2016-07-19 06:55:50

Hello,

Does anyone know how to access the internal disk of Talking book players like the Victor Stream or Book Port Plus? I've always been curious about the internal content on these devices. I'm not a programmer or hacker, but i'm assuming there's some kind of diagnostic mode or USB debugging or USB to serial interface for Linux. If no one knows, that's fine. I was just wondering how to access the internal drive with the software and other files/partitions.

Grab my Adventure at C: stages Right here.

2016-07-19 07:28:31

Hi. While i'm not sure how to access the fs directly, it appears possible to hack the bookport plus's firmware and grab it's filesystem anyway, or at least the default one, maybe the entire thing. Not sure on the stream, but you somehow got me intrested in p0wning the lil VerUp.dat that APH provides for raw updates. It scemes that all this dat file is, is this ultramassive library of code with references to paths in the filesystem, update instructions etc etc etc. It may be risky doing this on my BP it's self, but may try it. But, heres the thing. When updating, based on the wierd xml looking code in VerUp.dat, there is many references to /SDMemory/VerUp/Backup.BIN. I'm guessing, again a slight risk, but i'm guessing that, if I insert the SD card and tell it to begin updating, then half way threw the process yank out the SD Card, I should be able to plug it in and get a raw .bin file. Then well, ya know, have er, a bitta fun. I'll keep looking threw VerUp.dat though before I go and possibly own my BPP.

I am a web designer, and a game developer. If you wish see me at http://www.samtupy.com

2016-07-19 07:52:51

I wouldn't recommend doing that. Removing the card while updating could corrupt the internal disk and render the device inoperable. As for the update file, isn't that an encrypted data file with code and other files in it?

Grab my Adventure at C: stages Right here.

2016-07-19 10:31:55

um, er, update on my bp hack... whoa. Scemes a theory of mine was correct. Would be much easy if a decompiler existed that worked well, but well, we'll live hehehehehehehehehehehehe. Thinking this is some actual firmware code it's self.

I've found random parts of the built in user guide, random instances such as handles, shutdown beeps, all sorts of wierd things, but it doesn't make much sense yet, I havn't figured out a patern.
Holy, shit. Been working for a minute, and check this out!
/NAND Flash2/Guide/LOCALE_GUIDE1.wav
And below that is a wav header! Won't submit post yet, let's see if I can manage to extract this sound.
Ok, been working for another long while, and I do believe that I have figured out the instructions for the raw update data. I now have to write a script to extract this wierd filesystem data, after I extract only that contents from the instructions in VerUp.dat. Patern scemes to be.
/NAND Flash2/path/to/file.extension
<<BINData>>
/NAND Flash2/path/to/file.extension
<<BINData>>
/NAND Flash2/path/to/file.extension
<<BINData>>
/NAND Flash2/path/to/file.extension
<<BINData>>
Etc etc.
I've never ventured this deep into my bookport before. Lol. I can tell you there is a /guide folder on the flash, and this contains the wav files, probably in 22K, of tarisa or how ever you spell her name reading the BP Prompts. BBL with update...
Oi. Little mini update, APH's idea of .dll files is messed up. Or have DLL's decided to be plane text. This looks like in ini file. Well, we'll see soon if my theory about the fs data is right or now.
Ah. Ok, figured out my issue here. I had the patern reversed. It's BinData
/NAND Flash/path/to/file.extension
I had a hard time finding the beginning of the FS. Heh. Back to woik.
Ok, thought of something. If I can't succeed, someone can try messing with the network folder or USB etc, you know how on the network folder it is /SDMemory? Well, it is referenced this way in VerUp. I may try this to, but try going to \\BPName\NAND Flash2\
I doubt it would work, but it's a possibility. If I can't dump the FS this way, i'll try it. Lol I love how i'm writing a little blog. Hehehehehehehehehe. Back to woik.
Whoa, what da world is an executable doing in the bookports /APP directory. Guys, based on all these DLL's and EXE files i'm finding, I think the bookport is running some sort of DOS/Win OS.
Oh hey cool, I found the text table.ini file. Yeah guys, extracting this filesystem may proove to be very very easy. Ok, atempting to save the modded VerUp file!
File saved, time to start working on the script!
So running into issues while coding, I can work around them, but parsing all of this text is so annoying.
So, took a break from the script and completely tested what I was thinking, the entire basis! And? And? Guys? I've done it! I've done it! I have extracted a random book port plus sound from the firmware and played it! It was really staticky probs because of sample rates etc, but I could clearly hear it saying "US English. Samantha" in the sound! Really cool! Back to the god offle script...
So, worked on the thing for hours, and almost got it working. Most of the guide speech and some of the sounds are either A, encrypted, or B, not included in the update to keep the update size down. I'll finish tomorrow, I gotta go to bed. But yeah, The link i'll post tomorrow will in short give you a glimps of some of the BPP's internal FS.

I am a web designer, and a game developer. If you wish see me at http://www.samtupy.com

2016-07-19 17:54:19

I know the device runs a version of Windows CE under the hood. What I'm especially curious about are the Nuance voices. I wonder if it would be possible to replace Samantha with a version of Tom. I asked about it, but I was told by APH support that they didn't have enough internal memory for both. This thing must have a really small internal drive.

Grab my Adventure at C: stages Right here.

2016-07-19 21:42:46

Accessing the Victor Reader Stream's internal memory isn't needed unless you want to try hacking it, because you can copy any media stored in the internal memory to an SD card. You can also import and export many settings to the SD card too.

