Tuesday, December 22, 2009

Nook updates

Now that the nook softroot is out, I'd like to take a moment to explain the structure of the updates, the nook bootup process in general, and how the softroot came about.

The "softroot" that was released is simply an unsigned update file that copies a custom init.rc to the device that enables adb (only over wifi, for now). Unsigned update, you ask? Yes. The nook accepts unsigned updates. The structure of an update is fairly simple. Basically, it's a .tar.gz file that contains at least 3 files: Firmware_Update/update.script, Firmware_Update/md5sums and Firmware_Update/sha1sums.

The update.script file is a script that is run by turboboot - a proprietary bootloader/recovery environment that is used in the nook. Documentation for turboboot can be found easily with $favorite_search_engine. The turboboot environment is a minimal linux+busybox environment. It allows you to run arbitrary system commands from the update.script, so you can really do just about anything you want in an update.

For the md5sums and sha1sums file, the only requirement is that running md5sum -c md5sums and sha1sum -c sha1sums from the Firmware_Update  directory will succeed. So you need to have at least 1 valid checksum in each file.

That's basically it for the update. You can add whatever else the update needs of course. To run the update, place the .tar.gz file on the root of the external sdcard, named bravo_update.dat, power off the nook, and then after powering it back on, immediately press the page up/page down buttons. It should then check for the update file, unpack it, validate the md5sums and sha1sums files, and then run the update.

If you've already taken a look at the 1.1.0 or 1.1.1 update files that have been released recently, you've probably noticed that they aren't just a plain .tar.gz, but they have what appears to be a signature header at the beginning of the file. As far as I can tell, when a new update is available, the nook system software will download the signed update to the 3rd partition of the internal sdcard, verify it and then strip off the signature header and place the plain .tar.gz in the root of the 2rd partition of the internal sdcard. It then sets a value in a specific place on the sdcard that tells turboboot to check the internal sdcard instead of the external sdcard for the update. And then when the nook reboots, turboboot finds the unsigned update file and applies it.

If you want to poke around in the 1.1.1 update, the file is available for download from Barnes and Noble's Nook FAQ page. Once you download the update, you'll need to strip off the signature header before extracting it:

tail -c +174 signed_bravo_update.dat > signed_bravo_update.tar.gz

Finally, a bit more about the nook's start-up in general. The nook appears to boot directly from the sdcard. There is around 200mb of space at the end of the sdcard, past the end of the last partition, where various things are stored: bootloader, kernel, etc. These all appear to be stored at specific locations relative to the end of the sdcard.

The primary bootloader is stored at an offset relative to the end of the sdcard. For non-sdhc cards, this is at endofsd-9k. And there is additional bootloader code stored at endofsd-281k.

The kernel is stored at endofsd-4377k, and interestingly, the last full firmware update that was applied on the nook is stored at endofsd-135449k. And finally the kernel and ramdisk for the turboboot environment is stored at endofsd-139545k.

The ramdisk for the turboboot environment contains an interesting script named initboot.script that handles the update process. One of it's features is that if the nook fails to successfully boot 3 times in a row, then it will perform a "fallback", and will wipe out the OS partition and re-apply the full update that is stored in the ending area of the sdcard.

It was when I was first looking at the initboot.script file that I realized that the nook accepted unsigned updates. Once I realized that, I pinged fellow nookdev robbiet480 (because he has a nook, and I don't yet :/) and after a few tries, was able to build an initial proof-of-concept update that he ran on his nook and proved that we could in fact get an unsigned update to run.

From there, the other nookdev members took it from the proof-of-concept that I did to the actual softroot that is available now. Great job guys!


  1. [...] This post was mentioned on Twitter by Stephen, jairomeo. jairomeo said: RT @Stericson: JesusFreke back into Android??? Well, kinda :) http://bit.ly/8WEoc9 JF roots the Nook without even touching one! [...]

  2. Social comments and analytics for this post...

    This post was mentioned on Twitter by Stericson: JesusFreke back into Android??? Well, kinda :) http://jf.andblogs.net/2009/12/23/nook-updates/ JF roots the Nook without even touching one!...

  3. Nice job JF. I may have to look into getting a nook for my girlfriend now.


  4. Wow, thanks for the hard work. You rock.

  5. This is awesome :D
    Now i only have to figure out why i can't connect to my home wifi :O Without that i can't install anything cool :(

  6. Dear Sir,

    You are a scholar and a gentleman. Thank you ever so much for this hack and your hard work.

    And God bless the internets and all their tubes!



Note: Only a member of this blog may post a comment.