HOW IT BEGAN

Ever since I got involved in the financial sector, I’ve spent a lot of time trading stocks and reading the Wall Street Journal instead of bug bounty reports. As a result, my hacking skills got a bit rusty and needed a refresh. So, I decided to invest some time into evaluating how robust today’s embedded security really is against a somewhat capable and experienced hacker. But which device should I dive into first?

During CanSecWest last year, I was showing one of the speakers around Vancouver. While wandering through a local consumer electronics shop, we spotted a Kobo eReader on the shelf. With a grin, I joked, “We should hack it. Do you think there’s a bug bounty for eReaders?” We then laughed and left it behind. But maybe now it’s time to make a move. After a quick search, I found that Kobo is a global e-reading company headquartered in Toronto, Canada. It was acquired by the Japanese e-commerce giant Rakuten in 2011. Kobo is known for its diverse range of e-reader devices, offering a strong alternative to the Amazon Kindle. Best of all, Kobo even has a dedicated webpage focused on product security.

However, I was somewhat disappointed to find that their website states, “Kobo does not offer monetary rewards for vulnerability disclosures.” In addition, the website also states that Kobo does not use universal default or easily guessable passwords; I later discovered that this is not entirely true.

Even though there’s no bug bounty, I still believe the whole journey will make a great series of articles for the blog. By sharing my hacking experience with the Kobo eReader, I hope to inspire more people to take an interest in hardware hacking. So, fasten your seatbelt and let the exploration begin!

MYSTERY BAUD-RATE

Kobo offers various versions of its eReaders, the one I have is the Kobo Clara BW. Since I love low-level hardware hacking, my first step with any device is to disassemble it. Using a blade, I was able to easily pop open the case.

A closer inspection reveals that the Kobo Clara BW is powered by a MediaTek ARM processor and uses an eMMC chip for storage, an upgrade from earlier models that relied on SD cards for file storage.

What really caught my attention was the presence of clearly labelled debug ports, with the TX/RX pins appearing to be UART connections. You’d think that once we connect to the ports, we could start messing around immediately, right?

Well, we’re not there yet. Here comes our first roadblock. If you’ve done a similar project before, you know that configuring the correct baud rate is essential to receiving clear text. Normally, the default baud rate for most devices is either 9600 or 115200. Unfortunately, that’s not the case here: with those settings, we only receive garbage text.

So, we needed to find the exact baud rate for the Kobo eReader first. About 10 years ago, a great security researcher named devttys0 released a Python script to brute-force baud rates. This method usually works well, but unfortunately, it didn’t work out this time. Looking at the source code, we can see that the usual baud rates are hard-coded, so if our target device doesn’t use one of those rates, the script won’t be able to figure it out.

Lucky for us, we have a hardware hacker’s best friend: the logic analyzer. I used the Saleae Logic 2, and the best part is that Saleae provides an extension called Baud Rate Estimate. With it, we were able to easily find the correct, secret baud rate.
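The idea behind a baud-rate estimator is simple: the narrowest pulse on the TX line is one bit time, so its reciprocal is the baud rate, and unlike a hard-coded brute-forcer it can report a non-standard rate. The following is an added example written for this post, not Saleae’s extension or devttys0’s script; the edge timestamps are generated from a constructed UART frame rather than taken from a capture of the Kobo.

```python
"""Estimate a UART baud rate from logic-analyzer edge timestamps (added example)."""

# Rates a brute-forcer typically has hard-coded; used only for snapping.
STANDARD_RATES = [1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200,
                  230400, 460800, 921600]


def estimate_baud(edge_times_s):
    """Raw baud estimate from a sorted list of rising/falling edge times (seconds)."""
    if len(edge_times_s) < 2:
        raise ValueError("need at least two edges")
    gaps = [b - a for a, b in zip(edge_times_s, edge_times_s[1:])]
    # The shortest gap is a single bit; longer gaps are runs of identical bits.
    shortest = min(g for g in gaps if g > 0)
    return 1.0 / shortest


def snap_to_standard(raw_baud, tolerance=0.03):
    """Snap to a standard rate when within tolerance, otherwise keep the raw value.

    Keeping the raw value is what lets a non-standard rate be discovered
    instead of being forced onto the nearest common one.
    """
    for rate in STANDARD_RATES:
        if abs(raw_baud - rate) / rate <= tolerance:
            return rate
    return round(raw_baud)


def uart_frame_bits(byte):
    """8N1 frame: start bit (0), eight data bits LSB first, stop bit (1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def edges_from_bits(bits, bit_time_s):
    """Constructed capture: edge timestamps for a bit sequence on an idle-high line."""
    edges, t, last = [], 0.0, 1
    for b in bits:
        if b != last:
            edges.append(t)
            last = b
        t += bit_time_s
    return edges


if __name__ == "__main__":
    # Constructed signal at a rate no brute-forcer list contains.
    capture = edges_from_bits(uart_frame_bits(0x41), 1 / 250000)
    print("estimated baud:", snap_to_standard(estimate_baud(capture)))
```

A real capture only needs the Logic 2 edge timestamps exported to a list; everything else stays the same.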

With the correct baud rate configured, we successfully received meaningful text and were greeted by the login prompt from the Kobo eReader.

A fun fact: sometimes, the order in which you hack really matters. If I had chosen to root the device first, I probably would have found the correct baud rate clearly written inside a cmdline configuration file, which would have saved me all the hassle! :p

In addition, the U-Boot configuration parameter “bootdelay” specifies a 2-second wait during the boot process. This gives us a 2-second window to manually interrupt the boot and access the U-Boot prompt of the Kobo eReader.

GOT ROOT? DOUBLE KILL!

When the Kobo eReader is powered on for the first time, it automatically contacts the remote server to check for any available firmware updates. We can verify the installed firmware and kernel versions in the Device Information section.

In addition, the device also supports firmware updates via USB. Specifically, if a file named KoboRoot.tgz is placed in the .kobo folder of the public partition, the Kobo will extract the contents of this archive into the root directory and then reboot automatically.

This mechanism can be leveraged to modify system files to enable additional services. For example, Telnet access can be enabled by including the appropriate configuration within the inetd.conf.user file.

Interestingly, up until Kobo firmware version 4.41.23145, the device’s /etc/passwd file contained an admin account with a password that could be easily guessed or cracked.

This finding stands in contrast to Kobo’s stated position that they do not use universal default or easily guessable passwords.

We were then able to log in to the Kobo eReader via Telnet or the serial port using those credentials, which granted us root privileges.

Finally, a firmware patch 4.42.23296 released by Kobo in May 2025 appears to have addressed this issue.

We have confirmed that the admin account has indeed been removed.

However, the root cause of the issue is that the Kobo eReader does not implement any cryptographic signing of its firmware, so update packages are not verified before they are applied.

As a result, it is possible to remove the password for the root account and easily regain access with root privileges.
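Because the KoboRoot.tgz mechanism described earlier unpacks an unverified archive straight over the root directory, the fix belongs in the updater: check the package against a digest (or, better, a signature) obtained from a trusted source, and refuse archives that touch paths an update has no business writing. The code below is an added example, not Kobo’s updater; the archive contents, the sensitive-path list and the placeholder path usr/local/app/binary are constructed for the demonstration.

```python
"""Audit a KoboRoot.tgz-style update before it is extracted into / (added example)."""
import hashlib
import io
import tarfile

# Constructed list of files an unsigned archive could abuse to obtain a shell.
SENSITIVE = {"etc/passwd", "etc/shadow", "etc/inetd.conf.user"}


def build_archive(files):
    """Return gzipped tar bytes for a {name: content} mapping (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(archive, expected_hex):
    """True only if the archive hashes to the value obtained out of band."""
    return sha256_hex(archive) == expected_hex


def audit_paths(archive):
    """Return (member, reason) findings for an archive that will be unpacked over /."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "path escapes or is absolute"))
            elif m.issym() or m.islnk():
                findings.append((m.name, "link entry can redirect writes"))
            elif name in SENSITIVE:
                findings.append((m.name, "overwrites security-critical file"))
    return findings


def update_is_acceptable(archive, expected_hex):
    """Apply an update only when its digest is trusted and the audit is clean."""
    return digest_matches(archive, expected_hex) and not audit_paths(archive)
```

A digest pinned from a trusted channel only proves the bytes are the ones the vendor published; a public-key signature verified on the device is what actually closes the gap, and the path audit is a defence-in-depth check on top of either.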

POST-EXPLOITATION

Once we gained root access on the eReader, uncovering more details about the device became effortless. A simple command revealed that the Kobo Clara BW is powered by an ARMv7 processor built on the MediaTek MT8180 platform.

As with any post-exploitation phase, it’s advisable to enumerate and analyze all accessible files, as they may contain sensitive information. Configuration files are often a valuable starting point, as they can reveal credentials, API keys, or other security-critical data.

For example, a bt_config.bak file located in the bluedroid directory contains Bluetooth encryption keys in plaintext.

The wpa_supplicant.conf file, stored in /etc/wpa_supplicant/, holds the encryption keys for every Wi-Fi network the device has ever connected to, making it a critical target for attackers.

Analysis of the file system revealed that, similar to many other embedded devices, the Kobo eReader relies heavily on BusyBox, which may introduce additional potential attack vectors.

A common action attackers take after gaining root access to a target system is to install a hidden backdoor for a reverse shell to maintain persistent access. This can be easily achieved using BusyBox’s nc command or, more stealthily, by leveraging openssl, as the latter encrypts all traffic.

SUMMARY

In the first part of this article, we explored how to identify the actual baud rate and successfully gain root access on the Kobo eReader. In the upcoming article, we’ll dive deeper, demonstrating how to set up a hidden backdoor for persistent access and how to apply fuzzing techniques to uncover vulnerabilities. Stay tuned for “Private Investigation – Kobo eReader – Deep Dive.”

REFERENCE

https://github.com/devttys0/baudrate

https://github.com/kobolabs/Kobo-Reader

https://pgaskin.net/KoboStuff/kobofirmware.html

https://help.kobo.com/hc/en-us/articles/22713672676119-Kobo-s-Policy-relative-to-the-Security-of-our-Connected-Products