2016-07-20 00:35:28

For anyone who follows me on Twitter this may be old news, but in case you don't, I actually just today managed to extract the contents of a Victor Reader Stream UPG file. I simply used 7zip to extract the upgrade and got all the 904 stream sounds. And the stream, from what I can get out of the update, is running a modified version of Linux. Also some sounds are reused from other products, such as the stratis, and the class mate reader. And it turns out that the UPG file is actually a Squash FS archive. Squash FS is a file system that is used in Linux, usually on embedded systems.

Oh no! Somebody released the h key! Everybody run and hide!

2016-07-20 09:39:51

If you're a Bookshare member, you can get some of the sounds from the Stream by downloading the Victor Reader Soft application.

2016-07-20 23:06:12

What is the Victor Reader Soft program?

Grab my Adventure at C: stages Right here.

2016-07-20 23:40:33

Good question, Chris. And why would you need it since the Victor Reader Stream can access your Book Share account and download the books you want directly.

2016-07-23 03:09:51

Read about it here: https://www.bookshare.org/cms/help-cent … eader-soft

2016-07-24 14:19:58 (edited by jack 2016-07-24 14:23:23)

Victor Reader Soft was actually a commercial product way back when. Pc version of the Victor Reader platform. As for accessing the file system on the stream, I do agree a debug interface would be nice. I'd actually like to do that not only for curiosity, but as a faster way of transferring those large internet radio recordings or other media that transferrs too slow with the stream itself. It could already be included, since after all the Nls Players, which use a slim victor platform as the firmware interface, do have a command-line debug through an internal serial interface, the Stream probably has a debug interface as well.

2016-07-24 15:04:57 (edited by Slender 2016-07-24 15:07:17)

There is a command line debugging interface? How does it work?

Oh no! Somebody released the h key! Everybody run and hide!

2016-07-24 22:49:51

You have to press a key command that I can't quite remember off the top of my head, possibly fast forward, sleep and tone down or rewind, sleep and tone up while pressing the power key. You also can't just use a mini usb cable as the player has a full-sized usb port. A lot of stuff that's not in the player's user manual is fully exposed if you look hard enough, whether intended or not. You can even get the right-protect software that is used to right-protect the cartridges right there on the website, and could possibly use that to right-protect usb media to make a makeshift secure drive with a drive that doesn't have a physical read-write mechanism.

2016-07-25 03:49:51

Rewind, sleep and tone up worked. It seems to report the player status, which is what I've managed to access right now.

Oh no! Somebody released the h key! Everybody run and hide!

2016-07-25 13:23:54

Rewind, sleep and tone down would be library diagnostic mode, then. Also, considering there's no direct way to delete all bookmarks, the best way is volume, speed, and tone up while turning the player on, and it will clear your profile which includes bookmarks, settings, and button press history.

2016-07-25 13:47:57

How did you find these anyway? Is there something that documents these keys?

Oh no! Somebody released the h key! Everybody run and hide!

2016-07-25 17:17:55

Oh, it's completely transparent. The diagnostic mode I found through the dtbm training manual on the site, and the technical manual is up there too. That's also where I found the media right protection software. It's supposed to be for higher level diagnostics, but you can very easily stumble upon. Still wonder if that software works with any usb drive, because that would be a good way to secure a drive. Hell, if it worked on sd cards, then they could get rich of that damn lever to lock the card, because no matter how durable a card is, there still usually the first things to break because they're so easy to break!

2016-07-25 17:58:25

Where exactly are the links to the manuals? I haven't found them on the main site.

Oh no! Somebody released the h key! Everybody run and hide!

2016-07-25 20:56:45

http://www.loc.gov/nls/transition/
There you'll find the manual, as well as the write protection software.

2016-07-26 02:50:10

I've actually been interested in trying to decrypt NLS books for some time. Not for any evil purpose, but just in order to convert them into a standard file format to extract parts of them, etc. I sent a friend an NLS firmware update, and I think he said it was a SquashFS, but the audio prompts are encrypted. Apparently to go any further, someone would have to do a filesystem dump of a real, working player, not just a firmware update file.

2016-07-26 09:31:14

There are some NLS books on the Open Library website.

2016-07-27 18:09:36

Hello,

Isn't Open Library just Daisy text? What NLS books are available on the site?

Grab my Adventure at C: stages Right here.

2017-07-11 15:15:07

Hi all,
Just found this topic after doing some google searching.
I have found out that it is possible to replace the built-in memory in the stream in order to allow you to store more data from services like Daisy Direct to Player and podcasts.
You do this by removing the built-in micro-sd card and replacing it with a new one.
The stream firmware is also stored on this card.
There is a guy that will sell you a card for around $37 that is already upgraded, but I really want to do it myself.
Also, I have tried contacting him and am not getting any response.
When I tried taking an image of the old 4gb internal card and writing it to a 32gb card, the stream wouldn't boot and went into a rom recovery mode.
32gb cards should work, since I know someone who bought a 32gb card from the guy I mentioned earlier.
So, are there any hacker types on here that would be willing to help me figure this out? I'm familiar with Linux, but am probably missing something.

2017-07-11 15:52:24 (edited by jack 2017-07-11 15:54:02)

Are you telling me the micro sd card isn't soldered into the stream 2? Are you getting the thing open on your own too with its 2 screws in the top left and right side of the stream? Also, that's weird. Konrad usually responds to emails. I sold my phone to him a while back. Why not try again? And what exactly do you mean by rom recovery? The diagnostics menu? If you're gonna do this yourself, you probably also need to resize the card using linux.