Quick Kindle 3 root shell via USB

ecostin · 09-07-2010, 09:06 AM

Step 1: Statically compile netcat or similar. For the lazy, download http://rapidshare.com/files/417621092/nk.html
Step 2: Connect your K3 via USB ans copy netcat or the downloaded nk file to the root of the "Kindle" drive
Step 3: Activate the USB networking mode (;debugOn and ~usbNetwork)
Step 4: Configure your USB network link with an IP address from the 192.168.15 C class
Step 5: Type on your Kindle: ~exec /mnt/us/nk -shell -server T,5000 (or similar for netcat); Your K3 stops responding.
Step 6: Telnet from your PC to 192.168.15.244 port 5000

Now you have a root shell and can start customizing the device.

Step 7: To exit without resetting the K3, check your nk / netcat PID with "ps xa" (looking like: 4380 ? S< 0:00 /mnt/us/nk -shell -server T,5000) and kill the process. The K3 now starts responding again.

Good luck

clarknova · 09-07-2010, 09:35 AM

Wait, you can just run arbitrary code from the search window on the K3? Then, what's everyone's problem with getting in? This is easier than the K2. Could the K2 do this?

DiapDealer · 09-07-2010, 09:54 AM

I was pretty sure you were limited to typing the commands that show up with `help after the ;debugOn.

Can anyone else verify that random bash commands can be run from the search window of the K3 (like it suggests in the OP's step 5)?

ecostin · 09-07-2010, 09:58 AM

Quote:

Originally Posted by DiapDealer

I was pretty sure you were limited to typing the commands that show up with `help after the ;debugOn.

Can anyone else verify that random bash commands can be run from the search window of the K3 (like it suggests in the OP's step 5)?

Actually after ;debugOn, entering ~help lists the commands (not `help) and ~exec is one of them. Maybe amazon has decided to just let us do what we want.

DiapDealer · 09-07-2010, 10:01 AM

Well that's certainly encouraging.

clarknova · 09-07-2010, 10:09 AM

Quote:

Originally Posted by ecostin

Actually after ;debugOn, entering ~help lists the commands (not `help) and ~exec is one of them. Maybe amazon has decided to just let us do what we want.

Just confirmed that this didn't work on K2. Can someone else confirm on K3? If this is the case, the K3 is easier to hack than the K2i and up.

Awesome.

DiapDealer · 09-07-2010, 10:21 AM

Quote:

Just confirmed that this didn't work on K2.

Yeah, didn't work on my K2 either, but the ~help command did something--because my home screen changed and displayed numbers in parentheses beside all my titles--just not sure what it's doing.

Potentially great news for K3 users, though!

odfi · 09-07-2010, 10:33 AM

Quote:

Originally Posted by clarknova

Can someone else confirm on K3? If this is the case, the K3 is easier to hack than the K2i and up.

Awesome.

On my K3, when I do ;debugOn and then ~help I get a screen with :

Private shortcuts : ~changeLocale, ~disableIndexing, ~disableScreensaver, ~dumpIndexStats, ~exec, ~help, ~indexStatus, ~meminfo, ~reloadContentRoster, ~resumeScreensaver, ~startIndexing, ~stopindexing, ~usbNetwork

I haven't try to use usbNetwork for now.

hope this help.

blkhawk · 09-07-2010, 11:18 AM

that ~exec is run with root rights is something. I do not think Amazon spend much time or money on securing this device - its basically open and there are tons of ways to getting root. off the top of my head:

1) boot initrd image via serial plug and swap out the password hash in /etc/shadow
2) for some reason said root password hash is only hashed with crypt (sha1). and maybe just "luigi". so it is crackable. Other password hashes in there use md5. this also requires the serial plug.
3) the ~exec method
4) the jtag

common to all these is that no total retar^w^w non-computer savvy person would attempt them. combined with the looming release of the kdk amazon might have decided that locking down isn't really worth it and might even hurt in the long run. I think they plan to get every single person that is able to read a kindle.

DiapDealer · 09-07-2010, 11:37 AM

Quote:

Yeah, didn't work on my K2 either, but the ~help command did something--because my home screen changed and displayed numbers in parentheses beside all my titles--just not sure what it's doing.

