DX(G) Develop patch for missing certificate Kindle DX

[knc1]

Quote:

Originally Posted by DeKuns

- - - -

When the device tried to connect to Amazon server for a certificate, the device send its serial number and some other related numbers. In the debug file, the server returns "file not found". All Kindle Gen 2 data might be removed either intentionally or accidently. May be this is a routine server maintanance because the early Gen 2 is now 10 years old—only Kindle DXG the latest sale is in 2014—.

Almost.
Prior to registration, the device has a "limited access" certificate.
It uses that to create the device registration (where it sends device / user specific information).
In return, it receives a "general access" certificate.
("limited" and "general" are used above to provide a sense of the process, they may not be the proper terms.)

[DeKuns]

Quote:

Originally Posted by knc1

Almost.
Prior to registration, the device has a "limited access" certificate.
It uses that to create the device registration (where it sends device / user specific information).
In return, it receives a "general access" certificate.
("limited" and "general" are used above to provide a sense of the process, they may not be the proper terms.)

I understand now. Thank you knc1. So no need for firmware 3.4.2. The problem of these factory reset unable to register is that this "general access" certificate is not in the server anymore. Is this "general access" certificate is highly encrypted? DXG is my only Kindle so I am not able to examine this "general access" certificate.

[knc1]

Quote:

Originally Posted by DeKuns

I understand now. Thank you knc1. So no need for firmware 3.4.2. The problem of these factory reset unable to register is that this "general access" certificate is not in the server anymore. Is this "general access" certificate is highly encrypted? DXG is my only Kindle so I am not able to examine this "general access" certificate.

Ah, no not on server.
It ships with a new device and is only used for set-up/registration. I.E: It is the public signature cert.

I do not recall if it is deleted after set-up, but I can see how people working on ten year old firmware might over-look such a thing (since no new ones have been sold in a decade).


So these posts make me think that certificate (the one-time set-up cert) is what is missing.


I can't think of any reason why Amazon would re-cert their system after only ten years, 20..30 years is more normal practice.
And I can't think of why the "Hi Mom, I'm sold" first time certificate would be different for different models. (It might be used differently, but would still be the same cert.)


So I think all we need is some owners of other 3G models to post file name listings of those two directory paths you posted.
Maybe the K3 (keyboard) would still have the "intro" certificate present.


Since we are only looking for the Public certificate, we should be able to post it on the forum when it is found, since, after all, it is Public.

[DeKuns]

Quote:

Originally Posted by eddie.t.h

Yesterday I successfully made a reset to factory and registered my Kindle keyboard 3 but i have wifi only device.

Thanks for the info!
So it is currently affecting Gen 1-2 only. I read here Gen 3 might inherit the same process in communicating to Amazon server:
https://www.turnkeylinux.org/blog/kindle-root

Quote:

BASE_WEBSITE_URL: http://www.amazon.com
CERT_SERVER_URL : https://fras-g7g.amazon.com/FrasProxy/
REGISTER_SERVER_URL : https://firs-g7g.amazon.com/FirsProxy/
TODO_SERVER=https://todo-g7g.amazon.com/FionaTodoListProxy/
CDE_SERVER=https://cde-g7g.amazon.com/FionaCDEServiceEngine/

If you can analyze the debug file, then could you inform here what file that Amazon send from their CERT_SERVER_URL? This is where I saw my Kindle DX stop in registration process because it received a respond from the server that the file is not found. Thanks.

[DeKuns]

Quote:

Originally Posted by knc1

Ah, no not on server.
It ships with a new device and is only used for set-up/registration. I.E: It is the public signature cert.

I do not recall if it is deleted after set-up, but I can see how people working on ten year old firmware might over-look such a thing (since no new ones have been sold in a decade).


So these posts make me think that certificate (the one-time set-up cert) is what is missing.


I can't think of any reason why Amazon would re-cert their system after only ten years, 20..30 years is more normal practice.
And I can't think of why the "Hi Mom, I'm sold" first time certificate would be different for different models. (It might be used differently, but would still be the same cert.)


So I think all we need is some owners of other 3G models to post file name listings of those two directory paths you posted.
Maybe the K3 (keyboard) would still have the "intro" certificate present.


Since we are only looking for the Public certificate, we should be able to post it on the forum when it is found, since, after all, it is Public.

Let see if we can found what file it is and whether it is public domain file. If the registration process of factory reset Kindle of Gen 3 or newer Kindle is still the same then owners of these newer Gen might also able to help.

[DiapDealer]

Quote:

Originally Posted by j.p.s

K2 was Sprint. reports of K2 connectivity loss started showing up here some time ago.

Only the early US-only version of the K2 was Sprint. The later international versions of the K2 (2009-ish) switched to ATT. I was one of the ones reporting connectivity loss (but only after a factory reset) back in 2017, but Amazon corrected whatever the problem was and I was eventually able to re-register and connect. I'd have to dig it out of the Gig-Bag-of-Retired-Gizmos-that-Lives-in-the-Bottom-of-the-Closet (and see if it will still hold a charge) to see if it can still connect.

But even back then (2007) there were many reports of DX(G)s not being able to register/connect even after the problem with the K2s was resolved.

