Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 10-28-2009, 01:21 AM   #1
naclsin
Only a reader
naclsin began at the beginning.
 
naclsin's Avatar
 
Posts: 2
Karma: 10
Join Date: Oct 2009
Location: Japan
Device: kindle,Kindle2 Int.,Sony Reader(PRS-500/600)
kindle 2 international version require electronic signeture for updater

Hi.

I got a kindle2 international version.
It's farmware(Kindle Software) is Version 2.2.
This is different Kindle2 US Version.
And it can not recognize Kindle2 firmware Updater file(.bin file)

Firest.
Dev Code is Differnet.
US Ver. is 02
International Ver. is 03


2nd.
I estimate Version 2.2 firmware require signature for install.sh script.

I rewrite dev code in existing bin file. And my Kindle2 recognize it.
But, I can not install.
(In Kindle software Version 2.2-375490138)
This is a part of log dump.

091026:013617 system: I _otaupexec:defrocessing update /mnt/us/update_unicode_fonts_liberation_install.bin
091026:013617 system: I _otaupexec:def:version is "FC02"
091026:013620 system: I _otaupexec:def:update image checksum OK
091026:013624 system: E _otaupexec:def:signature does not exist for "install.sh"
091026:013624 system: E _otaupexec:def:signature verification failed

I found source code of Kindle 2.2.1.
But I can not found binary(.bin file).
Any one know where is Ver.2.2.1 bin file?
naclsin is offline   Reply With Quote
Old 10-28-2009, 01:37 AM   #2
daffy4u
I'm Super Kindle-icious
daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.daffy4u ought to be getting tired of karma fortunes by now.
 
daffy4u's Avatar
 
Posts: 6,734
Karma: 2429021
Join Date: Apr 2008
Location: Long Drive, Calinadia Candafornia
Device: K1, KTSO, KFHD7, KPW1
I doubt your Kindle International needs updating but if and when it does and you want to do it manually instead of using Whispernet, you can find the .bin file on this page. If that U.S. site link doesn't work for you, search the Kindle help file on your country's Amazon site for "Kindle Software Updates".

My guess is that the Kindle Sprint and AT&T versions will probably always have different software versions because the hardware is slightly different (just as Kindle 1 and Kindle 2 U.S. do).

Please be careful, you don't want to brick your new Kindle.
daffy4u is offline   Reply With Quote
Old 10-28-2009, 08:53 PM   #3
Blog Kindle
Addict
Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.
 
Blog Kindle's Avatar
 
Posts: 224
Karma: 25122
Join Date: Mar 2009
Device: Kindle 1/2/3/4/Touch/DX/Fire|PRS-600/350|Nook(color)|iPad|iPad2|EVO 4G
Yep. That's how it is. Right now I'm trying to figure out a way around it if it will be possible at all - http://blogkindle.com/2009/10/hackin...first-attempt/
Blog Kindle is offline   Reply With Quote
Old 10-29-2009, 06:46 AM   #4
clarknova
Addict
clarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with others
 
clarknova's Avatar
 
Posts: 242
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
Break in with a tarbomb.

There's a way you can break in to the K2int with a carefully crafted tarbomb. Because the update files are just tarballs that are encoded and prefixed with a header, it's an easy thing.

The update scripts (of the K1/K2/KDX, and certainly the K2int does the same) do this to unpack the bin:
Code:
extract_bundle()
{
    dd if=$1 bs=${BLOCK_SIZE} skip=1 | dm | tar -C $2 -xzvf -
}
GNU tar and BusyBox tar don't fall for tarbombs that have leading slashes or parent directory references, however, they do preserve symlinks.

So if we write a startup script that will execute arbitrary code on boot:
Code:
#!/bin/sh

EXEC=/mnt/us/exec.sh

_FUNCTIONS=/etc/rc.d/functions
[ -f ${_FUNCTIONS} ] && . ${_FUNCTIONS}

check_exec()
{
  if [ -e $EXEC ]; then
    /bin/sh $EXEC
    exit 0
  fi
}

case "$1" in
  start)
    check_exec
    ;;
  stop)
    ;;
  *)
    msg "Usage: $0 (start|stop)" W >&2
    exit 1
    ;;
esac

