Originally Posted by eureka
PW updates are recovery updates, meaning their validity is also checked with the key contained in the kernel image.
That's exactly what I wanted to verify. Because I dimly remembered the keys also being present in the kernel (that's the reason why some(?) official updates also work(ed?) when choosing "restart" instead of "update", while ours don't [error 003]).
So I used my Touch, downgraded it to (stock) 5.1.2, and removed the production keys. BTW, the Touch is really a bliss in that regard, because with USB downloader mode available now, it's almost impossible to permanently brick the device, or to lock yourself out... While I'm still treating my Paperwhite much like a raw egg.
Anyway, here are the results, trying to install the official 5.3.2 update on a stock 5.1.2 firmware with only the pubprodkey*.pem files removed:
- Update your Kindle: error 007, as expected. Update file is deleted.
- Restart: device reboots normally (without any error and without deleting the update file).
The conclusion is... well, it's that there is no conclusion. Removing those keys might work for preventing updates (at least for the update that I tested, it seemed to work), or it might not (because there are other update types which might still be installed because the kernel can verify them). I'm not adventurous enough to risk bricking my Paperwhite.
So... use eureka's method to disable OTA updates, or use iptables, or simply keep your device in airplane mode and/or unregistered. We didn't find the "golden" solution to unwanted updates yet.