Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 09-07-2010, 09:06 AM   #1
ecostin
Member
ecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enough
 
Posts: 22
Karma: 650
Join Date: Sep 2010
Device: PRS-500-505-700, Kindle3
Quick Kindle 3 root shell via USB

Step 1: Statically compile netcat or similar. For the lazy, download http://rapidshare.com/files/417621092/nk.html
Step 2: Connect your K3 via USB ans copy netcat or the downloaded nk file to the root of the "Kindle" drive
Step 3: Activate the USB networking mode (;debugOn and ~usbNetwork)
Step 4: Configure your USB network link with an IP address from the 192.168.15 C class
Step 5: Type on your Kindle: ~exec /mnt/us/nk -shell -server T,5000 (or similar for netcat); Your K3 stops responding.
Step 6: Telnet from your PC to 192.168.15.244 port 5000

Now you have a root shell and can start customizing the device.

Step 7: To exit without resetting the K3, check your nk / netcat PID with "ps xa" (looking like: 4380 ? S< 0:00 /mnt/us/nk -shell -server T,5000) and kill the process. The K3 now starts responding again.

Good luck

Last edited by ecostin; 09-07-2010 at 10:21 AM.
ecostin is offline   Reply With Quote
Old 09-07-2010, 09:35 AM   #2
clarknova
Addict
clarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with others
 
clarknova's Avatar
 
Posts: 242
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
Wait, you can just run arbitrary code from the search window on the K3? Then, what's everyone's problem with getting in? This is easier than the K2. Could the K2 do this?
clarknova is offline   Reply With Quote
 
Enthusiast
Old 09-07-2010, 09:54 AM   #3
DiapDealer
Grand Sorcerer
DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.
 
DiapDealer's Avatar
 
Posts: 8,767
Karma: 39536849
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
I was pretty sure you were limited to typing the commands that show up with `help after the ;debugOn.

Can anyone else verify that random bash commands can be run from the search window of the K3 (like it suggests in the OP's step 5)?
DiapDealer is online now   Reply With Quote
Old 09-07-2010, 09:58 AM   #4
ecostin
Member
ecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enough
 
Posts: 22
Karma: 650
Join Date: Sep 2010
Device: PRS-500-505-700, Kindle3
Quote:
Originally Posted by DiapDealer View Post
I was pretty sure you were limited to typing the commands that show up with `help after the ;debugOn.

Can anyone else verify that random bash commands can be run from the search window of the K3 (like it suggests in the OP's step 5)?
Actually after ;debugOn, entering ~help lists the commands (not `help) and ~exec is one of them. Maybe amazon has decided to just let us do what we want.
ecostin is offline   Reply With Quote
Old 09-07-2010, 10:01 AM   #5
DiapDealer
Grand Sorcerer
DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.
 
DiapDealer's Avatar
 
Posts: 8,767
Karma: 39536849
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
Well that's certainly encouraging.
DiapDealer is online now   Reply With Quote
Old 09-07-2010, 10:09 AM   #6
clarknova
Addict
clarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with othersclarknova plays well with others
 
clarknova's Avatar
 
Posts: 242
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
Quote:
Originally Posted by ecostin View Post
Actually after ;debugOn, entering ~help lists the commands (not `help) and ~exec is one of them. Maybe amazon has decided to just let us do what we want.
Just confirmed that this didn't work on K2. Can someone else confirm on K3? If this is the case, the K3 is easier to hack than the K2i and up.

Awesome.
clarknova is offline   Reply With Quote
Old 09-07-2010, 10:21 AM   #7
DiapDealer
Grand Sorcerer
DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.
 
DiapDealer's Avatar
 
Posts: 8,767
Karma: 39536849
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
Quote:
Just confirmed that this didn't work on K2.
Yeah, didn't work on my K2 either, but the ~help command did something--because my home screen changed and displayed numbers in parentheses beside all my titles--just not sure what it's doing.

Potentially great news for K3 users, though!
DiapDealer is online now   Reply With Quote
Old 09-07-2010, 10:33 AM   #8
odfi
Junior Member
odfi began at the beginning.
 
Posts: 7
Karma: 10
Join Date: Sep 2010
Device: kindle 3
Quote:
Originally Posted by clarknova View Post
Can someone else confirm on K3? If this is the case, the K3 is easier to hack than the K2i and up.

Awesome.
On my K3, when I do ;debugOn and then ~help I get a screen with :


Private shortcuts : ~changeLocale, ~disableIndexing, ~disableScreensaver, ~dumpIndexStats, ~exec, ~help, ~indexStatus, ~meminfo, ~reloadContentRoster, ~resumeScreensaver, ~startIndexing, ~stopindexing, ~usbNetwork

I haven't try to use usbNetwork for now.

hope this help.
odfi is offline   Reply With Quote
Old 09-07-2010, 11:18 AM   #9
blkhawk
Bit Wrangler
blkhawk is on a distinguished road
 
blkhawk's Avatar
 
Posts: 15
Karma: 72
Join Date: Sep 2010
Device: Kindle 3
Cool

that ~exec is run with root rights is something. I do not think Amazon spend much time or money on securing this device - its basically open and there are tons of ways to getting root. off the top of my head:

1) boot initrd image via serial plug and swap out the password hash in /etc/shadow
2) for some reason said root password hash is only hashed with crypt (sha1). and maybe just "luigi". so it is crackable. Other password hashes in there use md5. this also requires the serial plug.
3) the ~exec method
4) the jtag

common to all these is that no total retar^w^w non-computer savvy person would attempt them. combined with the looming release of the kdk amazon might have decided that locking down isn't really worth it and might even hurt in the long run. I think they plan to get every single person that is able to read a kindle.
blkhawk is offline   Reply With Quote
Old 09-07-2010, 11:37 AM   #10
DiapDealer
Grand Sorcerer
DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.
 