exit 0
We can call this S90arbitrary_code. If this is in the rc5.d directory, then it will execute (hopefully before framework, so this also gives us limited anti-brick capabilities) on startup. At which point it would look for a shell script in the root of the USB partition and execute it if it exists. Now we just need to craft the tarball on a unix machine:
Code:
# mkdir foo
# cd foo
# ln -s /etc/rc5.d bar
  #### We've just created bar which is a symlink to /etc/rc5.d
# tar cvf /tmp/bomb.tar bar
  #### Now we've added the bar symlink to /tmp/bomb.tar
# rm bar
  #### unlink bar
# mkdir bar
# cd bar
# ... create the S90arbitrary_code file ...
# chmod 755 S90arbitrary_code
   #### make it executable.
# cd ..
# tar rvf /tmp/bomb.tar bar/S90arbitrary_code
   #### append the script to the tarball.
# gzip /tmp/bomb.tar
This leaves us with /tmp/bomb.tar.gz which contains two files, bar, a symlink to /etc/rc5.d and bar/S90arbitrary_code. When unpacked it will create the symlink first, and then extract S90arbitrary_code to where that symlink points (/etc/rc5.d).

So if you then scramble the tarball (see igorsk's page), and prepend the necessary 64 byte update header, then the K2int will end up creating the /etc/rc5.d/S90arbitrary_code startup script for you when it tries to run the update. The update will fail, but it won't matter. Any code you place into a file called "exec.sh" on the USB partition of your K2int will be executed after startup (and on each reboot).

Needless to say, this isn't for everyone, and has a potential for damage. But if someone with a K2int wants in badly enough without wanting to wait for a serial console or an official update bin, then this will work, and hopefully allow them to get an image of the firmware and see what the new signature routines in the /usr/sbin/otaup script are.

Update: I just tested this on my K2(US) and it works perfectly, so it should work just as well on the K2(International).

Last edited by clarknova; 10-29-2009 at 08:36 AM.
clarknova is offline   Reply With Quote
Old 10-29-2009, 10:08 AM   #5
naclsin
Only a reader
naclsin began at the beginning.
 
naclsin's Avatar
 
Posts: 2
Karma: 10
Join Date: Oct 2009
Location: Japan
Device: kindle,Kindle2 Int.,Sony Reader(PRS-500/600)
Oh! Thanks great idea.

I will try it.

And thanks, thanks...
naclsin is offline   Reply With Quote
Old 10-29-2009, 12:50 PM   #6
clarknova
Addict
clarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with others
 
clarknova's Avatar
 
Posts: 242
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
Ok, I've rolled the above into a K2(international) package. The update will purposely fail, as stated above. Initially, the exec.sh should probably be something simple like:
Code:
ls -l /etc/rc5.d > /mnt/us/lslog.txt
rm /mnt/us/exec.sh
Just to verify it worked and generates and "lslog.txt".

Then the following exec.sh could be used:
Code:
ROOTDEV=$(df | awk '/ \/$/{print $1}')
dd if=${ROOTDEV} | gzip -c -- - > /mnt/us/root.img.gz
# remove script so it doesn't do this every time it restarts.
rm /mnt/us/exec.sh
After restarting the kindle, this will cause the boot process to take anywhere between 10-30 minutes as it makes an image of the root filesystem. Once you have the image you can gunzip it on a linux box and mount it as a loop device and take a look at what's changed in the update scripts, and see if the signature can be faked...
Attached Files
File Type: bin update_k2-int-tarbomb.bin (443 Bytes, 198 views)
clarknova is offline   Reply With Quote
Old 10-29-2009, 06:05 PM   #7
Blog Kindle
Addict
Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.Blog Kindle knows what's going on.
 
Blog Kindle's Avatar
 
Posts: 224
Karma: 25122
Join Date: Mar 2009
Device: Kindle 1/2/3/4/Touch/DX/Fire|PRS-600/350|Nook(color)|iPad|iPad2|EVO 4G
clarknova, thanks for the great idea! I'll give it a try right away.
Blog Kindle is offline   Reply With Quote
Old 10-30-2009, 01:24 AM   #8
freedomtw
Junior Member
freedomtw began at the beginning.
 
Posts: 1
Karma: 10
Join Date: Oct 2009
Device: Kindle 2 Intl
clarknova,

Great hack! With that, I got root access to my K2 (international) by putting usbnetworking and telnetd/dropbear into it. Thanks.
freedomtw is offline   Reply With Quote
Old 02-04-2010, 09:36 AM   #9
iQQ
Member
iQQ began at the beginning.
 
Posts: 13
Karma: 10
Join Date: Feb 2006
Quote:
Originally Posted by clarknova View Post
There's a way you can break in to the K2int with a carefully crafted tarbomb. Because the update files are just tarballs that are encoded and prefixed with a header, it's an easy thing.

