MobileRead Forums - View Single Post - [Progress] Jailbreaking Kindle 4.0 (Touch/No Keyboard)

geekmaster · 12-03-2011, 12:15 AM

In my routers, I dual boot. I copied the firmware into an image I store on MMC, which is what gets patched and modified. The only change in the original root is a startup script that flashes an LED, waits a few seconds for a keypress, and if none, loads the mmc driver, loopmounts the image, and does a pivotroot to it. If the button is pressed when LED flash, it falls through and does nothing, letting the stock firmware run.

We could do something similar here.

Because of the pivotroot, ONLY the image code is running, unlike chroot where only a process switches over. We can modify our copy of the OS all we want, and boot the original code by pressing a button when the LED flashes during boot. We can even intercept an update, and let the update analyze the original unmodified code, like a viral rootkit...

The kindle needs a rootkit!

Of course, having an image that is a copy of everything would use space, and the newer kindles have smaller storage. In my images, I have symlinks to the original stuff that was pivoted out to a mount point. I only replace busybox stuff when I need extra functionality. My image copy gets duplicates replaced by symlinks, making it a lot smaller.

A more modern way to do this with less manual intervention would be a COW fs that overlays the original, similar to how OpenWrt works.

If we pivotroot, it would be nice to detect a "phone home" app or backdoor intrusion by amazon, and chroot that process back to the original mountpoints.

The reason I brought this up is that it could simplify uninstalls and updates, and would allow what would otherwise be very intrusive mods.

Alternatively, bind mounts could replace pivotroot in most cases, but would still need a startup script to do the mounts.

As a minimum though, I would like to see a dual boot based on pressing a button at just the right time, signalled by an LED flash, or some onscreen indicator, or a brief non-annoying "jailbreak" sound during bootup (signalling when to press a button to skip jailbreak boot). For that matter, you could even write a boot menu to the framebuffer and wait a few seconds for a keypress before the default selection boots.

We could even select an alternate GUI or desktop from the boot menu (even a stripped down Windows inside QEMU, just because we can).

12-03-2011, 12:15 AM	#183
geekmaster Carpe diem, c'est la vie. Posts: 6,433 Karma: 10773668 Join Date: Nov 2011 Location: Multiverse 6627A Device: K1 to PW3	In my routers, I dual boot. I copied the firmware into an image I store on MMC, which is what gets patched and modified. The only change in the original root is a startup script that flashes an LED, waits a few seconds for a keypress, and if none, loads the mmc driver, loopmounts the image, and does a pivotroot to it. If the button is pressed when LED flash, it falls through and does nothing, letting the stock firmware run. We could do something similar here. Because of the pivotroot, ONLY the image code is running, unlike chroot where only a process switches over. We can modify our copy of the OS all we want, and boot the original code by pressing a button when the LED flashes during boot. We can even intercept an update, and let the update analyze the original unmodified code, like a viral rootkit... The kindle needs a rootkit! Of course, having an image that is a copy of everything would use space, and the newer kindles have smaller storage. In my images, I have symlinks to the original stuff that was pivoted out to a mount point. I only replace busybox stuff when I need extra functionality. My image copy gets duplicates replaced by symlinks, making it a lot smaller. A more modern way to do this with less manual intervention would be a COW fs that overlays the original, similar to how OpenWrt works. If we pivotroot, it would be nice to detect a "phone home" app or backdoor intrusion by amazon, and chroot that process back to the original mountpoints. The reason I brought this up is that it could simplify uninstalls and updates, and would allow what would otherwise be very intrusive mods. Alternatively, bind mounts could replace pivotroot in most cases, but would still need a startup script to do the mounts. As a minimum though, I would like to see a dual boot based on pressing a button at just the right time, signalled by an LED flash, or some onscreen indicator, or a brief non-annoying "jailbreak" sound during bootup (signalling when to press a button to skip jailbreak boot). For that matter, you could even write a boot menu to the framebuffer and wait a few seconds for a keypress before the default selection boots. We could even select an alternate GUI or desktop from the boot menu (even a stripped down Windows inside QEMU, just because we can). Last edited by geekmaster; 12-03-2011 at 12:54 AM.