02-27-2023, 06:41 AM | #1
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)
Potential New Exploit For Jailbreaking?

I tried to post this before but it was deleted or something, I'm not sure why? Perhaps this was misunderstood: this isn't a Jailbreak or anything that allows piracy, it is merely a potential entry point which I found on the Kindle Store. I have discovered how to modify the Kindle Store displayed on the Kindle; this means that I can inject custom HTML+JS. You may wonder: so what? It's just a website. Well, being the Kindle Store, this actually contains many... many functions which can be used to manipulate the Kindle which are NOT available in the experimental browser. For example, via the store, I was able to launch apps and communicate with LIPC messages to an extent. I believe that this could be the gateway to a new jailbreak. The reason I'm posting this here is because I don't really know where to go from here lol, I'm relatively new to the jailbreaking scene for Kindles and I was wondering if anyone would like to help me with this project? See attachments for info; the application error one was an earlier version, I can now properly launch other applications.

02-27-2023, 07:14 AM | #2
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

I wonder if I can somehow execute code through a WAF...

02-27-2023, 07:26 AM | #3
Connoisseur | Posts: 99 | Karma: 909418 | Join Date: Aug 2021 | Location: Germany | Device: PW4+Fire 7", Onyx Boox Nova Air

How did you do it? A Man-In-The-Middle attack by hijacking your wifi AP? Hosts file? Or what exactly did you do? The question would be if the Kindle Store App / Tab has system rights or access to directories you would need. I know / heard that a jailbreak adds developer keys to a specific file so it opens up the Kindle for third-party code, but since I don't know how exactly this is done someone else would have to look into this. But the thing is, if you can just run JavaScript, the question is if it's just in the context of a normal browser or if it is having "special" access to commands. Can you give us more information about how you did it, what you did etc.?

02-27-2023, 08:10 AM | #4
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Quote:

Javascript - Yep, the store runs in a special context in which certain Javascript functions normally nonexistent can be used. So far I can:
- Launch apps
- Change screen orientation
Untested, but in theory I can also:
- Communicate with LIBC protocol to send messages to other processes

Last edited by HackerDude; 02-28-2023 at 12:55 PM.

02-27-2023, 08:13 AM | #5
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Also, this is all done on a non-jailbroken device since I am on latest firmware lol

02-27-2023, 08:35 AM | #6
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)
Update: More JS Investigation

List of things I can access, still discovering what most of these are:
- version (returns 1)
- download
- dev (Device-specific stuff such as "refresheyness" of the e-ink display)
- popup
- bkgrnd
- device
- winmgrUtils
- bluetooth (Query and adjust Bluetooth settings)
- chrome (Browser-specific stuff, weird that it's named chrome)
- dconfig
- nat (Query and adjust network settings)
- appmgr (Direct access to the appmgr, currently known: start(), back())
- todo (Does anyone know what this is?)
- gestures
- messaging (libc access)
- uitest
- localprefs
- storeName

I'm currently working on some JS code to properly+recursively dump more information.

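An added example, not the poster's code, of the kind of recursive dump the post above mentions: it walks a bridge object and reports every reachable property as path and kind, so the surface a web view hands to page content can be reviewed and compared against what the page is meant to have. The `mockBridge` it runs over is constructed for this example; its member names are taken from the list in the post, and their shapes (arities, prototype placement, a throwing getter, a cycle) are assumptions chosen to exercise the edge cases.

```javascript
// Added example (not the poster's code): enumerate what a bridge object
// exposes, as "path : kind" lines, so the surface a web view hands to page
// content can be reviewed. Follows the prototype chain (host objects often
// keep methods there), and guards against cycles, depth and throwing getters.
function auditSurface(root, rootName = "bridge", maxDepth = 4) {
  const seen = new WeakSet();   // objects already visited (cycle guard)
  const out = [];

  function walk(obj, path, depth) {
    seen.add(obj);
    const names = new Set();
    for (let p = obj; p && p !== Object.prototype; p = Object.getPrototypeOf(p)) {
      for (const n of Object.getOwnPropertyNames(p)) names.add(n);
    }
    for (const name of [...names].sort()) {
      if (name === "constructor") continue;
      const childPath = `${path}.${name}`;
      let value;
      try { value = obj[name]; }             // an accessor may throw
      catch (e) { out.push(`${childPath} : <getter threw ${e && e.name}>`); continue; }
      if (typeof value === "function") {
        out.push(`${childPath} : function/${value.length}`);   // arity hints at params
      } else if (value !== null && typeof value === "object") {
        if (seen.has(value)) { out.push(`${childPath} : <cycle>`); continue; }
        if (depth + 1 > maxDepth) { out.push(`${childPath} : <depth limit>`); continue; }
        out.push(`${childPath} : object`);
        walk(value, childPath, depth + 1);
      } else {
        out.push(`${childPath} : ${typeof value} = ${String(value)}`);
      }
    }
  }
  if (root !== null && typeof root === "object") walk(root, rootName, 0);
  return out;
}

// CONSTRUCTED stand-in: member names mirror the post's list, shapes are assumed.
const mockBridge = {
  version: 1,
  appmgr: { start: (name) => null, back: () => null },
  messaging: { send: (target, name, payload) => null },
  bluetooth: Object.create({ get: () => null }),          // method on the prototype
  dev: { get secret() { throw new Error("denied"); } },   // accessor that throws
};
mockBridge.self = mockBridge;                              // deliberate cycle

function auditMockBridge() { return auditSurface(mockBridge); }
```

Running `auditMockBridge()` yields eleven lines, including `bridge.bluetooth.get : function/0` (found via the prototype), `bridge.dev.secret : <getter threw Error>` and `bridge.self : <cycle>`.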
02-27-2023, 09:23 AM | #7
Still reading | Posts: 14,926 | Karma: 110507267 | Join Date: Jun 2017 | Location: Ireland | Device: All 4 Kinds: epub eink, Kindle, android eink, NxtPaper

Doesn't the Kindle Sudoku also use the fact that the web browser has stuff in it so the Amazon Kindle Store works "better"?

02-27-2023, 09:30 AM | #8
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Interestingly, unless I include a large portion of the original code, the Kindle complains that the store failed to load, so it probably relies on a JS function call of sorts. I'll investigate this further, but the code is heavily obfuscated so it's a pain to go through.

02-27-2023, 09:35 AM | #9
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Quote:

This is specific to the store and potentially other built-in Web Applications (WAFs). The browser normally doesn't have these JavaScript functions available to it.

02-27-2023, 12:08 PM | #10
Connoisseur | Posts: 87 | Karma: 25608 | Join Date: Sep 2022 | Device: PW3, PW2, KT2, 2xKT, 2xK3G

Quote:

MITM would probably not work due to the Kindle using HTTPS.

Last edited by luketheduke; 02-27-2023 at 12:20 PM.

02-27-2023, 12:10 PM | #11
Connoisseur | Posts: 87 | Karma: 25608 | Join Date: Sep 2022 | Device: PW3, PW2, KT2, 2xKT, 2xK3G

Used to be able to with `nativeBridge.dbgCmd`. Removed a while ago, though.

02-27-2023, 12:20 PM | #12
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Quote:

I can't say, but you're a little far off... don't forget, I had to do a bunch of networking stuff too, but it isn't ARP spoofing.

Last edited by HackerDude; 02-28-2023 at 01:01 PM.

02-27-2023, 12:21 PM | #13
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Quote:

02-27-2023, 12:40 PM | #14
Resident Curmudgeon | Posts: 80,677 | Karma: 150249619 | Join Date: Nov 2006 | Location: Roslindale, Massachusetts | Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3

Quote:

02-27-2023, 12:45 PM | #15
Kindle Bricker | Posts: 120 | Karma: 862608 | Join Date: Sep 2022 | Location: Why do you want to know? | Device: PW6, PW6(dead), PW5 (brick), PW5 (brick), PW4 (brick)

Tags: exploit, jailbreak