11-12-2011, 02:00 PM | #61
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
OK, a tiny bit of progress. I've found a way to access/read most files on the Kindle. However, I can't pass arguments, so it's basically useless. Still, if we didn't have a NAND dump, it would have been useful.
11-12-2011, 11:56 PM | #62
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Also, here's a WebKit code execution exploit that works on the Kindle 4.
http://imthezuk.blogspot.com/2010/11...fter-free.html
http://trac.webkit.org/changeset/64706
However, the PoC linked above is designed for Android 2.1 and just does a DoS on the Kindle 3/4. When I have time, I'll play around with it to see if I can get the pointer right. The shellcode above tries to call /system/bin/sh while the Kindle uses /bin/sh, so the shellcode needs to change too. Also, the current shellcode tries to open a reverse shell. When testing it out to see if it works, on your computer, do "nc -l 12345". Set your computer's IP and port in hex in the HTML file, ln -sf /bin/sh /system/bin/sh, and load it with your Kindle. Then mess with the pointer found in NaN() until you can type in shell commands on your computer and it loads on the Kindle (no output though). If THAT works, then I can modify the shellcode to jailbreak. Have fun.
11-14-2011, 05:58 PM | #63
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
As I predicted, the days of Unix filesystem/shell glitching are over. We must now find real exploits. I've spent the last few days exploring various binaries and system files and I've come up with a list of potential exploit vectors. I've listed them from most likely to least likely.
The thing we need to look for is a part of the Kindle that 1) accepts user input, i.e. reads files from the FAT32 partition; 2) runs natively (no Java involved; that's 95% of the Kindle OS); 3) is preferably not open source. Open source projects are usually very secure, as if an exploit exists, it would have been found long ago by smart people.
- PDF Reader. This seems like a great bet. The entire PDF library is a Java JNI library: /usr/java/lib/libAdobePDFReader.so and /usr/java/lib/libPDFReader.so. They are ~10MB total, so it would be easy to slip up somewhere. In addition, it is Amazon code (not open source). It also reads PDF files, a very complex file structure. There's bound to be a stack/heap/buffer overflow somewhere.
- libTopaz.so & libjniaudible.so. Found in the same dir as the PDF reader. These two are also Amazon code, but there is less input to be read and the file sizes are small. However, there could be something there.
- /usr/bin/browserd. The Kindle WebKit browser is actually native code. The Java framework "connects" to browserd through sockets and only feeds it URLs and key input. I've spent most of my time analyzing this binary and I think it's a dead end. There are stack guards present and the only user input is URLs and a few files. None of the files have a complex structure and it reads them pretty straightforwardly. I did find 3 bugs in the binary, but none of them can lead to code execution. As someone mentioned, it uses an old version of WebKit so we could use one of the many patched WebKit exploits. I've tried a couple, but none of them worked. The Kindle arch is very stripped down.
- Java framework. This is the GUI that you see. I'm sure there are tons of ways to crash the framework, but because of Java's VM sandbox, most if not all are useless. I did stack overflow a couple of times but nothing useful came out of it.
- Linux filesystem. VERY unlikely. These files are pretty secure, but even worse, we don't really have access to any of them, so if there is an exploit, we can't really feed it data.
To have an idea of what to look for, here are some possible goals, from best bet to worst. Achieving any one of the following would make achieving the goals above it easier.
1) Running native code (duh)
2) Running a shell script/getting shell access
3) Writing to the root partition
4) Writing to the vars partition
5) Reading any partition other than the FAT32 one
6) Crashing native code
7) Crashing the Java framework
Anyone else have any ideas?
11-15-2011, 04:29 AM | #64
Junior Member
Posts: 1
Karma: 2710
Join Date: Nov 2011
Device: Kindle Non-Touch
No ideas, sorry, just words of encouragement.
I'm checking this thread every few days; can't say I have the skills to help but really appreciate the work you're doing. Thanks yifanlu!
11-15-2011, 09:45 AM | #65
Junior Member
Posts: 8
Karma: 10
Join Date: Nov 2011
Device: Kindle4
I second Zeromus, I just registered only to tell you how great your work is and how much we look forward to your Kindle4 hack!
BTW: My Kindle arrives on 24 Dec, so you still have some time.
11-15-2011, 04:17 PM | #66
Junior Member
Posts: 1
Karma: 10
Join Date: Nov 2011
Device: Kindle 4 non-touch
Quote:
If so, it may be vulnerable to CVE-2011-0226 (see http://esec-lab.sogeti.com/post/Anal...3-font-exploit for an analysis of a recent iPhone jailbreak using this exploit).
11-15-2011, 04:49 PM | #67
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
11-15-2011, 08:18 PM | #68
Junior Member
Posts: 1
Karma: 10
Join Date: Nov 2011
Device: Kindle
Hello, guys.
I could try to be of some help if you could just tell me how to ssh/read files/do whatever with the Kindle from my desktop.
11-15-2011, 08:58 PM | #69
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
11-16-2011, 04:47 AM | #70
ebook fan
Posts: 735
Karma: 2528718
Join Date: Dec 2010
Device: PocketBook 301+, Kindle 3 Wi-Fi, Onyx Boox A62, Kindle Touch
Thanks, yifanlu, for your effort! I'm very interested in a jailbreak for the Kindle 4...
Do you have a manual on how to connect to it through the serial port? Some time ago I tried to find a root hack for my PocketBook 301+, but without success. Probably I'll buy a Kindle 4 for jailbreaking.
Last edited by sergeyvl12; 11-16-2011 at 04:50 AM.
11-16-2011, 11:18 PM | #71
Junior Member
Posts: 1
Karma: 10
Join Date: Nov 2011
Device: Kindle Touch
Hello
Hi all,
Just purchased 2 of these devices, and love the hardware & platform concept, but greatly object to/dislike the enforced advertising content. I've had a read through this thread, and while I don't have the technical skills to push this project forward, I will do my best to offer constructive comments on potential lines of attack. My thanks to Lifanyu & other contributors for your efforts, and more importantly, your commentary & instructions. Your generosity in sharing the results of your efforts is appreciated, by more than just myself, I'm sure.
Cheers, 'Kat
11-16-2011, 11:20 PM | #72
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I'm going to throw some ideas around about a Kindle packaging system. I have two problems with Kindle hacks. First, installing and uninstalling hacks is messy. Install scripts could modify any files and there isn't a system for where data/binaries should be stored. Also, it's hard to keep up with all the installers/uninstallers and versioning. And using the Kindle's update system could seem confusing to new users, as they think they're upgrading. The second problem is we don't have a nice GUI launcher. I'm thinking of using the Debian packaging system, but I don't want to modify rootfs if I can prevent it. I was thinking of a custom package structure where, to install an app, you copy a folder to the "packages" folder on the Kindle or something. In that folder will be a startup script, a shutdown script, a run-on-demand script, and a stop-on-demand script (optional). It would also contain its own data in that folder. We only install one startup script to the Kindle when jailbreaking, and that script loads all hacks on startup. To uninstall, just delete the folder for the package. And second, someone (maybe me) could write an app launcher that is activated by a shortcut key or gesture.
The package structure could be like:
USB Root
-> packages
--> ssh
---> startup.sh
---> shutdown.sh
---> run.sh
---> stop.sh
---> bin
----> dropbear
---> etc
----> dropbear.conf
--> screensaver
---> startup.sh
---> images
----> image1.png
----> image2.png
And so on. Can developers give some feedback about this?
Last edited by yifanlu; 11-16-2011 at 11:22 PM.
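As an added example (not code from the thread or from any Kindle project), here is what the single startup script described above could look like: every hack is a folder under packages/ with optional startup.sh and shutdown.sh hooks, and one loader walks them all, logging and skipping a hook that fails so one broken package cannot block the rest. The /mnt/us/packages root and /tmp log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one loader for the proposed layout where
# each hack is a folder under packages/ with optional startup.sh/shutdown.sh.
# The package root and log path below are assumptions, not Kindle paths
# confirmed by the thread; override them via the environment if needed.
KINDLE_PKG_ROOT="${KINDLE_PKG_ROOT:-/mnt/us/packages}"
KINDLE_PKG_LOG="${KINDLE_PKG_LOG:-/tmp/packages.log}"

# run_hook <package dir> <hook file>: run the hook if the package ships one.
# The hook runs in a subshell, from inside its own folder, so relative paths
# like bin/ and etc/ resolve and a broken hook cannot change our environment.
run_hook() {
    dir="$1"; name="$2"
    [ -f "$dir/$name" ] || return 0
    if ( cd "$dir" && sh "./$name" ) >>"$KINDLE_PKG_LOG" 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s %s %s exit=%s\n' "$(date '+%F %T')" "$(basename "$dir")" \
        "$name" "$status" >>"$KINDLE_PKG_LOG"
    return "$status"
}

# run_all_hooks <hook file>: run the hook for every package folder. A failing
# package is logged and skipped so it cannot stop the other hacks from loading.
# Prints the number of packages whose hook succeeded (or had no hook to run).
run_all_hooks() {
    hook="$1"; ok=0
    for pkg in "$KINDLE_PKG_ROOT"/*/; do
        [ -d "$pkg" ] || continue      # glob matched nothing: no packages yet
        if run_hook "${pkg%/}" "$hook"; then
            ok=$((ok + 1))
        fi
    done
    echo "$ok"
}

# Installed once at jailbreak time; the init system calls it with start/stop.
case "${1:-}" in
    start) run_all_hooks startup.sh ;;
    stop)  run_all_hooks shutdown.sh ;;
esac
```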
11-16-2011, 11:45 PM | #73
Junior Member
Posts: 5
Karma: 1126
Join Date: Oct 2011
Device: K4
11-17-2011, 05:55 AM | #74
Junior Member
Posts: 4
Karma: 10
Join Date: Nov 2011
Device: Kindle 4
Quote:
So why doesn't a preset package management system fit the Kindle? It's simply too heavy to maintain. As you said, rootfs is useless. While gentoo-prefix won't bother you with rootfs, it is unacceptable in size (20x the size of general Kindle apps). A PMS is actually a tool chain about filesystem tree layout, with versioning tools like git/hg/svn included. The trick is to process metadata well and keep files organized. Am I going to run, say, `apt-get update` on my Kindle? I don't think so. The most frequent scenario is to connect the Kindle to a PC and then sync with, as you said, a GUI application. Since executing commands from the Kindle is unnecessary, why not consider the Kindle as an output directory? Thus the problem becomes that we need a PMS on the PC only, and the Kindle is just a local branch. Every install/uninstall/upgrade/reverse operation can be seen as one synchronisation with local repos. An invisible advantage will be that library management can be integrated into this sync tool flawlessly.
About the launcher, an official implementation (the one shipped with the jailbreak package) is preferable. This concerns usability, and only in this way can you control the init/halt of Kindle apps. You can make some rules before a 3rd-party app can be listed in your launcher, for example, config file location etc. I'm not talking about auditing, but I do consider two-way user-friendly design between jailbreakers and app developers.
In my design, a slim version of PMS just has to do a few things right:
1. Filesystem layout. I totally agree with you about the filesystem layout. Technically it is done by adding a global $PREFIX="/packages/" in scripts.
2. Dependencies. I don't know if it matters, as most Kindle apps are independent.
3. Versioning. A simple cut/copy/paste works well I think, especially when configurations are preserved in separate directories.
In summary, I imagine this PMS for the Kindle to be mainly an application on the PC. If it is written in C/Python, it's probably naturally cross-platform.
Here is a link to gentoo's PMS specifications if you are interested.
11-17-2011, 03:09 PM | #75
Junior Member
Posts: 6
Karma: 10
Join Date: Sep 2011
Device: sony prs