Extracting eBooks from your REB1200

I, like many of you, have purchased books from Gemstar's bookstore. Some of them, I have not even read yet. I wish to read them someday.
I no longer trust that Gemstar will provide for me. I don't even remember my registration - so if my hardware goes Gemstar can do nothing for my titles.

I have therefore taken action to liberate my titles, as I have been told a few of you have already. Instead of keeping my program to myself, I am breaking with tradition and dispensing with the unwritten rules about not touching purchased content.

Presenting "eliberate" - this is a complete and almost user friendly approach to rescuing your lovely imps from the cold dead screen your heartless eBook. Download it now

Here are the instructions. I have executed through these instructions to confirm that they should work. I will be available to answer questions should they arise.

To use this software, you need to have the following:
(A) REB1200 Reader with software versions 2.0, 2.3, 3.1, or 3.3 (Only 2.3 and 3.3 are sure to work, the others are at your own risk).
(B) PC running Windows or the ability to compile software for your O/S.
(C) Compact Flash reader device for your PC
(D) hub, switch or other router

This process will walk you through copying your titles into unencrypted .IMP files which you can then use on any device or read on your PC. These instructions assume no familiarity with the command-line.

1. Installation
Unzip the package to c:\reb1200\
You should have two .exe files (reb12dump.exe, eliberate.exe) and this file.
1. First, you will need to extract the hardware keys from the REB1200 unit.
1a. Find your PC's IP address with "ipconfig /all"

1b. Configure your REB1200 to connect to your PC by going to Settings, Ethernet Connection, then HTTP Proxy. Enable it and enter your PC's IP address and port 8080.
Make a note if you have to use a "Manual configuration" instead of the usual "Use DHCP"

1c. VERY IMPORTANT. Put the REB1200 to sleep.

1d. On the PC Go to start, then run, and enter the following command:
If you are using manual settings, you would instead use
c:\reb1200\reb12dump.exe -M
A console window will appear, and your PC is waiting for connections.

1e. Wake up the REB1200, connect to either your Online Bookshelf or the Bookstore.

1f. You may get an error message at the top of the REB1200 screen.
If you see "Error (400)" you should click "Continue" and return to step 1e. Similarly for "Error (600)" or even rarely "Error (100)".
If you get more than 6 "Error (600)" messages in a row, you should close the DOS window, and add the "-A" option to reb12dump.exe
c:\reb1200\reb12dump.exe -A
or (With manual settings)
c:\reb1200\reb12dump.exe -A -M

If the REB1200 locks, remove the battery, replace and repeat at step 1e.

1g. After some repeats, you should see the DOS window disappear, leaving an "Error (400)". This is normal. Click "Continue" and put the REB1200 to sleep.

2. Extracting the books
2a. Remove the CF card from the REB1200 and put it in the PC's CF reader

2b. Find its drive mapping (for example, G:\)

2c. Go to "Start", then "Run", then
c:\reb1200\eliberate g:\softbks

2d. Your books should be present in C:\reb1200 as IMP files.

s3tigmata [s3tigmata@yahoo.com]

My gut feeling on this (and I could be wrong) is that this exploit will not have an impact on the bookshelf's and existing people's content.
The number of people reading this group and who are willing to take the risk involved in running the hack are small enough that I doubt folks will care.

It will probably elicit an update to the firmware in the post-Gemstar ebooks (aka ETI1 and ETI2 books, but I don't think anyone here are using those yet). Mostly to fix the buffer overrun and prevent the exploit from running anymore.

I'll also point out that this exploits a buffer overrun and the utility is using this to run arbitrary code on the ETI1/1200/2150 (while the buffer overrun is probably in the ETI2, 1150 and 2200 firmware, the ARM stack layout is different and would prevent it from working). Keep in mind you could easily corrupt things on your ebook using this (and that's ignoring the fact that this exploit may or may not have other things it does besides unlocking your books).

I'm just saying this so folks understand there is some risk in using this. I'm not sure the original author stresses the problems a mistake with the hack could cause. The error 600 and error 400's you'll see are bus and address errors which could be occurring at time frames when the device is writing to the compact flash and/or internal flash. If these operations are interrupted at the wrong time then the device could leave stuff on the device inconsistent (can you say unbootable).

And while I'm at it, you never really need to remove the battery to reboot the unit. It's just as easy to simply close the cover and wait a minute. This is electrically safer than the battery pull as the closed cover will cause a reset on the CPU and won't cause wear and tear on the battery, case or battery cover.

Just my 2 cents, feel free to ignore all of this and do as you like... Erik Walter [ebook@erikwalter.com]