Old 04-17-2020, 10:44 PM   #1
natalieclem
A very beginner's look at an update binary by a beginner

This is a log of my understanding of Kindle and my journey in learning. I'm doing this mostly to put down what I'm doing, but also to share it with this forum and hopefully others curious about their Kindle. I hope to share knowledge with others and collaborate (mostly what I assume is going to be me saying "oh, there's a thing, whatever could it be" and shrugging!)
This reads more as a collection of notes than anything else, but I hope to use this post as my notes!

So if you're super well versed in Kindles and Linux systems etc., I doubt you'll get much out of this, nothing you couldn't find yourself/already know. And I'm not saying everything (or even anything aha) here is correct or valid, just what I understand. So I doubt this will be of worth to the vast majority, but that won't stop me aha.

If you want to try to look around yourself (I recommend it for anyone interested), I will first recommend reading up on how Linux came to be and a basic understanding of how it works. I am still in this phase! I am still learning, with so much ahead of me.

This post is what inspired me and to some level helped along the way so thanks to everyone over there.


Keep in mind, I have very little knowledge in this area and this is just to have an explore and satisfy my curiosity.

I'm using an install of Kali Linux just because it has some preinstalled tools and I can keep things contained.

As I have a Kindle Oasis 3 (champagne edition, no less) on the latest version, I'll be looking at the 5.12.4 update binary located here and the source code located here.
This update apparently does what I could only describe as "stuff" to the Aa menu. This is probably a poor update to analyze as it will only be changing these things, but it also includes
Code:
Performance improvements, bug fixes, and other general enhancements.
So I assume we'll see artifacts from whatever those include.

So with the .bin at hand, the first thing I do is use the wonderful kindletool from here to extract the update. The contents are shown here:
Code:
/imx7d_zelda
update-payload.dat.sig
update-payload.dat
rootfs.img.gz
rootfs.img.gz.sig
I then used binwalk -e (one of my most used commands aha!) on both rootfs.img.gz and /imx7d_zelda/bios.img
This provided me with what I can only assume to look like parts of the Linux file system, so of course my monkey brain decided to combine them, leaving the original files intact, to form a more unified collection of files and folders. Some files had to be replaced, but I charged on ahead.
This combined folder is what I'll be looking at from now on, so I won't know whether a file came from x or y.

Perhaps a bad idea, as they must have different functions, but it's something I'll look at later. The root file system image is the bigger of the two; perhaps the boot image is the one being copied over to the rfs, with all the bios.bin, u-boot.bin, s-bios.bin taking the helm.
Code:
128 32cd69453ae89bd2e5fa66344261e287 imx7d_zelda/bios.bin 0 bios.bin
128 322ee9057792cf0184b2e6498f91de32 imx7d_zelda/s-bios.bin 0 s-bios.bin
128 f4ab484f20889edaa1361b99c9cae45b imx7d_zelda/u-boot.bin 3 bootloader_bin
128 f6271d5f28c37978c72adf62bb9a2879 imx7d_zelda/boot.img 87 update_image_boot
128 a1ad9694926e79419325211bb742b3c5 rootfs.img.gz 2005 update_image_rootfs
This seems to be the "mapping" from the update to the actual system's files, which then takes it further.

Anyway back to the files.

First I look at /app/
The file ./bin/INFO says this:
Code:
This is a file from JunoDummyPackage. JunoDummyPackage should never be consumed in reality.
What JunoDummyPackage is, I have no clue. I only know it's referenced a few times and it's on version 1.0.1.0.
"Juno" seems to be Amazon's way of making certain things for Kindle OS?
A few files in /app/bin refer to Juno, ARNApplication, KindleSDK and KPPcore. I assume these are Lab126's own tools and SDKs to develop for the Kindle.

Moving on to /app/bin, there are a few executables and a framerTool.sh script which curiously just seems to do this:
Code:
DISPLAY=:0.0 /app/bin/framerView /mnt/us/framer &
My bash isn't all that, but it seems to, well, be a tool for something else.

Next I looked at screenControl in Ghidra. Since I have no idea how I'd even start looking at this in the flow of how KindleOS operates, I have to just view it as a single executable.
Ghidra nicely decompiles all of the strings in this and we can see it is mostly just HTML. I have read (if I remember where, I'll include a link) that in earlier KindleOS versions the majority of the UI was based on Java with some HTML. This seems to be filled with quite a lot of HTML being appended onto a GString. My favorite line being
Code:
g_string_append(puVar5,"a {color: hotpink; text-decoration: none;}\n");
Because hot pink isn't enough of a text decoration! I assume this is for dev purposes when they emulate (?) a Kindle on their fancy RGB screens.
In this decompiled C file I'm skipping past a whole bunch of selections based on the parameters, because I see most of this code as a black box with the lid open, in a pitch black room. Little things like
Code:
iVar3 = cJSON_GetStringItem(uVar4,"niceName",0);
make me like to look round these things.

As there was a *lot* of HTML present here, I might try to collect it and see what it may look like, but I'm not sure of the value of this other than curiosity!

# This now moves on to me analyzing a few jailbreaks
Again, this is just my understanding and I'm using this just to put down what I understand.

From what I can understand from past jailbreaks, a successful kindle jailbreak seems to be to deliver a modified signature in the form of a .keystore and a .pem into the kindle's trusted list of allowed signatures for updates, this then allows a community made update to the kindle which then can modify the kindle's system and allow for persistent root access on the kindle to then install further tools etc.

A more recent jailbreak is seen here. My understanding is (a great read-up is here, though; this is just my beginner's understanding!) that by using a combination of factory firmware (which by oversight allowed the unsigned signature to be used) and a flaw in the way busybox (a collection of Unix utilities) handles absolute paths, the pubdevkey01.pem is put into /etc/uks. Other jailbreaks use other flaws in the Kindle system to deliver the key.


Anyway, for now I will put this down because I realized the time! Apologies for any mistakes/spelling errors; I shall try to fix these, but I will end up continuing in another post. That's for another evening.
A big thank you to everyone on this forum; your explanations and work on here are very much appreciated.
Old 04-18-2020, 02:33 PM   #2
NiLuJe
Sidebar: the rootfs is just what it says on the tin. Gunzip it, and loop mount it ro.

Last edited by NiLuJe; 04-18-2020 at 03:33 PM.
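The md5 table from post #1 and NiLuJe's gunzip-and-loop-mount sidebar, as an added shell example that is not code from the thread or from KindleTool: it checks every listed file against the extracted tree and wraps the read-only mount step. It assumes the second field of each line is the MD5 of the file's plain contents (the other fields are carried along uninterpreted) and that md5sum and a Linux mount with loop support are available; the demo tree and list are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from KindleTool.
# verify_update_list LISTFILE DIR
#   Each line: <blocksize> <md5> <path> <n> <name>  (as in post #1's table).
#   Assumption: the md5 field is the MD5 of the file's plain contents.
#   Prints OK/MISMATCH/MISSING per entry; returns 0 only if every file matches.
verify_update_list() {
    list="$1"; dir="$2"; bad=0
    while read -r blocksize expected path rest; do
        [ -z "$path" ] && continue                 # skip blank lines
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING   $path"; bad=1; continue
        fi
        actual=$(md5sum "$dir/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (listed $expected, got $actual)"; bad=1
        fi
    done < "$list"
    return "$bad"
}

# mount_rootfs_ro ROOTFS_GZ MOUNTPOINT
#   NiLuJe's sidebar: gunzip the rootfs and loop-mount it read-only.
#   Needs root and a Linux loop device; the demo below does not call it.
mount_rootfs_ro() {
    gunzip -k "$1" && mkdir -p "$2" && mount -o ro,loop "${1%.gz}" "$2"
}

# demo_verify: constructed tree with one good entry (MD5 of "hello\n"),
# one tampered entry and one missing file. Returns 1, as a real mismatch would.
demo_verify() {
    tmp=$(mktemp -d); mkdir -p "$tmp/imx7d_zelda"
    printf 'hello\n' > "$tmp/imx7d_zelda/bios.bin"
    printf 'tampered\n' > "$tmp/rootfs.img.gz"        # sum will not match the list
    printf '%s\n' \
      '128 b1946ac92492d2347c6235b4d2611184 imx7d_zelda/bios.bin 0 bios.bin' \
      '128 a1ad9694926e79419325211bb742b3c5 rootfs.img.gz 2005 update_image_rootfs' \
      '128 f4ab484f20889edaa1361b99c9cae45b imx7d_zelda/u-boot.bin 3 bootloader_bin' \
      > "$tmp/list.txt"
    if verify_update_list "$tmp/list.txt" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}
```

Run `demo_verify` to see one OK, one MISMATCH and one MISSING line; on a real extraction, point `verify_update_list` at the kindletool output directory.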
Old 04-18-2020, 02:45 PM   #3
knc1
"oversight in the Kindle's system" ???
Ah, come on now, everyone (at Amazon) knows there is no such thing as "errors" or "oversights" in the Kindle's build system produced by Lab126.


Well, other than for the first ten years or so that we have been training the Lab126 techs.
Old 04-18-2020, 03:28 PM   #4
JSWolf
Quote:
Originally Posted by knc1
"oversight in the Kindle's system" ???
Ah, come on now, everyone (at Amazon) knows there is no such thing as "errors" or "oversights" in the Kindle's build system produced by Lab126.


Well, other than for the first ten years or so that we have been training the Lab126 techs.
Just major screw-ups.
Old 04-18-2020, 03:36 PM   #5
NiLuJe
Quote:
Originally Posted by natalieclem
factory firmware (which by oversight allowed the unsigned signature to be used)
Not quite. Those are official packages, they're left untouched, and as such are signed properly, hence why they pass the sigcheck.

The only thing that's relaxed is the device check, but, again, that's just because of the nature of the package: factory updates are Platform-bound, not Device-bound like OTA updates.