Old 04-02-2011, 10:25 PM   #3
yifanlu
Kindle Dissector
Posts: 662
Karma: 170717
Join Date: Jul 2010
Device: Amazon Kindle 3
Progress report:
One of the things I want to do is allow the Kindle to create its own update. So the Kindle 3 can generate the Kindle 2 update using its own files. (Otherwise, you have to copy all the files from the K3 to your computer and make an update with kindle_update_tool.py). The hard thing about creating a K3 update is Amazon's "encryption" method (left shift 4 OR right shift 4 & 0xff ^ 0x7a). Igor wrote the nice kindle_update_tool.py, but it would be stupid to port python to Kindle just for this one thing. So what I did was disassemble amazon's "dm" (decrypt update) and modified it to a new file "md" (encrypt update). Here are the changes:

DM (from Amazon, comment by me):
Code:
		BL	getchar // get next input byte into R0 (getchar returns -1 on EOF)
		EOR	R3, R0,	#0x7A // R3 = R0 ^ 0x7A
		CMN	R0, #1 // compare R0 with -1: Z is set only when getchar returned EOF
		MOV	R0, R3,LSR#4 // R0 = R3 >> 4
		AND	R0, R0,	#0xF // R0 = R0 & 0xF (high nibble moved down)
		ORR	R0, R0,	R3,LSL#4 // R0 = R0 | (R3 << 4) (low nibble moved up: nibbles swapped)
		BNE	loc_8470 // not EOF: branch to loc_8470 with the decoded byte in R0
		MOV	R0, #0 // EOF: return value 0
		ADD	SP, SP,	#4 // don't care
		LDMFD	SP!, {PC} // don't care
MD (by me, comment by me):
Code:
		BL	getchar // get next input byte into R0 (getchar returns -1 on EOF)
		CMN	R0, #1 // compare R0 with -1: Z is set only when getchar returned EOF
		MOV	R3, R0,LSR#4 // R3 = R0 >> 4
		AND	R3, R3,	#0xF // R3 = R3 & 0xF (high nibble moved down)
		ORR	R3, R3,	R0,LSL#4 // R3 = R3 | (R0 << 4) (low nibble moved up: nibbles swapped)
		EOR	R0, R3,	#0x7A // R0 = R3 ^ 0x7A
		BNE	loc_8470 // not EOF: branch to loc_8470 with the encoded byte in R0
		MOV	R0, #0 // EOF: return value 0
		ADD	SP, SP,	#4 // don't care
		LDMFD	SP!, {PC} // don't care
Now we can create updates from the Kindle directly.

If you want to try it out, here's the patch from dm to md: http://yifan.lu/files/md.bspatch

MD5 values:
dm: 6725ac822654b97355facd138f86d438
md.bspatch: 64404f7f82b0a1ba3561cdf12e9cbd18
md: 3b650bcf4021b41d70796d93e1aad658

Usage: bspatch /path/to/dm md /path/to/md.bspatch

You can play around with encryption and decryption by:
echo 'hello world' | md > hello.bin
cat hello.bin | dm
You should see your message back.


EDIT: Here's a script that will run on the Kindle and convert a tar.gz into an update package http://pastebin.com/2L4pqhsw

Last edited by yifanlu; 04-03-2011 at 04:56 PM.
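As an added example (not code from the post or from the dm/md binaries), here is a Python model of the per-byte transform the two disassemblies above implement; it shows that both directions are the same nibble swap with a fixed XOR constant and that they round-trip, and that no key is involved anywhere.

```python
# Added example, not code from the post: a Python model of the per-byte
# transform in the dm and md disassemblies (nibble swap plus XOR 0x7A).
# There is no key, so this is obfuscation rather than encryption.

XOR_CONST = 0x7A


def swap_nibbles(b: int) -> int:
    """Exchange the high and low nibble of a byte: 0x8F -> 0xF8."""
    return ((b >> 4) & 0x0F) | ((b << 4) & 0xF0)


def dm_byte(b: int) -> int:
    """Decode one byte as dm does: EOR with 0x7A first, then swap nibbles.
    Since a nibble swap is a bit permutation, this equals swap(b) ^ 0xA7."""
    r3 = (b ^ XOR_CONST) & 0xFF     # EOR R3, R0, #0x7A
    return swap_nibbles(r3)          # MOV/AND/ORR sequence on R3


def md_byte(b: int) -> int:
    """Encode one byte as md does: swap nibbles first, then EOR with 0x7A."""
    r3 = swap_nibbles(b)             # MOV/AND/ORR sequence on R0
    return (r3 ^ XOR_CONST) & 0xFF   # EOR R0, R3, #0x7A


def dm(data: bytes) -> bytes:
    """Equivalent of `cat file | dm` (EOF handling left to the caller)."""
    return bytes(dm_byte(b) for b in data)


def md(data: bytes) -> bytes:
    """Equivalent of `cat file | md`."""
    return bytes(md_byte(b) for b in data)


def round_trips(data: bytes) -> bool:
    """dm and md are mutual inverses: the nibble swap is an involution and
    XOR undoes itself, so dm(md(x)) == md(dm(x)) == x for any byte string."""
    return dm(md(data)) == data and md(dm(data)) == data


if __name__ == "__main__":
    # Constructed sample input mirroring the post's `echo 'hello world' | md`.
    plain = b"hello world\n"
    print(md(plain).hex(), round_trips(plain))
```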