MobileRead Forums - View Single Post - Kindle 3.1 software for Kindle 2, 2i, & DX (under construction)

yifanlu · 04-02-2011, 10:25 PM

Progress report:
One of the things I want to do is allow the Kindle to create it's own update. So the Kindle 3 can generate the Kindle 2 update using its own files. (Otherwise, you have to copy all the files from the K3 to your computer and make an update with kindle_update_tool.py). The hard thing about creating a K3 update is Amazon's "encryption" method (left shift 4 OR right shift 4 & 0xff ^ 0x7a). Igor wrote the nice kindle_update_tool.py, but it would be stupid to port python to Kindle just for this one thing. So what I did was disassemble amazon's "dm" (decrypt update) and modified it to a new file "md" (encrypt update). Here's the changes

DM (from Amazon, comment by me):

Code:

		BL	getchar // get byte to modify
		EOR	R3, R0,	#0x7A // R3 = R0 ^ 0x7A
		CMN	R0, #1 // if !(R0 == 1), we are at the end of the file ...
		MOV	R0, R3,LSR#4 // R0 = R3 >> 4
		AND	R0, R0,	#0xF // R0 = R0 & 0xF
		ORR	R0, R0,	R3,LSL#4 // R0 = R0 | R3 << 4
		BNE	loc_8470 // ... then jump to end of program
		MOV	R0, #0 // clear R0 register
		ADD	SP, SP,	#4 // don't care
		LDMFD	SP!, {PC} // don't care

MD (by me, comment by me):

Code:

		BL	getchar // get byte to modify
		CMN	R0, #1 // if byte is 0x01, then ...
		MOV	R3, R0,LSR#4 // set R0 to R0 >> 0x4
		AND	R3, R3,	#0xF // set R4 to R4 & 0xF
		ORR	R3, R3,	R0,LSL#4 // set R3 to R3 | ( R0 << 0x4 )
		EOR	R0, R3,	#0x7A // set R0 to R3 ^ 0x7A
		BNE	loc_8470 // ... exit program
		MOV	R0, #0 // clear register R0
		ADD	SP, SP,	#4 // don't care
		LDMFD	SP!, {PC} // don't care

Now we can create updates from the Kindle directly.

If you want to try it out, here's the patch from dm to md: http://yifan.lu/files/md.bspatch

MD5 values:
dm: 6725ac822654b97355facd138f86d438
md.bspatch: 64404f7f82b0a1ba3561cdf12e9cbd18
md: 3b650bcf4021b41d70796d93e1aad658

Usage: bspatch /path/to/dm md /path/to/md.bspatch

You can play around with encryption, decryption by:
echo 'hello world' | md > hello.bin
cat hello.bin | dm
You should see you message back.

EDIT: Here's a script that will run on the Kindle and convert a tar.gz into an update package http://pastebin.com/2L4pqhsw

04-02-2011, 10:25 PM	#3
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	Progress report: One of the things I want to do is allow the Kindle to create it's own update. So the Kindle 3 can generate the Kindle 2 update using its own files. (Otherwise, you have to copy all the files from the K3 to your computer and make an update with kindle_update_tool.py). The hard thing about creating a K3 update is Amazon's "encryption" method (left shift 4 OR right shift 4 & 0xff ^ 0x7a). Igor wrote the nice kindle_update_tool.py, but it would be stupid to port python to Kindle just for this one thing. So what I did was disassemble amazon's "dm" (decrypt update) and modified it to a new file "md" (encrypt update). Here's the changes DM (from Amazon, comment by me): Code: BL getchar // get byte to modify EOR R3, R0, #0x7A // R3 = R0 ^ 0x7A CMN R0, #1 // if !(R0 == 1), we are at the end of the file ... MOV R0, R3,LSR#4 // R0 = R3 >> 4 AND R0, R0, #0xF // R0 = R0 & 0xF ORR R0, R0, R3,LSL#4 // R0 = R0 \| R3 << 4 BNE loc_8470 // ... then jump to end of program MOV R0, #0 // clear R0 register ADD SP, SP, #4 // don't care LDMFD SP!, {PC} // don't care MD (by me, comment by me): Code: BL getchar // get byte to modify CMN R0, #1 // if byte is 0x01, then ... MOV R3, R0,LSR#4 // set R0 to R0 >> 0x4 AND R3, R3, #0xF // set R4 to R4 & 0xF ORR R3, R3, R0,LSL#4 // set R3 to R3 \| ( R0 << 0x4 ) EOR R0, R3, #0x7A // set R0 to R3 ^ 0x7A BNE loc_8470 // ... exit program MOV R0, #0 // clear register R0 ADD SP, SP, #4 // don't care LDMFD SP!, {PC} // don't care Now we can create updates from the Kindle directly. If you want to try it out, here's the patch from dm to md: http://yifan.lu/files/md.bspatch MD5 values: dm: 6725ac822654b97355facd138f86d438 md.bspatch: 64404f7f82b0a1ba3561cdf12e9cbd18 md: 3b650bcf4021b41d70796d93e1aad658 Usage: bspatch /path/to/dm md /path/to/md.bspatch You can play around with encryption, decryption by: echo 'hello world' \| md > hello.bin cat hello.bin \| dm You should see you message back. EDIT: Here's a script that will run on the Kindle and convert a tar.gz into an update package http://pastebin.com/2L4pqhsw Last edited by yifanlu; 04-03-2011 at 04:56 PM.