10-25-2011, 12:02 PM | #46 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
10-25-2011, 01:21 PM | #47 |
Enthusiast
Posts: 42
Karma: 39432
Join Date: May 2011
Device: none
Sorry, I missed that.
The kernel in the 4.0.1 source from Amazon ignores the command line from the boot loader, so there is not much use looking in that direction.
10-25-2011, 03:02 PM | #48 |
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
a couple thoughts:
- maybe updating option in recovery doesn't check signature (I don't know why it shouldn't, but may be worth a try)
- root password could be the same as recovery password, have you tried that?
- another one: hitting ctrl+c during boot could drop you into a shell.
Last edited by giorgio130; 10-25-2011 at 03:07 PM. Reason: adding an idea
10-25-2011, 04:34 PM | #49 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
The root partition has been dumped! Yes, @giorgio, according to ichinomoto, that is what he did. I feel stupid for not having thought of that. I was thinking way too hard. uboot. recovery script. kernel. When the solution was right in front of me (using root password, same as recovery password). So thanks again to ichinomoto for getting the serial port, getting root, and dumping the nand. Now is the second half of the journey. Actually analyzing the operating system.
10-25-2011, 04:36 PM | #50 |
Enthusiast
Posts: 42
Karma: 39432
Join Date: May 2011
Device: none
The kindle browser is using a very old webkit. Perhaps there is a known exploit that works? It runs as root, so even reading or writing a local file should be enough:
http://www.metasploit.com/modules/au...t_xslt_dropper
This is not an easy option, but the iMX50x SoCs have two external boot mode signals that control the boot process, allowing for download and execution of a program from the USB port. This will allow you to run a non-crippled uboot. http://cache.freescale.com/files/32b...=Documentation
10-25-2011, 04:43 PM | #51 | |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Last edited by yifanlu; 10-25-2011 at 05:22 PM. |
10-25-2011, 06:23 PM | #52 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I know the format for the new update files now.
- 0x4 bytes update type: SP01 means signature file
- 0x4 bytes certificate number: 0 = pubdevkey01.pem, 1 = pubprodkey01.pem, 2 = pubprodkey02.pem (first one does not exist, second two are same as older kindles)
- 0x38 byte unknown: I think this is random/garbage data. Someone test this by taking a 4.0 kindle, downloading the 4.0.1 update, and changing the 0x38 bytes of data from offset 0x8 to 0x40 to 00 or random digits. I need to know for sure so we can ignore this space.
- 0x100 / 0x80 byte signature depending on the size of the certificate as noted by the certificate number. This is used to validate the second part of the file (below). If validation is passed, the next part is extracted and run.
- 0x4 byte update type: FC04 means signed update ... same as older updates
The new Kindle updater script also has more information on the usage of various fields of the headers and I'll be writing an updated "kindle_update_tool.py" sometime in the future. Also, I'll be gone for the next few days or maybe a week or so, so sorry.
10-26-2011, 10:34 AM | #53 |
Evangelist
Posts: 413
Karma: 1477913
Join Date: Jan 2006
Location: Netherlands
Device: KA1, Galaxy S8, Galaxy Tab A 10.1, ReMarkable
I haven't got the faintest idea what you guys are babbling on about and am deeply impressed by it. I fervently hope you are successful, for I want a Kindle Touch as soon as it's available in my country, BUT with all the hacks I've grown used to on my old Kindle.
So please, go on babbling! |
10-26-2011, 06:21 PM | #54 |
Junior Member
Posts: 1
Karma: 10
Join Date: Oct 2011
Device: Kindle 4
Hi all, nice to see that there is already so much progress.
I made a preliminary kindle_update_tool.py with yifanlu's instructions so others can have a look at the extracted firmware: https://gist.github.com/1318051 |
10-27-2011, 02:48 PM | #55 |
BLAM!
Posts: 13,477
Karma: 26012494
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Great news!
For the less adventurous, I've somewhat hacked around the packager to make it parse (at least) the 4.0.1 update, thanks to yifanlu for the details, and rng29a for the initial implementation. (Hopefully, I did it in a backwards compatible way, but I didn't verify that on a whole lot of files). It's in the original packager thread. Last edited by NiLuJe; 10-27-2011 at 02:52 PM.
10-27-2011, 03:04 PM | #56 |
Groupie
Posts: 157
Karma: 1777
Join Date: Sep 2010
Location: Minsk, Belarus
Device: Kindle 4
I have got rootfs for 4.0 and 4.0.1 firmwares. If somebody is interested, ask in PM.
10-27-2011, 04:03 PM | #57 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I won't be home for a while, but on my free time, I'm planning to rewrite the kindle update tool from scratch because I don't like how some parts of it are implemented. Also, I forgot to mention how the FC04 update format works (the part after the SP01 signature):
- 0x4 byte header "FC04"
- 0x8 bytes source version (used to be 4 bytes)
- 0x8 bytes target version (used to be 4 bytes)
- 0x2 bytes number of devices supported
- for each device:
  - 0x2 bytes device id of each supported device
- end for each
- 0x2 bytes critical update flag + 1 byte padding
- 0x32 byte md5 hash "munged" (dm)
- 0x2 bytes number of metadata
- for each metadata:
  - 0x2 bytes string length
  - that amount of bytes string metadata "munged" (dm)
- end for each
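A parser for the SP01 signature wrapper laid out in post #52 and the FC04 header laid out in post #57, as an added example that is not the thread's kindle_update_tool.py, the gist, or KindleTool. The thread does not state several details, so these are assumptions here: little-endian integers, the certificate-number to signature-length table, the "munged" (dm) transform taken as a per-byte nibble swap, the md5 field read as 32 bytes, and the critical flag plus padding read as two bytes in total; the sample file is constructed, not a real update.

```python
import struct

# Assumed certificate number -> signature length (the post says only that it
# depends on the certificate's size); fix this table if a real file disagrees.
SIG_LEN = {0: 0x80, 1: 0x80, 2: 0x100}
CERT_FILE = {0: "pubdevkey01.pem", 1: "pubprodkey01.pem", 2: "pubprodkey02.pem"}
MD5_LEN = 32          # hex MD5 digest; the post's "0x32 byte" field is read as 32 bytes here

def dm(data):
    # "munging" is not defined in the thread; a per-byte nibble swap (self-inverse) is assumed
    return bytes(((b >> 4) | (b << 4)) & 0xFF for b in data)

def parse_sp01(buf):
    """SP01 wrapper: returns (info dict, bytes that follow the signature)."""
    if buf[:4] != b"SP01":
        raise ValueError("not an SP01 signature file")
    cert = struct.unpack_from("<I", buf, 4)[0]            # little-endian assumed
    if cert not in SIG_LEN:
        raise ValueError("unknown certificate number %d" % cert)
    end = 0x40 + SIG_LEN[cert]                            # 0x8..0x40 is the unknown block
    if len(buf) < end:
        raise ValueError("truncated signature")
    info = {"cert": cert, "cert_file": CERT_FILE[cert],
            "unknown": buf[0x8:0x40], "signature": buf[0x40:end]}
    return info, buf[end:]

def parse_fc04(buf):
    """FC04 header: returns (header dict, offset where the signed payload starts)."""
    if buf[:4] != b"FC04":
        raise ValueError("not an FC04 update")
    src, tgt, ndev = struct.unpack_from("<QQH", buf, 4)   # little-endian assumed
    off = 22
    devices = list(struct.unpack_from("<%dH" % ndev, buf, off)); off += 2 * ndev
    critical = buf[off]; off += 2                         # flag byte + 1 padding byte (assumed)
    md5 = dm(buf[off:off + MD5_LEN]).decode("ascii"); off += MD5_LEN
    nmeta = struct.unpack_from("<H", buf, off)[0]; off += 2
    meta = []
    for _ in range(nmeta):
        slen = struct.unpack_from("<H", buf, off)[0]; off += 2
        meta.append(dm(buf[off:off + slen]).decode("ascii")); off += slen
    return {"source": src, "target": tgt, "devices": devices, "critical": critical,
            "md5": md5, "metadata": meta}, off

def build_sample():
    """Constructed sample file (not a real update) exercising every field above."""
    md5 = dm(b"d41d8cd98f00b204e9800998ecf8427e")            # md5 of empty input, munged
    meta = b"".join(struct.pack("<H", len(s)) + dm(s) for s in (b"Kindle4", b"4.0.1"))
    fc04 = (b"FC04" + struct.pack("<QQH", 2, 3, 2) + struct.pack("<HH", 1, 2)  # device ids made up
            + bytes([1, 0]) + md5 + struct.pack("<H", 2) + meta + b"payload")
    return b"SP01" + struct.pack("<I", 2) + b"\0" * 0x38 + b"\xAA" * 0x100 + fc04
```

Verifying the signature over the bytes returned by parse_sp01 against the named pubprodkey file is the step the updater performs before it touches the FC04 part; it is left out here because the thread does not describe that check.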
10-28-2011, 09:06 PM | #58 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
https://github.com/yifanlu/KindleTool
Here's the new update tool that I'm writing. It's written in pure C. My first "real" experience with C. Not anywhere near done. I've just finished with extraction and haven't touched on creation. My goal is for it to be 1) lightweight (no need to download python), 2) fast (300MB update extracted in 5 seconds; took 5 minutes with the python tool), 3) portable (hopefully will work on osx, windows, linux, and arm-linux (on the kindle itself)). I know the python tool is "good enough", but I constantly find problems with it, like slow extraction times on 300mb recovery updates. I also hope that some other experienced developers can help, so I'm putting it on github.
10-29-2011, 09:05 PM | #59 |
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Not really anything new in terms of jailbreaking, but WHEN it's possible to jailbreak, it will be VERY EASY to modify the boot images (as we modify the screen savers now).
EDIT: To change custom bootscreens:
1) modify /var/local/java/prefs/com.amazon.ebook.framework/prefs
2) set low_level_screens.dir to any directory
3) Put images into this directory
K4 also has built in custom screensaver support:
1) modify /var/local/java/prefs/com.amazon.ebook.framework/prefs
2) Add this line: "screensaver.enable.userdefined=true"
3) put your screensavers into /mnt/us/sleepscreens
Just some advice for future purposes when we jailbreak this thing. Also, it seems like all kindles include a secondary rootfs partition for diags. This partition contains SSH and usbnetwork. However, other than using the serial port, I don't think you can reboot to this mode.
EDIT: When I posted this, I was referring to the Kindle 4, not the touch. Last edited by yifanlu; 12-10-2011 at 04:50 PM.
10-31-2011, 05:18 PM | #60 |
BLAM!
Posts: 13,477
Karma: 26012494
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Ha! Nice find!
And the screensaver stuff is in there as far back as in a Kindle 2 (at least on 2.5.x)! It automatically tags them with the 'Slide and release power switch to wake' black bar on the bottom (at least on a K2). Couldn't get the framework to pick up a config file from /mnt/us/system instead of /var/local/java/prefs though (just in case it might be doable *without* a jailbreak, like the alt font family).