Old 10-29-2009, 05:46 AM   #4
clarknova
Addict
Posts: 241
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
Break in with a tarbomb.

There's a way you can break into the K2int with a carefully crafted tarbomb. Because the update files are just tarballs that are encoded and prefixed with a header, it's an easy thing.

The update scripts (of the K1/K2/KDX, and certainly the K2int does the same) do this to unpack the bin:
Code:
extract_bundle()
{
    dd if=$1 bs=${BLOCK_SIZE} skip=1 | dm | tar -C $2 -xzvf -
}
GNU tar and BusyBox tar don't fall for tarbombs that have leading slashes or parent directory references; however, they do preserve symlinks.

So if we write a startup script that will execute arbitrary code on boot:
Code:
#!/bin/sh

EXEC=/mnt/us/exec.sh

_FUNCTIONS=/etc/rc.d/functions
[ -f ${_FUNCTIONS} ] && . ${_FUNCTIONS}

check_exec()
{
  if [ -e $EXEC ]; then
    /bin/sh $EXEC
    exit 0
  fi
}

case "$1" in
  start)
    check_exec
    ;;
  stop)
    ;;
  *)
    msg "Usage: $0 (start|stop)" W >&2
    exit 1
    ;;
esac

exit 0
We can call this S90arbitrary_code. If this is in the rc5.d directory, then it will execute (hopefully before framework, so this also gives us limited anti-brick capabilities) on startup. At which point it would look for a shell script in the root of the USB partition and execute it if it exists. Now we just need to craft the tarball on a unix machine:
Code:
# mkdir foo
# cd foo
# ln -s /etc/rc5.d bar
  #### We've just created bar which is a symlink to /etc/rc5.d
# tar cvf /tmp/bomb.tar bar
  #### Now we've added the bar symlink to /tmp/bomb.tar
# rm bar
  #### unlink bar
# mkdir bar
# cd bar
# ... create the S90arbitrary_code file ...
# chmod 755 S90arbitrary_code
  #### make it executable.
# cd ..
# tar rvf /tmp/bomb.tar bar/S90arbitrary_code
  #### append the script to the tarball.
# gzip /tmp/bomb.tar
This leaves us with /tmp/bomb.tar.gz which contains two files, bar, a symlink to /etc/rc5.d and bar/S90arbitrary_code. When unpacked it will create the symlink first, and then extract S90arbitrary_code to where that symlink points (/etc/rc5.d).

So if you then scramble the tarball (see igorsk's page), and prepend the necessary 64-byte update header, then the K2int will end up creating the /etc/rc5.d/S90arbitrary_code startup script for you when it tries to run the update. The update will fail, but it won't matter. Any code you place into a file called "exec.sh" on the USB partition of your K2int will be executed after startup (and on each reboot).

Needless to say, this isn't for everyone, and has a potential for damage. But if someone with a K2int wants in badly enough without wanting to wait for a serial console or an official update bin, then this will work, and hopefully allow them to get an image of the firmware and see what the new signature routines in the /usr/sbin/otaup script are.

Update: I just tested this on my K2(US) and it works perfectly, so it should work just as well on the K2(International).

Last edited by clarknova; 10-29-2009 at 07:36 AM.
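The weakness the post relies on is that tar processes members in order and never looks back: once "bar" has been created as a symlink, "bar/S90arbitrary_code" is written through it. The fix on the receiving side is to audit the whole archive before anything is extracted. The following is an added example, not code from the post or from the Kindle firmware: a Python audit that flags member paths escaping the extraction root, link targets that resolve outside it, and members whose path passes through an earlier symlink member. The sample archive it builds in memory is constructed here for illustration and only mirrors the member names the post describes; the function names (audit_tar, extract_if_clean, build_sample_archive) are my own.

```python
"""Audit a tar archive for symlink-based path traversal before extracting it.

Added example (not code from the post or from the Kindle firmware). Names such
as audit_tar, build_sample_archive and extract_if_clean are my own choices.
"""
import io
import posixpath
import tarfile


def _escapes_root(path):
    """True for absolute paths and for paths that climb above the extraction root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def _symlink_prefix(norm_name, symlinks):
    """Return the first directory prefix of norm_name that an earlier member
    declared as a symlink, or None. This is the tarbomb pattern: tar creates
    'bar' -> /etc/rc5.d, then writes 'bar/S90...' through it."""
    parts = norm_name.split("/")
    for i in range(1, len(parts)):
        prefix = "/".join(parts[:i])
        if prefix in symlinks:
            return prefix
    return None


def audit_tar(fileobj):
    """Walk the archive in member order and return a list of (name, reason).

    Flags: member paths escaping the root, link targets resolving outside the
    root, and members written through a previously defined symlink member.
    An empty list means the archive passed.
    """
    findings = []
    symlinks = {}  # normalized member path -> link target
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = m.name
            if _escapes_root(name):
                findings.append((name, "member path escapes the extraction root"))
                continue
            norm = posixpath.normpath(name)
            via = _symlink_prefix(norm, symlinks)
            if via is not None:
                findings.append((name, f"path passes through symlink {via!r} -> {symlinks[via]!r}"))
            if m.issym() or m.islnk():
                target = m.linkname
                # Relative symlink targets resolve against the link's own directory;
                # hard-link targets are already archive-relative member paths.
                if m.issym() and not target.startswith("/"):
                    resolved = posixpath.join(posixpath.dirname(norm), target)
                else:
                    resolved = target
                if _escapes_root(resolved):
                    findings.append((name, f"link target {target!r} resolves outside the extraction root"))
                if m.issym():
                    symlinks[norm] = target
    return findings


def extract_if_clean(fileobj, dest):
    """Refuse to unpack an archive that fails the audit; otherwise extract to dest."""
    findings = audit_tar(fileobj)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(f"{n}: {r}" for n, r in findings))
    fileobj.seek(0)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        tar.extractall(dest)


def build_sample_archive():
    """Constructed test input mirroring the post: a symlink member followed by a
    file under it, plus one benign member for contrast. Built in memory only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("bar")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/rc5.d"
        tar.addfile(link)
        body = b"#!/bin/sh\n# constructed placeholder, does nothing\nexit 0\n"
        script = tarfile.TarInfo("bar/S90arbitrary_code")
        script.size = len(body)
        script.mode = 0o755
        tar.addfile(script, io.BytesIO(body))
        readme = b"harmless\n"
        doc = tarfile.TarInfo("docs/README")
        doc.size = len(readme)
        tar.addfile(doc, io.BytesIO(readme))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_archive()):
        print(f"{name}: {reason}")
```

Run against the constructed archive, the audit reports two findings: "bar" for a link target outside the root, and "bar/S90arbitrary_code" for being written through that symlink; "docs/README" passes. The check has to be made over the archive as a whole, in member order, before the first byte is written, since a plain tar run has no way of knowing that "bar" will already be a symlink by the time "bar/..." arrives. On Python 3.12 and later, tarfile.extractall(filter="data") rejects the same classes of member; the explicit audit above also works on older interpreters and gives the operator a readable reason for the refusal.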