New Nook Says: No Root For You!

That is a blurry image of a Barnes & Noble Nook eReader stuck in an infinite reboot loop. This is the result of trying to downgrade the firmware to 1.0 in preparation to soft-root the device. So after a few failures the device will recover itself, right? It doesn’t look that way. No problem, don’t you just pop it open and re-write the OS to the SD card inside to do a hardware root? Nope, it looks like the newest hardware revision has replaced that convenient SD card with a memory chip.

For now it’s a brick, but we’re sure there will soon be a way to fix this. A bit of solder, some wires, and a reflash should work much in the same way an EEPROM recovery does. That is, if you have an original image to work with.

So for now, be careful not to attempt to root your nook if the serial number starts with 1003.

[Thanks Ken]

47 thoughts on “New Nook Says: No Root For You!”

  1. Damn. Glad I got mine at launch then. The sad thing is I was getting the impression they were okay with rooting, since no one has been abusing the 3g and they haven’t put any security measures in the firmware updates.

  2. @Henrik-I agree, but the difficulties placed in your way when hacking hardware like this do make the task more interesting right? Hopefully the day will come when you really do own what you pay for, but in the meantime at least this common business model gives us some good exciting challenges to overcome.

  3. Nobody here is against getting their hands dirty with their devices, but in a case like this where the earlier versions were pretty much wide open and there was no abuse of the system, we shouldn’t HAVE to go through that sort of trouble. The hacking community played nice, why can’t B&N?

    It was refreshing to see a commercial device that was easily moddable for those who wanted to, and stable and easy to use for the general public. Just a shame to see that change. Especially in a case where, frankly, they can use all the sales they can get to compete with the Kindle.

  4. There is good news; at least you can have physical access to the EEPROM and possibly do enhancements like a custom socket or replacing the chip altogether with an MCU with multiple firmware images to choose from etc. It is less of a problem and more of an interesting hardware/software challenge.
    Which in this case has me seconding Nemo and the article writer Ken have kindly and positively pointed out.
    I for one think the nook is a waste as a commercial-only web appliance for e-book drivel or the out dated concept like DRM etc.
    no one really wants to have a half owned device or a service that caters to part ownership of media that once read is now useless unless transferable to another entity…Blah!!
    any ways I am eager to see what comes of this development.

  5. Thanks for the heads up, but this won’t affect me, i don’t buy shiny crap just to root it then realise i wasted my life because it’s still useless and unnecessary.
    Seriously, why buy something just to root it? it’s not like you guys do anything amazing with it anyway. Doing it just to say you did it? Well why are you complaining then? That’s the point no? a puzzle to be solved? It’s no fun if you have to follow a guide to do it that just makes you a loser.
    stfu with if you can’t hack it you don’t own it.
    you do own it.
    you own a pos e-reader.
    if you want an actual computer to do actual computer things with, you should have maybe bought an actual computer.

  6. nice to see them offering something without a 3g plan. i would buy it if it was a little more powerful RAM/GHZ wise, larger, microSDHC, and capable of accepting a nice custom ROM. reading ebooks on my phone really blows and i see the cpu speed is the same, the ram unmentioned, and up to 2gb flash memory, which may or may not be used as RAM as well? sounds like it would suck, besides the battery life which sounds pretty nice.

  7. pff you root shit to make it better. maybe you should buy some unnecessary shit sometime and make it better. i bought some rooting hormone and that shit works wonders, but i didn’t need it at all really, just saw the potential for rooting and bought it and i rooted my tobacco plants so much they got rootbound but they didn’t need rooting, i just rooted them for the hell of it and once i put them in the ground they got gigantic. that is my proof of how rooting shit makes it better.

  8. Have to agree on the “you buy the hardware, you own it to do whatever you want with it” ideal, the only device so far I have I want to do an upgrade/fix to is my old Archos AV500, still a very nice unit but the harddrive developed a couple of errors on it just outside of warranty, but Archos are behaving like all the other major companies out there by locking the unit so you can’t replace the drive yourself.
    I even contacted Archos to try and pay them to replace it but didn’t get a response, this was when the AV500 was still around and still popular.

    Never intending on buying another Archos device ever again.

    They’re all bastards.

  9. Thanks for the heads up. I’ve been dithering over which ebook reader to get, but have been unconvinced by them all. We (the whole family rabble) were literally about to descend on B&N. Rooting this was important to be able to replace the garbage book selection and its atom thick scroll bar.

    As Haku says above “they’re all bastards”.

  10. I know this is hack a day, it’s just that this post is more like I didn’t manage to hack but who cares I’ll make a post anyway. I think you guys missed my point anyway.

    @Caleb, i didn’t realise this was grammar a day, and at least i didn’t look like a dick double posting.

  11. @ Haku Nice to see someone else still has an Archos AV500! Archos became so iffy on their product support I’ll never buy another one again. Had the TV+ that crapped out just after its warranty. Tried to get it to do anything else… No luck. It seems they churn something out for a year, support it for less and run. The AV500 is a tough egg to crack. Mine still works. I’ve tried cloning the HDD image to no avail….

  12. I didn’t start the flame war. But come on guys, sure this isn’t the best post on hack-a-day. But at least it did tell people not to hack it if they had one, and it doesn’t have an Arduino. So it could be worse.

  13. The security on this is weak, someone will get past this.

    “If you can’t hack it, you don’t own it”

    Big corporate manufacturers are just getting started, wait till we see something like PS3 has without the RAM dumping and accessible encryption oracles. It’ll start taking chip hacking. PS3 even in its current state is secure from piracy and any custom content. Same for new x360 and old ones on some level.

  14. a simple answer, and mentioned by those who said “… abuse 3g…”.
    it’s just that. i believe it to be locked down so nooks, which advertise having this free 3g thing, don’t become massively banned across all the 3g cellular ISPs due to 3g abuse.

    basically if you don’t like the features or lack of, don’t purchase it, get something else. i’ve come to think this way about the OS wars (except those “my OS is better” zealots can [expletive deleted]); if it doesn’t do what you want/need to do, go use something else.

  15. Millions of people bought DRMed music from companies that went under.

    B&N stock is 1/3 of what it was 4 years ago.

    Some of the Nook ebooks are as much as $648 on sale.

    Everyone who buys DRM deserves to get ripped off.

  16. @Caleb

    “for someone who this doesnt effect you sure have your panties in a bunch. learn some grammer”

    This is rich… three grammar errors and two spelling errors in your rant.

  17. The s3c6410 boots off of NAND or SD depending on a resistor strapping. There’s an internal ROM that loads a boot block from the chosen boot source into on-chip SRAM and then jumps to it. On the old Nook, the internal SD was the chosen boot source. On this one, the boot device is obviously NAND.

    If you Nook users are lucky, the boot source select pins are being used as the GPIOs for one or more of the buttons, such that holding the right button during boot will load the bootloader out of the external SD slot instead of on board NAND when the device is reset with the right button held. If not, look for test points that you can poke under the battery cover.

  18. is the NAND boot block encrypted by ROM loader or something? What’s so hard about this..there isn’t any hardware isolation.

    I don’t own any of these devices by the way.

  19. @xorpunk No. On the old models the boot device was a microSD internal to the casing. There was no NAND part. This was great because you could dd the filesystems plus the boot block at the end of the SD card to your PC and be able to rebuild the SD card after any disaster. But when they decided to move to NAND, presumably for cost savings, the default recovery scheme was lost.

    Nobody has tried looking for JTAG or the boot source select pins yet so not all is lost.
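The recovery scheme described in the comment above (imaging the whole internal SD card so the boot block at its end is captured, then rebuilding the card from that image), sketched as an added example that is not part of the original post or comments. The function names and the constructed 2 MiB stand-in "card" file are assumptions for illustration; on real hardware the source and destination would be the card's block device.

```shell
#!/bin/sh
# Added example: whole-device backup and verified restore.
# All function names are hypothetical; paths are supplied by the caller.

digest() { sha256sum < "$1" | cut -d' ' -f1; }

# backup_card SRC IMG: copy every byte of SRC (not just its partitions, so
# data stored outside them, such as a trailing boot block, is included),
# confirm the copy matches the source, then record the image digest.
backup_card() {
    dd if="$1" of="$2" bs=1M conv=fsync 2>/dev/null || return 1
    [ "$(digest "$1")" = "$(digest "$2")" ] || return 1
    digest "$2" > "$2.sha256"
}

# restore_card IMG DST: refuse an image that no longer matches its recorded
# digest, write it to DST, then read DST back and compare.
restore_card() {
    want=$(cat "$1.sha256") || return 1
    [ "$(digest "$1")" = "$want" ] || { echo "image digest mismatch" >&2; return 1; }
    dd if="$1" of="$2" bs=1M conv=notrunc,fsync 2>/dev/null || return 1
    size=$(( $(wc -c < "$1") ))
    [ "$(head -c "$size" "$2" | sha256sum | cut -d' ' -f1)" = "$want" ]
}

# tail_has_marker FILE N PATTERN: true if PATTERN occurs in the last N bytes.
tail_has_marker() { tail -c "$2" "$1" | grep -q "$3"; }

# make_demo_card FILE: constructed sample input, 2 MiB of zeros with a
# 14-byte marker written at the very end to stand in for the boot block.
make_demo_card() {
    dd if=/dev/zero of="$1" bs=1024 count=2048 2>/dev/null
    printf 'BOOTBLOCK-DEMO' |
        dd of="$1" bs=1 seek=$((2048 * 1024 - 14)) conv=notrunc 2>/dev/null
}
```

Keeping the `.sha256` file next to the image is what lets `restore_card` reject a backup that was damaged in storage before it overwrites anything.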

  20. @chango: even with no source pins or debug interface, it’s still a low bandwidth interface. It probably goes from a application processor directly to NAND, or to a NAND controller then the NAND.

    Devices like this aren’t really difficult to root unless they use crypto oracles and signed boot chains. Even with just signed boot chains and a locked down bootrom you end up having to find shellcode exploits and leveraging them based on RCE of the dumps.

  21. I submitted the original tip regarding this, there is more information available now for those interested.

    Not all 1003 nooks are affected; those with 10031 nooks as opposed to 10030 nooks have met with some success while rooting. In addition to that, the 10031 nooks were running firmware version 1.4.1 as opposed to the 10030’s running 1.4.0. Not enough information for anything definitive still, but take comfort here:

    if you do still want to try and root it, go right ahead. A few other people and myself who bricked the nook were able to return/exchange it with no problems at all, though going to the store is recommended since they will be less likely to know what you did vs calling the tech guys on their support line.

  22. @xorpunk There’s nothing to subvert here. The CPU will boot any NAND or SD device regardless of a signed bootloader. If that fails, there’s JTAG with OpenOCD support for reading, erasing, and programming the usual complement of NAND devices. All it takes is someone willing to identify the right test points or vias.

    @Doppel You echoed my sentiments exactly. ObHanlon: Never attribute to malice (in business) that which is adequately explained by cheapassedness.

  23. Picked up a new nook last night. SN is 10032 running 1.4.1. Waiting for word, don’t want to have to return it. I’m a bit peeved they didn’t inform me of the removal of the SD slot. This alone would be grounds for return I guess, since it was a factor in my decision.

  24. @ tommy there used to be 2 micro sd slots one internal and one under the battery cover for extra storage yours no longer has the one inside the unit which the os runs on. DO NOT ATTEMPT to root yours as you will brick it. luckily for me i exchanged mine today for a bad older unit from dec 09 and got a 10030 with 1.4.0 and was able to root it just fine!!

  25. dmnit, I’ve just got a nook, awesome thing,
    but it is a 1.4.1 with serial starting 1003…
    and I’m a bit upset that I can’t root it. why do I need rooting? well original nook has very shitty library, and having over 200 PDFs (mostly manuals, but also some regular books) I have to go through all of them just to get one I need. pain in the ass when you have 50 books of the same author… rooted version has a “fix” for that… well let’s hope somebody will get to 1.4.1 someday…

  26. You think you have it bad. I have over 1400 books on my Nook. If I hadn’t been lucky enough to root, I would never have been able to find titles I wanted (I tend to read 10-15 at a time). I was ready to switch to Kindle just to get a little file management. I cannot believe B&N has such a crap database system. The first database I used on an Osborne was better than this. Have they learned nothing in all these years??

  27. Glad to see there’s some progress on the 1003’s as I just got one myself. I’m not good enough to start messing with hardware roots, but will patiently wait until it gets down to a software-only level and gleefully take control of the device I paid for, own, and should damn well be able to do what I want with.
