Kindle Touch (K5) has been rooted!

[Barty]

http://www.the-digital-reader.com/20...it-runs-html5/

sorry if this is old news, but I don't see it here. The Touch has been rooted. Turns out K5 is written mostly in HTML5/Javascript, as opposed to Java on previous models. This means old hacks won't work, but it should be easier to write new hacks. The page says it should be possible to add epub support to the reader. Maybe add covers to the home screen, since it's just a web page apparently.

I hate Java but HTML5/Javascript I can deal. Dang, too bad I can't use the touch. Maybe I need to rig something up...

[pbook]

...and you can see the development right here:
https://www.mobileread.com/forums/sho...d.php?t=151537
people of this forum did excellent job!

https://www.mobileread.com/forums/sho...d.php?t=158894

[JSWolf]

I thought the new Kindles were K4 models of various flavors and not K5. So why is the K4 touch being called the K5 touch?

[yifanlu]

Technically the Kindle Touch can be called the "Kindle 5" Amazon never really gave numbers to any of the devices. However, Kindle 1 ran 1.0, K2 & DX ran 2.0, K3 ran 3.0, K4 (no keyboard) ran 4.0. The Touch runs 5.0.

[HarryT]

Quote:

Originally Posted by JSWolf

I thought the new Kindles were K4 models of various flavors and not K5. So why is the K4 touch being called the K5 touch?

It's the firmware version. The Kindle non-touch has v4.x firmware; the Kindle Touch has v5.x firmware.

[kacir]

It is very scary.
Random mp3 can carry payload to do nasty things to the device. I wonder how many mp3 files designed to hijack your device are being distributed on the net at the moment.

Can metadata in an e-book carry similar payload?

[HarryT]

Quote:

Originally Posted by kacir

It is very scary.
Random mp3 can carry payload to do nasty things to the device. I wonder how many mp3 files designed to hijack your device are being distributed on the net at the moment.

Can metadata in an e-book carry similar payload?

Not to the best of my knowledge, but the simple answer is not to get MP3 files (or eBooks) from untrustworthy sources.

[kacir]

Quote:

Originally Posted by HarryT

Not to the best of my knowledge, but the simple answer is not to get MP3 files (or eBooks) from untrustworthy sources.

I believe you do remember Sony Rootkit scandal. Official, stamped (that is, not burned) CDs from Sony BMG label were, at the time just before scandal, as trustworthy source as they get. And yet ...

It only takes one distributor of audiobooks (just as an example) to get "creative" with protecting their "Intellectual Property" and you can get very nasty stuff installed on your Kindle.

There are *so* many relatively trustworthy sources of legal mp3s, e-books, audiobooks and other stuff. Such as http://www.jamendo.com/en/ . I have discovered lots of great music through that site. Music that is NOT distributed by MAFIAA members.


I consider this ability to run arbirtary code as root on device just by opening an mp3 file (and God knows what else!) to be a severe security risk.

[HarryT]

Quote:

Originally Posted by kacir

It only takes one distributor of audiobooks (just as an example) to get "creative" with protecting their "Intellectual Property" and you can get very nasty stuff installed on your Kindle.

Even if the Kindle had a buffer overflow "exploit" in its MP3 player (and I've never heard anyone say that it does), do you really think that anyone is going to go to the trouble of adding code to an MP3 file which will execute on the extremely obscure ARM Freescale processor that the Kindle uses? I really, REALLY doubt it myself.

[abookreader]

Great job Yifanlu and everybody else up there in the Developers forum who was messing around with it. I lurked off and on with your discussions in interest but most of your talk goes way beyond my comprehension.

Good job

[kacir]

Quote:

Originally Posted by HarryT

Even if the Kindle had a buffer overflow "exploit" in its MP3 player (and I've never heard anyone say that it does), do you really think that anyone is going to go to the trouble of adding code to an MP3 file which will execute on the extremely obscure ARM Freescale processor that the Kindle uses? I really, REALLY doubt it myself.

Harry. Please go and have a look how this hack was done.
This is no obscure buffer overflow exploit.
http://yifan.lu/2011/12/10/kindle-to...kroot-and-ssh/

Mp3 file contains tags. Such as name of singer or name of song. Those tags are displayed by player "application" that is, in reality, just a web browser window in disguise. Most of the menus and applications on Kindle touch are in fact HTML 5 pages with Java script and CSS. So the author of the hack simply inserted some Java script code into the mp3 tag and the browser happily displayed the tag - executing the Java script code (function called nativeBridge.dbgCmd(); that can execute any shell script as root) in the process without sanitising input.

[HarryT]

Thanks for that. It's interesting, but it doesn't worry me, because in order to do any harm, there would need to be a malicious script on your Kindle for the Javascript to execute. Javascript cannot create script files (or, indeed, any files).

[yifanlu]

If an attacker wants to do something malicious, you would first have to download an MP3 from them. The XSS only works with the artist, title, or album field, all of which are easily seen from a modern operating system. If you're really worried, all you have to do is check those three fields before loading any downloaded music unto your Kindle. If you see <script> in any of the fields, don't use it.

Now of course, that's if the attacker is using the same exploit. There's no telling what other holes amazon left in the device.

[guspasho]

This sounds very exciting but a Kindle Touch is such a limited device. It isn't a tablet like the Fire. What can you do with a jailbroken Kindle (except the obvious-remove ads for free)? Has anyone made improvements to the interface of other Kindles that have been jailbroken? That would interest me.

[yifanlu]

Well, the device is only been freed for a day. Developers aren't magicians.