAITFOR "/dev/snd/mixerC0D0" /dev/snd/mixerC0D0; on -d pps-mixer -h 1 -w 1 ;; stop) Terminate pps-mixer ;; esac } # Defined by SERVICE_mmrenderer_winchester SERVICE_mmrenderer () { : depends-on syslink pps audio; case ${1} in start) mmrenderer_start ;; stop) mmrenderer_stop ;; esac } # Defined by SERVICE_mmsynclite SERVICE_mmsynclite () { : depends-on mmrenderer fsevmgr; case ${1} in start) ( touch "/var/run/mmsynclite"; chmod 600 "/var/run/mmsynclite"; while [ -e "/var/run/mmsynclite" ]; do on -p 9 mmsynclite -U 80:0,1001,101 -m ${MEDIA_DIR} -d ${DEFAULT_ACCOUNT}/db/mmlibrary.db -f audio:jpeg:180x180,photo:jpeg:180x180,video:jpeg:240x212 -e '^(AlbumArt_{.*\.jpg$|AlbumArtSmall\.jpg$|\.DS_Store$|\._)' -T -D 20; if [ ${?} != 99 ]; then break; fi; sleep 2; done ) & ;; stop) rm -f /var/run/mmsynclite; Terminate mmsynclite ;; esac } # Defined by SERVICE_paymentsystem SERVICE_paymentsystem () { : depends-on bbidd; case ${1} in start) on -d paymentsystem -U 99:0 ;; stop) Terminate paymentsystem ;; esac } # Defined by SERVICE_phyctrl_winchester SERVICE_phyctrl () { : depends-on powerman; case ${1} in start) winchester_phy_ctrl -U 99:99 ;; stop) Terminate winchester_phy_ctrl ;; esac } # Defined by SERVICE_pmic_winchester SERVICE_pmic () { : depends-on powerman; case ${1} in start) pmic-twl6030-ctl -U 99:99 -p regen1,vaux3 ;; stop) Terminate pmic-twl6030-ctl ;; esac } # Defined by SERVICE_powerbrain_winchester SERVICE_powerbrain () { : depends-on pps powerman screen; case ${1} in start) on -d power_brain-winch -U 99; if [ "${FACTORY_MODE}" == "1" ]; then on -d /bin/battery_monitor 55 80; fi ;; stop) Terminate power_brain-winch ;; esac } # Defined by SERVICE_powerman_winchester SERVICE_powerman () { : depends-on pps; case ${1} in start) case "${uname_m}" in *_Winchester2_*) on -d powerman -c devpm-omap4.so -o1 -l5000 -d /etc/system/config/winchester2.pm ;; *) case "${uname_m}" in *_ES2.1_*) on -d powerman /etc/system/config/winchester.pm ;; *) on -d powerman -c devpm-omap4.so -o1 -l5000 -d /etc/system/config/winchester.pm ;; esac ;; esac; WAITFOR "powerman" "/pps/system/power/mgr" ;; esac } # Defined by SERVICE_pps SERVICE_pps () { pps_common ${1}; case ${1} in start) check_sanity 100; print "[n]BootUp::booting" >> /pps/system/nvram/osregion ;; esac } # Defined by SERVICE_ppshack SERVICE_ppshack () { pps_common ${1} } # Defined by SERVICE_pty SERVICE_pty () { case ${1} in start) devc-pty; WAITFOR "devc-pty" /dev/ttyp0 ;; stop) Terminate devc-pty ;; esac } # Defined by SERVICE_random_winchester SERVICE_random () { : excluded } # Defined by SERVICE_rlogging_winchester_factory SERVICE_rlogging () { : depends-on pps; case ${1} in start) case "${uname_m}" in *Winchester* | *Spencer* | *Henry* | *Colt* | *Blaze*) if [ -x /bin/RLogging ]; then on -d RLogging -e; fi ;; esac ;; stop) case "${uname_m}" in *Winchester* | *Spencer* | *Henry* | *Colt* | *Blaze*) if [ -x /bin/RLogging ]; then Terminate RLogging; fi ;; esac ;; esac } # Defined by SERVICE_rtc_winchester SERVICE_rtc () { case ${1} in start) rtc phoenix; if [ -e ${BASEFS}/seed/rootfs/var/load.timestamp ]; then LOAD_TS=$(cat ${BASEFS}/seed/rootfs/var/load.timestamp); DATE_TS=$(date +%Y%m%d%H%M); if [ ${DATE_TS} -lt ${LOAD_TS} ]; then date ${LOAD_TS} > /dev/null && rtc -s phoenix; fi; fi; export BOOT_START_TIME=${SECONDS} ;; stop) Terminate rtc ;; esac } # Defined by SERVICE_samba SERVICE_samba () { SMBCONFIG="/accounts/1000/sys/samba/smb.conf"; case ${1} in start) on -d smbd -s $SMBCONFIG; on -d nmbd -s $SMBCONFIG ;; stop) Terminate nmbd; Terminate smbd ;; restart) Terminate nmbd; Terminate smbd; on -d smbd -s $SMBCONFIG; on -d nmbd -s $SMBCONFIG ;; reload) slay -fQ -sSIGHUP nmbd smbd ;; esac } # Defined by SERVICE_sapphire_winchester SERVICE_sapphire () { : depends-on pps bluetooth wifi; sapphire_enabled ${1} } # Defined by SERVICE_screen_winchester SERVICE_screen () { : depends-on pps; screen_omap ${1} } # Defined by SERVICE_securedatamon_winchester SERVICE_securedatamon () { : depends-on pps; case ${1} in start) on -d -u 99:0 securedatamon ;; stop) Terminate securedatamon ;; esac } # Defined by SERVICE_sensorservices_winchester SERVICE_sensorservices () { : depends-on pps; case ${1} in start) case ${uname_m} in *Winchester2* | *Spencer*) sensor-services -U 99:0 -d sensor-accel-mma8451q.so -d sensor-mag-ami306r.so -d sensor-gyro-mpu3050.so ;; *) sensor-services -U 99:0 -d sensor-accel-bma150.so -d sensor-mag-hmc5883l.so -d sensor-gyro-mpu3050.so ;; esac ;; stop) Terminate sensor-services ;; esac } # Defined by SERVICE_simconfig SERVICE_simconfig () { : excluded } # Defined by SERVICE_soundplayerd SERVICE_soundplayerd () { : depends-on mmrenderer; case ${1} in start) on -d soundplayerd -c /etc/soundplayerd.xml -U99:0 ;; stop) Terminate soundplayerd ;; esac } # Defined by SERVICE_splashscreen SERVICE_splashscreen () { case ${1} in start) WAITFOR "/base/etc/system/config/playbook_spotlights.conf" /base/etc/system/config/playbook_spotlights.conf; on -d -p25 playbook_spotlights -configFile=/base/etc/system/config/playbook_spotlights.conf ;; stop) Terminate playbook_spotlights ;; esac } # Defined by SERVICE_syslink_winchester SERVICE_syslink () { case ${1} in start) syslink_start ;; stop) syslink_stop ;; esac } # Defined by SERVICE_tools_winchester_factory SERVICE_tools () { case ${1} in start) tools_common; tools_qconndoor ;; esac } # Defined by SERVICE_updater SERVICE_updater () { : depends-on pps coreservices authman launcher activator; case ${1} in start) waitfor /pps/system/navigator/control 15; setfacl -m u:upd:rwx /pps/system/navigator/control; setfacl -m u:upd:rwx /pps/system/navigator/applications/; setfacl -m u:upd:r,g:nto:r /pps/services/networking/proxy; setfacl -m u:upd:rw /pps/services/power/shutdown/control; if [ -f /pps/system/ppsnetd/control ]; then print 'msg::watch\ndat:json:{"object":"/pps/system/installer/upd/current/.all","exec":"/base/usr/sbin/sud.sh","timeout":86400}' >> /pps/system/ppsnetd/control; else Warning "SOFTWARE UPDATE DAEMON PPSNETD SERVICE MISSING"; PYTHONIOENCODING=utf8:replace on -d -p 9 /base/usr/sbin/sud.py; fi ;; esac } # Defined by SERVICE_usbmgr_winchester SERVICE_usbmgr () { case ${1} in start) RIM_usbmgr-Winchester ;; stop) Terminate