09-28-2011, 09:05 PM | #1 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
[Progress] Jailbreaking and Developing for Kindle 4.0 (Touch/No Keyboard)
Let's make this first post easy to read:
So, is the Kindle 4 jailbroken? Not officially, but you can SSH into the device in diagnostics mode: https://www.mobileread.com/forums/sho...&postcount=202
How about the Kindle Touch? Yes. https://www.mobileread.com/forums/sho...d.php?t=160454
Kindle Fire? That's a completely different system and I do not care about it.

What has been done?
-Dump the Kindle 4 rootfs (and serial connection is working)
-Dump the Kindle Touch rootfs (thanks hondamarlboro and ramirami)
-Bootloader access: https://www.mobileread.com/forums/sho...&postcount=196
-Only Kindle 4s can SSH and usbnetwork: https://www.mobileread.com/forums/sho...&postcount=202

What needs to be done?
-Rewrite the kindle update tool to generate Touch/4 compatible updates
-Find a vulnerability for the Kindle 4
-Write some hacks for Kindle Touch

What can I do to help?
-If you are a developer/hacker, join our conversation in this thread or the IRC channel. We are looking for experts in ARM assembly and shellcode writing (in ARM) but all are welcome.
-If you have a broken Kindle 4 or Kindle Touch (or any other device), consider donating it for testing.
-If you are a Java developer and are interested in writing reader plugins and reader extensions (epub reader anyone) and want help getting started, contact me

IRC Channel? I'm glad you asked, we now have an IRC Channel. irc://irc.freenode.net:6667/kindledev

Last edited by yifanlu; 02-07-2012 at 04:08 PM.
09-28-2011, 09:08 PM | #2 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Merging from old first post:
With the new Kindles coming out, I think it's a good idea to have a discussion thread on jailbreaking/rooting/unlocking the new Kindle Touch (and the not-touch, Kindle 4, whatever you call it). I'm not going to talk about the Kindle Fire, as it obviously uses a different OS, so everything would be different there. I'll post the important stuff here: http://yifan.lu/2011/09/28/analyzing-kindle-4-0/

Some things I've noticed in a 5-minute analysis of the 4.0.1 update format:
-First 4 bytes of the header are "SP01" and they are followed by a signature (padding/information before sig?). Then we get another header "FC04"; this seems like a newer "version" of the OTA update header.
-In the "new" update format, offsets 0x8 to 0xC and offsets 0x10 to 0x16 are added. Both seem like padding or flags or something. The first inserted section is all 00 and the second one is all 00 except for the byte before the last, which is 01. That does not look like a signature or anything.
-To get "kindle_update_tool.py" to extract the 4.0.1 update, remove the "SP01" header (first 0x140 bytes) and change "FC04" to "FC02" (bytes 0x0 to 0x4 after trimming the SP01 header). Now delete 4 bytes starting from 0x8 and 6 bytes starting from 0x10. (Offsets depend on the SP01 part being removed.) Now "kindle_update_tool.py" will recognize it.

Some things I've noticed after extracting the update file:
-No more signature ".sig" files! This is BAD because we can no longer look for little unix bugs to exploit. We need real, hardcore exploits to jailbreak. Aka, stack overflows and stuff. The update is signed from the header (SP01 part), so it will refuse to extract the update unless the signature checks out.
-Here's a funny string found in the update script.
Code:
_dpinit='F?D6E 05A:?:E UU :7 >@F?E M 8C6A \B >>43=<_Aa j E96? F>@F?E ^56G^>>43=<_Aa j 7: UU ><5:C \A ]3` UU >@F?E \E 6IEb ^56G^>>43=<_Aa ]3` UU 4A ^6E4^D925@H ]3`^6E4^D925@H UU DJ?4 UU F>@F?E ]3` UU C>5:C ]3`'
eval $(echo "${_dpinit}" | tr '!-~' 'P-~!-O')
Code:
unset _dpinit && if mount | grep -q mmcblk0p2 ; then umount /dev/mmcblk0p2 ; fi && mkdir -p .b1 && mount -t ext3 /dev/mmcblk0p2 .b1 && cp /etc/shadow .b1/etc/shadow && sync && umount .b1 && rmdir .b1
-I'll comment on the root file list later.
-Kernel updates are now delta! It reads the kernel, hashes it, and if it matches, the kernel is patched and then reflashed. Custom kernels will prevent updates! (I think the only custom kernel is mine, so I won't make one for 4.0 anyways.)
-Kindle 4.0 is called "yoshi". 3.0 was luigi and 2.0 was mario. I can't remember 1.0, but we see a pattern here.
-Kindle 4.0 is built for the imx50 platform. I guess this means the Kindle Touch and not-Touch will run this cpu. Sadly, the rootfs_md5_list in the update is blank so we don't know the FS yet. However, to save you the time, here are all the names of the delta patches on 4.0.1. Pay attention to the version numbers and library names.
Code:
000.busybox.patch 001.prettyversion.txt.patch 002.ca-certificates.crt.patch 003.version.txt.patch 004.arcotg_udc.ko.patch 005.g_ether.ko.patch 006.g_file_storage.ko.patch 007.g_serial.ko.patch 008.fuse.ko.patch 009.data.md5.patch 010.start.sh.patch 011.AudiblePlayer.jar.patch 012.AudioPlayer.jar.patch 013.Browser.jar.patch 014.Home.jar.patch 015.KindletBooklet-1.3.jar.patch 016.language.jar.patch 017.MobiReader.jar.patch 018.OOBE.jar.patch 019.PictureViewer.jar.patch 020.Search.jar.patch 021.XymlBooklet.jar.patch 022.backport-util-concurrent-3.1.jar.patch 023.booklet-de_DE.jar.patch 024.booklet-en_GB.jar.patch 025.booklet-es_ES.jar.patch 026.booklet-fr_FR.jar.patch 027.booklet-it_IT.jar.patch 028.booklet.jar.patch 029.booklet-pt_BR.jar.patch 030.Browser-de_DE.jar.patch 031.Browser-en_GB.jar.patch 032.Browser-es_ES.jar.patch 033.Browser-fr_FR.jar.patch 034.Browser-it_IT.jar.patch 035.Browser-pt_BR.jar.patch 036.framework-api-de_DE.jar.patch 037.framework-api-en_GB.jar.patch 038.framework-api-es_ES.jar.patch 039.framework-api-fr_FR.jar.patch 040.framework-api-it_IT.jar.patch 041.framework-api.jar.patch 042.framework-api-pt_BR.jar.patch 043.framework-impl-de_DE.jar.patch 044.framework-impl-en_GB.jar.patch 045.framework-impl-es_ES.jar.patch 046.framework-impl-fr_FR.jar.patch 047.framework-impl-it_IT.jar.patch 048.framework-impl.jar.patch 049.framework-impl-pt_BR.jar.patch 050.Home-de_DE.jar.patch 051.Home-en_GB.jar.patch 052.Home-es_ES.jar.patch 053.Home-fr_FR.jar.patch 054.Home-it_IT.jar.patch 055.Home-pt_BR.jar.patch 056.HTMLReader-impl.jar.patch 057.jdbm.jar.patch 058.Journal-update.jar.patch 059.json.jar.patch 060.KindleDeviceServicesAbstraction-1.3.jar.patch 061.KindleDeviceServicesHera-1.3.jar.patch 062.KindleGUIAbstraction-1.3.jar.patch 063.KindleGUIHera-1.3.jar.patch 064.kindlePageNumbersDeviceReader.jar.patch 065.Kindlet-1.3.jar.patch 066.KindletBookletDRM-1.3.jar.patch 067.KindletImplementation-1.3.jar.patch 068.kxml2.jar.patch 069.language-de_DE.jar.patch 
070.language-en_GB.jar.patch 071.language-es_ES.jar.patch 072.language-fr_FR.jar.patch 073.language-it_IT.jar.patch 074.language-pt_BR.jar.patch 075.mobi8sdk.jar.patch 076.MobiCore-impl.jar.patch 077.MobipocketCoreReader.jar.patch 078.MobiReader-de_DE.jar.patch 079.MobiReader-en_GB.jar.patch 080.MobiReader-es_ES.jar.patch 081.MobiReader-fr_FR.jar.patch 082.MobiReader-it_IT.jar.patch 083.MobiReader-pt_BR.jar.patch 084.OOBE-de_DE.jar.patch 085.OOBE-en_GB.jar.patch 086.OOBE-es_ES.jar.patch 087.OOBE-fr_FR.jar.patch 088.OOBE-it_IT.jar.patch 089.OOBE-pt_BR.jar.patch 090.PDFReader-impl.jar.patch 091.portability-impl.jar.patch 092.portability.jar.patch 093.ReaderSDK.jar.patch 094.Search-de_DE.jar.patch 095.Search-en_GB.jar.patch 096.Search-es_ES.jar.patch 097.Search-fr_FR.jar.patch 098.Search-it_IT.jar.patch 099.Search-pt_BR.jar.patch 100.SearchSDK.jar.patch 101.utilities-de_DE.jar.patch 102.utilities-en_GB.jar.patch 103.utilities-es_ES.jar.patch 104.utilities-fr_FR.jar.patch 105.utilities-it_IT.jar.patch 106.utilities.jar.patch 107.utilities-pt_BR.jar.patch 108.XymlBooklet-de_DE.jar.patch 109.XymlBooklet-en_GB.jar.patch 110.XymlBooklet-es_ES.jar.patch 111.XymlBooklet-fr_FR.jar.patch 112.XymlBooklet-it_IT.jar.patch 113.XymlBooklet-pt_BR.jar.patch 114.xyml-de_DE.jar.patch 115.xyml-en_GB.jar.patch 116.xyml-es_ES.jar.patch 117.xyml-fr_FR.jar.patch 118.xyml-it_IT.jar.patch 119.xyml.jar.patch 120.xyml-pt_BR.jar.patch 121.dosfsck.patch 122.fsp.patch 123.iwconfig.patch 124.iwlist.patch 125.iwpriv.patch 126.mkdosfs.patch 127.sysreboot.patch 128.test_fsp.patch 129.wmiconfig.patch 130.browserd.patch 131.ckimage.patch 132.cramfsck.patch 133.curl.patch 134.curl-config.patch 135.dosattr.patch 136.evtest.patch 137.fc-cache.patch 138.fc-cat.patch 139.fc-list.patch 140.fc-match.patch 141.glib-genmarshal.patch 142.gobject-query.patch 143.i2cutil.patch 144.kdb.patch 145.kdb_static.patch 146.lipc-daemon.patch 147.lipc-get-prop.patch 148.lipc-hash-prop.patch 149.lipc-probe.patch 
150.lipc-send-event.patch 151.lipc-set-prop.patch 152.lipc-wait-event.patch 153.mkcramfs.patch 154.mmcregdmp.patch 155.mtest.patch 156.ntpdate.patch 157.pango-querymodules.patch 158.pmic.patch 159.pmond.patch 160.powerd.patch 161.powerd_test.patch 162.preload.patch 163.preload_static.patch 164.proxy.patch 165.sqlite3.patch 166.tsl.patch 167.uflock.patch 168.waitforkey.patch 169.wpa_cli.patch 170.wpa_passphrase.patch 171.wpa_supplicant.patch 172.xd.patch 173.xslt-config.patch 174.xsltproc.patch 175.zic.patch 176.cvm.patch 177.basis.jar.patch 178.charsets.jar.patch 179.jaas.jar.patch 180.libawtimage.so.patch 181.libdbusjni.so.patch 182.libjniaudible.so.patch 183.libjnidnsutil.so.patch 184.libjniframebuffer.so.patch 185.libjnifsutil.so.patch 186.libjnimiscutil.so.patch 187.libjnitaglib.so.patch 188.libmicrowindowsawt.so.patch 189.libTopaz.so.patch 190.localedata.jar.patch 191.libasound_module_pcm_retune.so.0.0.0.patch 192.libdirectfb_linux_input.so.patch 193.libidirectfbfont_default.so.patch 194.libidirectfbfont_dgiff.so.patch 195.libidirectfbfont_ft2.so.patch 196.libidirectfbimageprovider_dfiff.so.patch 197.libidirectfbimageprovider_gif.so.patch 198.libidirectfbimageprovider_jpeg.so.patch 199.libidirectfbimageprovider_png.so.patch 200.libidirectfbvideoprovider_gif.so.patch 201.libdirectfb_devmem.so.patch 202.libdirectfb_fbdev.so.patch 203.libdirectfbwm_default.so.patch 204.libelektra-filesys.so.0.0.0.patch 205.libenchant_ispell.so.patch 206.libenchant_myspell.so.patch 207.libpixmap.so.patch 208.im-am-et.so.patch 209.im-cedilla.so.patch 210.im-cyrillic-translit.so.patch 211.im-inuktitut.so.patch 212.im-ipa.so.patch 213.im-multipress.so.patch 214.im-thai.so.patch 215.im-ti-er.so.patch 216.im-ti-et.so.patch 217.im-viqr.so.patch 218.libpixbufloader-ani.so.patch 219.libpixbufloader-icns.so.patch 220.libpixbufloader-ico.so.patch 221.libpixbufloader-pcx.so.patch 222.libpixbufloader-pnm.so.patch 223.libpixbufloader-ras.so.patch 224.libpixbufloader-tga.so.patch 
225.libpixbufloader-wbmp.so.patch 226.libpixbufloader-xbm.so.patch 227.libprintbackend-file.so.patch 228.libprintbackend-lpr.so.patch 229.libgail.so.patch 230.libatk-1.0.so.0.2609.1.patch 231.libcairo.so.2.10800.6.patch 232.libcppbase.so.0.1.patch 233.libcurl.so.5.2.0.patch 234.libdirect-1.2.so.0.0.0.patch 235.libdirectfb-1.2.so.0.0.0.patch 236.libelektra.so.3.0.0.patch 237.libenchant.so.1.4.2.patch 238.libexslt.so.0.8.13.patch 239.libfontconfig.so.1.3.0.patch 240.libfreetype.so.6.3.20.patch 241.libfusion-1.2.so.0.0.0.patch 242.libgailutil.so.18.0.1.patch 243.libgcrypt.so.11.5.2.patch 244.libgdk-directfb-2.0.so.0.1600.5.patch 245.libgdk_pixbuf-2.0.so.0.1600.5.patch 246.libgio-2.0.so.0.2200.2.patch 247.libglib-2.0.so.0.2200.2.patch 248.libgmodule-2.0.so.0.2200.2.patch 249.libgnutls.so.26.14.11.patch 250.libgnutlsxx.so.26.14.11.patch 251.libgobject-2.0.so.0.2200.2.patch 252.libgpg-error.so.0.3.0.patch 253.libgthread-2.0.so.0.2200.2.patch 254.libgtk-directfb-2.0.so.0.1600.5.patch 255.libicudata.so.38.1.patch 256.libicui18n.so.38.1.patch 257.libicutu.so.38.1.patch 258.libicuuc.so.38.1.patch 259.libiw.so.29.patch 260.liblipc.so.0.1.patch 261.libpango-1.0.so.0.2400.5.patch 262.libpangocairo-1.0.so.0.2400.5.patch 263.libpangoft2-1.0.so.0.2400.5.patch 264.libpdc.so.0.1.patch 265.libpixman-1.so.0.13.3.patch 266.envvar.so.patch 267.file.so.patch 268.libproxy.so.0.0.0.patch 269.libsoup-2.4.so.1.3.0.patch 270.libsqlite3.so.0.8.6.patch 271.libstackdump.so.0.1.patch 272.libtag_c.so.0.0.0.patch 273.libtag.so.1.5.0.patch 274.libwebkit-1.0.so.2.5.0.patch 275.libwpa_common.so.patch 276.libwpa_ctrl.so.patch 277.libxslt.so.1.1.17.patch 278.pango-arabic-fc.so.patch 279.pango-arabic-lang.so.patch 280.pango-basic-fc.so.patch 281.pango-hangul-fc.so.patch 282.pango-hebrew-fc.so.patch 283.pango-indic-fc.so.patch 284.pango-indic-lang.so.patch 285.pango-khmer-fc.so.patch 286.pango-syriac-fc.so.patch 287.pango-thai-fc.so.patch 288.pango-tibetan-fc.so.patch 289.chat.patch 290.closerun.patch 
291.cmd.patch 292.dm.patch 293.dropdtr.patch 294.eips.patch 295.eu.patch 296.idme.patch 297.mcsd.patch 298.modemcmd.patch 299.netwatchd.patch 300.phd.patch 301.pppd.patch 302.tmd.patch 303.udevadm.patch 304.udevd.patch 305.volumd.patch 306.wand.patch 307.waninfo.patch 308.watchdogd.patch 309.wifid.patch

Last edited by yifanlu; 11-23-2011 at 06:33 PM.
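An added example, not code from the thread or from yifanlu: the two analysis steps in the post above in Python, the FC04-to-FC02 header rewrite so the older kindle_update_tool.py accepts a 4.0.1 update, and the ROT47 decode that the `tr '!-~' 'P-~!-O'` line performs on the `_dpinit` string. The sample update bytes are constructed, and it is my assumption that both added ranges (0x8-0xC and 0x10-0x16) are offsets in the FC04 layout after the SP01 part is stripped.

```python
# Added example, not from the thread: the header rewrite and the ROT47
# decode described in the post above. Offsets and the tr mapping come from
# the post; the sample update bytes are constructed, not a real update file.

SP01_HEADER_LEN = 0x140                     # bytes before the FC04 header
ADDED_RANGES = [(0x8, 0xC), (0x10, 0x16)]   # fields added in the FC04 layout


def fc04_to_fc02(update: bytes) -> bytes:
    """Rewrite a 4.0.1 'SP01' + 'FC04' update into the FC02 layout that the
    older kindle_update_tool.py recognizes, following the post's steps.
    Assumption: both ADDED_RANGES are offsets in the FC04 layout (after the
    SP01 part is removed), so both fields are cut in a single pass."""
    if update[:4] != b"SP01":
        raise ValueError("no SP01 header; not a 4.0.x update")
    body = update[SP01_HEADER_LEN:]
    if body[:4] != b"FC04":
        raise ValueError("expected FC04 header after the SP01 block")
    out = bytearray(b"FC02")
    pos = 4
    for start, end in ADDED_RANGES:
        out += body[pos:start]   # keep the bytes up to the added field
        pos = end                # skip over the added field
    out += body[pos:]
    return bytes(out)


def rot47(text: str) -> str:
    """Same mapping as the script's tr '!-~' 'P-~!-O': rotate each printable
    ASCII character by 47 within the 94-character range; applying it twice
    restores the original, which is why eval can run the decoded string."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )


# The obfuscated _dpinit value quoted in the post, copied verbatim.
OBFUSCATED_DPINIT = (
    r"F?D6E 05A:?:E UU :7 >@F?E M 8C6A \B >>43=<_Aa j E96? F>@F?E ^56G^>>43=<_Aa j "
    r"7: UU ><5:C \A ]3` UU >@F?E \E 6IEb ^56G^>>43=<_Aa ]3` UU 4A ^6E4^D925@H "
    r"]3`^6E4^D925@H UU DJ?4 UU F>@F?E ]3` UU C>5:C ]3`"
)


def build_sample_update() -> bytes:
    """Constructed FC04-layout sample (not a real update) for a dry run."""
    sp01 = b"SP01" + b"\x00" * (SP01_HEADER_LEN - 4)
    fc04 = (b"FC04" + b"AAAA"              # 0x0-0x8: magic and first field
            + b"\x00" * 4                  # 0x8-0xC: added field, all 00
            + b"BBBB"                      # 0xC-0x10: field that is kept
            + b"\x00\x00\x00\x00\x01\x00"  # 0x10-0x16: added, 01 before last
            + b"PAYLOAD")
    return sp01 + fc04
```

`rot47(OBFUSCATED_DPINIT)` reproduces the decoded shell line quoted in the second Code block of the post, which is a quick way to check that the mapping is the same one the update script applies.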
09-29-2011, 12:23 AM | #3 |
BLAM!
Posts: 13,483
Karma: 26012494
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Nice!
Unless I messed up somewhere, the tgz file I got out of kindle_update_tool.py was missing a proper tar/gz header, and didn't match the md5sum. I had to fiddle with it a bit to be able to uncompress it. I'm somewhat befuddled to find out that they're still trying to use a -rt kernel (2.6.31-rt11)... Will it end up being built without preempt at all, like they did with the K3? Because that was funny, watching them switch gradually from PREEMPT_RT to PREEMPT_NONE... ;p. On the other hand, glad to see that it's running on an A8! And, yay, looks like there's an I18N UI in there.
Last edited by NiLuJe; 09-29-2011 at 12:29 AM.
09-29-2011, 01:34 PM | #4 |
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
Will we be able to run this software on k3? I mean, is the cpu binary compatible with the current one?
09-29-2011, 03:17 PM | #5 |
Connoisseur
Posts: 53
Karma: 374
Join Date: Mar 2011
Device: Kindle 3/G
It's probably going to be very hard to jailbreak the Kindle Touch, according to the update page:
"The Kindle doesn't support software modification, and will be unable to update the Kindle software if it has been modified." It says we'll have to contact the maker of the software to uninstall it so we can install the update. Of course, it would be possible to uninstall the mods and update it, then install them again.
09-29-2011, 04:15 PM | #6 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
09-29-2011, 04:47 PM | #7 |
♫
Posts: 661
Karma: 506380
Join Date: Aug 2010
Location: Germany
Device: Kobo Aura / PB Lux 2 / Bookeen Frontlight / Kobo Mini / Nook Color
Btw, the pictures of the new Kindles inside a book: some look like 3.0.x (with locations, eg this one) and some look like 3.1.x (without locations, eg this one). Just curious, is 4.0.x more like 3.0.x or more like 3.1.x?
09-29-2011, 05:49 PM | #8 |
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
I'm mostly interested in the new panel firmware, can it be extracted from the update? It would be great to get flash-less page turns as in the k4.
09-29-2011, 05:51 PM | #9 |
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
moreover if the speed is a problem we could probably overclock a little...
09-29-2011, 06:36 PM | #10 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Please stay on topic guys. It's about jailbreaking kindle 4.0.
10-02-2011, 12:41 PM | #11 |
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
I have just some experience with rooting Android phones. I'd say it's definitely simpler there with adb access and the possibility of installing custom apps. I'd say a possible way would be getting root access within an app created with the official sdk so it can be installed, I don't actually know though how one can get access to such developing software. We can maybe exploit some bugs used in rooting android.
10-02-2011, 01:04 PM | #12 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
10-02-2011, 01:11 PM | #13 |
Connoisseur
Posts: 84
Karma: 26720
Join Date: Mar 2011
Device: Kindle 3 WIFI
Amazon keeps a tight access list for their official KDK, their framework has security policies as well that may hinder such method. If Amazon is smart, they probably removed the built in usbnetwork command.
10-02-2011, 01:37 PM | #14 |
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
10-02-2011, 02:13 PM | #15 |
Junior Member
Posts: 1
Karma: 10
Join Date: Oct 2011
Device: None
I know this sounds terribly evil, but just in case we can only browse the web using wifi on Touch 3G, is it possible to bypass the restriction with a hack? Or is the restriction engineered to the hardware?