KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card

[melksnor]

shouldn't the shell script to be run just be copying the certificate from the usb reachable place to the right location?

[NiLuJe]

@melksnor: Yep, my point exactly .

(The post I linked to does just that (and a tiny bit more, but in the same spirit of "just dump that file here for now, and let a reboot and hotfix fix it up nicely")).

[tryol]

We have root!

Here is a picture of what is ?probably? the first jailbroken Oasis 3, with KUAL open:


(It's running 5.12.4.)


Tomorrow I'll go through all the firmware versions and create images for them. I'll be making a new thread for this exploit in the upcoming days.

Thanks to everybody who helped me either here or in private!

[ilovejedd]

That's awesome. Thanks for all your hard work!

[swaschan]

Quote:

Originally Posted by tryol

We have root!

Here is a picture of what is ?probably? the first jailbroken Oasis 3, with KUAL open:


(It's running 5.12.4.)


Tomorrow I'll go through all the firmware versions and create images for them. I'll be making a new thread for this exploit in the upcoming days.

Thanks to everybody who helped me either here or in private!

What an absolute god gamer. Super excited to see where this goes.

[melksnor]

I am really impressed, would love to read a write up on how you got there!

[NiMa]

Quote:

Originally Posted by melksnor

I am really impressed, would love to read a write up on how you got there!

+1 there. I second melksnor's advice and I look forward to your write up, it seems really interesting!

[tryol]

Status update:

Seems like this won't be as easy as I thought...

I'm not sure if I talked about this already, but 1 image won't work for all the firmware version. This is because they have their global offset tables and writable/executable memory pages in different places.
I've spent the last 2 days downloading and going through each and every one of them, and categorizing them based on those two things. It seems like we'll have about ~20-30 different images if I'm planning to support everything from 5.3.0 to 5.13.3.

Once I finalized all the groups, I'll make a new post here about them and talk about which version interval each of them represent. I hope we can get enough people to test at least the most popular ones.


I've already made testing kits for some of the groups, but right now the only one that's confirmed to be working is 5.11.1 - 5.13.3.

Quote:

Originally Posted by melksnor

I am really impressed, would love to read a write up on how you got there!

Quote:

Originally Posted by NiMa

+1 there. I second melksnor's advice and I look forward to your write up, it seems really interesting!

I'm not sure what I'd write about because Yogev Bar-On's Medium post in the OP already explains how the exploit works. It only took this long to make because of my inexperience.

75% of the time I've spent on making this was basically studying stuff I didn't know. I had to learn IDA and Ghidra to reverse engineer the binaries/libraries. I had to deepen my knowledge on memory management. I also learned how to write shellcodes on different CPUs, how ELF files work, etc.

The other 25% was spent on reproducing what Yogev documented, and figuring out some of the details in the places where they - probably intentionally - left some things out.
Maybe I could write about that, but given how dangerous it could be if somebody made malicious images, - like the one Yogev demonstrated the exploit with - I think it's best if I keep quiet on that.

[tva2000hn]

Quote:

Originally Posted by tryol

Status update:

Seems like this won't be as easy as I thought...

I'm not sure if I talked about this already, but 1 image won't work for all the firmware version. This is because they have their global offset tables and writable/executable memory pages in different places.
I've spent the last 2 days downloading and going through each and every one of them, and categorizing them based on those two things. It seems like we'll have about ~20-30 different images if I'm planning to support everything from 5.3.0 to 5.13.3.

Once I finalized all the groups, I'll make a new post here about them and talk about which version interval each of them represent. I hope we can get enough people to test at least the most popular ones.


I've already made testing kits for some of the groups, but right now the only one that's confirmed to be working is 5.11.1 - 5.13.3.






I'm not sure what I'd write about because Yogev Bar-On's Medium post in the OP already explains how the exploit works. It only took this long to make because of my inexperience.

75% of the time I've spent on making this was basically studying stuff I didn't know. I had to learn IDA and Ghidra to reverse engineer the binaries/libraries. I had to deepen my knowledge on memory management. I also learned how to write shellcodes on different CPUs, how ELF files work, etc.

The other 25% was spent on reproducing what Yogev documented, and figuring out some of the details in the places where they - probably intentionally - left some things out.
Maybe I could write about that, but given how dangerous it could be if somebody made malicious images, - like the one Yogev demonstrated the exploit with - I think it's best if I keep quiet on that.

That's great to hear !! I think you only need to build the images for 5.11.1 to 5.13.3 , as everyone can still manually download the supported OS versions and sideload - upgrade it without turning wifi on ( every kindle is fully jailbroken up to PW1; and PW2 and above support OS versions 5.11.1 to 5.13.3)

[hius07]

The main difference between firmwares 5.11.* and 5.12 (and above) is an ability to block firmware ota updates: simple blocking directory vs renaming sys fles.
If a user has upgraded over 5.12 - there are no reasons not to upgrade to 5.13.3.