RIM_usbmgr-Winchester ;; esac } # Defined by SERVICE_vpn SERVICE_vpn () { : depends-on pps certmgr; case ${1} in start) on -d iked -F -v3 2>&1 | on -d -u logger multilog t s100000 n10 /var/log/iked; sleep 1; on -d vpn_pps 2>&1 | on -d -u logger multilog t s100000 n10 /var/log/vpn_pps; WAITFOR "/pps/services/vpn/control" /pps/services/vpn/control ;; stop) Terminate vpn_pps; Terminate iked ;; esac } # Defined by SERVICE_wifi_winchester SERVICE_wifi () { : depends-on pty random pps; case ${1} in start) ${BASEFS}/scripts/wifi.sh 2>&4 ;; esac } # Defined by SERVICE_wimax_winchester SERVICE_wimax () { : depends-on pty random pps; case "${uname_m}" in *Spencer*) ${BASEFS}/scripts/wimax.sh "${1}" 2>&4 ;; esac } # Defined by SERVICE_wpa_winchester SERVICE_wpa () { : depends-on wifi certmgr vpn; case ${1} in start) WAITFOR "vpn" /pps/services/vpn/control; ${BASEFS}/scripts/wpa.sh ;; stop) ${BASEFS}/scripts/wpa.sh stop ;; esac } main () { RUN_LEVEL=0; if [ ${#} == 0 ]; then while [ ${RUN_LEVEL} -lt ${MAX_RUN_LEVELS} ]; do start_runlevel ${RUN_LEVEL}; echo ${RUN_LEVEL} > /dev/shmem/runlevel; RUN_LEVEL=$(($RUN_LEVEL+1)); done; start_runlevel FINAL; else if [ ${#} == 2 ]; then if [ ${1} == "runlevel" ]; then switch_run_level ${2}; else if [ ${2} == "start" ]; then Starting ${1}; SERVICE_${1} start; else if [ ${2} == "stop" ]; then Stopping ${1}; SERVICE_${1} stop; else if [ ${2} == "restart" ]; then Restarting ${1}; SERVICE_${1} restart; else if [ ${2} == "reload" ]; then Reloading ${1}; SERVICE_${1} reload; else Print "Usage $0: [[runlevel] [0-MAX]] | [SERVICENAME] [start|stop]"; fi; fi; fi; fi; fi; fi; fi } start_runlevel () { Print "Starting Run Level ${1}"; eval "SERVICES=\${RUN_LEVEL_${1}_SERVICES}"; for s in ${SERVICES}; do Starting $s; SERVICE_$s start; done } stop_runlevel () { Print "Stopping Run Level ${1}"; R_SERVICES=""; eval "SERVICES=\${RUN_LEVEL_${1}_SERVICES}"; for s in ${SERVICES}; do R_SERVICES="$s ${R_SERVICES}"; done; for s in ${R_SERVICES}; do Stopping $s; SERVICE_$s stop; done } switch_run_level () { CURRENT_RUN_LEVEL=`cat /dev/shmem/runlevel`; if [ ${CURRENT_RUN_LEVEL} == ${1} ]; then Print "Allready at runlevel ${1}"; return; fi; if [ ${1} -gt ${MAX_RUN_LEVELS} ]; then Print "RunLevel exceeds ${MAX_RUN_LEVELS}"; return; fi; Print "Going to RunLevel ${1}"; if [ ${1} -lt ${CURRENT_RUN_LEVEL} ]; then while [ ${CURRENT_RUN_LEVEL} -gt ${1} ]; do stop_runlevel ${CURRENT_RUN_LEVEL}; CURRENT_RUN_LEVEL=$(($CURRENT_RUN_LEVEL-1)); echo ${CURRENT_RUN_LEVEL} > /dev/shmem/runlevel; done; else while [ ${CURRENT_RUN_LEVEL} -lt ${1} ]; do CURRENT_RUN_LEVEL=$(($CURRENT_RUN_LEVEL+1)); start_runlevel ${CURRENT_RUN_LEVEL}; echo ${CURRENT_RUN_LEVEL} > /dev/shmem/runlevel; done; fi } MAX_RUN_LEVELS=3 RUN_LEVEL_0_SERVICES=" bootinfo filesystem pps simconfig powerman phyctrl battery bootreason logging splashscreen rtc dumper hid screen authman random coreservices audio pty dtminit wifi wimax certmgr vpn wpa usbmgr" RUN_LEVEL_1_SERVICES=" ppshack lc activator keyboard bbidd bluetooth geolocation syslink mixer mmrenderer soundplayerd adl sensorservices sapphire powerbrain