DiapDealer's Avatar
 
Posts: 8,767
Karma: 39536849
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
Quote:
Yeah, didn't work on my K2 either, but the ~help command did something--because my home screen changed and displayed numbers in parentheses beside all my titles--just not sure what it's doing.
Never mind my moment of brain-deadedness.

Correct me if I'm wrong, but won't ~exec with root rights allow scripts to be created that can create symlinks (and install the binaries), thereby bypassing the need to create binary update packages for the existing hacks?

I won't complain if they've made that easy, but... wow!

Last edited by DiapDealer; 09-07-2010 at 11:38 AM. Reason: update
DiapDealer is online now   Reply With Quote
Old 09-07-2010, 11:50 AM   #11
ecostin
Member
ecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enoughecostin will become famous soon enough
 
Posts: 22
Karma: 650
Join Date: Sep 2010
Device: PRS-500-505-700, Kindle3
Quote:
Originally Posted by DiapDealer View Post
Never mind my moment of brain-deadedness.

Correct me if I'm wrong, but won't ~exec with root rights allow scripts to be created that can create symlinks (and install the binaries), thereby bypassing the need to create binary update packages for the existing hacks?

I won't complain if they've made that easy, but... wow!
Yes, the ~exec function is in fact an interactive shell, but with horrible output, so you'll want to get a remote shell. No need to to any other complicated things, just compile the code, install and use
ecostin is offline   Reply With Quote
Old 09-07-2010, 12:23 PM   #12
DiapDealer
Grand Sorcerer
DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.
 
DiapDealer's Avatar
 
Posts: 8,767
Karma: 39536849
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
Quote:
Yes, the ~exec function is in fact an interactive shell, but with horrible output, so you'll want to get a remote shell.
Agreed. I was just thinking of the non-technical end-users of the existing Screensaver and Fonts hacks. Expecting them to first establish a remote shell to install the screensaver hack would be a bit much. However, typing ";debugOn" followed by a short "~exec ss-install.sh" wouldn't be nearly as hard to create instructions for.

I almost wish I had a K3 to experiment on now.
DiapDealer is online now   Reply With Quote
Old 09-07-2010, 02:58 PM   #13
Ged_uk
Enthusiast
Ged_uk began at the beginning.
 
Posts: 30
Karma: 10
Join Date: Jan 2008
Device: K3-3G, HTC HD2
I can't get my UK K3 to go into usb network, always comes up as disc mode
Probably missed something silly or UK K3 are different?
G
Ged_uk is offline   Reply With Quote
Old 09-07-2010, 02:58 PM   #14
NiLuJe
BLAM!
NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.NiLuJe ought to be getting tired of karma fortunes by now.
 
NiLuJe's Avatar
 
Posts: 4,643
Karma: 4440239
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW & PW2
ROFL.

Okay, will try that ASAP...
NiLuJe is online now   Reply With Quote
Old 09-07-2010, 03:15 PM   #15
porkupan
Fanatic
porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.porkupan ought to be getting tired of karma fortunes by now.
 
porkupan's Avatar
 
Posts: 554
Karma: 1057213
Join Date: Sep 2006
Location: North Eastern U.S.
Device: Sony Reader
Great find (about the ~exec command). Obviously a stupid bug, left-over from firmware debugging. Crrrrrazy stuff! A simple jailbreak script (jb_install.sh) will be something like:
Code:
#!/bin/sh
export PATH=/usr/sbin:${PATH}

_FUNCTIONS=/etc/rc.d/functions
[ -f ${_FUNCTIONS} ] && . ${_FUNCTIONS}

mntroot rw

#install key
cat <<EOF > /etc/uks/pubhackkey01.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJn1jWU+xxVv/eRKfCPR9e47lP
WN2rH33z9QbfnqmCxBRLP6mMjGy6APyycQXg3nPi5fcb75alZo+Oh012HpMe9Lnp
eEgloIdm1E4LOsyrz4kttQtGRlzCErmBGt6+cAVEV86y2phOJ3mLk0Ek9UQXbIUf
rvyJnS2MKLG2cczjlQIDAQAB
-----END PUBLIC KEY-----
EOF

mntroot ro
And that's all of it!

The instructions:
1) Copy jb_install.sh into kindle's main storage
2) ;debugOn
3) ~exec /mnt/us/jb_install.sh
4) No reboot needed

Last edited by porkupan; 09-07-2010 at 03:45 PM. Reason: grammar; single-file change per clarknova
porkupan is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PRS-600 Serial console (i.e. shell) over USB Xaphiosis Sony Reader Dev Corner 6 08-22-2010 11:06 PM
PRS-900 Any luck getting a root shell? or debug mode? raisinbrain Sony Reader 0 01-05-2010 11:33 PM
Hacks can you get a shell on your kindle? svakanda Amazon Kindle 4 02-27-2009 10:37 AM
Getting a root shell guylhem Sony Reader Dev Corner 4 02-27-2009 05:24 AM
iLiad Can't Connect via USB after Dev Access Shell Install jfrey iRex Developer's Corner 4 02-20-2008 12:20 PM


All times are GMT -4. The time now is 07:40 PM.


MobileRead.com is a privately owned, operated and funded community.