The update scripts (of the K1/K2/KDX, and certainly the K2int does the same) do this to unpack the bin:
Code:
extract_bundle()
{
    dd if=$1 bs=${BLOCK_SIZE} skip=1 | dm | tar -C $2 -xzvf -
}
GNU tar and BusyBox tar don't fall for tarbombs that have leading slashes or parent directory references, however, they do preserve symlinks.

So if we write a startup script that will execute arbitrary code on boot:
Code:
#!/bin/sh

EXEC=/mnt/us/exec.sh

_FUNCTIONS=/etc/rc.d/functions
[ -f ${_FUNCTIONS} ] && . ${_FUNCTIONS}

check_exec()
{
  if [ -e $EXEC ]; then
    /bin/sh $EXEC
    exit 0
  fi
}

case "$1" in
  start)
    check_exec
    ;;
  stop)
    ;;
  *)
    msg "Usage: $0 (start|stop)" W >&2
    exit 1
    ;;
esac

exit 0
We can call this S90arbitrary_code. If this is in the rc5.d directory, then it will execute (hopefully before framework, so this also gives us limited anti-brick capabilities) on startup. At which point it would look for a shell script in the root of the USB partition and execute it if it exists. Now we just need to craft the tarball on a unix machine:
Code:
# mkdir foo
# cd foo
# ln -s /etc/rc5.d bar
  #### We've just created bar which is a symlink to /etc/rc5.d
# tar cvf /tmp/bomb.tar bar
  #### Now we've added the bar symlink to /tmp/bomb.tar
# rm bar
  #### unlink bar
# mkdir bar
# cd bar
# ... create the S90arbitrary_code file ...
# chmod 755 S90arbitrary_code
   #### make it executable.
# cd ..
# tar rvf /tmp/bomb.tar bar/S90arbitrary_code
   #### append the script to the tarball.
# gzip /tmp/bomb.tar
This leaves us with /tmp/bomb.tar.gz which contains two files, bar, a symlink to /etc/rc5.d and bar/S90arbitrary_code. When unpacked it will create the symlink first, and then extract S90arbitrary_code to where that symlink points (/etc/rc5.d).

So if you then scramble the tarball (see igorsk's page), and prepend the necessary 64 byte update header, then the K2int will end up creating the /etc/rc5.d/S90arbitrary_code startup script for you when it tries to run the update. The update will fail, but it won't matter. Any code you place into a file called "exec.sh" on the USB partition of your K2int will be executed after startup (and on each reboot).

Needless to say, this isn't for everyone, and has a potential for damage. But if someone with a K2int wants in badly enough without wanting to wait for a serial console or an official update bin, then this will work, and hopefully allow them to get an image of the firmware and see what the new signature routines in the /usr/sbin/otaup script are.

Update: I just tested this on my K2(US) and it works perfectly, so it should work just as well on the K2(International).
Great! Can you please just make a tarbomb for me and let the attached bin file can be run with reboot? It's for DXi.
Attached Files
File Type: bin update_ufh_uninstall-kdxi.bin (3.1 KB, 172 views)
iQQ is offline   Reply With Quote
Old 02-10-2010, 10:33 PM   #10
jyavenard
Zealot
jyavenard has a complete set of Star Wars action figures.jyavenard has a complete set of Star Wars action figures.jyavenard has a complete set of Star Wars action figures.jyavenard has a complete set of Star Wars action figures.
 
Posts: 141
Karma: 383
Join Date: Sep 2009
Device: Kindle 2
Quote:
Originally Posted by iQQ View Post
Great! Can you please just make a tarbomb for me and let the attached bin file can be run with reboot? It's for DXi.
You're around 6 months behind now search for the thread "how to package software for Kindle international"
jyavenard is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sell Kindle 2 (International Version) with Accessories bear4hunter Flea Market 3 07-08-2010 03:21 PM
Kindle DX is getting International Version. dafire Amazon Kindle 23 01-12-2010 06:21 AM
Kindle International Version and Price Drop Kali Yuga News 1 10-07-2009 09:52 AM
English version of a blog on electronic ink trends and usages tebaldo News 0 09-19-2007 08:00 AM
WSJ Electronic Version More Profitable Bob Russell News 2 04-15-2005 09:57 PM


All times are GMT -4. The time now is 07:17 AM.


MobileRead.com is a privately owned, operated and funded community.