[Progress] Jailbreaking Kindle 4.0 (Touch/No Keyboard) - Page 4

yifanlu · 10-25-2011, 12:02 PM

Quote:

Originally Posted by Matan

Does u-boot still have memory read/write commands? You could write an ATAG_CMDLINE directly.

Referring to my previous post.

Quote:

To summarize, most uboot options (including read/write to NAND or RAM) are gone.

Matan · 10-25-2011, 01:21 PM

Sorry, I missed that.

The kernel in the 4.0.1 source from Amazon ignores command line from boot loader, so there is no much use looking in that direction.

giorgio130 · 10-25-2011, 03:02 PM

a couple thoughts:
-maybe updating option in recovery doesn't check signature (I don't know why it shouldn't, but may be worth a try)
-root password could be the same as recovery password, have you tried that?

another one:
hitting ctrl+c during boot could drop you into a shell.

yifanlu · 10-25-2011, 04:34 PM

The root partition has been dumped! Yes, @giorgio, according to ichinomoto, that is what he did. I feel stupid for not having thought of that. I was thinking way too hard. uboot. recovery script. kernel. When the solution was right in front of me (using root password, same as recovery password). So thanks again to ichinomoto for getting the serial port, getting root, and dumping the nand. Now is the second half of the journey. Actually analyzing the operating system.

Matan · 10-25-2011, 04:36 PM

The kindle browser is using a very old webkit. Perhaps there is a known exploit that works? It runs as root, so even reading or writing a local file should be enough:

http://www.metasploit.com/modules/au...t_xslt_dropper

This is not an easy option, but the iMX50x SoCs have two external boot mode signals that control the boot process, allowing for download and execution a program from the USB port. This will allow you to run a non crippled uboot.

http://cache.freescale.com/files/32b...=Documentation

yifanlu · 10-25-2011, 04:43 PM

Quote:

Originally Posted by Matan

The kindle browser is using a very old webkit. Perhaps there is a known exploit that works? It runs as root, so even reading or writing a local file should be enough:

http://www.metasploit.com/modules/au...t_xslt_dropper

This is not an easy option, but the iMX50x SoCs have two external boot mode signals that control the boot process, allowing for download and execution a program from the USB port. This will allow you to run a non crippled uboot.

http://cache.freescale.com/files/32b...=Documentation

Thanks for the advice. My main concern right now is finding out how the signature checks for the updater works. If that's secure, we should try another avenue of getting in. It seems like after, what, 4 years of exploiting the updater script. It may have lived it's days.

yifanlu · 10-25-2011, 06:23 PM

I know the format for the new update files now.

0x4 bytes update type: SP01 means signature file
0x4 bytes certificate number: 0 = pubdevkey01.pem, 1 = pubprodkey01.pem, 2 = pubprodkey02.pem (first one does not exist, second two are same as older kindles)
0x38 byte unknown: I think this is random/garbage data. Someone test this by taking a 4.0 kindle. Downloading the 4.0.1 update, and changing the 0x38 bytes of data from offset 0x8 to 0x40 to 00 or random digits. I need to know for sure so we can ignore this space
0x100 / 0x80 byte signature depending on the size of the certificate as noted by the certificate number.

This is used to validate the second part of the file (below). If validation is passed, the next part is extracted and run.

0x4 byte update type: FC04 means signed update
... same as older updates

The new Kindle updater script also has more information on the usage of various fields of the headers and I'll be writing an updated "kindle_update_tool.py" sometime in the future.

Also, I'll be gone for the next few days or maybe a week or so, so sorry.

bartveld · 10-26-2011, 10:34 AM

I haven't got the faintest idea what you guys are babbling on about and am deeply impressed by it. I fervently hope you are succesful for I want a Kindle Touch as soon as it's available in my country, BUT with all the hacks I've grown used to on my old Kindle.
So please, go on babbling!

rng29a · 10-26-2011, 06:21 PM

Hi all, nice to see that there is already so much progress.

I made a preliminary kindle_update_tool.py with yifanlu's instructions so others can have a look at the extracted firmware:
https://gist.github.com/1318051

NiLuJe · 10-27-2011, 02:48 PM

Great news

!

For the less adventurous, I've somewhat hacked around the packager to make it parse (at least) the 4.0.1 update, thanks to yifanlu for the details, and rng29a for the initial implementation

. (Hopefully, I did it in a backwards compatible way, but I didn't verify that on a whole lot of files).

It's in the original packager thread.

