Kindle 3 WPA Supplicant

[omka88]

Is it possible to get the Kindle 3 to access 802.1x PEAP TTLS wifi using the Kindle? I am assuming since the Kindle is linux based it probably uses WPA Supplicant. That is the only way I can access wifi on my college campus and for a jailbroken android phone, the steps are like this: http://sigdroid.wordpress.com/2010/0...roid-detailed/ . Can this be done on the Kindle?

[NiLuJe]

It does seem to use wpa_supplicant as the backend, but I haven't really looked around to see where the frontend actually store/handles things, so it might not be so simple... .

[omka88]

Interesting... it would be great if someone could get this to work. That would solve the problem of not being able to access enterprise wifi networks, which the Kindle currently does not support. These wifi protocols are usually used in many universities and businesses.

[omka88]

I also found out that on the Nook, there are instructions on how to edit the WPA Supplicant to access the advanced wifi enterprise settiings at: http://nookdevs.com/Tips_and_tricks. I haven't jailbroken my Kindle yet, but is there a large difference in how the Kindle uses the WPA_Supplicant backend?

[crader]

I did the jailbreak today this is what I found out.

There are 3 applications for WPA: wpa_cli, wpa_passphrase, wpa_supplicant

wpa_supplicant ist running as a deamon.
wpa_cli is a interface with various options, one of them is "get_capability".

When I enter "get_capability eap" the output is "MD5 TLS MSCHAPV2 PEAP TTLS GTC OTP LEAP WPS".
Output of "get_capability key_mgmt" is "WPA-PSK WPA-EAP IEEE8021X WPA-NONE NONE"

So it should be possible to connect to enterprise networks, but I can't try it out right now.

[crader]

After a bit more testing I broke my wifi and I dont have a backup

WARNING: Don't use the save_config command in wpa_cli, it will break your wifi

Can someone give me the original /var/local/system/wpa_supplicant.conf file?

[NiLuJe]

Code:

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
update_config=1

(Take that with a grain of salft, I just pulled this from my terminal backlog, and with the crappy less busybox applet on the Kindle, it may be incomplete).

[omka88]

Thanks for the information crader, and sorry about what happened to your wifi. I don't know if you edited any files, but it is always safer to backup any file before you edit it in case something goes wrong.

[crader]

It works!!!

I got WPA-Enterprise working on my Kindle. It wasn't as easy as I thought and it still needs improvement, but at least it works. I explain what I found out.

There is a wpa_supplicant.conf on the Kindle but it seems that it is not useful for us because the configuration for wifi networks is not stored there. If you delete something there your wifi will stop working (thanks @NiLuJe for the config) and if you add something it has no effect.

Then there is the file wifid.conf. Thats the file where the Kindle writes it's known wifi networks. The problem is: it's encrypted. And even if we can decrypt the file, it might not be useful. I doubt that you can write all the information that is needed for an WPA-Enterprise network in there.

The last option is wpa_cli. It's a command line interface for wpa_supplicant. You can add and delete wifi networks in there, but it will not change the wifid.conf or wpa_supplicant.conf. The changes are reverted if you turn your wifi off or restart the Kindle. But if you add a new network in there, the Kindle will use it.

So that is what I do. I wrote a script which adds my wifi network to wpa_cli and I start it when I enter ~usbNetwork in my kindle. The best way to execute the script would be in the start script for the wifi connection, but I don't want to mess with the system files.

Code:

#!/bin/sh

id="`wpa_cli add_network | sed -n '2p'`"

exec="`wpa_cli << EOF
set_network $id ssid \"YOURSSID\"
set_network $id key_mgmt WPA-EAP
set_network $id group TKIP
set_network $id eap PEAP
set_network $id identity \"YOURLOGIN\"
set_network $id anonymous_identity \"YOURANONYMOUSID\"
set_network $id password \"YOURPASSWORD\"
set_network $id phase2 \"auth=none\"
enable_network $id
quit
EOF
`"
echo $exec

Change the script and save it in usbnet/bin/

Add the following line to usbnetwork

Code:

${USBNET_BINDIR}/script

Just add it before "# Load IP config"


That's all, now you should have a working WPA-Enterprise wifi connection.

[NiLuJe]

Nice!

You can put a

Code:

return 0

just after that if you don't want to use the usual usbnet features, too .

[omka88]

That's really nice work Crader! Also, is it possible to add a certificate like the "Thawte Premium Server" ca to the script if the wifi network requires it? Thanks

[omka88]

For my college wifi, I have to use the following script to access the network using a linux machine:

Quote:

network={
ssid="UIC-Wireless"
key_mgmt=IEEE8021X
eap=TTLS
identity="netid-here"
anonymous_identity="anonymous"
password="password-here"
ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
phase2="auth=PAP"
priority=1
}

On the Kindle, would something like this work?

Quote:

#!/bin/sh

id="`wpa_cli add_network | sed -n '2p'`"

exec="`wpa_cli << EOF
set_network $id ssid "UIC-Wireless"
set_network $id key_mgmt IEEE8021X
set_network $id eap TTLS
set_network $id identity "MyLoginID"
set_network $id anonymous_identity "anonymous"
set_network $id password "MyPassword"
ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem" %Not sure if kindle has this%
set_network $id phase2 "auth=PAP"
enable_network $id
quit
EOF
`"
echo $exec

[Tiersten]

If you load in the test/debug files that another MR user found on their Kindle then the @exec option beings enabled and you can run arbitary commands from the Kindle itself. If you give your script a short name then you can get slightly easier to type WPA Enterprise activation and not need to mess with the USB network feature.

[NiLuJe]

@omka88: Provided that you put your root certificate in the userstore (let's say, in a certs directory, right alongside the documents directory), that should do it:

Code:

id="$(wpa_cli add_network | sed -n '2p')"

wpa_cli \
set_network $id ssid "UIC-Wireless" \
set_network $id key_mgmt IEEE8021X \
set_network $id eap TTLS \
set_network $id identity "netid-here" \
set_network $id anonymous_identity "anonymous" \
set_network $id password "password-here" \
set_network $id ca_cert "/mnt/us/certs/Thawte_Premium_Server_CA.pem" \
set_network $id phase2 "auth=PAP" \
enable_network $id \
quit

[omka88]

Thanks NiLuJe and Tiersten!