So it might be enough to have just two magic images: for 5.11.2 (the last 5.11.*) and for 5.13.3 (the last jailbreakable) for all models starting from PW3 and newer (except PW4).
No need for PW4 images at all (well, not urgent).

The latest update for PW2 and KT2 is 5.12.2.1.1, highly likely with closed vulneability, need to be tested. 5.12.2 is good for sure.

[cabcool]

I'm only a dumb end-user, but I've been following these forums for a while in hopes of a jailbreak for my PW3 running 5.12.2.

If I'm not misunderstanding, that's what this exploit might be able to do?

Then I would like to help out if it's useful.

[Akirainblack]

@tryol Is it worth releasing what you have working for the latest firmwares, just so that there are some of us who've done this and can then help those that struggle?
I've a Voyage on 5.13.1 which I'd love to get jailbroken and am more than happy to help others once I know the process.

[tryol]

Quote:

Originally Posted by tva2000hn

That's great to hear !! I think you only need to build the images for 5.10.3 to 5.13.3 , as everyone can still manually download the supported OS versions and sideload - upgrade it without turning wifi on ( every kindle is fully jailbroken up to PW1; and PW2 and above support OS versions 5.10.3 to 5.13.3)

Since only I got my first kindle a few months ago, I didn't get to experience the older firmwares. I assumed that some newer versions have issues or remove/change features that make people not want to upgrade to them. That's why I planned to support versions below 5.12.2.1.1, plus I also wanted to support KT and PW which are way below that. Seems like 5.10.3 - 5.13.3 is enough then, at least for the initial thread.

Quote:

Originally Posted by hius07

The main difference between firmwares 5.11.* and 5.12 (and above) is an ability to block firmware ota updates: simple blocking directory vs renaming sys files.

I've started using your KUAL script that renames the system files but I'm still scared to turn airplane mode off. Has it been tested extensively enough? (I'm on 5.12.4.)

Quote:

Originally Posted by hius07

So it might be enough to have just two magic images: for 5.11.2 (the last 5.11.*) and for 5.13.3 (the last jailbreakable) for all models starting from PW3 and newer (except PW4).
No need for PW4 images at all (well, not urgent).

The latest update for PW2 and KT2 is 5.12.2.1.1, highly likely with closed vulneability, need to be tested. 5.12.2 is good for sure.

The image for group 5.10.3-5.13.3 SHOULD work for any device in that range, there is no such thing as a 5.11.2, 5.13.3 or PW4 image. I'm planning to test that "SHOULD" though before I make the image public.

Quote:

Originally Posted by cabcool

I'm only a dumb end-user, but I've been following these forums for a while in hopes of a jailbreak for my PW3 running 5.12.2.

If I'm not misunderstanding, that's what this exploit might be able to do?

Then I would like to help out if it's useful.

Quote:

Originally Posted by Akirainblack

@tryol Is it worth releasing what you have working for the latest firmwares, just so that there are some of us who've done this and can then help those that struggle?
I've a Voyage on 5.13.1 which I'd love to get jailbroken and am more than happy to help others once I know the process.

I'll PM you both soon, 5.12.2 and 5.13.1 are versions I haven't explicitly tested yet, and I want to before I make the new thread.
If anybody else wants to help with testing, PM me with your device and firmware version! Untested firmwares preferred, especially the 2 extremities; 5.10.3 and 5.13.3.


The working firmware/device combinations for firmware versions (5.10.3 - 5.13.3) that got tested so far (constantly updated):

Spoiler:

5.13.3: KOA2
5.13.2: PW3
5.13.1: KV
5.12.5: KOA3
5.12.4: KT4, KOA3
5.12.3: KOA2
5.12.2.1.1 PW2 (PW2/KT2 exclusive firmware)
5.12.2.1: PW2 (PW2/KT2 exclusive firmware)
5.12.2: KT2, KT4, PW3
5.12.1.1: KOA3 (KOA3 exclusive firmware)
5.12.1: KOA2
5.11.2: KOA2
5.11.1.1: KOA2
5.11.1: PW4 (PW4 exclusive firmware)
5.10.3: KV

Once I get enough data I'll make it public for everybody.

[hius07]

Great, thanks!

Regarding block OTA. You can test it as follows: download your version of the firmware (5.12.4, right?) and put it to the device usb-root. Non-blocked device should be able to upgrade (to the same vesion). Your device should not.

I maintain Kindle cyrillic forum (4pda.ru), I hope we can find any combination of device/firmware for testing.

[hius07]

Also you can try Kindle firewall to block Amazon sites
https://www.mobileread.com/forums/sh....php?p=2425330