Old 01-08-2012, 12:44 PM   #380
dionoea
Enthusiast
 
Posts: 26
Karma: 300000
Join Date: Dec 2011
Device: kindle 4
I'm pleased to announce that I've found an easy-to-use code execution method for the Kindle 4 non-touch. It only requires putting files on the USB drive and rebooting the Kindle.

This is similar to ixtab's method for the Kindle Touch (https://www.mobileread.com/forums/sho...8&postcount=41) but it exploits a different file. We'll be exploiting the fact that /var/local/system/mntus.params is sourced when mounting the user share partition. This file can be overwritten by placing a slightly different version in a data.tar.gz file which is extracted by the Kindle upon boot. (Those two items are handled by the /etc/init.d/userstore init script on the Kindle.) Please note that mntus.params contains some information about the userstore partition, which means that you have to be careful before replacing its contents. This is what it looks like here:
Code:
# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32
The _START, _SIZE and _FATSIZE values do not seem to be used after the userstore is created. On the other hand, _OFFSET is used by /usr/sbin/mntus when creating the loopback device to mount the user store partition. If that value is wrong then we lose any ability to mount that partition. Since it seems to be hardcoded to sector size (512) * number of sectors per track (16), I think that we're pretty safe across devices. If we wanted to be extra safe we could run MNTUS_PART_OFFSET=$(($(sfdisk --show-geometry|awk '{print $6;}') * 512)) in the script to make sure that the value is OK.

Replacing the file's contents with
Code:
# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32

if [ -e /mnt/us/RUNME.sh ]
then
        sh /mnt/us/RUNME.sh > /mnt/us/RUNME.log 2>&1
fi
makes it possible to automatically execute a file called RUNME.sh on the userstore partition on boot. (There's still something I don't understand here since /mnt/us isn't supposed to already be mounted when we source that file ... but since it's sourced many times I guess that we just get lucky).

The steps to deploy this hack are thus:
* create the modified mntus.params file and put it in a system directory. chown -R 0:0 system.
* create the data.tar.gz file with: tar cvzf data.tar.gz system --transform 's#^#/var/local/#' --show-stored-names -P
* copy that file to the kindle's user store over usb
* reboot the kindle through the system menu
* create a RUNME.sh file in the user store
* reboot the kindle to execute RUNME.sh

An example RUNME.sh file could be something like:
Code:
if [ ! -e /usr/local ]
then
  mntroot rw
  mount /dev/mmcblk0p2 /mnt/mmc
  cp -dpr /mnt/mmc/usr/local /usr/local
  umount /mnt/mmc
fi
This would install USB networking and the relevant dropbear binaries from the diag partition.

I've attached a data.tar.gz file containing the RUNME.sh launcher as well as a dummy RUNME.sh script to this post. If everything runs correctly you should have a "hello world!" message in a file called RUNME.log after the last reboot.
Attached Files
File Type: gz data.tar.gz (326 Bytes, 511 views)
File Type: txt RUNME.CHANGE_EXTENSION_TO_sh.txt (21 Bytes, 597 views)

Last edited by dionoea; 01-08-2012 at 01:21 PM.
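The security-relevant point in the post above is that mntus.params is sourced by a shell script, so any writable copy of it is executable code. The sh script below is an added example that is not part of dionoea's post or of the Kindle firmware: it shows the defensive alternative of reading the file as data, accepting only lines of the exact form NAME=digits, and sanity-checking MNTUS_PART_OFFSET against the 512-byte sector size the post mentions. The two sample files, the temporary directory and the function names (load_params_strict, check_offset) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or the Kindle firmware): load a
# mntus.params-style file as data instead of sourcing it.
# Directory, file names, function names and both sample files are constructed.

TMPDIR_DEMO="${TMPDIR:-/tmp}/mntus_demo.$$"
mkdir -p "$TMPDIR_DEMO"
trap 'rm -rf "$TMPDIR_DEMO"' EXIT

# Constructed sample 1: the file as the post shows it on a stock device.
cat > "$TMPDIR_DEMO/clean.params" <<'EOF'
# auto-generated file -- do not modify!

# computed values
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192

# constant values
MNTUS_FATSIZE=32
EOF

# Constructed sample 2: the same values followed by shell commands, which
# is exactly what a sourcing loader would execute with its own privileges.
cat > "$TMPDIR_DEMO/tampered.params" <<'EOF'
# auto-generated file -- do not modify!
MNTUS_PART_START=16
MNTUS_PART_SIZE=1427448
MNTUS_PART_OFFSET=8192
MNTUS_FATSIZE=32

if [ -e /mnt/us/RUNME.sh ]
then
        sh /mnt/us/RUNME.sh
fi
EOF

# Strict loader: echoes every accepted NAME=digits assignment and returns 0
# only if all non-blank, non-comment lines have that exact form. The first
# line that does not match (a command, a quoted value, a space, a $(...))
# is reported on stderr and the function returns 1.
load_params_strict() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments are skipped
        esac
        if printf '%s\n' "$line" | grep -Eq '^MNTUS_[A-Z_]+=[0-9]+$'; then
            printf '%s\n' "$line"
        else
            echo "rejected: $line" >&2
            return 1
        fi
    done < "$1"
}

# Sanity check on the one value the post says /usr/sbin/mntus really uses:
# MNTUS_PART_OFFSET must be present, positive and a multiple of the
# 512-byte sector size. Fails if the strict loader rejected the file.
check_offset() {
    accepted=$(load_params_strict "$1") || return 1
    off=$(printf '%s\n' "$accepted" | sed -n 's/^MNTUS_PART_OFFSET=//p')
    [ -n "$off" ] || return 1
    [ "$off" -gt 0 ] && [ $((off % 512)) -eq 0 ]
}

# Stand-alone demonstration over both constructed files.
for name in clean tampered; do
    if check_offset "$TMPDIR_DEMO/$name.params" 2>/dev/null; then
        echo "$name.params: accepted"
    else
        echo "$name.params: rejected"
    fi
done
```

Run as-is, the clean file is accepted and the tampered one is rejected at its first command line. The design choice is that the loader never hands file contents to the shell's parser: every accepted line is matched against a whitelist pattern before use, so the only way to change the script's behaviour through this file is to change a numeric value, and the offset check bounds even that.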