Sir Alex · 10-27-2011, 03:04 PM

I have got rootfs for 4.0 and 4.0.1 firmwares. If somebody interested in, ask in PM.

yifanlu · 10-27-2011, 04:03 PM

I won't be home for a while, but on my free time, I'm planning to rewrite the kindle update tool from scratch because I don't like how some parts of it are implemented. Also, I forgot to mention how the FC04 update format works (the part after the SP01 signature):

0x4 byte header "FC04"
0x8 bytes source version (used to be 4 bytes)
0x8 bytes target version (used to be 4 bytes)
0x2 bytes number of devices supported
for each device:
0x2 bytes device id of each supported device
end for each
0x2 bytes critical update flag + 1 byte padding
0x32 byte md5 hash "munged" (dm)
0x2 bytes number of metadata
for each metadata:
0x2 bytes string length
that amount of bytes string metadata "munged" (dm)
end for each

yifanlu · 10-28-2011, 09:06 PM

https://github.com/yifanlu/KindleTool

Here's the new update tool that I'm writing. It's written in pure C. My first "real" experience with C. Not anywhere near done. I'm just finished with extraction and haven't touched on creation. My goal is for it to be 1) lightweight (no need to download python), 2) fast (300MB update extracted in 5 seconds. took 5 minutes with the python tool), 3) portable (hopefully will work on osx, windows, linux, and arm-linux (on the kindle itself). I know the python tool is "good enough", but I constantly find problems with it, like slow extraction times on 300mb recovery updates. I also hope that some other experienced developers can help so I'm putting it on github.

yifanlu · 10-29-2011, 09:05 PM

Not really anything new in terms of jailbreaking, but WHEN it's possible to jailbreak, it will be VERY EASY to modify the boot images (as we modify the screen savers now).

EDIT: To change custom bootscreens:
1) modify /var/local/java/prefs/com.amazon.ebook.framework/prefs
2) set low_level_screens.dir to any directory
3) Put images into this directory

K4 also has built in custom screensaver support
1) modify /var/local/java/prefs/com.amazon.ebook.framework/prefs
2) Add this line: "screensaver.enable.userdefined=true"
3) put your screensavers into /mnt/us/sleepscreens

Just some advice for future purposes when we jailbreak this thing.

Also, it seems like all kindles include a secondary rootfs partition for diags. This partition contains SSH and usbnetwork. However, other then using the serial port, I don't think you can reboot to this mode.

EDIT: When I posted this, I was referring to the Kindle 4, not the touch.

NiLuJe · 10-31-2011, 05:18 PM

Ha! Nice find!

And the screensaver stuff is in there as far back as in a Kindle 2 (at least on 2.5.x)!
It automatically tag them with the 'Slide and release power switch to wake' black bar on the bottom (at least on a K2).

Couldn't get the framework to pick up a config file from /mnt/us/system instead of /var/local/java/prefs though (just in case it might be doable *without* a jailbreak, like the alt font family).

10-25-2011, 03:02 PM	#48
giorgio130 Time Waster Posts: 422 Karma: 289160 Join Date: May 2011 Device: Kobo Glo and Aura HD	a couple thoughts: -maybe updating option in recovery doesn't check signature (I don't know why it shouldn't, but may be worth a try) -root password could be the same as recovery password, have you tried that? another one: hitting ctrl+c during boot could drop you into a shell. Last edited by giorgio130; 10-25-2011 at 03:07 PM. Reason: adding an idea

10-27-2011, 02:48 PM	#55
NiLuJe BLAM! Posts: 13,477 Karma: 26012494 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	Great news ! For the less adventurous, I've somewhat hacked around the packager to make it parse (at least) the 4.0.1 update, thanks to yifanlu for the details, and rng29a for the initial implementation . (Hopefully, I did it in a backwards compatible way, but I didn't verify that on a whole lot of files). It's in the original packager thread. Last edited by NiLuJe; 10-27-2011 at 02:52 PM.

10-29-2011, 09:05 PM	#59
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	Not really anything new in terms of jailbreaking, but WHEN it's possible to jailbreak, it will be VERY EASY to modify the boot images (as we modify the screen savers now). EDIT: To change custom bootscreens: 1) modify /var/local/java/prefs/com.amazon.ebook.framework/prefs 2) set low_level_screens.dir to any directory 3) Put images into this directory K4 also has built in custom screensaver support 1) modify /var/local/java/prefs/com.amazon.ebook.framework/prefs 2) Add this line: "screensaver.enable.userdefined=true" 3) put your screensavers into /mnt/us/sleepscreens Just some advice for future purposes when we jailbreak this thing. Also, it seems like all kindles include a secondary rootfs partition for diags. This partition contains SSH and usbnetwork. However, other then using the serial port, I don't think you can reboot to this mode. EDIT: When I posted this, I was referring to the Kindle 4, not the touch. Last edited by yifanlu; 12-10-2011 at 04:50 PM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
No Progress bar on the Touch...	grizedale	Amazon Kindle	13	09-29-2011 05:02 PM
Questions about jailbreaking a Kindle 3	daviesgeek	Kindle Developer's Corner	0	09-13-2011 02:09 PM
Touch screen vs keyboard e-ink only	Zarich	Which one should I buy?	24	03-05-2011 06:47 AM
Which Kindle do I need for jailbreaking?	chas0039	Kindle Developer's Corner	6	11-10-2010 10:04 PM

10-25-2011, 01:21 PM	#47
Matan Enthusiast Posts: 42 Karma: 39432 Join Date: May 2011 Device: none	Sorry, I missed that. The kernel in the 4.0.1 source from Amazon ignores command line from boot loader, so there is no much use looking in that direction.

