10-02-2011, 02:25 PM | #16
Evangelist
Posts: 416
Karma: 1045911
Join Date: Sep 2011
Location: Cape Town, South Africa
Device: Kindle 3
While not exactly on topic: the Duokan Lite firmware has this feature, as well as customizable control over it; it might be a better source for unpacking, though since there's no source for it, it's unknown whether they've changed too much to stop it being easily portable.
10-02-2011, 02:48 PM | #17
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
All Internet traffic goes through Amazon's Internet proxy. I think AT&T and other carriers had a deal with Amazon that Internet is only allowed to *.amazon.com or something. Your HTTP requests also contain a unique key that is tied to your Kindle serial number, and Amazon refuses to process the request without the key. If Amazon is smart, their server would block the keys from Kindle Touch serials. If that's the case, the only thing to do is to swap serials with the Kindle 3. That is assuming serials are still flashable and the new Kindle can be jailbroken. But I may be giving them too much credit. It could be that the 4.0 software will block Internet requests on 3G. But I wouldn't think too much about this, because there's nothing stopping Amazon from also pulling free Internet from the Kindle 3 if people start swapping serial numbers and stuff.
10-02-2011, 11:54 PM | #18
Connoisseur
Posts: 84
Karma: 26720
Join Date: Mar 2011
Device: Kindle 3 WIFI
To further Yifanlu's post:
Maintaining working 3G requires not only the X-FSN and serial number but also the corresponding MAC address and manufacturer code.
10-04-2011, 04:51 AM | #19
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
I hope this is not a stupid idea. What about using the backslash bug (assuming it's still there) directly in the name of the update? Maybe this way we can get a signature check on the original update and get ours installed.
10-04-2011, 07:43 AM | #20
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I don't think you understand the security of the new update. It refuses to even extract any update file that doesn't pass signature checks. The backslash bug is based on the fact that the extracted file list that the updater reads is messed up with a backslash.
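The verify-before-extract ordering yifanlu describes above, shown as an added Python example (not code from this thread or from the Kindle updater): the signature covers the entire archive and is checked before any member is unpacked, and only then are member names that could confuse a path-based file list (backslashes, traversal) rejected. The HMAC key, the tar layout and the sample files are constructed stand-ins for the real signature scheme and update format.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for the vendor signing key; an HMAC-SHA256 tag plays
# the role of the real signature so the example runs offline (assumption).
SIGNING_KEY = b"example-signing-key-not-real"
SIG_LEN = 32


def build_bundle(files: dict) -> bytes:
    """Pack {name: content} into a tar and sign the whole archive (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    archive = buf.getvalue()
    return archive + hmac.new(SIGNING_KEY, archive, hashlib.sha256).digest()


def install(bundle: bytes) -> dict:
    """Verify first, extract second: a bad bundle is never unpacked."""
    archive, sig = bundle[:-SIG_LEN], bundle[-SIG_LEN:]
    expected = hmac.new(SIGNING_KEY, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature check failed; refusing to extract")
    extracted = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # Names that could confuse a path-based file list are rejected
            # even though the signature was valid (defence in depth).
            if "\\" in member.name or ".." in parts or member.name.startswith("/"):
                raise ValueError(f"unsafe member name: {member.name!r}")
            if not member.isfile():
                raise ValueError(f"unexpected member type: {member.name!r}")
            extracted[member.name] = tar.extractfile(member).read()
    return extracted


def tamper(bundle: bytes) -> bytes:
    """Flip one byte of the signed archive to simulate a modified update."""
    i = len(bundle) // 4
    return bundle[:i] + bytes([bundle[i] ^ 0xFF]) + bundle[i + 1:]
```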
10-04-2011, 06:37 PM | #21
wannabe developer
Posts: 192
Karma: 156548
Join Date: Mar 2011
Device: Kindle: 2xKeyboard, Classic, 2xTouch, 2xPW, PW2; Onyx: Boox M92
Three things:
First: DO not try to open your K4; it's almost impossible to open it without damaging the cover.
Second: There is NO SERIAL port inside.
Third: Source code is now available for both 4.0 and 4.0.1. Keypad and battery are called "tequila". There is recovery mode.
Kernel Config: Spoiler:
Last edited by seaniko7; 10-04-2011 at 07:47 PM.
10-04-2011, 10:51 PM | #22
Connoisseur
Posts: 84
Karma: 26720
Join Date: Mar 2011
Device: Kindle 3 WIFI
4.0: http://kindle.s3.amazonaws.com/Kinde...8590058.tar.gz
4.0.1: http://kindle.s3.amazonaws.com/Kinde...1440003.tar.gz
Sauce for those who want it. Yifanlu: Perhaps you can use this to create a sandbox 4.0.1 system or even one that works on 3.2.1.
10-04-2011, 10:52 PM | #23
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I haven't gotten a chance to look at the source yet. But I'm glad it's out.
Also, is the accessory port connected to anything other than power? I remember on the K3, the accessory port is connected to the serial port. There's no use for the source code in regards to jailbreaking the device. That requires a NAND dump. The last one was dumped thanks to Amazon accidentally leaving test scripts on one guy's Kindle, allowing shell. It'll be harder this time. I'm in the process of MacGyver-ing up a NAND dumper (which most likely won't work) which hooks directly to the motherboard.
Last edited by yifanlu; 10-04-2011 at 10:55 PM.
10-04-2011, 11:10 PM | #24
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Ok, I'm going to break my own rule and talk about the Kindle Fire.
Its codename is "banjo" and the CPU is a Cortex-A8 in an imx51 arch. Both "yoshi" (Kindle 4/Touch) and "banjo" (Fire) have fastboot support, I think. Someone try to get fastboot working on their Kindle 4, as I don't have one. If you get into fastboot, you can flash partitions. EDIT: I think this is a dead end. To get fastboot, you need to set a param in u-boot, which requires a serial console. If I read correctly, only "ECT boards" (dev?), ID 004, have serial access. Production boards "tequila" (003) skip serial port init, aka even if there is a serial port, it's disabled.
Last edited by yifanlu; 10-04-2011 at 11:24 PM.
10-04-2011, 11:25 PM | #25
Connoisseur
Posts: 84
Karma: 26720
Join Date: Mar 2011
Device: Kindle 3 WIFI
Yifanlu: In order to get fastboot working on most Android devices, you must restart it and hold a certain physical button to send the device into "bootloader" or "recovery" mode. The K4 will have to support a similar feature in order to get fastboot working. There are also tools similar to fastboot made by Nvidia for the Tegra SoC line, called NVFlash; the point is that flashing partitions requires the SBK key, which is very hard to come by. The first few devices' SBK values were leaked in developer versions of the software. Maybe Amazon implemented a similar feature? I hope not; surely it can't be as easy as fastboot though.
10-04-2011, 11:29 PM | #26
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
See my edit. I think the serial port is a dead end. I may be wrong (I'm only 70% sure, since I only took a few minutes reading the code), but 1) there is/may not be a serial port on the Kindle 4 and 2) if there is, it's disabled on production boards. You need serial port access to switch to fastboot mode (no button-hold combination).
10-05-2011, 12:14 AM | #27
Connoisseur
Posts: 84
Karma: 26720
Join Date: Mar 2011
Device: Kindle 3 WIFI
Ah, let's also remember nearly EVERYTHING runs as root on the Kindle.
10-05-2011, 12:29 AM | #28
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Yup, that's our one advantage (although we can't say for sure it's true on the K4). However, most of the "stuff" that we can interact with (loading books, USB mounting, web browsing, etc.) is Java-based, and it's much harder to exploit a virtual machine with something like a buffer overflow. There is not much hope with the browser, as WebKit is pretty secure since Apple, Google, etc. constantly support it.
10-05-2011, 12:33 AM | #29
Connoisseur
Posts: 84
Karma: 26720
Join Date: Mar 2011
Device: Kindle 3 WIFI
More research should be done with AZWs and PDFs, how the Kindle Framework loads them. There are numerous PDF vulnerabilities around, maybe we can adapt our own.
10-05-2011, 12:59 AM | #30
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Ok, here's a possibly unrelated thing I found while looking through the bootloader code. On the Kindle 3/2, if you wanted to flash the serial number, MAC address, etc., all you had to do was call "idme --serial XXX" or something like that. I'm guessing this is blocked on the Kindle 4 because Amazon doesn't want people spoofing serial numbers. I think they're achieving this by write-protecting that section of the MMC after bootup. Anyways, to flash the idme vars (serial, mac, boardid, etc.), you flash a binary file with the magic number (header) "abcdefghhgfedcba" to 0x3f000 in the NAND. I haven't looked into what the format for this file should be, but I'm guessing it's just a byte-aligned file containing all the idme variables. At bootup, when the Kindle detects this (the magic header at 0x3f000), it flashes the variables. Now, I don't know how much use this information is, as I would think you have to have root access before you can start flashing the NAND, but just throwing ideas out there.
But yeah, I advise everyone who's interested to read the bootloader code. It's pretty interesting, and has the most potential for a permanent jailbreaking solution (aka, not patched in updates). In the source code release, it's the archive named "u-boot-2009.08.tar.bz2". The folders of interest are "/board/imx50_yoshi" (Kindle 4/Touch) and "/board/imx51_banjo" (99% sure it's the Kindle Fire because it talks about a "system" partition, which we find on Android). Also, in "/includes/configs" you'll see "imx35_luigi.h" and "imx51_banjo.h".
Last edited by yifanlu; 10-05-2011 at 01:01 AM.