# Kobo Clara HD Notes for Nickel
Last Updated: 2021-07-10

My ereader of choice is the Kobo Clara HD and I particularly like it because my
eyes hurt less when reading for long periods of time compared to when I read on
my phone or when I still had my iPad. It also had much longer battery life and
only need to charge it about once every two weeks when I read for about 4 hours
on average daily.

However, the two notable things I don't like about it is it's included
telemetry, like using Google Analytics by default and keeping a unique salt

Spyware/Anti-Features:
* Google Analytics (a lot of actions, if not everything, is sent to Google)
* Auto-update by default
  * You may or may not like this, I personally hate it
  * I don't like the new redesign in firmware v4.23.15505

I'm also assuming your Kobo reader and it's SD card's device file would be
would located at /dev/sdf and be mounted at /mnt/kobo.

If you're going to not be using Nickel and instead be using something like
[Plato](https://github.com/baskerville/plato), there's a newer version of this
article available [here](kobo-clara-plato.html), but the notes are for ~KSM~
loading Plato directly and not though k/fmon because I don't want to load
Nickel if I'm already using a different reader.

# Upgrade/Backup Included SD Card
While the included 8GB microSD card is decent for storing your ebook library
that may not have a lot of images, that would likely not be enough if you were
aiming to read some comics on your ereader as they can be pretty big (quite a
few of mine are over a gigabyte, with some over 8). Luckily, you can replace
the microSD card with another one. 

Before upgrading, you should backup the SD card to into an image file so the
filesystem would be preserved when putting the contents of the image on the new
SD card. I'm using the command `dd` but there might be another program doing
the same thing. Even if you're not going to upgrade, I still suggest to backup
the SD card in case something goes wrong.

```
dd if=/dev/sdf of=kobo_sd.img conv=sync
```

After this is done, you can plug in your new SD card and reimage kobo\_sd.img
onto it. With dd, you can do something like:

```
dd if=kobo_sd.img of=/dev/sdf conv=sync
```

Checking it's partition table via `lsblk` or `fdisk -l` should show three
partitions. If you replaced the SD card with something bigger, than you should
resize the third partition.

# Bypassing Registration On Setup
When setting up your Kobo, you will be asked to sign into a Kobo account. There
are other options like logging in via Google, Walmart, and other stores, but I
don't like having to login to a device that would likely not be connected to
the public internet. Fortunately, you can bypass this by choosing that you
cannot connect to a Wi-Fi network and mount your Kobo to your computer. In,
`.kobo/KoboReader.sqlite`, you can run:

```
echo "INSERT INTO user(UserID,UserKey) VALUES('1','');" \
	| sqlite3 KoboReader.sqlite
```

This way you don't have to install their application just to be able to use
your device.

Note: Do not try doing this when you still have your SD card mounted before you
setup your device. The device's screen would likely not update, at least on an
early firmware version like v4.7.10733.

# Blocking Google Analytics and other Telemetry
Just adding `0.0.0.0 analytics.google.com` to /etc/hosts may be enough to block
most of the telemetry from being sent. However, you can try intercepting what
connections your Kobo is making via mitmproxy set to transparent mode or using
a hosts file that blocks all connections to Google (but not necessarily to
Kobo's servers) like [Baobab's host file](https://codeberg.org/baobab/hosts)
[(raw file here)](https://codeberg.org/baobab/hosts/raw/branch/master/hosts).

To put the hosts file without root (which will be detailed in another section),
you can make a directory called etc, put the hosts file in there, and tar it
into a file called KoboRoot.tgz.

```
mkdir etc
wget -O etc/hosts https://codeberg.org/baobab/hosts/raw/branch/master/hosts
tar czvf KoboRoot.tgz etc
cp KoboRoot.tgz /mnt/kobo/.kobo/
```

When you move a tar file with that name into your Kobo's .kobo folder, it's
contents gets untarred into it's root at / when the device is turned on again,
which is usually done for their updates but can be used for custom files like
this and gaining root access.

# Gaining Root Access via Telnet
To gain root access, we first need to get the `/etc/inittab` and
`/etc/inetd.conf` which you can get from mounting the SD card's first partition
into your computer (the second partition seems to be like a backup). You should
copy those two files into a folder called `etc` somewhere (probably not on the
SD card).

In the `etc/inittab` file, you should add these two lines:

```
::sysinit:/etc/custominit.sh
::respawn:/usr/sbin/inetd -f /etc/inetd2.conf
```

You would want to rename the etc/inetd.conf file you copied into
etc/inetd2.conf (or whatever the custom inetd.conf's filename is) and when
editing that, you should add:

```
23 stream tcp nowait root /bin/busybox telnetd -i
```

However, if there is already a commented line for root telnet in the
inetd2.conf, you should probably still add the above line and ignore the
commented line as that may or may not work (didn't for me).