10-25-2011, 04:34 PM	#49
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	The root partition has been dumped! Yes, @giorgio, according to ichinomoto, that is what he did. I feel stupid for not having thought of that. I was thinking way too hard. uboot. recovery script. kernel. When the solution was right in front of me (using root password, same as recovery password). So thanks again to ichinomoto for getting the serial port, getting root, and dumping the nand. Now is the second half of the journey. Actually analyzing the operating system.

10-25-2011, 04:36 PM	#50
Matan Enthusiast Posts: 42 Karma: 39432 Join Date: May 2011 Device: none	The kindle browser is using a very old webkit. Perhaps there is a known exploit that works? It runs as root, so even reading or writing a local file should be enough: http://www.metasploit.com/modules/au...t_xslt_dropper This is not an easy option, but the iMX50x SoCs have two external boot mode signals that control the boot process, allowing for download and execution a program from the USB port. This will allow you to run a non crippled uboot. http://cache.freescale.com/files/32b...=Documentation

10-25-2011, 06:23 PM	#52
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	I know the format for the new update files now. 0x4 bytes update type: SP01 means signature file 0x4 bytes certificate number: 0 = pubdevkey01.pem, 1 = pubprodkey01.pem, 2 = pubprodkey02.pem (first one does not exist, second two are same as older kindles) 0x38 byte unknown: I think this is random/garbage data. Someone test this by taking a 4.0 kindle. Downloading the 4.0.1 update, and changing the 0x38 bytes of data from offset 0x8 to 0x40 to 00 or random digits. I need to know for sure so we can ignore this space 0x100 / 0x80 byte signature depending on the size of the certificate as noted by the certificate number. This is used to validate the second part of the file (below). If validation is passed, the next part is extracted and run. 0x4 byte update type: FC04 means signed update ... same as older updates The new Kindle updater script also has more information on the usage of various fields of the headers and I'll be writing an updated "kindle_update_tool.py" sometime in the future. Also, I'll be gone for the next few days or maybe a week or so, so sorry.

10-26-2011, 10:34 AM	#53
bartveld Evangelist Posts: 413 Karma: 1477913 Join Date: Jan 2006 Location: Netherlands Device: KA1, Galaxy S8, Galaxy Tab A 10.1, ReMarkable	I haven't got the faintest idea what you guys are babbling on about and am deeply impressed by it. I fervently hope you are succesful for I want a Kindle Touch as soon as it's available in my country, BUT with all the hacks I've grown used to on my old Kindle. So please, go on babbling!

10-26-2011, 06:21 PM	#54
rng29a Junior Member Posts: 1 Karma: 10 Join Date: Oct 2011 Device: Kindle 4	Hi all, nice to see that there is already so much progress. I made a preliminary kindle_update_tool.py with yifanlu's instructions so others can have a look at the extracted firmware: https://gist.github.com/1318051

10-27-2011, 03:04 PM	#56
Sir Alex Groupie Posts: 157 Karma: 1777 Join Date: Sep 2010 Location: Minsk, Belarus Device: Kindle 4	I have got rootfs for 4.0 and 4.0.1 firmwares. If somebody interested in, ask in PM.

10-27-2011, 04:03 PM	#57
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	I won't be home for a while, but on my free time, I'm planning to rewrite the kindle update tool from scratch because I don't like how some parts of it are implemented. Also, I forgot to mention how the FC04 update format works (the part after the SP01 signature): 0x4 byte header "FC04" 0x8 bytes source version (used to be 4 bytes) 0x8 bytes target version (used to be 4 bytes) 0x2 bytes number of devices supported for each device: 0x2 bytes device id of each supported device end for each 0x2 bytes critical update flag + 1 byte padding 0x32 byte md5 hash "munged" (dm) 0x2 bytes number of metadata for each metadata: 0x2 bytes string length that amount of bytes string metadata "munged" (dm) end for each

10-28-2011, 09:06 PM	#58
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	https://github.com/yifanlu/KindleTool Here's the new update tool that I'm writing. It's written in pure C. My first "real" experience with C. Not anywhere near done. I'm just finished with extraction and haven't touched on creation. My goal is for it to be 1) lightweight (no need to download python), 2) fast (300MB update extracted in 5 seconds. took 5 minutes with the python tool), 3) portable (hopefully will work on osx, windows, linux, and arm-linux (on the kindle itself). I know the python tool is "good enough", but I constantly find problems with it, like slow extraction times on 300mb recovery updates. I also hope that some other experienced developers can help so I'm putting it on github.

10-31-2011, 05:18 PM	#60
NiLuJe BLAM! Posts: 13,477 Karma: 26012494 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	Ha! Nice find! And the screensaver stuff is in there as far back as in a Kindle 2 (at least on 2.5.x)! It automatically tag them with the 'Slide and release power switch to wake' black bar on the bottom (at least on a K2). Couldn't get the framework to pick up a config file from /mnt/us/system instead of /var/local/java/prefs though (just in case it might be doable without a jailbreak, like the alt font family).