Ok. So here are the details about the sigs:
Quote:
The difference with earlier Kindles is that now each file in the package must be signed.
The signature is then checked against the RSA key installed in the ROM.
Unfortunately, there's no way to bypass that check.
So what we first do is install an extra RSA key in the device.
That's what the update file update_freekindle.bin is for.
update_freekindle.bin uses a "feature" (some would call it a flaw) of the tar compressor. Kindle binary packages are just gzipped tar files, slightly encrypted, as discovered by Igor Skochinsky. When extracting the content of the update, the Kindle simply calls tar on it.
Tar follows symlinks; and we use this to write where we're not supposed to.
Quote:
What this package does is add our key to the list of keys available. So next time the Kindle will check the signatures of the files we are installing, the verification process will succeed.
And here is the funky part of the script:
Code:
import os
import random
import tarfile
import tempfile

# Excerpt from the script: KINDLE_HACK_DIR, KINDLE_HACK_KEYNAME, NEW_KEY,
# the open `tar` archive and the add_tarfile() helper are defined elsewhere in it.

# Create fake symlink: a randomly named entry whose target is the key directory
namedir = '__dir' + str(random.randint(1000, 9999))
tarinfo = tarfile.TarInfo(namedir)
tarinfo.type = tarfile.SYMTYPE
tarinfo.linkname = KINDLE_HACK_DIR
tar.addfile(tarinfo)

# Create new key: write it to a temp file, then add it beneath the symlink name
fd, tmpfile = tempfile.mkstemp()
fs = os.fdopen(fd, "wb")
fs.write(NEW_KEY)
fs.close()
tarinfo = tar.gettarinfo(tmpfile, arcname=namedir + '/' + KINDLE_HACK_KEYNAME)
add_tarfile(tarinfo, tmpfile, tar)
os.remove(tmpfile)
So the tar contains a symlink that points to the directory on the Kindle holding Amazon's public key, followed by an entry for "our" public key placed beneath that symlink's name. Tar on the Kindle extracts the symlink first and then writes "our" key into the directory the symlink points to. From then on the Kindle accepts the signatures of the files included in the tar, which were created with "our" private key.
The public key has to be replaced because we do not have Amazon's private key and so could never create signatures that verify against the original key.
See Wikipedia for detailed information about signatures.
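As an added example (not part of the post or of the jailbreak script), here is a Python check a defender could run over an update archive before extraction: it records symlink members and flags any later member whose path is written through one of them to a location outside the extraction root, which is exactly the layout the post describes. The directory paths and key file name in the sample archive are constructed placeholders.

```python
import io
import posixpath
import tarfile

def symlink_escapes(tar):
    """Return (member name, resolved path) for regular members whose path
    passes through a symlink member recorded earlier in the archive and
    whose resolved destination lies outside the extraction root."""
    links = {}      # normalised symlink member name -> link target
    escapes = []
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if m.issym():
            links[name] = m.linkname
            continue
        parts = name.split('/')
        # Check each parent prefix; the first one that is a known symlink
        # decides where the entry is really written.
        for i in range(1, len(parts)):
            prefix = '/'.join(parts[:i])
            if prefix not in links:
                continue
            target = links[prefix]
            if not posixpath.isabs(target):
                target = posixpath.join(posixpath.dirname(prefix), target)
            resolved = posixpath.normpath(posixpath.join(target, *parts[i:]))
            if posixpath.isabs(resolved) or resolved.startswith('..'):
                escapes.append((m.name, resolved))
            break
    return escapes

def build_sample(link_target):
    """Constructed sample archive (not a real update): a symlink member
    followed by a file entry placed beneath it, the layout the post describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        link = tarfile.TarInfo('__dir1234')
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
        payload = b'constructed placeholder, not a real key\n'
        key = tarfile.TarInfo('__dir1234/pubkey.pem')
        key.size = len(payload)
        tar.addfile(key, io.BytesIO(payload))
    return buf.getvalue()

def scan(data):
    with tarfile.open(fileobj=io.BytesIO(data), mode='r') as tar:
        return symlink_escapes(tar)
```

A symlink whose target stays inside the tree (e.g. `subdir`) is not reported; absolute targets and `..` traversal are. Python 3.12's `tarfile` extraction filter (`extractall(filter='data')`) rejects the same pattern at extraction time.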