[Progress] Jailbreaking Kindle 4.0 (Touch/No Keyboard)

[lapuckire]

Quote:

Originally Posted by yifanlu

Get your friend to compile it on the Mac. That's how I compiled it. I can't seem to find it right now though.

Yifanlu, please, i need your help again! I`ve tried to compile it on Mac but Terminal has written some errors and it hasn`t compiled :

Erik-Cupals-iMac:fsatboot erikcupal$ gcc -Wall -lpthread -framework CoreFoundation -framework IOKit -framework Carbon protocol.c engine.c fastboot.c usb_osx.c util_osx.c -o fastboot
engine.c: In function ‘match’:
engine.c:162: warning: unused variable ‘len’
engine.c:160: warning: unused variable ‘val’
fastboot.c: In function ‘do_oem_command’:
fastboot.c:300: warning: unused variable ‘i’
fastboot.c: In function ‘main’:
fastboot.c:414: warning: implicit declaration of function ‘fb_queue_check’
fastboot.c:417: warning: unused variable ‘pname’
fastboot.c:322: warning: unused variable ‘page_size’
fastboot.c: At top level:
fastboot.c:278: warning: ‘setup_requirements’ defined but not used
In file included from util_osx.c:29:
/System/Library/Frameworks/Carbon.framework/Headers/Carbon.h:70:35: error: SecurityHI/SecurityHI.h: No such file or directory
Erik-Cupals-iMac:fsatboot erikcupal$

What now ???

[abishur]

Quote:

Originally Posted by Meest

Hi all!

Code:

ip route add blackhole 72.21.192.0/19

How to write it to the file to save this routing after reboot?
I would appreciate if you help.
thank you guys.

Actually you can use the hosts file. Make an entry to point the desired IP to 127.0.0.1 (localhost). But blocking traffic to Amazon wouldn't let you use the store or browse the internet on your kindle. Alternatively you might be able to block the site from your router.

@6od9 Check out this thread for links to usbnetwork and read the readme file included in the zip. I've also done some step by step instructions on how to install these kinds of files earlier in this thread.

[geekmaster]

Quote:

Originally Posted by abishur

...
But blocking traffic to Amazon wouldn't let you use the store or browse the internet on your kindle.
...

Or you can just have cron periodically move or delete the log files in /var/local/logs/*.

[kingpin409]

Hi, I wanted to install a custom localization to my Kindle4 NT (https://www.mobileread.com/forums/sho...d.php?t=160796). But I have a problem - I can't update, only thing i got is screen saying that an error occured during update and error code is U007. I have installed jailbreak (https://www.mobileread.com/forums/sho...&postcount=240) and i have working SSH over WiFi.

[dionoea]

I'm pleased to announce that I've found an easy to use code execution method for the kindle 4 non touch. It only requires putting files on the usb drive and rebooting the kindle.

This is similar to ixtab's method for the kindle touch (https://www.mobileread.com/forums/sho...8&postcount=41) but it exploits a different file. We'll be exploiting the fact that /var/local/system/mntus.params is sourced when mounting the user share partition. This file can be overwritten by placing a slightly different version in a data.tar.gz file which is extracted by the kindle upon boot. (Those two items are handled by the /etc/init.d/userstore init script on the kindle.) Please note that mntus.params contains some information about the userstore partition which means that you have to be careful before replacing its contents. This is what it looks like here:

Code:

# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32

The _START, _SIZE and _FATSIZE values do not seem to be used after the userstore is created. On the other hand _OFFSET is used by /usr/sbin/mntus when creating the loopback device to mount the user store partition. If that value is wrong then we lose any ability to mount that partition. Since it seems to be hardcoded to sector size (512) * numbers of sector per track (16) I think that we're pretty safe across devices. If we wanted to be extra safe we could run MNTUS_PART_OFFSET=$(($(sfdisk --show-geometry|awk '{print $6;}') * 512)) in the script to make sure that the value is ok.

Replacing the file's contents with

Code:

# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32

if [ -e /mnt/us/RUNME.sh ]
then
        sh /mnt/us/RUNME.sh > /mnt/us/RUNME.log 2>&1
fi

makes it possible to automatically execute a file called RUNME.sh on the userstore partition on boot. (There's still something I don't understand here since /mnt/us isn't supposed to already be mounted when we source that file ... but since it's sourced many times I guess that we just get lucky).

The steps to deploy this hack are thus:
* create the modified mntus.params file and put it in a system directory. chown -R 0:0 system.
* create the data.tar.gz file with: tar cvzf data.tar.gz system --transform 's#^#/var/local/#' --show-stored-names -P
* copy that file to the kindle's user store over usb
* reboot the kindle through the system menu
* create a RUNME.sh file in the user store
* reboot the kindle to execute RUNME.sh

An example RUNME.sh file could be something like:

Code:

if [ ! -e /usr/local ]
then
  mntroot rw
  mount /dev/mmcblk0p2 /mnt/mmc
  cp -dpr /mnt/mmc/usr/local /usr/local
  umount /mnt/mmc
fi

This would install usb networking and the relevant dropbear binaries from the diag partition.

I've attached a data.tar.gz file containing the RUNME.sh launcher as well as a dummy RUNME.sh script to this post. If everything runs correctly you should have "hello world!" message in a file called RUNME.log after the last reboot.

[yifanlu]

Quote:

Originally Posted by dionoea

I'm pleased to announce that I've found an easy to use code execution method for the kindle 4 non touch. It only requires putting files on the usb drive and rebooting the kindle.

