01-17-2012, 07:38 AM | #91
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
01-17-2012, 08:31 AM | #92
Connoisseur
Posts: 95
Karma: 128
Join Date: Feb 2010
Location: Upside-down
Device: Kindle 3g (US), KT & PaperWhite, Nook ST
I acknowledge this jailbreak is working on 5.0.3. Other than that I didn't notice any big improvements. The four button sense of reading is not working anymore,
01-17-2012, 10:11 AM | #93
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
@ixtab: I thought you were going to use tzVar instead of locale. As we discussed in PMs shortly after you discovered the tar bug, tzVar does not clobber the locale settings.
Unfortunately, locale and tzVar only work on the Touch. They do not work on the K4NT. The only *universal* payload destination that works on both the Touch and the K4NT is the one I found that *might* survive your tar bug getting disabled (because no shared dependencies). My payload destination can be triggered using multiple methods, and we had agreed that it could be saved until yours gets burned because the K4NT already has a developer mode method. If the goal here is to create a single jailbreak that works on both the Touch and the K4NT, we will have to use my payload destination and trigger method, and just hope that amazon does not fix ALL the trigger mechanisms for it.
Last edited by geekmaster; 01-17-2012 at 10:55 AM.
01-17-2012, 11:38 AM | #94
Member
Posts: 11
Karma: 10
Join Date: Jan 2012
Device: Kindle Touch
Hello. Anyone know if screen rotation works with the new 5.0.3 firmware? I need landscape mode!
01-17-2012, 12:00 PM | #95
Member
Posts: 10
Karma: 10
Join Date: Jan 2012
Device: kindle touch
01-17-2012, 12:23 PM | #96
(offline)
Posts: 2,907
Karma: 6736092
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
b) normally, when you apply the jailbreak, you didn't even have a chance to customize the locale yet (changing locales needs our WIP localization package, which in turn requires a jailbreak); and c) there is an easy way to get back to fully localized.
01-17-2012, 12:32 PM | #97
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
The K4NT should have even more possible payload destinations than are found in the Touch, because root is writable by default on the K4NT (no need to do "mntroot rw" despite the warning after shell login). I only tested this on the version 4.0, so it still needs to be tested on 4.0.1. I have not looked for additional exploits after discovering that the K4NT root is writable. Perhaps we should inject the developer key directly with the tar bug without relying on a script (in case the script execution gets disabled). Clearly, the Touch MP3 exploit has come and gone and it is time to use the next one (your locale payload injected with the tar bug). I will defer to yifanlu's judgement about when the time is right to use each of the remaining known exploits.
Last edited by geekmaster; 01-17-2012 at 12:51 PM.
01-17-2012, 01:59 PM | #98
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
01-17-2012, 02:35 PM | #99
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
The tar bug that ixtab uses is dependent on the busybox file installed on the main partition. As we discussed on the IRC channel, mine does not depend on that file, and may survive repairing the busybox file that ixtab's exploit depends on. Must we expose all the details now, after you mildly chastised ixtab for releasing his details while the MP3 exploit still worked? I see no point in arguing over definitions here, to the point of guaranteeing that amazon is sure to patch both ixtab's and my methods. There was a discussion about releasing my method as a universal jailbreak that works on both the Touch and the K4NT, unlike the current Touch-only version. But that would reduce its probability to remain viable after ixtab's method goes away (especially since you claim to not know any other exploits). And besides, even if my exploit gets burned along with ixtab's, we will still have unlocked fastboot mode (as documented by rastik), and how can you NOT call that an exploit when it allows us to install whatever we choose on our kindles? And even if all of the above methods stop working, there is another way that has been tested and documented. You just need to know where to look. Plus, if your "stack smash" still works, I can (probably) use it with my (untested) shellcode that defeats ASLR. This line of research was put on hold when you announced your MP3 exploit. Of course, that would require mutual cooperation. What are the chances of that?
Last edited by geekmaster; 01-17-2012 at 04:48 PM.
01-17-2012, 05:38 PM | #100
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I've said this many times before. We have payloads. Not exploits. The tar bug is an exploit. Using it in various ways gives different payloads. I don't troll, I like to point out misinformation so they don't get spread and raise expectations.
The fastboot/USB download is NOT an exploit. It's a door left open on purpose (or by accident) for developers. An exploit is using a bug in some code to execute unsigned code. If amazon fixes the tar bug, they FIX the tar bug, not just one specific payload. Now there is the chance that your payload will still work (actually, seeing amazon's record, it's a high chance) but we can't depend on it. For example, the previous update fixed two other payloads for the mp3 bug including one that allows HTML injection on the device name. Anything else is beyond my knowledge, which is why I started out with "AFAIK".
Last edited by yifanlu; 01-17-2012 at 05:42 PM.
01-17-2012, 05:57 PM | #101
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
http://www.minipwner.com/index.php/w...-the-minipwner I have some well-publicized and well-known computer exploits behind me, from the days when your parents were still children. I have become very careful in what I do and where I publish my "adventures" since the creation of the DMCA and the Patriot Act (and caution comes with age and maturity as well). I have only used my "geekmaster" handle since I first "exploited" the Geek Squad logo to suit my own purposes shortly after they were founded in 1994, and I have been very low-key about it. I still own two of the original black Geek Squad T-shirts acquired strictly for "social engineering" purposes. Back when I was your age, I was a founding member of the "Malicious Users Group" a/k/a MUG. It was university-sponsored, and the university even bought the pizzas during our all-night hacking sessions. Our group had about 40 members (by invitation only). My user ID was MUG0002. The only caveat was that we allow the university to monitor our "sponsored" hacking sessions, and we were to report all vulnerabilities found during those official sessions so they could "harden" their system. Great times were had by all (except the poor university computer center programmers who had to keep fixing the same problems over and over again). Our domain was a little-known computer access point with a handful of "glass teletypes" that connected at 300bps, when all the other students had to use ASR-33 teletypes that only did 110bps (10 characters per second). Of course, it was still fun to use a teletype now and then, if only to make the 40-some other teletypes in the room go dead silent while mine chattered away printing out startrek game maps, while locking out even the computer operators. This was done by escalating privileges above what even computer operators and systems administrators had.
During a consulting gig at a large well-known "big-iron computing" company, I became buddies with the director of technical support when he came to me white-faced, saying "you didn't REALLY delete the systems validations file did you?". He was afraid to reboot the mainframe for routine maintenance, fearing it might not come up again. I showed him how a lowly user could insert official messages into the system logs. He was relieved. One of my projects was featured on the cover of Scientific American, but my boss stole all the credit. This may be a contributing factor for my feeling violated when people claim credit for my ideas. Anyway, enough fun for now. I know what an exploit is. Perhaps I helped to define it. P.S. There were exploits before code signing even existed.
Last edited by geekmaster; 01-17-2012 at 07:25 PM.
01-17-2012, 06:20 PM | #102
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Calling someone a troll is like calling someone a racist. The term is overused so much it loses its intended meaning and becomes a generic insult. Anything that uses "the unintended expanding of absolute paths by default when extracting tar files on the kindle" is what I call "the tar bug" and as I've said amazon will MOST LIKELY but not DEFINITELY fix all use of this bug when they release a patch, so we should focus on finding new bugs instead of more uses for this one. Let ixtab have the credit for this one and we should all move on to looking for new bugs.
Now if I am wrong and your exploit makes no use of any variation of the tar bug, I sincerely apologize and hold my peace. Otherwise, I stand by my statement that we only have one exploit right now.
Last edited by yifanlu; 01-17-2012 at 06:23 PM.
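Added example, written for this edit and not taken from any post in the thread or from the jailbreak code itself: the mechanism yifanlu names above, an extractor that keeps a tar member's absolute path, reproduced with Python's `tarfile`. `build_sample_tar()` constructs an archive (all member names and contents are invented) with a benign relative member, one member named with an absolute path and one with `..` traversal for comparison. `naive_destination()` shows where each lands when the member name is joined to the extraction directory as-is (the absolute name discards the directory, which is the "unintended expanding of absolute paths"); `safe_destination()` strips leading slashes and refuses anything that resolves outside the target, which is what a hardened extractor should do; `safe_extract()` writes regular files only through that policy.

```python
"""Tar absolute-path extraction: naive vs. hardened destination resolution.

Added example, not from the thread. Member names below are invented.
"""
from __future__ import annotations

import io
import os
import posixpath
import tarfile
import tempfile

# Constructed member names for the sample archive (hypothetical, not real payloads).
BENIGN = "docs/readme.txt"
ABSOLUTE = "/etc/payload.conf"            # absolute path: the tar bug case
TRAVERSAL = "../../etc/payload2.conf"     # dot-dot traversal for comparison


def _add_bytes(tf: tarfile.TarFile, name: str, data: bytes) -> None:
    """Add an in-memory regular file under an exact name. TarInfo is built
    directly because TarFile.add() would strip the leading slash for us."""
    ti = tarfile.TarInfo(name)
    ti.size = len(data)
    tf.addfile(ti, io.BytesIO(data))


def build_sample_tar() -> bytes:
    """Constructed sample archive with one benign and two hostile member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_bytes(tf, BENIGN, b"hello\n")
        _add_bytes(tf, ABSOLUTE, b"# hypothetical payload\n")
        _add_bytes(tf, TRAVERSAL, b"# hypothetical payload\n")
    return buf.getvalue()


def naive_destination(dest: str, member: str) -> str:
    """Where a naive extractor writes: join() throws `dest` away as soon as it
    meets an absolute component, so "/etc/x" is written to /etc/x."""
    return posixpath.normpath(posixpath.join(dest, member))


def safe_destination(dest: str, member: str) -> str:
    """Hardened policy: drop leading slashes (as GNU tar does by default),
    normalise, and refuse any path that resolves outside `dest`."""
    base = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(base, member.lstrip("/")))
    if target != base and not target.startswith(base + "/"):
        raise ValueError(f"member escapes extraction directory: {member!r}")
    return target


def audit(tar_bytes: bytes, dest: str) -> list[tuple[str, str, str | None]]:
    """For every member: (name, naive target, safe target or None if rejected)."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for ti in tf.getmembers():
            try:
                safe = safe_destination(dest, ti.name)
            except ValueError:
                safe = None
            rows.append((ti.name, naive_destination(dest, ti.name), safe))
    return rows


def safe_extract(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract regular files only, through safe_destination(). Returns the
    member names written and the ones rejected. Symlinks, hard links and
    device nodes are skipped here; a real extractor needs a policy for them."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for ti in tf.getmembers():
            try:
                target = safe_destination(dest, ti.name)
            except ValueError:
                rejected.append(ti.name)
                continue
            if not ti.isfile():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tf.extractfile(ti) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(ti.name)
    return written, rejected


def demo_extract() -> tuple[list[str], list[str], bool]:
    """Run safe_extract() into a scratch directory and report whether the
    absolute-path member was confined under it (dest/etc/payload.conf)."""
    with tempfile.TemporaryDirectory() as d:
        written, rejected = safe_extract(build_sample_tar(), d)
        confined = os.path.isfile(os.path.join(d, "etc", "payload.conf"))
    return written, rejected, confined


if __name__ == "__main__":
    for name, naive, safe in audit(build_sample_tar(), "/mnt/us/extract"):
        print(f"{name:28} naive -> {naive:34} safe -> {safe}")
    print(demo_extract())
```

Running the audit against an extraction directory of `/mnt/us/extract` shows the absolute member resolving to `/etc/payload.conf` under the naive rule and to `/mnt/us/extract/etc/payload.conf` under the hardened one, while the `..` member is rejected outright. On Python 3.12 and later the same policy is available built in via `TarFile.extractall(path, filter="data")`, which strips leading slashes and refuses members that escape the destination; older interpreters, and busybox builds configured without that protection, need the check done by hand as above.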
01-17-2012, 07:40 PM | #103
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
I have used the tar bug in the past, and I have found long-repaired security loopholes show up all over again in code rewrites, which is why I suggested to you when we were discussing UTF-8 shellcodes to use your stack smash, before I had my own kindle Touch to test with, that perhaps you should test the tar root path bug "just in case". I took your word for it when you told me "that was fixed long ago". By the time I got my Touch, you had already released your MP3 exploit, so no need to test it then. In the IRC channel, right after ixtab announced his tar bug discovery and I mentioned our previous discussion, you said "but we BOTH agreed that it could not work". Actually, I learned long ago to never agree to anything without reading the fine print and testing everything myself. Because I had no Touch to test with during our previous discussion, it is absurd to claim that I could have agreed to such a thing. This is a hard rule that I rarely violate. I am sorry about the Troll thing, but it seems that when I ask legitimate questions you have no time to answer me, but you are quick to challenge things that I post. This is irksome because I come from a different time than you, and word meanings evolve over time, and my experience gives me a much broader viewpoint than yours, which affects which definitions of technical jargon I choose to use. To me, arguing word definitions without supporting evidence or technical merit is akin to "trolling". Regarding word meanings, how can "troll" be akin to "racist" as you claimed above? Which ethnicity descended from Trolls? I have read many thousands of books, and I am not aware of any...
01-17-2012, 07:46 PM | #104
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Sorry, I lost track of the meaning of the argument. If I ever purposely ignored a "legitimate" question of yours, I apologize. I do have things to do beyond kindles and am by no means a kindle oracle. Let's get back on track. What we should be talking about isn't what is and isn't an exploit but the best way to jailbreak both the kindle 4 and the kindle touch.
Last edited by yifanlu; 01-17-2012 at 07:51 PM.
01-17-2012, 07:55 PM | #105
(offline)
Posts: 2,907
Karma: 6736092
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
Whooooo....
folks, calm down, please. Personal attacks won't get this any further, on the contrary. Please try to stay as constructive as you both have been until now. We've got technical challenges to solve... and BTW it's more fun to reverse-engineer than to write disgruntled replies. Get a beer, or two, or five... cheers!