MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner
Old 11-20-2011, 02:52 PM   #91
yifanlu
Device: Amazon Kindle 3
Good news everyone, I found a usable crash. I was able to crash cvm and smash the stack. However, gdb fails to behave on the Kindle, so I'm still trying to find the exact data of the stack (so I can write a payload). It also sucks because cvm does not dump the registers and stack on crash, so I have to manually dump the memory.

Old 11-21-2011, 04:04 PM   #92
Qxr
Device: lbook V3, iRex DR800SG
Just would like to congratulate you with this achievement and express my respect to your skills. Thanks for all your efforts and goodwill in sharing your knowledge!
Old 11-21-2011, 06:40 PM   #93
ryran
Device: Kindle 3G
Rock ON!
Old 11-21-2011, 11:24 PM   #94
yifanlu
Device: Amazon Kindle 3
Ok, here's another setback. The Kindle has "randomize_va_space" enabled, meaning that the stack is at a random memory location. This means we either have to find a way around this or brute force it, meaning keep restarting the Kindle until it works.
Old 11-21-2011, 11:24 PM   #95
nealsharmon
Device: Kindle Touch WiFi
Looking forward to hearing of your results yifanlu!
Old 11-21-2011, 11:55 PM   #96
yifanlu
Device: Amazon Kindle 3
Hmm, in order to defeat the ASLR protection, we need to find a loaded instruction that jumps to SP. Knowing that's impossible, we need to find an instruction that does that indirectly. Any ideas? But I'm getting ahead of myself. I still need working shellcode.
Old 11-22-2011, 04:39 AM   #97
dsmid
Device: Kindle 3, Kindle 4B, Kindle PW2
Quote:
Originally Posted by yifanlu
I'm going to throw some ideas around about a kindle packaging system.
...
Can developers give some feedback about this?
Some time ago I was thinking about the same thing.
My conclusion was almost the same as yours, with a few differences.
I'd like to have two more hooks: install.sh and uninstall.sh.
Many hacks need to write to the root partition when installed (besides installing a SysV service script). install.sh would offer an install-time executed shell script;
uninstall.sh would be copied to a secure place when the package is installed (renamed to /opt/packages/<package name>) and run when deletion of /mnt/us/packages/<package name>/ is detected.
On each start the packaging system service would compare the contents of /opt/packages/ with /mnt/us/packages/ and run the install script (a new kid on the block) or the renamed uninstall script (package deleted on US).

Copying to /opt/packages/ may appear to be an unnecessary abuse of the root partition, but it makes sense.
Users often try to solve their problems with hacks by doing a factory reset, hoping it will roll back all changes made to their Kindle. That makes the situation even worse, leaving the hacks in an inconsistent state (a true support nightmare).

If the package registry is protected from factory reset, the packaging system would be able to finish the uninstallation procedure of all hacks and make the Kindle clean of all hacks, as desired (with the exception of the packaging system/jailbreak).
Old 11-22-2011, 05:31 AM   #98
Lorphos
Device: Tolino Shine
randomize_va_space picks one of only 8192 locations. Perhaps it can still be defeated? A format-string bug would be the ticket.
Old 11-22-2011, 08:43 AM   #99
yifanlu
Device: Amazon Kindle 3
Quote:
Originally Posted by dsmid
Some time ago I was thinking about the same thing.
...
Could you give an example of rootfs usage other than copying an init script? I would rather manually implement anything that requires access to rootfs than let all scripts modify it. That's one of the main problems I have: after a while, I don't know what files on the FS are modified. Especially since I lost the uninstaller scripts.

Quote:
Originally Posted by Lorphos
randomize_va_space picks one of only 8192 locations. Perhaps it can still be defeated? A format-string bug would be the ticket.
I was thinking something along the lines of 1) push the location of an instruction that copies the SP pointer to another register and pops the stack into PC, and 2) push the location of an instruction that jumps to said register. Then when the overflow runs it does two jumps.

Old 11-22-2011, 05:19 PM   #100
Ceuse
Device: Kindle 4 Non Touch & Kindle Keyboard
Quote:
Originally Posted by yifanlu
Good news everyone, I found a usable crash.
Did I tell you that I love you?

Keep on rocking. Sadly I can't help you with my crappy VBScript knowledge.
Old 11-22-2011, 05:33 PM   #101
yifanlu
Device: Amazon Kindle 3
Ok, here's my idea. I'm writing it down so I don't forget. Basically we can control exactly where in the memory to jump to. The shellcode is in the stack, but the location of the stack is randomized. Therefore, we need to find where the stack is before we can jump to it. My idea is that after we overflow and overwrite the first LR pointer, we use that pointer to point to some code in the memory that does MOV R0, SP. (It would be very easy if we found BLX SP, but nobody in their right mind would ever put that in their code.) Then we have the stack pointer in R0. Now, since we already control the stack, we just keep overwriting it so the next LR pointer that gets popped points to an instruction that calls BLX R0. This will jump to the stack and switch to Thumb mode (shorter shellcode in Thumb mode).
Old 11-22-2011, 08:49 PM   #102
yifanlu
Device: Amazon Kindle 3
Bad news everyone. I finally got my Kindle Touch in the mail, and so far, it looks like that exploit I found on the K3 and K4 does NOT work on the Touch. It may need some modifications or it may be fixed, but so far, I don't know as I can't get a log dump or anything. If anyone can dump the Kindle Touch rootfs, I would love to take a look.
Old 11-22-2011, 09:22 PM   #103
James D
Device: Kindle Touch
If this is off-topic, then I'm sorry.
Quote:
Originally Posted by geekmaster
Regarding claim #1: You must agree to Amazon Terms of Service when you register an account with them. You cannot get 3G access on an unregistered kindle.
Regarding claim #2: Do you have any proof to backup your claims?
My 3G in the USA still lets me web browse anywhere. I just tried it. Perhaps 3G has been restricted in other countries OR some users have had their Amazon accounts restricted due to excessive bandwidth consumption. Can anybody here verify whether or not a renamed kindle "keyboard" has restricted 3G?
I repeat, I did not agree to any terms. I have not bought it yet. And I will not buy the 3G version for Wikipedia only.
Proof for what I claimed? My claim was about the Touch version. About the Kindle Keyboard I wrote that I think it is also restricted.
Anyway, I may tell you why I have a feeling* that the new Kindle Keyboard, not the previously called Kindle 3 3G.
"Use of Wireless Connectivity. Your Kindle uses wireless connectivity to allow you to shop for and download Digital Content from the Kindle Store. In general, we do not charge you for this use of wireless connectivity. Your Kindle may use wireless connectivity to make other services available to you for which we may charge you a fee, such as personal file download and subscriptions when you are located in another country.
Your Conduct. You may use the wireless connectivity provided by us only in connection with the Service. You may not use the wireless connectivity for any other purpose. "
I have no idea whether the same terms and conditions applied when buying the Kindle 3 3G, but this is what I read for the Kindle Keyboard. So basically, by buying this Kindle you agree to these terms and conditions. (Hmmm. I guess I already heard these two words somewhere... Didn't you tell me something about this?)

*Hint: I think so, but I'm not sure.

Old 11-22-2011, 10:42 PM   #104
geekmaster
Device: *.*
The TOS look the same as for the 3G.

I did not mean to step on any toes. Sorry...
Old 11-23-2011, 03:42 AM   #105
dsmid
Device: Kindle 3, Kindle 4B, Kindle PW2
Quote:
Originally Posted by yifanlu
Could you give an example of rootfs usage other than copying an init script?
...
For example, the freedownload hack needs to modify /opt/amazon/ebook/config/wrs.ini, the localization hacks need to inject translation strings into the /opt/amazon/ebook/ JARs, and the webpatch hack needs to replace libwebkit.so.
I admit everything can be done with mount-binds instead of root fs modification, and many hacks do it like that. Couldn't even the jailbreak just mount-bind the keys instead of overwriting them?

Nevertheless, the package system should provide an API (shell functions) to make root fs modification/mount-bind overlays easy, safe and traceable.
Actually, you can't stop anybody from modifying the root fs, but at least you can offer hackers a convenient API that allows them to do it properly.
All changes to the root fs would then be registered in one place, and there would be a generic restore-all procedure.
That's way more important than the install.sh and uninstall.sh hooks.
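As an added example that is not part of this thread or of any Kindle jailbreak project, here is a small POSIX shell sketch of the registry dsmid describes in both of his posts above (the install/uninstall hooks with a reset-proof registry, and the later point that every root-fs change should be recorded in one place with a generic restore-all). It provides one install-time API function that backs up and logs a file before replacing it, a per-package restore that replays the log in reverse, and the boot-time sync that compares the registry with the user store and uninstalls whatever the user deleted. The function names (pkg_replace_file, pkg_restore, pkg_sync), the change-log format and the backup layout are my assumptions; the registry and user-store paths default to the thread's /opt/packages/ and /mnt/us/packages/ but can be overridden through the environment so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not the thread's or any Kindle project's code): a minimal
# package registry in the spirit of dsmid's proposal. The registry lives in
# $PKG_REGISTRY (the thread's /opt/packages/), user packages in $PKG_USERSTORE
# (the thread's /mnt/us/packages/). Both are overridable for testing.
PKG_REGISTRY="${PKG_REGISTRY:-/opt/packages}"
PKG_USERSTORE="${PKG_USERSTORE:-/mnt/us/packages}"

# Reject package names that could escape the registry or empty an rm -rf.
pkg_valid_name() {
    case $1 in ''|*/*|.|..) return 1 ;; esac
    return 0
}

# pkg_replace_file PKG SRC DST (hypothetical API call for a hack's install.sh):
# back up DST into the registry, append the change to the package's log,
# then copy SRC over DST. Nothing touches the root fs without a log entry.
pkg_replace_file() {
    pkg=$1; src=$2; dst=$3
    pkg_valid_name "$pkg" || return 1
    bak="$PKG_REGISTRY/$pkg/backup$dst"
    mkdir -p "$(dirname "$bak")"
    if [ -e "$dst" ]; then
        cp -p "$dst" "$bak"
        printf 'replace %s\n' "$dst" >> "$PKG_REGISTRY/$pkg/changes"
    else
        printf 'create %s\n' "$dst" >> "$PKG_REGISTRY/$pkg/changes"
    fi
    cp "$src" "$dst"
}

# pkg_restore PKG: undo every logged change of one package, newest first,
# then drop its registry entry. This is the "renamed uninstall" step, but
# generic: it needs no package-specific uninstall.sh.
pkg_restore() {
    pkg=$1
    pkg_valid_name "$pkg" || return 1
    changes="$PKG_REGISTRY/$pkg/changes"
    if [ -f "$changes" ]; then
        # reverse line order portably (tac is not guaranteed on busybox)
        sed '1!G;h;$!d' "$changes" | while read -r op path; do
            case $op in
                replace) cp -p "$PKG_REGISTRY/$pkg/backup$path" "$path" ;;
                create)  rm -f "$path" ;;
            esac
        done
    fi
    rm -rf "$PKG_REGISTRY/$pkg"
}

# pkg_sync: the boot-time reconciliation dsmid describes. A registered
# package whose directory vanished from the user store is uninstalled by
# replaying its log; a new user-store package is registered and its
# install.sh (if any) is sourced with the API functions and PKG_NAME set.
pkg_sync() {
    for d in "$PKG_REGISTRY"/*/; do
        [ -d "$d" ] || continue
        pkg=$(basename "$d")
        [ -d "$PKG_USERSTORE/$pkg" ] || pkg_restore "$pkg"
    done
    for d in "$PKG_USERSTORE"/*/; do
        [ -d "$d" ] || continue
        pkg=$(basename "$d")
        pkg_valid_name "$pkg" || continue
        [ -d "$PKG_REGISTRY/$pkg" ] && continue
        mkdir -p "$PKG_REGISTRY/$pkg"
        if [ -f "$d/install.sh" ]; then
            PKG_NAME=$pkg
            . "$d/install.sh"
        fi
    done
    return 0
}

# Usage from an init script: sh pkg-registry.sh sync
case ${1-} in sync) pkg_sync ;; esac
```

Because the backup copies sit beside the change log under the registry, a factory reset that wipes the user store but leaves /opt intact still lets the next sync finish the uninstall, which is exactly the recovery case dsmid is after; the same log is also what you would read when, like yifanlu, you no longer remember which files on the root fs a hack modified.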