Old 11-27-2011, 07:16 PM   #126
geekmaster
You could do an automated search in an emulator, intercepting a reboot or lockup, and just systematically try all utf-8 addresses to see if one of them gives you control. It is possible that jumping into the middle of an instruction (or data) might surprise you. Undefined instruction opcodes might be useful too. They can have undefined behavior that depends on the chip die layout (parasitic transistors, etc.), but that undefined behavior may be beneficial in this case. Or at least, a block of random code may *eventually* lead to code that does something useful. Of course, this empirical approach is a last resort, and a planned attack using known vulnerabilities should be tried first.

Undefined instructions may behave differently in a software emulator though, so an ICE (In-Circuit Emulator) is really needed to exploit them. Again, this is just another option to explore if a usable instruction sequence cannot be found at a utf-8 compatible address.

So, it appears that we are waiting for you to get your hands on a spare KT then?

Last edited by geekmaster; 11-27-2011 at 08:29 PM.