View Single Post
Old 11-05-2009, 10:56 PM   #31
Lo_Pan
Member
Lo_Pan began at the beginning.
 
Posts: 12
Karma: 10
Join Date: Nov 2009
Device: kindle 2 international
Quote:
Originally Posted by jyavenard View Post
How is that any relevant to the question or even the problem at hand?

Assuming the stuff doesn't install in recovery mode because of the way it's packaged ; why do you think repackaging something with -k2iex would suddenly work?

And even simply trying a system update for a Kindle 2 on a Kindle 2 ; what a sure way of bricking your device... And Kindle 2 package aren't signed ; so they would never work on a K2i to start with
G'day mate,

I was simply pointing out that the igor/you packer packages aren't installed either at recovery or at boot, except if runlevel three is called. They are deleted, however, if they are named update-ota-system*.bin, which is the expected behavior at the end of the updater in runlevel three. this initially led me to believe that runlevel three was (and maybe it is) being called. The only problem I have with the assumption that runlevel 3 is being called is that if i manually push a package through the updater script, it appears to work, which is contrary to all observations of booting/recovering.

US_FLASH_FILE=/mnt/us/update-ota-system*.bin
...snip...
rm -f ${US_FLASH_FILE} ${MMC_FLASH_FILE} 2>/dev/null

I don't have a kindle 2, just a 2i, but I DID see what happens if i put a k2 update bin in the k2i and attempt a recovery install, as well as just booting just to see what happened, if anything. The k2i simply ignored the package, and didnt delete it, which is what i expected, and is consistent with runlevel 3.

I suspect that the recovery and/or boot updater is similar to runlevel 3 as some of the behaviors are the same. So because I have no idea what this unseen updater is expecting in terms of the assembly of the package, i have been attempting to exploit what i suspect the script does, going off noticed similarities to the S50updater from runlevel 3.

One major hurdle is that i have very little information to go on, and the most likely exploit vector i can see is crippled by fat32 on the userstore. blowing the userstore away and replacing with ext2/3 simply results in the kindle overwriting the entire area with a fresh fat32 fs, even if multiple partitions and filesystems are created. In testing i was able to create a malformed filename that executed arbitrary shell commands on the kindle, however the filename isn't valid in fat32 land. I haven't had a chance to manually fiddle the fat32 file descriptors directly yet, but it is something i intend to do when i have some spare time. I imagine the ext idea would have failed due to the fuserland filesystem proxy that may be abstracting the media, but it was worth a shot.

I haven't gotten around to digging deeper as I have been busy with work, but I hope to get to it sometime over the weekend (provided i make it home after the bucks night), or during the next week.

So in answer to your question, i didn't think that going from k2i to k2iex would magically solve the problem, i was just saying the packages dont install when booting or recovery installing. i'll aim to be a bit more verbose next time.

Last edited by Lo_Pan; 11-05-2009 at 11:09 PM.
Lo_Pan is offline   Reply With Quote