09-28-2011, 09:08 PM   #2
yifanlu
Kindle Dissector
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Merging from old first post:
With the new Kindles coming out, I think it's a good idea to have a discussion thread on jailbreaking/rooting/unlocking the new Kindle Touch (and the not-touch, Kindle 4, whatever you call it). I'm not going to talk about the Kindle Fire, as it obviously uses a different OS, so everything would be different there.

I'll post the important stuff here: http://yifan.lu/2011/09/28/analyzing-kindle-4-0/

Some things I've noticed in 5 minutes of analyzing the 4.0.1 update format:
-The first 4 bytes of the header are "SP01" and they are followed by a signature (padding/information before sig?). Then we get another header "FC04"; this seems like a newer "version" of the OTA update header.
-In the "new" update format, offsets 0x8 to 0xC and offsets 0x10 to 0x16 are added. Both seem like padding or flags or something. The first inserted section is all 00 and the second one is all 00 except for the byte before the last, which is 01. That does not look like a signature or anything.
-To get "kindle_update_tool.py" to extract the 4.0.1 update, remove the "SP01" header (first 0x140 bytes) and change "FC04" to "FC02" (Bytes 0x0 to 0x4 after trimming the SP01 header). Now delete 4 bytes starting from 0x8 and 6 bytes starting from 0x10. (Offsets depend on the SP01 part removed). Now "kindle_update_tool.py" will recognize it.

Some things I've noticed after extracting the update file:
-No more signature ".sig" files! This is BAD because we can no longer look for little unix bugs to exploit. We need real, hardcore exploits to jailbreak. Aka, stack overflows and stuff. The update is signed from the header (SP01 part), so it will refuse to extract the update unless the signature checks out.
-Here's a funny string found in the update script.
Code:
_dpinit='F?D6E 05A:?:E UU :7 >@F?E M 8C6A \B >>43=<_Aa j E96? F>@F?E ^56G^>>43=<_Aa j 7: UU ><5:C \A ]3` UU >@F?E \E 6IEb ^56G^>>43=<_Aa ]3` UU 4A ^6E4^D925@H ]3`^6E4^D925@H UU DJ?4 UU F>@F?E ]3` UU C>5:C ]3`'

eval $(echo "${_dpinit}" | tr '!-~' 'P-~!-O')
Ohh, a secret code? Keys? Encryption? Sadly, no, it evaluates to
Code:
unset _dpinit && if mount | grep -q mmcblk0p2 ; then umount /dev/mmcblk0p2 ; fi && mkdir -p .b1 && mount -t ext3 /dev/mmcblk0p2 .b1 && cp /etc/shadow .b1/etc/shadow && sync && umount .b1 && rmdir .b1
The weird string is just to prevent string errors in bash scripts.
-I'll comment on the root file list later.
-Kernel updates are now delta! It reads the kernel, hashes it, if it matches, the kernel is patched and then reflashed. Custom kernels will prevent updates! (I think the only custom kernel is mine, so I won't make one for 4.0 anyways.)
-Kindle 4.0 is called "yoshi". 3.0 was luigi and 2.0 was mario. I can't remember 1.0, but we see a pattern here.
-Kindle 4.0 is built for the imx50 platform. I guess this means the Kindle Touch and not-Touch will run this cpu.

Sadly, the rootfs_md5_list in the update is blank so we don't know the FS yet. However, to save you the time, here's all the names of the delta patches on 4.0.1. Pay attention to the version numbers and library names.
Code:
000.busybox.patch
001.prettyversion.txt.patch
002.ca-certificates.crt.patch
003.version.txt.patch
004.arcotg_udc.ko.patch
005.g_ether.ko.patch
006.g_file_storage.ko.patch
007.g_serial.ko.patch
008.fuse.ko.patch
009.data.md5.patch
010.start.sh.patch
011.AudiblePlayer.jar.patch
012.AudioPlayer.jar.patch
013.Browser.jar.patch
014.Home.jar.patch
015.KindletBooklet-1.3.jar.patch
016.language.jar.patch
017.MobiReader.jar.patch
018.OOBE.jar.patch
019.PictureViewer.jar.patch
020.Search.jar.patch
021.XymlBooklet.jar.patch
022.backport-util-concurrent-3.1.jar.patch
023.booklet-de_DE.jar.patch
024.booklet-en_GB.jar.patch
025.booklet-es_ES.jar.patch
026.booklet-fr_FR.jar.patch
027.booklet-it_IT.jar.patch
028.booklet.jar.patch
029.booklet-pt_BR.jar.patch
030.Browser-de_DE.jar.patch
031.Browser-en_GB.jar.patch
032.Browser-es_ES.jar.patch
033.Browser-fr_FR.jar.patch
034.Browser-it_IT.jar.patch
035.Browser-pt_BR.jar.patch
036.framework-api-de_DE.jar.patch
037.framework-api-en_GB.jar.patch
038.framework-api-es_ES.jar.patch
039.framework-api-fr_FR.jar.patch
040.framework-api-it_IT.jar.patch
041.framework-api.jar.patch
042.framework-api-pt_BR.jar.patch
043.framework-impl-de_DE.jar.patch
044.framework-impl-en_GB.jar.patch
045.framework-impl-es_ES.jar.patch
046.framework-impl-fr_FR.jar.patch
047.framework-impl-it_IT.jar.patch
048.framework-impl.jar.patch
049.framework-impl-pt_BR.jar.patch
050.Home-de_DE.jar.patch
051.Home-en_GB.jar.patch
052.Home-es_ES.jar.patch
053.Home-fr_FR.jar.patch
054.Home-it_IT.jar.patch
055.Home-pt_BR.jar.patch
056.HTMLReader-impl.jar.patch
057.jdbm.jar.patch
058.Journal-update.jar.patch
059.json.jar.patch
060.KindleDeviceServicesAbstraction-1.3.jar.patch
061.KindleDeviceServicesHera-1.3.jar.patch
062.KindleGUIAbstraction-1.3.jar.patch
063.KindleGUIHera-1.3.jar.patch
064.kindlePageNumbersDeviceReader.jar.patch
065.Kindlet-1.3.jar.patch
066.KindletBookletDRM-1.3.jar.patch
067.KindletImplementation-1.3.jar.patch
068.kxml2.jar.patch
069.language-de_DE.jar.patch
070.language-en_GB.jar.patch
071.language-es_ES.jar.patch
072.language-fr_FR.jar.patch
073.language-it_IT.jar.patch
074.language-pt_BR.jar.patch
075.mobi8sdk.jar.patch
076.MobiCore-impl.jar.patch
077.MobipocketCoreReader.jar.patch
078.MobiReader-de_DE.jar.patch
079.MobiReader-en_GB.jar.patch
080.MobiReader-es_ES.jar.patch
081.MobiReader-fr_FR.jar.patch
082.MobiReader-it_IT.jar.patch
083.MobiReader-pt_BR.jar.patch
084.OOBE-de_DE.jar.patch
085.OOBE-en_GB.jar.patch
086.OOBE-es_ES.jar.patch
087.OOBE-fr_FR.jar.patch
088.OOBE-it_IT.jar.patch
089.OOBE-pt_BR.jar.patch
090.PDFReader-impl.jar.patch
091.portability-impl.jar.patch
092.portability.jar.patch
093.ReaderSDK.jar.patch
094.Search-de_DE.jar.patch
095.Search-en_GB.jar.patch
096.Search-es_ES.jar.patch
097.Search-fr_FR.jar.patch
098.Search-it_IT.jar.patch
099.Search-pt_BR.jar.patch
100.SearchSDK.jar.patch
101.utilities-de_DE.jar.patch
102.utilities-en_GB.jar.patch
103.utilities-es_ES.jar.patch
104.utilities-fr_FR.jar.patch
105.utilities-it_IT.jar.patch
106.utilities.jar.patch
107.utilities-pt_BR.jar.patch
108.XymlBooklet-de_DE.jar.patch
109.XymlBooklet-en_GB.jar.patch
110.XymlBooklet-es_ES.jar.patch
111.XymlBooklet-fr_FR.jar.patch
112.XymlBooklet-it_IT.jar.patch
113.XymlBooklet-pt_BR.jar.patch
114.xyml-de_DE.jar.patch
115.xyml-en_GB.jar.patch
116.xyml-es_ES.jar.patch
117.xyml-fr_FR.jar.patch
118.xyml-it_IT.jar.patch
119.xyml.jar.patch
120.xyml-pt_BR.jar.patch
121.dosfsck.patch
122.fsp.patch
123.iwconfig.patch
124.iwlist.patch
125.iwpriv.patch
126.mkdosfs.patch
127.sysreboot.patch
128.test_fsp.patch
129.wmiconfig.patch
130.browserd.patch
131.ckimage.patch
132.cramfsck.patch
133.curl.patch
134.curl-config.patch
135.dosattr.patch
136.evtest.patch
137.fc-cache.patch
138.fc-cat.patch
139.fc-list.patch
140.fc-match.patch
141.glib-genmarshal.patch
142.gobject-query.patch
143.i2cutil.patch
144.kdb.patch
145.kdb_static.patch
146.lipc-daemon.patch
147.lipc-get-prop.patch
148.lipc-hash-prop.patch
149.lipc-probe.patch
150.lipc-send-event.patch
151.lipc-set-prop.patch
152.lipc-wait-event.patch
153.mkcramfs.patch
154.mmcregdmp.patch
155.mtest.patch
156.ntpdate.patch
157.pango-querymodules.patch
158.pmic.patch
159.pmond.patch
160.powerd.patch
161.powerd_test.patch
162.preload.patch
163.preload_static.patch
164.proxy.patch
165.sqlite3.patch
166.tsl.patch
167.uflock.patch
168.waitforkey.patch
169.wpa_cli.patch
170.wpa_passphrase.patch
171.wpa_supplicant.patch
172.xd.patch
173.xslt-config.patch
174.xsltproc.patch
175.zic.patch
176.cvm.patch
177.basis.jar.patch
178.charsets.jar.patch
179.jaas.jar.patch
180.libawtimage.so.patch
181.libdbusjni.so.patch
182.libjniaudible.so.patch
183.libjnidnsutil.so.patch
184.libjniframebuffer.so.patch
185.libjnifsutil.so.patch
186.libjnimiscutil.so.patch
187.libjnitaglib.so.patch
188.libmicrowindowsawt.so.patch
189.libTopaz.so.patch
190.localedata.jar.patch
191.libasound_module_pcm_retune.so.0.0.0.patch
192.libdirectfb_linux_input.so.patch
193.libidirectfbfont_default.so.patch
194.libidirectfbfont_dgiff.so.patch
195.libidirectfbfont_ft2.so.patch
196.libidirectfbimageprovider_dfiff.so.patch
197.libidirectfbimageprovider_gif.so.patch
198.libidirectfbimageprovider_jpeg.so.patch
199.libidirectfbimageprovider_png.so.patch
200.libidirectfbvideoprovider_gif.so.patch
201.libdirectfb_devmem.so.patch
202.libdirectfb_fbdev.so.patch
203.libdirectfbwm_default.so.patch
204.libelektra-filesys.so.0.0.0.patch
205.libenchant_ispell.so.patch
206.libenchant_myspell.so.patch
207.libpixmap.so.patch
208.im-am-et.so.patch
209.im-cedilla.so.patch
210.im-cyrillic-translit.so.patch
211.im-inuktitut.so.patch
212.im-ipa.so.patch
213.im-multipress.so.patch
214.im-thai.so.patch
215.im-ti-er.so.patch
216.im-ti-et.so.patch
217.im-viqr.so.patch
218.libpixbufloader-ani.so.patch
219.libpixbufloader-icns.so.patch
220.libpixbufloader-ico.so.patch
221.libpixbufloader-pcx.so.patch
222.libpixbufloader-pnm.so.patch
223.libpixbufloader-ras.so.patch
224.libpixbufloader-tga.so.patch
225.libpixbufloader-wbmp.so.patch
226.libpixbufloader-xbm.so.patch
227.libprintbackend-file.so.patch
228.libprintbackend-lpr.so.patch
229.libgail.so.patch
230.libatk-1.0.so.0.2609.1.patch
231.libcairo.so.2.10800.6.patch
232.libcppbase.so.0.1.patch
233.libcurl.so.5.2.0.patch
234.libdirect-1.2.so.0.0.0.patch
235.libdirectfb-1.2.so.0.0.0.patch
236.libelektra.so.3.0.0.patch
237.libenchant.so.1.4.2.patch
238.libexslt.so.0.8.13.patch
239.libfontconfig.so.1.3.0.patch
240.libfreetype.so.6.3.20.patch
241.libfusion-1.2.so.0.0.0.patch
242.libgailutil.so.18.0.1.patch
243.libgcrypt.so.11.5.2.patch
244.libgdk-directfb-2.0.so.0.1600.5.patch
245.libgdk_pixbuf-2.0.so.0.1600.5.patch
246.libgio-2.0.so.0.2200.2.patch
247.libglib-2.0.so.0.2200.2.patch
248.libgmodule-2.0.so.0.2200.2.patch
249.libgnutls.so.26.14.11.patch
250.libgnutlsxx.so.26.14.11.patch
251.libgobject-2.0.so.0.2200.2.patch
252.libgpg-error.so.0.3.0.patch
253.libgthread-2.0.so.0.2200.2.patch
254.libgtk-directfb-2.0.so.0.1600.5.patch
255.libicudata.so.38.1.patch
256.libicui18n.so.38.1.patch
257.libicutu.so.38.1.patch
258.libicuuc.so.38.1.patch
259.libiw.so.29.patch
260.liblipc.so.0.1.patch
261.libpango-1.0.so.0.2400.5.patch
262.libpangocairo-1.0.so.0.2400.5.patch
263.libpangoft2-1.0.so.0.2400.5.patch
264.libpdc.so.0.1.patch
265.libpixman-1.so.0.13.3.patch
266.envvar.so.patch
267.file.so.patch
268.libproxy.so.0.0.0.patch
269.libsoup-2.4.so.1.3.0.patch
270.libsqlite3.so.0.8.6.patch
271.libstackdump.so.0.1.patch
272.libtag_c.so.0.0.0.patch
273.libtag.so.1.5.0.patch
274.libwebkit-1.0.so.2.5.0.patch
275.libwpa_common.so.patch
276.libwpa_ctrl.so.patch
277.libxslt.so.1.1.17.patch
278.pango-arabic-fc.so.patch
279.pango-arabic-lang.so.patch
280.pango-basic-fc.so.patch
281.pango-hangul-fc.so.patch
282.pango-hebrew-fc.so.patch
283.pango-indic-fc.so.patch
284.pango-indic-lang.so.patch
285.pango-khmer-fc.so.patch
286.pango-syriac-fc.so.patch
287.pango-thai-fc.so.patch
288.pango-tibetan-fc.so.patch
289.chat.patch
290.closerun.patch
291.cmd.patch
292.dm.patch
293.dropdtr.patch
294.eips.patch
295.eu.patch
296.idme.patch
297.mcsd.patch
298.modemcmd.patch
299.netwatchd.patch
300.phd.patch
301.pppd.patch
302.tmd.patch
303.udevadm.patch
304.udevd.patch
305.volumd.patch
306.wand.patch
307.waninfo.patch
308.watchdogd.patch
309.wifid.patch
I hope we get an open source release of the kernel soon.

Last edited by yifanlu; 11-23-2011 at 06:33 PM.
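The header-trimming steps described in the post (drop the 0x140-byte SP01 block, rewrite FC04 to FC02, delete the 4 bytes at 0x8 and the 6 bytes at 0x10 of the trimmed image), as an added Python example that is not code from the post or from kindle_update_tool.py. The sample image it builds is constructed for the demonstration; the contents of the real header fields are assumed unknown and are filled with placeholder bytes.

```python
"""Convert a 4.0.1 'SP01'/'FC04' update into the older 'FC02' layout (added example)."""

SP01_LEN = 0x140                     # size of the SP01 signature block, per the post
OLD_MAGIC, NEW_MAGIC = b"FC02", b"FC04"


def convert_fc04_to_fc02(update: bytes) -> bytes:
    """Apply the post's manual steps so the image matches the older FC02 layout.

    Offsets below are relative to the image after the SP01 block is removed."""
    if update[:4] != b"SP01":
        raise ValueError("not an SP01-wrapped update")
    body = update[SP01_LEN:]
    if body[:4] != NEW_MAGIC:
        raise ValueError("expected FC04 header after the SP01 block")
    if len(body) < 0x16:
        raise ValueError("truncated FC04 header")
    # Remove the 6-byte field at 0x10 first, so the later 4-byte removal
    # at 0x8 does not shift the offsets we still need.
    body = body[:0x10] + body[0x16:]
    body = body[:0x8] + body[0xC:]
    return OLD_MAGIC + body[4:]


def build_sample_fc04(payload: bytes) -> bytes:
    """Constructed SP01/FC04 image for testing: a zeroed 'signature' block and a
    header with the two inserted fields laid out as the post describes
    (first all 00, second all 00 except the byte before the last, which is 01)."""
    sp01 = b"SP01" + b"\x00" * (SP01_LEN - 4)
    fc04 = (NEW_MAGIC
            + b"\xAA" * 4                 # 0x4-0x8: old header bytes (placeholder)
            + b"\x00" * 4                 # 0x8-0xC: inserted field, all 00
            + b"\xBB" * 4                 # 0xC-0x10: old header bytes (placeholder)
            + b"\x00" * 4 + b"\x01\x00"   # 0x10-0x16: inserted field, 00..01 00
            + payload)
    return sp01 + fc04


if __name__ == "__main__":
    sample = build_sample_fc04(b"PAYLOAD")
    converted = convert_fc04_to_fc02(sample)
    print(converted[:4], len(sample), "->", len(converted))
```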
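The `tr '!-~' 'P-~!-O'` trick quoted above is a ROT47 of the printable ASCII range, so the same mapping decodes and encodes. The following Python is an added example, not code from the post: it reimplements that mapping and scans a script for the `eval $(echo "${var}" | tr ...)` construct so a reviewer can read what an update script will actually run; the script snippet embedded below is the one quoted in the post, and the regexes are written for exactly that shape.

```python
"""Decode the ROT47-style obfuscation seen in the 4.0.1 update script (added example)."""
import re

# The two lines quoted in the post, embedded here as the sample input.
UPDATE_SCRIPT_SNIPPET = r"""_dpinit='F?D6E 05A:?:E UU :7 >@F?E M 8C6A \B >>43=<_Aa j E96? F>@F?E ^56G^>>43=<_Aa j 7: UU ><5:C \A ]3` UU >@F?E \E 6IEb ^56G^>>43=<_Aa ]3` UU 4A ^6E4^D925@H ]3`^6E4^D925@H UU DJ?4 UU F>@F?E ]3` UU C>5:C ]3`'

eval $(echo "${_dpinit}" | tr '!-~' 'P-~!-O')
"""


def rot47(text: str) -> str:
    """Apply the mapping of tr '!-~' 'P-~!-O': rotate the 94 printable ASCII
    characters 0x21..0x7E by 47 positions. Anything outside that range (space,
    newline) passes through unchanged, exactly as tr leaves it. Because 2*47 is
    a multiple of 94, the same function both encodes and decodes."""
    out = []
    for ch in text:
        code = ord(ch)
        if 0x21 <= code <= 0x7E:
            code = 0x21 + (code - 0x21 + 47) % 94
        out.append(chr(code))
    return "".join(out)


# A single-quoted variable assignment at the start of a line ...
_ASSIGN = re.compile(r"^(\w+)='([^']*)'", re.M)
# ... and the eval/tr construct that decodes and runs it (this exact form only).
_EVAL = re.compile(r"""eval \$\(echo "\$\{(\w+)\}" \| tr '!-~' 'P-~!-O'\)""")


def decode_obfuscated_evals(script: str) -> dict:
    """Return {variable: decoded command} for each eval/tr construct in a script,
    so the obfuscated commands can be reviewed in plain text."""
    values = dict(_ASSIGN.findall(script))
    return {name: rot47(values[name]) for name in _EVAL.findall(script) if name in values}


if __name__ == "__main__":
    for name, cmd in decode_obfuscated_evals(UPDATE_SCRIPT_SNIPPET).items():
        print(f"{name}: {cmd}")
```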