Old 02-17-2021, 01:36 PM   #27
fonix232
Enthusiast
Posts: 35
Karma: 102
Join Date: Jul 2016
Device: KOA4
Quote:
Originally Posted by tryol
No, it's still 1 image but it's split into multiple tiles. I'm not sure how that works exactly, I didn't really look into how the JXR format works. I just threw this together "quickly".

I've been thinking, and theoretically this exploit is doable with just 1 tile (that means 1 absolute-write primitive). Unfortunately that would only give us 15*16 (240) bytes for the shellcode... I wonder if that's enough.

If I did it with more than 1 tile, that would give us 240+(n-1)*256 bytes of space where n is the number of tiles. I don't have any experience with shellcode or kindle jailbreaking so it's hard to make a guess on how much space we need. I'd prefer if 240 bytes was enough because I'm not sure how hard it would be to make it work with multiple tiles. Does anybody have an idea?
I think NiLuJe's solution would be the most straightforward. However I'd warn against publishing the source code (or the original image!) of the exploit - while we are using it for good (although, arguably, from Amazon's point of view!), people could employ it to create more malicious implementations, implementations that could snatch Amazon account details from unsuspecting Kindles stuck on older firmware versions (e.g. because there's no 5.13.4 update for that specific model). Which is why I didn't even start a repository. Having such a tool available publicly would just give black hat hackers an even easier way to exploit devices. However, if you can do the below suggestion (the call is much less than 240 bytes), that's practically a highway to jailbreakland in a brand new Model X.

Also, quite funny that the exploitable payload is exactly the size of a tweet!

Quote:
Originally Posted by NiLuJe
Assuming that's post privilege escalation, the shellcode basically only needs to call `sh /mnt/us/jb.sh` (or something similar, cf. @BranchDelay's JB).
That's actually a great idea. Originally I was thinking a more direct approach (injecting the developer certificate into the system partition, which in return would allow flashing the jailbreak), but this is actually more applicable via the existing jailbreak guides.