clearclipboards launcher avcontrols fsevmgr mmsynclite camera updater paymentsystem pmic appupdatenotifier" RUN_LEVEL_2_SERVICES=" rlogging tools ebm securedatamon hwinfopps" RUN_LEVEL_FINAL_SERVICES=" final" umask 002 # Dup stdout to fd 3, stderr to fd 4 exec 3>&1 4>&2 # Some initial environment setup export ROOTFS=/ export BASEFS=/base/ export BOARDFILE=${BASEFS}board tdf DEFAULT_ACCOUNT="/accounts/1000" MEDIA_DIR=${DEFAULT_ACCOUNT}/shared FACTORY_MODE="0" if [ ! -a ${BOARDFILE} ];then Fatal "Missing board configuration file: ${BOARDFILE}" fi # Grab our board specific details ${BOARDFILE} export CPU .........
08-18-11 08:15 PMLike 0 - if the public key is correctly managed in the hardware, it will not be easy to change or circumvent it. im sure there is no TPM chip, but you may find that by the time you get around the key, your playbook is a physical mess, with some non working components due to the hardware changes needed to swap the keys and circumvent the bootloader in rom. if the bootloader is done right, it wont be possible to prevent it from chaining only valid code in memory. the root of trust is in the hardware, and the key must be attacked in hw to root the device. it wont be cost effective, or a secret, to anyone who tries it, and that's all that matters. so effectivelt, not rootable in any useful way. not like android where you do it to make the phone work in the first place.
Last edited by PlaybookPlayboy; 08-18-11 at 08:31 PM.
08-18-11 08:28 PMLike 0 - yay, startup.sh :P
too bad no passwords in plaintext floating around, eh?
coredumps would be amusing. anything hanging around in /var/log ?08-18-11 08:36 PMLike 0 - I bet the TAT group was thrilled that so much of their work comes over so easily!
Code:# -- Configuration file for Android/CfX Cascades Viewer generated by Motion Lab -- # Please do not change any properties in this file, if you don't know # what you are doing! The following properties will be automatically overwritten: # Name, RenderMethod, ColorFormat, SizeX and SizeY # each time you start the Viewer from Motion Lab Name=OlympusCards #General Cascades settings RenderMethod=GL2 ColorFormat=RGB_565 DepthBufferSize=0 #Device configuration FullScreen=false #PC Viewer settings Screen Width/Height SizeX=540 SizeY=960 #Settings added by user SizeX=540 SizeY=960
08-18-11 09:10 PMLike 0 - Hello all,
I found this while googling
Rooting the Blackberry PlayBook Simulator | www.cmw.me
This page claims to have rooted the playbook. I do not have the expertise to comment on it. Do you ppl think this will work?08-24-11 10:26 AMLike 0 - Hello all,
I found this while googling
Rooting the Blackberry PlayBook Simulator | www.cmw.me
This page claims to have rooted the playbook. I do not have the expertise to comment on it. Do you ppl think this will work?08-24-11 10:46 AMLike 0 - So much for the Playbook not being able to be rooted,
BlackBerry PlayBook gets root thanks to childishly named DingleBerry tool -- Engadget11-29-11 12:27 PMLike 0
- Forum
- BlackBerry PlayBook Forums
- BlackBerry PlayBook
Can the Playbook be rooted?
LINK TO POST COPIED TO CLIPBOARD