To actually start inetd, you should add these lines somewhere in
/etc/custominit.sh:

```
mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
/usr/sbin/inetd /etc/inetd2.conf
```

After that, you just have to tar the `etc/` folder again and copy it to your
Kobo's onboard/third partition's `.kobo` folder.

```
tar czvf KoboRoot.tgz etc
cp KoboRoot.tgz /mnt/kobo/.kobo/
```
Now you could put your SD card back into your Kobo provided that they are
already unmounted and turn your Kobo back on.

After connecting to the WiFi, simplying telnetting (?) into your Kobo and
logging in as root should give you a root shell. :D
```
telnet $KOBO_IP
```

By default, root has no password so you should change it with `passwd`.

# Getting SSH and SFTP access via Dropbear
I'm using Dropbear instead of OpenSSH because it's better suited for embedded
hardware like the Kobo Clara HD. Obviously we can't copy a binary compiled for
amd64 or whatever architecture your compiling computer is running so we would
have to cross-compile for our ereader.

Fortunately, we are not required to cross-compile gcc/clang and friends as we
can simply download the linaro arm toolchain which has the binaries for gcc and
others included. You could get the toolchain [here](https://releases.linaro.org/components/toolchain/binaries/latest-7/arm-linux-gnueabihf/)
and you should get the release that matches your host's architecture. After
untarring the file, you should also set your PATH variable to the toolchain's
bin/ folder so you don't have to manually set the CC and CXX variables when
building Dropbear.

```
wget https://releases.linaro.org/components/toolchain/binaries/latest-7/arm-linux-gnueabihf/gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf.tar.xz
tar xvf gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf.tar.xz
export PATH=$(pwd)/gcc-linaro-7.5.0-2019.12-x86_64_arm-linux-gnueabihf/bin:$PATH
```

Now you could get the source for Dropbear and cross-compile it. The source can
be found on their [homepage (clownflared)](https://matt.ucc.asn.au/dropbear/dropbear.html) or [github repo](https://github.com/mkj/dropbear/releases).

```
wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2020.81.tar.bz2
tar xvf dropbear-2020.81.tar.bz2
cd dropbear-2020.81
./configure --enable-static --host=arm-linux-gnueabihf
# MULTI=1 combines the binaries like busybox does and is also smaller in size
make MULTI=1 PROGRAMS="dropbear dropbearkey" 
```

Now you only need to copy the `dropbearmulti` binary over to your Kobo. What
I've done is running `python3 -m http.server` and downloading the file onto my
Kobo but you could also just copy it onto the microSD card.

```
wget your.computer.ip.or.fqdn:8000/dropbearmulti
chmod +x dropbearmulti
mv dropbearmulti /usr/bin
cd /usr/bin
# below are optional but dropbear(key) would be an argument for dropbearmulti
ln -s dropbearmulti dropbear    
ln -s dropbearmulti dropbearkey
```

Now you only need to generate the host keys. My client key is ed25519 so I'm not
going to generate the others.

```
mkdir /etc/dropbear
dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key 
dropbear -F -r /etc/dropbear/dropbear_ed25519_key 
```

Now you could ssh into your Kobo and login as root. Remember to change root's
password beforehand though if you haven't already! I suggest copying your
public key to your Kobo via ssh-copy-id so you don't have to enter root's
password all the time and so password-based logins can be disabled in dropbear.

To start it on boot, you could add the following line to `/etc/inetd2.conf`:

```
22 stream tcp nowait root /usr/bin/dropbearmulti dropbear -i -r /etc/dropbear/dropbear_ed25519_key
```

For some reason, the symlink wasn't resolving for me inetd so I had to call the
multi-binary directly. You could also add the command/args into
/etc/custominit.sh.

# FTP Access
If you don't or can't use sftp or scp for some reason, there's always ftp :D
There's a ftp daemon included in busybox so all we have to do is enable it in
`/etc/inetd2.conf`:

```
21 stream tcp nowait root /bin/busybox ftpd -w -S /
```

This would share the entire filesystem so you may or may not want to restrict
the shared directory to maybe just your ebook directory (`/mnt/onboard`) and
move the files out via telnet or ssh.

# References and Other Links
[0](https://remy.grunblatt.org/kobo-aura-h2o-electronic-reader-hacking.html)
[1](https://yingtongli.me/blog/2018/07/30/kobo-rego.html)
[2](https://www.mobileread.com/forums/showthread.php?t=162713)
[3](https://wiki.mobileread.com/wiki/Kobo_Touch_Hacking)