Old 01-23-2010, 09:13 AM   #5
jft
Enthusiast
Join Date: Jan 2010
Location: Germany
Device: Kindle DXi
Ok. So here are the details about the sigs:

Quote:
The difference with earlier Kindles is that now each file in the package must be signed.
The signature is then checked against the RSA key installed in the ROM.

Unfortunately, there's no way to bypass that check.

So what we first do is install an extra RSA key in the device.
That's what the update file update_freekindle.bin is for.

update_freekindle.bin uses a "feature" (some would call it a flaw) of the tar compressor. Kindle binary packages are just gzipped tar files, slightly encrypted, as discovered by Igor Skochinsky. When extracting the content of the update, the Kindle simply calls tar on it.

Tar follows symlinks, and we use this to write where we're not supposed to.
Quote:
What this package does is add our key to the list of keys available. So next time the Kindle will check the signatures of the files we are installing, the verification process will succeed.
And here is the funky part of the script:

Code:
import os
import random
import tarfile
import tempfile

# KINDLE_HACK_DIR, KINDLE_HACK_KEYNAME, NEW_KEY, add_tarfile() and the open
# `tar` archive are defined elsewhere in the script and not shown in the post.

# Create fake symlink: a randomly named entry that points at the key directory
namedir = '__dir' + str(random.randint(1000, 9999))
tarinfo = tarfile.TarInfo(namedir)
tarinfo.type = tarfile.SYMTYPE
tarinfo.linkname = KINDLE_HACK_DIR
tar.addfile(tarinfo)

# Create new key: write it to a temp file, then add it "inside" the symlink
fd, tmpfile = tempfile.mkstemp()
fs = os.fdopen(fd, "wb")
fs.write(NEW_KEY)
fs.close()
tarinfo = tar.gettarinfo(tmpfile, arcname=namedir + '/' + KINDLE_HACK_KEYNAME)
add_tarfile(tarinfo, tmpfile, tar)
os.remove(tmpfile)
So a symlink in the tar is created that points to the dir on the Kindle that includes the Amazon public key. There is also an entry with "our" public key in the symlink dir. Tar on the Kindle extracts the symlink and then "our" key into the folder the symlink points to. Now the Kindle approves the signatures of the files included in the tar (created with "our" private key).

The public key has to be exchanged because we do not have access to the private key of Amazon and so could never create valid signatures.

See wikipedia for detailed information about signatures.

Last edited by jft; 01-23-2010 at 09:19 AM.
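The weakness the post relies on is an extractor that follows a symlink created earlier in the same archive. As an added example (not from the post or the jailbreak script), here is a Python check that walks a tar archive member by member, keeps track of symlink members, and reports any later member whose data would land outside the extraction directory. The constructed sample archive uses the placeholder link target /outside/keys and the hypothetical destination /dest; the extra file, key contents and names are made up for the test.

```python
import io
import posixpath
import tarfile
from typing import Dict, List, Tuple


def _resolve(cur: str, name: str, links: Dict[str, str]) -> str:
    """Walk `name` from `cur` one component at a time, substituting any
    path that an earlier symlink member redirected elsewhere."""
    for comp in name.split("/"):
        if comp in ("", "."):
            continue
        cur = posixpath.normpath(posixpath.join(cur, comp))
        cur = links.get(cur, cur)
    return cur


def unsafe_tar_members(data: bytes, dest: str = "/dest") -> List[Tuple[str, str]]:
    """Return (member name, resolved write path) for every member whose data
    would be written outside `dest` by an extractor that follows symlinks
    from the same archive. `dest` is a hypothetical extraction directory."""
    links: Dict[str, str] = {}
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            parent = _resolve(dest, posixpath.dirname(m.name), links)
            path = posixpath.normpath(posixpath.join(parent, posixpath.basename(m.name)))
            if m.issym():
                target = m.linkname if m.linkname.startswith("/") else posixpath.join(parent, m.linkname)
                links[path] = posixpath.normpath(target)
                continue  # the link itself writes no data; entries through it do
            if not (path == dest or path.startswith(dest + "/")):
                findings.append((m.name, path))
    return findings


def build_sample() -> bytes:
    """Constructed test archive: a symlink to an outside directory, a file
    placed 'inside' that symlink, and one benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("__dir4242")
        link.type = tarfile.SYMTYPE
        link.linkname = "/outside/keys"  # placeholder, not a real device path
        tar.addfile(link)
        for name, body in (("__dir4242/extra.pem", b"constructed key\n"), ("etc/benign.conf", b"x\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Modern GNU tar no longer follows a symlink it created from the same archive, and Python's tarfile rejects such members when extracting with filter="data" (3.12 and the backports), which is the mitigation this check approximates for older extractors.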