Firmware Update Kindle Firmware 5.16.2.1

[bulltricks]

There are two exploits that work on 5.16.2.1 that I am waiting (and waiting, and waiting) for Amazon to formally close so I can disclose the write-up and let folks have at it.

One of the exploits requires specific corruption of the FAT file-system.
This is being mitigated in the 5.16.3 family by converting from mass storage to MTP..

The other exploit is at the Javascript level As far as I can tell, it is still present in 5.16.3 -- it will need to be fixed on all devices in parallel, and it really needs to be fixed.

Now, with that said, I'm not a Jailbreak writer.

All these exploits do is give you the ability to execute arbitrary code as root.

There are additional pieces that needs to be done so the Kindle Jailbreak Framework works. This has to be done with some degree of caution because something the Framework does can cause a boot loop if a certain file doesn't get +x permissions.

Which is a long way of saying, if you want a jailbroken Kindle stay on the firmware it came with, and impatiently wait.

[innocenat]

Quote:

Originally Posted by bulltricks

One of the exploits requires specific corruption of the FAT file-system.
This is being mitigated in the 5.16.3 family by converting from mass storage to MTP..

Oh so this is the main reason for MTP. I don't buy the argument that Amazon went MTP to lock down the device more, and this is a much more reasonable explanation. Thank you.

[j.p.s]

Quote:

Originally Posted by innocenat

Oh so this is the main reason for MTP. I don't buy the argument that Amazon went MTP to lock down the device more, and this is a much more reasonable explanation. Thank you.

Blocking jailbreaks is a form of locking down.

[innocenat]

Quote:

Originally Posted by j.p.s

Blocking jailbreaks is a form of locking down.

Fixing security problems are always what every developer should do. I want my device to be secured.

[reminon]

Quote:

Originally Posted by bulltricks

There are two exploits that work on 5.16.2.1 that I am waiting (and waiting, and waiting) for Amazon to formally close so I can disclose the write-up and let folks have at it.

One of the exploits requires specific corruption of the FAT file-system.
This is being mitigated in the 5.16.3 family by converting from mass storage to MTP..

The other exploit is at the Javascript level As far as I can tell, it is still present in 5.16.3 -- it will need to be fixed on all devices in parallel, and it really needs to be fixed.

Now, with that said, I'm not a Jailbreak writer.

All these exploits do is give you the ability to execute arbitrary code as root.

There are additional pieces that needs to be done so the Kindle Jailbreak Framework works. This has to be done with some degree of caution because something the Framework does can cause a boot loop if a certain file doesn't get +x permissions.

Which is a long way of saying, if you want a jailbroken Kindle stay on the firmware it came with, and impatiently wait.

Would it be ok to assume that it works on 5.16.1? Judging from context clues, I wager that you meant up to 5.16.2.1, but someone will ask anyway.

[Stanner]

May be, this almost common Linux vulnerability can be used for new JB?
https://blog.qualys.com/vulnerabilit...e-glibcs-ld-so

[Frogm4n]

> This vulnerability was introduced in April 2021 (glibc 2.34)

This is a very narrow window of vulnerability, esp. for production embedded devices. Amazon does not use glibc in these devices. I just checked the most recent 5.16.3.1 code for the Scribe and Amazon uses klibc_1.5.25. So they use an old version even of that (current klibc is 2.0.10).

https://www.amazon.com/gp/help/custo...deId=200203720

https://en.wikipedia.org/wiki/Klibc

EDIT: I guess I could be misreading what they use klibc for. It may not be for the userland on a fully booted kernel. In any case, Amazon isn't using bleeding edge versions, nor even "fresh" versions.

[bulltricks]

Quote:

Originally Posted by reminon

Would it be ok to assume that it works on 5.16.1? Judging from context clues, I wager that you meant up to 5.16.2.1, but someone will ask anyway.

The exploit closed in 5.16.3 seems to have been around for quite some time .. it seems to range from 5.14.x. until 5.16.3, and quite possibly older.

[reminon]

Quote:

Originally Posted by bulltricks

The exploit closed in 5.16.3 seems to have been around for quite some time .. it seems to range from 5.14.x. until 5.16.3, and quite possibly older.

Not to be on the eta wen team, but does 5.16.3.1 satisfy your remaining requirements for disclosure? Also, do you think a Bluetooth exploit like bleedingtooth could be adapted?

[Adscn]

Quote:

Originally Posted by bulltricks

There are two exploits that work on 5.16.2.1 that I am waiting (and waiting, and waiting) for Amazon to formally close so I can disclose the write-up and let folks have at it.

One of the exploits requires specific corruption of the FAT file-system.
This is being mitigated in the 5.16.3 family by converting from mass storage to MTP..

The other exploit is at the Javascript level As far as I can tell, it is still present in 5.16.3 -- it will need to be fixed on all devices in parallel, and it really needs to be fixed.

Now, with that said, I'm not a Jailbreak writer.

All these exploits do is give you the ability to execute arbitrary code as root.

There are additional pieces that needs to be done so the Kindle Jailbreak Framework works. This has to be done with some degree of caution because something the Framework does can cause a boot loop if a certain file doesn't get +x permissions.

Which is a long way of saying, if you want a jailbroken Kindle stay on the firmware it came with, and impatiently wait.

Any news about the exploit? Wondering whether 5.16.3.1 fixes that or not.