[knc1]

Quote:

Originally Posted by DeKuns

- - - - -
If you can analyze the debug file, then could you inform here what file that Amazon send from their CERT_SERVER_URL? This is where I saw my Kindle DX stop in registration process because it received a respond from the server that the file is not found. Thanks.

This is what the FF message says (the CA's certificate used to sign the Amazon certificate has expired, at least the CA certificate for Gutenburg on my machine is expired - so this might be fixed just by retriving Gutenburg's current public cert):

[DeKuns]

Quote:

Originally Posted by knc1

This is what the FF message says (the CA's certificate used to sign the Amazon certificate has expired, at least the CA certificate for Gutenburg on my machine is expired - so this might be fixed just by retriving Gutenburg's current public cert):

Thanks kcn1, that is exactly what I think of at the beginning. However, Chrome browser also listed all Amazon related registration servers have invalid certificate. These:

Quote:

CERT_SERVER_URL : https://fras-g7g.amazon.com/FrasProxy/
REGISTER_SERVER_URL : https://firs-g7g.amazon.com/FirsProxy/

Do Amazon move their registrations servers while not updating from which URL classic factory reset Kindle should get its certificates? We need debug file from a newer generation Kindle to analyse from which server they get their certificates after performing a factory reset.

DiapDealer probably could help us see differences between his hopefully still connected Kindle 2 with mine factory reset Kindle DX.

I hope it is only a matter of missing some public domain files in certain directories and I hope these files can easily patched to specific SN, ICCID, and ESN.

[knc1]

Only that would break the signature of the certificate (unless you have Amazon's private key to sign the patched file with).

The search bar "dump messages" command is very old - was available even on series 2 devices:
;dm

[knc1]

Quote:

Originally Posted by knc1

Only that would break the signature of the certificate (unless you have Amazon's private key to sign the patched file with).

The search bar "dump messages" command is very old - was available even on series 2 devices:
;dm

I just checked the root certificates on my desktop PC (which is current) -
Gutenburg must be out of business - name never appears and google could not help me find their web-site.
BUT -
Amazon is also a "trusted root ca" and there are at least 4 or 5 root certificates for Amazon.


Hmm...
Maybe Amazon forgot to update the older firmwares when Gutenburg died.

[DeKuns]

Quote:

Originally Posted by knc1

I just checked the root certificates on my desktop PC (which is current) -
Gutenburg must be out of business - name never appears and google could not help me find their web-site.
BUT -
Amazon is also a "trusted root ca" and there are at least 4 or 5 root certificates for Amazon.


Hmm...
Maybe Amazon forgot to update the older firmwares when Gutenburg died.

Akh.. Amazon excuse is better like that rather than they did it intentionally. Anyway, DiapDealer has brought his K2 from death. It is still connected and sync with Amazon. His/Her K2 was never been factory reset after Amazon allowed a brief window time to re-register Gen 1-2 Kindle in 2017. So there is something in a non-factory reset Gen 1-2 Kindle that enables them to still connect to Amazon. Would that probably the 'missing' certificate?

DiapDealer is active in another thread: https://www.mobileread.com/forums/sh...=320147&page=2

[knc1]

Quote:

Originally Posted by DeKuns

Akh.. Amazon excuse is better like that rather than they did it intentionally. Anyway, DiapDealer has brought his K2 from death. It is still connected and sync with Amazon. His/Her K2 was never been factory reset after Amazon allowed a brief window time to re-register Gen 1-2 Kindle in 2017. So there is something in a non-factory reset Gen 1-2 Kindle that enables them to still connect to Amazon. Would that probably the 'missing' certificate?

DiapDealer is active in another thread: https://www.mobileread.com/forums/sh...=320147&page=2

Right.
I don't know if my system firmware backup script will work on a K2, I only tested on touchscreen devices.
But the K2 is old enough, someone MUST have written (and posted) some such utility.

[DeKuns]

Amazon has fix over the 3G, just by now! My Kindle DX is now 100% registered from the device. They hear us. I will make study what actually they did. By looking the ;dm, I can initially report they might re-route where my Kindle should get the certificate definitely not from fras-g7g.amazon.com. I can see in the debug file that Amazon seemed to update what we have suspect as 'expired' gutenberg certificate.

[DiapDealer]

Quote:

Originally Posted by DeKuns

Amazon has fix over the 3G, just by now. My Kindle DX is now 100% registered from the device. They hear us. I will make study what actually they did. By looking the ;dm, I can initially report they might re-route where my Kindle should get the certificate.

That's very similar to what happened back in 2017 with my K2US. Couldn't register over 3G; complaints were made, and then I could register over 3G.

[eddie.t.h]

Quote:

Originally Posted by DeKuns

Thanks for the info!
So it is currently affecting Gen 1-2 only. I read here Gen 3 might inherit the same process in communicating to Amazon server:
https://www.turnkeylinux.org/blog/kindle-root



If you can analyze the debug file, then could you inform here what file that Amazon send from their CERT_SERVER_URL? This is where I saw my Kindle DX stop in registration process because it received a respond from the server that the file is not found. Thanks.

Unfortunately, the debug file does not contain anything about registration. Maybe too much time has passed. In the location /var/local/java/prefs/certs I have two files: client.p12 client.pem
client.pem looks like a normal ssh key but from what I see it contains the device serial number, motherboard number, etc.
client.p12 is totally unreadable.