This is similar to ixtab's method for the kindle touch (https://www.mobileread.com/forums/sho...8&postcount=41) but it exploits a different file. We'll be exploiting the fact that /var/local/system/mntus.params is sourced when mounting the user share partition. This file can be overwritten by placing a slightly different version in a data.tar.gz file which is extracted by the kindle upon boot. (Those two items are handled by the /etc/init.d/userstore init script on the kindle.) Please note that mntus.params contains some information about the userstore partition which means that you have to be careful before replacing its contents. This is what it looks like here:

Code:

# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32

The _START, _SIZE and _FATSIZE values do not seem to be used after the userstore is created. On the other hand _OFFSET is used by /usr/sbin/mntus when creating the loopback device to mount the user store partition. If that value is wrong then we lose any ability to mount that partition. Since it seems to be hardcoded to sector size (512) * numbers of sector per track (16) I think that we're safely safe across devices. If we wanted to be extra safe we could run MNTUS_PART_OFFSET=$(($(sfdisk --show-geometry|awk '{print $6;}') * 512)) in the script to make sure that the value is ok.

Replacing the file's contents with

Code:

# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32

if [ -e /mnt/us/RUNME.sh ]
then
        sh /mnt/us/RUNME.sh > /mnt/us/RUNME.log 2>&1
fi

makes it possible to automatically execute a file called RUNME.sh on the userstore partition on boot. (There's still something I don't understand here since /mnt/us isn't supposed to already be mounted when we source that file ... but since it's sourced many times I guess that we just get lucky).

The steps to deploy this hack are thus:
* create the modified mntus.params file and put it in a system directory. chown -R 0:0 system.
* create the data.tar.gz file with: tar cvzf data.tar.gz system --transform 's#^#/var/local/#' --show-stored-names -P
* copy that file to the kindle's user store over usb
* reboot the kindle through the system menu
* create a RUNME.sh file in the user store
* reboot the kindle to execute RUNME.sh

An example RUNME.sh file could be something like:

Code:

if [ ! -e /usr/local ]
then
  mntroot rw
  mount /dev/mmcblk0p2 /mnt/diag
  cp -dpr /mnt/diag/usr/local /usr/local
fi

This would install usb networking and the relevant dropbear binaries from the diag partition.

I've attached a data.tar.gz file containing the RUNME.sh launcher as well as a dummy RUNME.sh script to this post. If everything runs correctly you should have "hello world!" message in a file called RUNME.log after the last reboot.

There are bunches of ways of using the "data.tar.gz" absolute path bug. I think ixtab should be the one to release the next jailbreak though, because he found the bug and deserves the attention that it will bring.

[dionoea]

Quote:

Originally Posted by yifanlu

There are bunches of ways of using the "data.tar.gz" absolute path bug. I think ixtab should be the one to release the next jailbreak though, because he found the bug and deserves the attention that it will bring.

Sure I just wanted to provide one such way for us kindle non touch users (as I hadn't seen any published yet)

[seaniko7]

@dionoea, have you tested this method?

I've been trying to execute script from edited mntus.params about week ago without luck...

[dionoea]

Quote:

Originally Posted by seaniko7

@dionoea, have you tested this method?

I've been trying to execute script from edited mntus.params about week ago without luck...

I've tested with the provided data.tar.gz and RUNME.sh and it worked fine. Maybe you need to make sure that you did a complete reboot?

[seaniko7]

Somehow full reboot (holding power button for 30s) did not work. After rebooting from settings script worked fine.

[dionoea]

Quote:

Originally Posted by seaniko7

Somehow full reboot (holding power button for 30s) did not work. After rebooting from settings script worked fine.

Yeah, that's what I meant. The "hold power button" method doesn't seem to be very reliable to get a complete reboot.

[geekmaster]

I have another tar exploit that triggers when wireless is turned on. It works on the k4nt and the touch. ixtab had others have the complete details (they PM'd me). ixtab's initial announcement on the irc channel sent me on an immediate quest to find all variations I could on all my different kindle models. Mine may (hopefully) survive the defeat of ixtab's method by an update (no common dependencies, but you never know how thorough the next update will be, you know?)

[geekmaster]

After some firmware update one of these days (especially if too much "theft of free 3G" crap gets published), we are going to have to graduate out of this "script kiddie" stuff and get back to stack smashes and defeating ASLR (Address Space Layout Randomization) and writing UTF-8 compatible assembly language exploits (the adult stuff). Perhaps amazon left all this "low hanging fruit" here intentionally to encourage a free community support environment for kindle owners.

[SharonK]

I have a question I'm hoping someone will answer. I'm pretty good with computers, but this is outside my realm of knowledge. I ran the jailbreak so that I can put on my own screen savers. And I understand the process for putting the screen savers on. However, is there any problem with putting music on my Kindle Touch now? I imagine not, but just wanted to make sure there wasn't a problem with the jailbreak being there. I image it will just sit there. Am I correct?

[efindel]

Quote:

Originally Posted by SharonK

I have a question I'm hoping someone will answer. I'm pretty good with computers, but this is outside my realm of knowledge. I ran the jailbreak so that I can put on my own screen savers. And I understand the process for putting the screen savers on. However, is there any problem with putting music on my Kindle Touch now? I imagine not, but just wanted to make sure there wasn't a problem with the jailbreak being there. I image it will just sit there. Am I correct?

There's no reason why it should interfere, but... why not try it and see? It'd only take a few minutes to copy an MP3 to the KT and see if it plays.