Kindle Touch 5.0 Jailbreak

[yifanlu]

Quote:

Originally Posted by Novas

Hi yifanlu,
I try to use your tool to create new update package to kindle touch.
I use it this way ./kindletool create ota2 -dk5w /media/USB_DISK/kindle/install/
but I get this error message:
Cannot read input.
Segmentation fault
What is wrong? Directory /media/USB_DISK/kindle/install/ exist and included install files.

Are you sure you want to output to stdout? Try outputting to a file.

[yifanlu]

The 5.0.3 update patches this jailbreak method. However, if you already jailbreaked before updating, the key that it installed is still intact and allows you to install custom packages, so jailbreak before updating if you can. Regardless, ixtab's method still works.

[geekmaster]

Quote:

Originally Posted by yifanlu

Ah, I saw the data.tgz early on and I though "it would be great if we have a way to use absolute path. I could read the man file. Ah, whatever". If amazon doesn't patch this. This means I can make use of some of the stack overflow bugs I've found. Nice job! (you could have waited until amazon patched my jailbreak and go screw you amazon, we're back in)

It looks like you got your wish with the 5.0.3 update. The data.tar.gz bug did not (yet) achieve the notoriety of the infamous "MP3 Jailbreak", and managed to slide through Amazon's latest update...

[ixtab]

@yifanlu: thanks for the PM.

I'm currently thinking about what the best way to package a "one-click jailbreak" for 5.0.3 is. Will let you know about the outcome here.

[yifanlu]

It doesn't have to be pretty. Just tell the user to copy the data.tar.gz file and reboot. And in my opinion, the pc side should not contain any executables/scripts since users may not want to run some random exe even if it's to properly copy the tar.gz

Oh, and in case you haven't figured it out already, the payload still works. Aka, installing the custom key without replacing any files.

[demonseye316]

vaniaspeedy thanks for the link. took about ten seconds to hack the kindle v.5.0

have you tried pathartl's method with Kindle Touch Software Update V5.0.3? or maybe i'll just wait for ixtab's one-click jailbreak for 5.0.3.

@ixtab are you going to do something similar to this? (http://pathartl.me/5387/remove-ads-on-kindle-touch) thanks.

[yifanlu]

I hope not.

[geekmaster]

People can do whatever they want as long as they do no harm to others. Helping others by publishing "How To" links and such begins to cross the line between "user" and "pusher". IMHO.


TOS

[ixtab]

Here it is.

This jailbreak should work with all versions of the Kindle Touch currently available. (5.0.0 - 5.0.3).

Instructions are contained in the archive. Please report back any issues here.

[ixtab]

@demonseye316: no.

@yifanlu: Took longer than I expected because I was intermittently bitten by a misunderstanding and tried to find solutions for a nonexistent problem. Just to clarify on this: merely putting an update*.bin, then restarting was also not working with the MP3 jailbreak, or was it?

- via Settings->Update, the update works, because pubdevkey01.pem is considered.
- just putting it there and restarting does not work, because pubdevkey01.pem does not seem to be considered. Constantly getting Update error 3 here.

At least this is the current state of affairs on my device. I may also have screwed up something somewhere... (I thought that update*.bin had previously worked here as well with just restarting).

Can anyone clarify on this (i.e. how their device behaves for these two cases, with the mp3 jailbreak first, and then with the tar one)?

[yifanlu]

Quote:

Originally Posted by ixtab

@demonseye316: no.

@yifanlu: Took longer than I expected because I was intermittently bitten by a misunderstanding and tried to find solutions for a nonexistent problem. Just to clarify on this: merely putting an update*.bin, then restarting was also not working with the MP3 jailbreak, or was it?

- via Settings->Update, the update works, because pubdevkey01.pem is considered.
- just putting it there and restarting does not work, because pubdevkey01.pem does not seem to be considered. Constantly getting Update error 3 here.

At least this is the current state of affairs on my device. I may also have screwed up something somewhere... (I thought that update*.bin had previously worked here as well with just restarting).

Can anyone clarify on this (i.e. how their device behaves for these two cases, with the mp3 jailbreak first, and then with the tar one)?

Unfortunately, the updates that run on restart are of another type (see option "kindletool create recovery"). The key for that is embedded inside the kernel (initramfs to be specific). In short, nope. Your bug also works on kindle 4s, so it would be nice if we get it working on there too. You can't use the dev key method, but you can use my key binding method from the 3.2.1 jailbreak. If you don't have the time, I can do it for you.

[ixtab]

@yifanlu: Thanks for the reply.

The problem is that I only have a KT, no other device, so I can't really be of much use for other platforms because I can't test anything. But of course, you're welcome to port the method to whichever other platform it can be used on. It's not like it's "mine" ;-)

[yifanlu]

I just bought a kindle 4, so I should be able to do tests in a week or so. I know you don't own the tar bug, but you did discover it. I remember finding the data.tar.gz extraction thing and saying in the IRC "wouldn't it be nice if we could extract the tar with absolute paths. Unfortunately tar has that fixed years ago".

[ixtab]

Just thinking aloud:

We might actually be lucky enough for this method not to be fixed by Amazon. The mp3 bug was a serious security vulnerability which could affect inadvertent users. This one is also a vulnerability, but it's much less dangerous IMO, because it's much harder to trick an unsuspecting user into it.

As I said before, it would be nice if Amazon realized the potential of allowing users to tamper with their devices (at own risk). We already have very useful stuff around like the launcher, or the (upcoming) localization.

If all else fails, there's still usbhid mode. I'm loosely following the thread, but admit I'm too shy currently to try it out for fear of bricking the device without being able to get it back into a working state. (i.e. if things are safe to be done via USB, and recoverable by that, I'm fine to give it a go. I'm not fine with opening the device and soldering etc...)

That said, if it's possible to read/write files (or even entire partitions) via usbhid mode, then that'd probably be the way to look for a jailbreak method which is almost impossible to "close" -- or am I missing something here?

[eureka]

Quote:

Originally Posted by ixtab

That said, if it's possible to read/write files (or even entire partitions) via usbhid mode, then that'd probably be the way to look for a jailbreak method which is almost impossible to "close" -- or am I missing something here?

It should be possible to load u-boot into RAM in USB Downloader mode and run it. u-boot sources provided by Amazon contains metadata of "program image" for loading and running it in USB downloader mode. u-boot could be pointed to Linux kernel in RAM, loaded there after u-boot. So, with our loaded kernel (and our initramfs) we could do anything.

But it's possible that Amazon enabled High Assurance Boot feature which is requiring that program image must be signed with some RSA key. The only way to check it is to try to load any "program image".