Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 11-01-2019, 09:03 AM   #1
pavel-s
Enthusiast
Posts: 35
Karma: 10
Join Date: Sep 2017
Device: PW3/4
How to write a jailbreak (Process, Quick Start, First Steps, etc)?

Hi,

I have a general understanding of what a jailbreak actually is: as far as I can see, it requires finding a vulnerability in a "binary" (or, even better, in the system) that anyone can exploit (if they know how). I also have some knowledge and experience in reverse engineering.

So, the main question is: are there any guides on MobileRead (or anywhere outside it) on how to start writing a Kindle jailbreak, and where should I look? Could someone give any directions on where to start? If I were able to find a way to bypass security in a firmware, how would I integrate this knowledge with the existing infrastructure (e.g. what should I do to make it possible to install KUAL, etc.)?

And I know this process requires a tremendous amount of time investment.
Old 11-01-2019, 10:37 AM   #2
pavel-s

It seems like the entry point is NiLuJe's KindleTool. A quick overview of the process:
  1. Download KindleTool from the snapshots page.
  2. Download the firmware you are interested in from Amazon (google for "kindle paperwhite 4 download update").
  3. Unpack the firmware with kindletool (use the "extract" command, e.g. ./kindletool extract firmware.bin firmware_unpacked).

After extraction, inside the extracted folder (e.g. firmware_unpacked) you'll see the following folder structure (this is how it looks for PW4 5.12.2):

Code:
imx6sll_rex                 <- folder containing chip firmwares, etc.
rootfs.img.gz               <- compressed filesystem
rootfs.img.gz.sig
update-payload.dat
update-payload.dat.sig
From here you can look at all the files, folders, etc. in rootfs.img.gz using any archive manager (e.g. 7z). You can also go deeper and disassemble the boot images, firmwares, etc. inside imx6sll_rex with any disassembler you like (e.g. IDA Pro, Radare, etc.).

The forum itself contains a lot of info regarding the internals of the Kindle software, and the source code for the firmware update can be downloaded from here (Amazon).

For examples of how current hacks work, it's possible to unpack any hack with the same kindletool and see what is inside.

This is what I figured out so far, thanks.
Old 11-01-2019, 11:02 AM   #3
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
JMTCsW:
I do not think that any of the jailbreaks over the years have used the same vulnerability.
Well, other than the most general vulnerability: Lab126
<< several of my most favorite rants deleted at this point >>
  • You want to have a complete Linux system from one of the more popular distributions.
    Anything else will just make your work harder and/or more confusing.
    Note: Your complete Linux system can load the Kindle's binary filesystem. It can also run ARM native code on your x86/amd64 development system.
  • Additional resources:
    • KindleTool
      Required. From: NiLuJe's snapshots thread. Also available in source code form in a public repository.
    • Kindle resources
      Required. Your favorite Kindle firmware version, both binary (update_*.bin) and source code (only the public parts are posted).
    • Tools
      Your number one tool will probably be just staring off into the distance while the mind works.
      • Machine code review
        Suggested. A good tool to consider is IDA Pro. See: https://www.hex-rays.com/products/ida/index.shtml
      • Java bytecode review
        Suggested. Procyon. Read through its Wiki page for choices. See: https://bitbucket.org/mstrobel/procy...a%20Decompiler
      • Scripting review
        Required. Get out your most powerful code documenting text processor.
        There is still a lot of readable scripting in the Kindle coding.
      • Serial port connection
        Recommended. You may never need it, but if you need it, it is already too late to install it.
      • Local networking
        Suggested. It should be possible to "net boot" the Kindle system.
  • Lots of free time.
  • The Amazon servers keep all prior Update_*.bin and partial source code files.
    Use them, do not Google for anything when you can get the originals from Amazon.
  • Note: The 'Androidized' device/firmware combinations are still mostly unknown, the previous 'dual system boot' device/firmware combinations are better described.

Last edited by knc1; 11-01-2019 at 11:14 AM.
Old 11-01-2019, 11:31 PM   #4
pavel-s
That's great, thanks knc1! Could you please give links or describe the process of "net boot" a bit? Using a serial port connection also looks kind of like magic to me.
Old 11-02-2019, 09:04 AM   #5
knc1
Quote:
Originally Posted by pavel-s View Post
That's great, thanks knc1! Could you please give links or describe the process of "net boot" a bit? Using a serial port connection also looks kind of like magic to me.
Our "serial port for dummies" (or words like that) is quite complete.
Other than specifics for the "Androidized" device/firmware combinations (such as the PW4 IIRC).

A couple of years old, without specific details for a Kindle client or a non-Debian server....
The general process reads like:
https://wiki.debian.org/PXEBootInstall

Hey, You have to make this stuff up as you go along, you can't expect Amazon/Lab126 to be writing e-book tutorials.

On the subject of PW4 firmware releases (not including the initial, first shipped, release):
Code:
mszick@HP8300:/usr/local/PW4$ wget https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_paperwhite_v2_(desired version string here).bin

- - - -

mszick@HP8300:/usr/local/PW4$ ls -l
total 1522788
-rw-rw-r-- 1 mszick mszick 264050447 Nov  1  2018 update_kindle_all_new_paperwhite_v2_5.10.1.2.bin
-rw-rw-r-- 1 mszick mszick 264140829 Dec  7  2018 update_kindle_all_new_paperwhite_v2_5.10.2.bin
-rw-rw-r-- 1 mszick mszick 256324243 Mar 20  2019 update_kindle_all_new_paperwhite_v2_5.11.1.bin
-rw-rw-r-- 1 mszick mszick 257231761 May 29 04:43 update_kindle_all_new_paperwhite_v2_5.11.2.bin
-rw-rw-r-- 1 mszick mszick 258629777 Jul  5 10:52 update_kindle_all_new_paperwhite_v2_5.12.1.bin
-rw-rw-r-- 1 mszick mszick 258942008 Oct  1 05:08 update_kindle_all_new_paperwhite_v2_5.12.2.bin
mszick@HP8300:/usr/local/PW4$
That is a lot of updates for a one year old machine.
And a once every two months update schedule is a difficult thing to keep up, at least without making even one mistake that we could use.

# 16 999

Last edited by knc1; 11-02-2019 at 09:28 AM.
Old 11-03-2019, 04:21 AM   #6
pavel-s
Quote:
Originally Posted by knc1 View Post
Our "serial port for dummies" (or words like that) is quite complete.
Other than specifics for the "Androidized" device/firmware combinations (such as the PW4 IIRC).

A couple of years old, without specific details for a Kindle client or a non-Debian server....
The general process reads like:
https://wiki.debian.org/PXEBootInstall
Thanks for the links. Though, for someone who has little knowledge of Linux internals (me included), understanding the "specific details for Kindle" may be a hard task.

Quote:
Originally Posted by knc1 View Post
Hey, You have to make this stuff up as you go along, you can't expect Amazon/Lab126 to be writing e-book tutorials.
That would be what I call a good "customer care"

Quote:
Originally Posted by knc1 View Post
That is a lot of updates for a one year old machine.
And a once every two months update schedule is a difficult thing to keep up, at least without making even one mistake that we could use.
Yeah, especially the Bluetooth "stack" may be the way to go. Yesterday I reversed /usr/btui a bit; it looks promising.

BTW, here is another interesting link for those who are interested in this topic (Kindle architecture overview, etc.): Kindle Touch Hacking: The big picture | MR Wiki

Quote:
Originally Posted by knc1 View Post
# 16 999
This is quite impressive! I would prepare a bottle of champagne
Old 11-05-2019, 08:18 AM   #7
MrTick
Enthusiast
Posts: 53
Karma: 2340139
Join Date: Dec 2018
Device: K3 DxG PW1 KV PW4
Personally I recommend this write-up regarding 5.6.5 jailbreak:
https://github.com/sgayou/kindle-5.6.../doc/README.md
It summarizes the jailbreak back in times when it was easy
Old 11-05-2019, 05:25 PM   #8
knc1
Quote:
Originally Posted by MrTick View Post
Personally I recommend this write-up regarding 5.6.5 jailbreak:
https://github.com/sgayou/kindle-5.6.../doc/README.md
It summarizes the jailbreak back in times when it was easy
Branch Delay mentioned he would do a write-up of the work he did, but I forgot to look it up.
I did just now read his link above.
He did a nice job and a lot of it is general knowledge for anyone interested.

# 17 000
Old 11-05-2019, 09:13 PM   #9
pavel-s
Quote:
Originally Posted by MrTick View Post
Personally I recommend this write-up regarding 5.6.5 jailbreak:
https://github.com/sgayou/kindle-5.6.../doc/README.md
It summarizes the jailbreak back in times when it was easy
Thanks a lot for the link! It's very inspiring and teaches how to think and which mindset you should have in order to make a jailbreak effectively. Must read for a quick start.

And yeah, exploiting the browser/java may be much easier than looking at BT implementation (my mistake).
Old 11-06-2019, 04:09 AM   #10
MrTick
Quote:
Originally Posted by pavel-s View Post
exploiting the browser/java may be much easier
Note that the browser is now sandboxed (runs in a hermetic environment) and it'll be much harder to get outside of this 'box'.
Old 11-06-2019, 03:16 PM   #11
knc1
SRE - Tools

Here is one tool worth considering:
https://ghidra-sre.org/
Check out the 6 minute video on that page also.

Not in response to the recurring complaints of our (USA) National Security Agency getting into everyone's business...
But here they have gone "Open Source" and released their software tools in a GitHub repository.

Yes Virginia, NSA has gone open source:
https://code.nsa.gov/

(Actually, NSA has been a long time contributor to the Open Source movement, including the Linux project.)

= = = = = Later = = = = =

What could go wrong with Busybox (PW4-5.12.2)?
Not much, that should be fairly solid, if Lab126 hasn't "improved it".



Well, Phooey! That picture came out way too small...
The actual error message is:



The point is that this bit of NSA software is worth looking into, not that Lab126 managed to screw up their build system using one of the most solid programs in OS existence.
Yeah! Lab126.

- - - - - -

And: Yes! NiLuJe, this program also de-compiles (to C).

Last edited by knc1; 11-07-2019 at 09:26 AM.
Old 11-08-2019, 02:25 AM   #12
pavel-s
Quote:
Originally Posted by knc1 View Post
Well, Phooey! That picture came out way too small...
The actual error message is:


@knc1, does it mean that it can be exploited? I'm pretty new to this; could you "unpack" it a bit?

The closest thing I found is this "buffer overflow" chapter from "Computer Security: A Hands-on Approach".
Old 11-08-2019, 03:46 AM   #13
knc1
Quote:
Originally Posted by pavel-s View Post
@knc1, does it mean that it can be exploited? I'm pretty new to this; could you "unpack" it a bit?

The closest thing I found is this "buffer overflow" chapter from "Computer Security: A Hands-on Approach".
I do not have the slightest idea.

I only noted that the analysis routines automatically found something very difficult to find without any help from me.
AND
It is about $2,000/year cheaper than IDA Pro.
Old 11-08-2019, 11:56 AM   #14
pavel-s
Yeah, IDA Pro is the priciest software on the market. Binary Ninja costs $600, while Ghidra and Radare are free. Ghidra is a bit less intuitive for me compared to IDA Pro. It's much easier to read assembly in IDA, especially in "graph" mode. Though the generated C++ code is probably cleaner in Ghidra.

Quote:
Originally Posted by knc1 View Post
Here is one tool worth considering:
https://ghidra-sre.org/
Check out the 6 minute video on that page also.
Also, it would be great to try the "shared project" feature in Ghidra. For example, it would be possible for multiple MobileRead users to reverse engineer almost the entire Kindle binary together, and it may be much faster than reversing it on our own.
Old 11-08-2019, 12:12 PM   #15
knc1
Quote:
Originally Posted by pavel-s View Post
. . . . .

Also, it would be great to try the "shared project" feature in Ghidra. For example, it would be possible for multiple MobileRead users to reverse engineer almost the entire Kindle binary together, and it may be much faster than reversing it on our own.
That was one of the things that caught my eye.
Something that "we" have never done other than simple cooperation.


Another thing, Ghidra can evaluate code paths with binary comparisons.
Also, Ghidra can be scripted.
My thoughts are leading towards ::
Once a single firmware version is done in its entirety, only Ghidra scripted "next" versions have to be evaluated by a person.
Anything the "same" would only be handled by the script reporting.
Now that might be either impractical or not possible, but it is the direction of my thoughts.

Another thought to check into ::
Maybe it is possible to host the Ghidra server on one of Amazon's free, supercomputer clouds.
Ref: https://aws.amazon.com/free/?all-fre...sort-order=asc

Or maybe one of the smaller, several million core, machines:
https://www.top500.org/list/2019/06/
(Amazon has stopped listing their supercomputers on that (voluntary) list.)

PS: 500 of the top 500 machines run Linux.

Last edited by knc1; 11-08-2019 at 12:59 PM.
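knc1's idea above (do one firmware version in full, then let a script report what the "next" version changed so a person only reviews the differences) can be started well before any Ghidra scripting, at the file level. The following is an added example, not code from this thread or from Ghidra: it compares two directories such as the unpacked rootfs contents of two consecutive update_*.bin releases extracted with kindletool, and buckets the changed files by magic bytes so ELF binaries are routed to a decompiler and shell scripts to a plain text diff. The demo trees, file names (bt.sh, libnew.so, the version strings) and contents are constructed stand-ins, not real firmware.

```python
"""Triage what changed between two extracted firmware trees (e.g. the rootfs of
consecutive update_*.bin releases unpacked with kindletool): list added, removed
and changed files, then bucket them so ELF changes go to a decompiler."""
import hashlib
import os
import tempfile
from pathlib import Path

def kind_of(path: Path) -> str:
    """Classify by magic bytes: ELF -> decompiler work, '#!' -> readable script."""
    with path.open("rb") as f:
        head = f.read(4)
    if head == b"\x7fELF":
        return "elf"
    return "script" if head[:2] == b"#!" else "data"

def snapshot(root: Path) -> dict:
    """Map relative path -> content digest; symlinks are keyed by their target."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            out[rel] = "symlink:" + os.readlink(p)
        elif p.is_file():  # whole-file read is fine for individual rootfs files
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def diff_trees(old: Path, new: Path) -> dict:
    """Sorted lists of paths added, removed and changed between the two trees."""
    a, b = snapshot(old), snapshot(new)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k])}

def triage(old: Path, new: Path) -> dict:
    """Bucket changed and added files by kind so each gets the right review tool."""
    buckets = {"elf": [], "script": [], "data": []}
    d = diff_trees(old, new)
    for rel in d["changed"] + d["added"]:
        p = new / rel
        buckets["data" if p.is_symlink() else kind_of(p)].append(rel)
    return buckets

def make_demo_trees() -> tuple:
    """Constructed stand-in trees (not real firmware) so the example runs offline."""
    base = Path(tempfile.mkdtemp(prefix="fwdiff_"))
    old, new = base / "fw_A", base / "fw_B"
    def put(root, rel, data):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    for root in (old, new):                       # identical baseline in both
        put(root, "bin/busybox", b"\x7fELF" + bytes(32))
        put(root, "usr/btui", b"\x7fELF" + bytes(32))
        put(root, "etc/init.d/bt.sh", b"#!/bin/sh\nstart bt\n")
        put(root, "etc/version.txt", b"A\n")
        (root / "bin/sh").symlink_to("busybox")   # same target: not a change
    put(old, "etc/oldconf", b"x=1\n")                              # removed in B
    put(new, "usr/btui", b"\x7fELF" + bytes(range(32)))            # binary changed
    put(new, "etc/init.d/bt.sh", b"#!/bin/sh\nstart bt --fast\n")  # script changed
    put(new, "etc/version.txt", b"B\n")                            # data changed
    put(new, "usr/lib/libnew.so", b"\x7fELF" + bytes(32))          # added
    return old, new

if __name__ == "__main__":
    print(triage(*make_demo_trees()))
```

On real trees, point `old` and `new` at the two extracted rootfs directories instead of `make_demo_trees()`; everything in the "elf" bucket is the candidate list for the Ghidra shared project, and everything unchanged never needs a second look.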
Tags
hacking, jailbreak kindle, jailbreaking

