[ixtab]

I think I just found an alternative way of jailbreaking the device. I actually stumbled upon this while looking for a way to de-brick a KT which is not showing any UI, but is at least capable of booting up to the point of announcing itself as a USB device.

So here's how it goes:
- /etc/upstart/filesystems.conf contains a line to extract, and then delete, /mnt/us/data.tar.gz if present
- this file can be made to contain absolute path locations. ("tar cvfzP").
- This alone only allows us to write to whatever is already mounted read-write. But that includes, for example, "/var/local/system/locale".
- The locale file in turn is sourced from pretty much everywhere ("source /var/local/system/locale"), and can contain shell code.

I'm attaching a proof-of-concept exploit. *RENAME* RUNME.sh.txt to RUNME.sh, then just copy both files to /mnt/us (or even just into the root folder via USB drive). Then reboot. The result should be:
- Three new files in /mnt/us/, namely RUNME.{done,out,err}. For reasons completely obscure to me, sometimes the .out file stays empty, even though it shouldn't. May just be a FS syncing problem though. In any case, the actual execution DID take place in all cases (for me).
- For the proof-of-concept, a copy of /opt/amazon/ebook/config/locales/default.properties has been made as "jb.properties".

As said, this may not only be useful for jailbreaking, but also for de-bricking devices which don't properly get the UI running anymore. As long as USB drive access works, this method should also work. For a bricked device, the reboot is achieved by long-pressing (30 secs?) the power button.

Let me know if this is reproducible.

UPDATE: For newbies: This is NOT a jailbreak! DO NOT USE THIS UNLESS YOU KNOW WHY AND HOW TO USE IT CORRECTLY!