Kindle Browser Patch

[hardfloat]

I have developed a patch for the built-in web browser on armhf Kindle devices (firmware >= 5.16.3). It provides the following features:
- Remove the restriction on what kind of filetypes you can download
- Remove the restriction on what protocols you can browse, enabling the use of file://

Check it out here.

[hardfloat]

Typo, it's actually only for >= 5.16.4

[BionicGecko]

This is awesome! Just tested on my Oasis 3 and it works great

Makes it possible to download KFX and AZW3 files from something like Calibre-Web or COPS. This makes the browser much more useful!

[kaspar]

Nice work. Is there any way to enable landscape mode? Would be useful on the Scribe's big screen.

[kaspar]

I found this:

https://www.mobileread.com/forums/sh...84&postcount=8

I will try and report back.

[bricker]

Quote:

Originally Posted by hardfloat

I have developed a patch for the built-in web browser on armhf Kindle devices (firmware >= 5.16.3). It provides the following features:
- Remove the restriction on what kind of filetypes you can download
- Remove the restriction on what protocols you can browse, enabling the use of file://

Check it out here.

incredible. how does this work on a technical level? how did you find what to replace in the binary?

[hardfloat]

Quote:

Originally Posted by bricker

incredible. how does this work on a technical level? how did you find what to replace in the binary?

After identifying kindle_browser as the primary binary, I disassembled it using Ghidra. I searched for the string "azw3", because the browser must have that string in memory at some point in order to compare whether the file you are downloading matches one of the allowed extensions. I searched for x-refs to the string to find this code:

Code:

  FUN_00036b7e(auStack_6c,".azw1");
  FUN_00036b7e(auStack_60,".azw2");
  FUN_00036b7e(auStack_54,".azw3");
  FUN_00036b7e(auStack_48,&DAT_000323a4);
  FUN_00036b7e(auStack_3c,".mobi");
  FUN_00036b7e(auStack_30,&DAT_0002f676);
  iVar10 = 0;
  do {
    if (iVar10 == 0x54) {
      bVar1 = false;
      goto LAB_0004d7d0;
    }
    base::BasicStringPiece<>::BasicStringPiece((char *)&uStack_90);
    iVar7 = base::FilePath::MatchesExtension((GURL *)aFStack_84,uStack_90,uStack_8c);
    iVar10 = iVar10 + 0xc;
  } while (iVar7 == 0);
  bVar1 = true;
LAB_0004d7d0:

which is essentially a for loop checking each extension to see if it matches, and if after checking all of them if it still hasn't matched, it sets the bVar1 to false, indicating our extension is not in the allowed list.

I patched it to:

Code:

FUN_00036b7e(auStack_6c,".azw1");
  FUN_00036b7e(auStack_60,".azw2");
  FUN_00036b7e(auStack_54,".azw3");
  FUN_00036b7e(auStack_48,&DAT_000323a4);
  FUN_00036b7e(auStack_3c,".mobi");
  FUN_00036b7e(auStack_30,&DAT_0002f676);
  iVar10 = 0;
  do {
    if (iVar10 == 0x54) {
      bVar1 = true;                   <-- PATCH
      goto LAB_0004d7d0;
    }
    base::BasicStringPiece<>::BasicStringPiece((char *)&uStack_90);
    iVar7 = base::FilePath::MatchesExtension((GURL *)aFStack_84,uStack_90,uStack_8c);
    iVar10 = iVar10 + 0xc;
  } while (iVar7 == 0);
  bVar1 = true;
LAB_0004d7d0:

so that in the case where no extension in the list matches, it still returns true instead of false.

old:

Code:

0004d7ce 00 25           movs       r5,#0x0

new:

Code:

0004d7ce 01 25           movs       r5,#0x1

Next, I searched for strings "http" and https", but the only thing I could find was this import from libchromium.so:

Code:

/* GURL::SchemeIsHTTPOrHTTPS() const */

undefined4 __thiscall GURL::SchemeIsHTTPOrHTTPS(GURL *this)

{
  size_t sVar1;
  int iVar2;
  undefined4 uVar3;
  
  sVar1 = strlen("http");
  iVar2 = FUN_018d3db8(this,&DAT_00840f1b,sVar1);
  if (iVar2 != 0) {
    return 1;
  }
  sVar1 = strlen("https");
  uVar3 = FUN_018d3db8(this,"https",sVar1);
  return uVar3;
}

I tried patching it to:

Code:

/* GURL::SchemeIsHTTPOrHTTPS() const */

undefined4 __thiscall GURL::SchemeIsHTTPOrHTTPS(GURL *this)

{
  size_t sVar1;
  int iVar2;
  undefined4 uVar3;
  
  sVar1 = strlen("http");
  iVar2 = FUN_018d3db8(this,&DAT_00840f1b,sVar1);
  
  return 1;              <-- PATCH

  sVar1 = strlen("https");
  uVar3 = FUN_018d3db8(this,"https",sVar1);
  return uVar3;
}

We removed the if statement, and simply executed the return.

old:

Code:

018d3e04 08 b1           cbz        this,LAB_018d3e0a

new:

Code:

018d3e04 00 bf           nop

The installation script does 3 things:
- Copies the browser binaries from system directories to a new directory in /mnt/us
- Patches them
- Updates /var/local/appreg.db so that the browser launch command executed when you open the browser from the GUI points to the new, patched browser instead.

[BionicGecko]

Thanks for this detailed overview and for sharing your thought process, this was very informative.

[kaspar]

Do you think you could similarly patch the Bluetooth manager to allow any device (a keyboard) instead of only audio devices? Obviously more work would be required after that, but it would be a great start.

[juegos]

What would file:// allow you to do? Thank you!

[DNSB]

Quote:

Originally Posted by juegos

What would file:// allow you to do? Thank you!

File:// lets you open a local file in a web browser. Firefox has Open file in it's file menu to allow browsing to a file or you can type ctrl-O and browse that way. For Chrome and Edge, you need to type ctrl-O, browse to the file and then open it. I find it useful when looking a downloaded HTML file or testing a file before uploading it. File:// requires you to know the path to the file so you would have to type file://d:/downloads/abenigy.html to open the file.

At one point when Edge supported displaying ePub files, I used ctrl-O to browse to and open the ePub but gave on using Edge since the renderer was not anything to write home about.