Never mind my moment of brain-deadedness.

Correct me if I'm wrong, but won't ~exec with root rights allow scripts to be created that can create symlinks (and install the binaries), thereby bypassing the need to create binary update packages for the existing hacks?

I won't complain if they've made that easy, but... wow!

ecostin · 09-07-2010, 11:50 AM

Quote:

Originally Posted by DiapDealer

Never mind my moment of brain-deadedness.

Correct me if I'm wrong, but won't ~exec with root rights allow scripts to be created that can create symlinks (and install the binaries), thereby bypassing the need to create binary update packages for the existing hacks?

I won't complain if they've made that easy, but... wow!

Yes, the ~exec function is in fact an interactive shell, but with horrible output, so you'll want to get a remote shell. No need to to any other complicated things, just compile the code, install and use

DiapDealer · 09-07-2010, 12:23 PM

Quote:

Yes, the ~exec function is in fact an interactive shell, but with horrible output, so you'll want to get a remote shell.

Agreed. I was just thinking of the non-technical end-users of the existing Screensaver and Fonts hacks. Expecting them to first establish a remote shell to install the screensaver hack would be a bit much. However, typing ";debugOn" followed by a short "~exec ss-install.sh" wouldn't be nearly as hard to create instructions for.

I almost wish I had a K3 to experiment on now.

Ged_uk · 09-07-2010, 02:58 PM

I can't get my UK K3 to go into usb network, always comes up as disc mode

Probably missed something silly or UK K3 are different?
G

NiLuJe · 09-07-2010, 02:58 PM

ROFL.

Okay, will try that ASAP...

porkupan · 09-07-2010, 03:15 PM

Great find (about the ~exec command). Obviously a stupid bug, left-over from firmware debugging. Crrrrrazy stuff! A simple jailbreak script (jb_install.sh) will be something like:

Code:

#!/bin/sh
export PATH=/usr/sbin:${PATH}

_FUNCTIONS=/etc/rc.d/functions
[ -f ${_FUNCTIONS} ] && . ${_FUNCTIONS}

mntroot rw

#install key
cat <<EOF > /etc/uks/pubhackkey01.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJn1jWU+xxVv/eRKfCPR9e47lP
WN2rH33z9QbfnqmCxBRLP6mMjGy6APyycQXg3nPi5fcb75alZo+Oh012HpMe9Lnp
eEgloIdm1E4LOsyrz4kttQtGRlzCErmBGt6+cAVEV86y2phOJ3mLk0Ek9UQXbIUf
rvyJnS2MKLG2cczjlQIDAQAB
-----END PUBLIC KEY-----
EOF

mntroot ro

And that's all of it!

The instructions:
1) Copy jb_install.sh into kindle's main storage
2) ;debugOn
3) ~exec /mnt/us/jb_install.sh
4) No reboot needed

09-07-2010, 09:06 AM	#1
ecostin Enthusiast Posts: 37 Karma: 160968 Join Date: Sep 2010 Location: Germany Device: PRS-500-505-700, Kindle3, KT, KPW, KPW2, KV, KOA	Quick Kindle 3 root shell via USB Step 1: Statically compile netcat or similar. For the lazy, download http://rapidshare.com/files/417621092/nk.html Step 2: Connect your K3 via USB ans copy netcat or the downloaded nk file to the root of the "Kindle" drive Step 3: Activate the USB networking mode (;debugOn and ~usbNetwork) Step 4: Configure your USB network link with an IP address from the 192.168.15 C class Step 5: Type on your Kindle: ~exec /mnt/us/nk -shell -server T,5000 (or similar for netcat); Your K3 stops responding. Step 6: Telnet from your PC to 192.168.15.244 port 5000 Now you have a root shell and can start customizing the device. Step 7: To exit without resetting the K3, check your nk / netcat PID with "ps xa" (looking like: 4380 ? S< 0:00 /mnt/us/nk -shell -server T,5000) and kill the process. The K3 now starts responding again. Good luck Last edited by ecostin; 09-07-2010 at 10:21 AM.

