MobileRead Forums - View Single Post - [Progress] Jailbreaking Kindle 4.0 (Touch/No Keyboard)

yifanlu · 11-22-2011, 04:33 PM

Ok, here's my idea. I'm writing it down so I don't forget. Basically we can control exactly where in the memory to jump to. The shellcode is in the stack, but the location of the stack is randomized. Therefore, we need to find where the stack is before we can jump to it. My idea is that after we overflow and overwrite the first LR pointer, we use that pointer to point to some code in the memory that does MOV R0, SP. (It would be very easy if we find BLX SP, but nobody with the right mind would ever put that in their code). Then we have the stack pointer in R0. Now, since we already control the stack, we just keep overwriting it so the next LR pointer that gets poped points to an instruction that calls BLX R0. This will jump to the stack and switch to thumb mode (shorter shell code in thumb mode).

11-22-2011, 04:33 PM	#101
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	Ok, here's my idea. I'm writing it down so I don't forget. Basically we can control exactly where in the memory to jump to. The shellcode is in the stack, but the location of the stack is randomized. Therefore, we need to find where the stack is before we can jump to it. My idea is that after we overflow and overwrite the first LR pointer, we use that pointer to point to some code in the memory that does MOV R0, SP. (It would be very easy if we find BLX SP, but nobody with the right mind would ever put that in their code). Then we have the stack pointer in R0. Now, since we already control the stack, we just keep overwriting it so the next LR pointer that gets poped points to an instruction that calls BLX R0. This will jump to the stack and switch to thumb mode (shorter shell code in thumb mode).