09-07-2010, 03:15 PM	#15
porkupan Fanatic Posts: 556 Karma: 1057213 Join Date: Sep 2006 Location: North Eastern U.S. Device: Sony Reader	Great find (about the ~exec command). Obviously a stupid bug, left-over from firmware debugging. Crrrrrazy stuff! A simple jailbreak script (jb_install.sh) will be something like: Code: #!/bin/sh export PATH=/usr/sbin:${PATH} _FUNCTIONS=/etc/rc.d/functions [ -f ${_FUNCTIONS} ] && . ${_FUNCTIONS} mntroot rw #install key cat <<EOF > /etc/uks/pubhackkey01.pem -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJn1jWU+xxVv/eRKfCPR9e47lP WN2rH33z9QbfnqmCxBRLP6mMjGy6APyycQXg3nPi5fcb75alZo+Oh012HpMe9Lnp eEgloIdm1E4LOsyrz4kttQtGRlzCErmBGt6+cAVEV86y2phOJ3mLk0Ek9UQXbIUf rvyJnS2MKLG2cczjlQIDAQAB -----END PUBLIC KEY----- EOF mntroot ro And that's all of it! The instructions: 1) Copy jb_install.sh into kindle's main storage 2) ;debugOn 3) ~exec /mnt/us/jb_install.sh 4) No reboot needed Last edited by porkupan; 09-07-2010 at 03:45 PM. Reason: grammar; single-file change per clarknova

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
PRS-600 Serial console (i.e. shell) over USB	Xaphiosis	Sony Reader Dev Corner	6	08-22-2010 11:06 PM
PRS-900 Any luck getting a root shell? or debug mode?	raisinbrain	Sony Reader	0	01-05-2010 11:33 PM
Hacks can you get a shell on your kindle?	svakanda	Amazon Kindle	4	02-27-2009 10:37 AM
Getting a root shell	guylhem	Sony Reader Dev Corner	4	02-27-2009 05:24 AM
iLiad Can't Connect via USB after Dev Access Shell Install	jfrey	iRex Developer's Corner	4	02-20-2008 12:20 PM

09-07-2010, 09:35 AM	#2
clarknova Addict Posts: 241 Karma: 2617 Join Date: Mar 2009 Location: Greenwood, SC Device: Kindle 2	Wait, you can just run arbitrary code from the search window on the K3? Then, what's everyone's problem with getting in? This is easier than the K2. Could the K2 do this?

09-07-2010, 09:54 AM	#3
DiapDealer Grand Sorcerer Posts: 28,272 Karma: 203719142 Join Date: Jan 2010 Device: Nexus 7, Kindle Fire HD	I was pretty sure you were limited to typing the commands that show up with `help after the ;debugOn. Can anyone else verify that random bash commands can be run from the search window of the K3 (like it suggests in the OP's step 5)?

09-07-2010, 10:01 AM	#5
DiapDealer Grand Sorcerer Posts: 28,272 Karma: 203719142 Join Date: Jan 2010 Device: Nexus 7, Kindle Fire HD	Well that's certainly encouraging.

09-07-2010, 11:18 AM	#9
blkhawk Bit Wrangler Posts: 31 Karma: 93324 Join Date: Sep 2010 Device: Oasis	that ~exec is run with root rights is something. I do not think Amazon spend much time or money on securing this device - its basically open and there are tons of ways to getting root. off the top of my head: 1) boot initrd image via serial plug and swap out the password hash in /etc/shadow 2) for some reason said root password hash is only hashed with crypt (sha1). and maybe just "luigi". so it is crackable. Other password hashes in there use md5. this also requires the serial plug. 3) the ~exec method 4) the jtag common to all these is that no total retar^w^w non-computer savvy person would attempt them. combined with the looming release of the kdk amazon might have decided that locking down isn't really worth it and might even hurt in the long run. I think they plan to get every single person that is able to read a kindle.

09-07-2010, 02:58 PM	#13
Ged_uk Enthusiast Posts: 30 Karma: 10 Join Date: Jan 2008 Device: K3-3G, HTC HD2	I can't get my UK K3 to go into usb network, always comes up as disc mode Probably missed something silly or UK K3 are different? G

09-07-2010, 02:58 PM	#14
NiLuJe BLAM! Posts: 13,501 Karma: 26047188 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	ROFL. Okay, will try that ASAP...