KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card

[jp12323]

Quote:

Originally Posted by tryol

First of all:
I'm pretty new here so I'm not sure how openly this stuff should be discussed. If I'm going too far, I'd like to ask one of the mods to delete this message!

I managed to pull off the external code exection part of the exploit, and with that, (hopefully) the hard part of it is over. I won't be able to progress any further without a cracked kindle though, so I hope fonix232 can help me out with that. (PM'd you!)

As for sharing the jailbreak - if I manage to make it work, no promises - I've thought about multiple ways that would make it hard for anybody to get access to the modified image. Unfortunately, this would require me hosting it on a website, meaning that people would have to risk getting an automatic update by turning on their wifi.

Alternatively I could publish the image file so people could host their own web server locally to access it, but that'd make it really easy for bad actors to use it for scary things.


I'm open to ideas. If anyone can think of a better way to share it, please let me know!

Did you need more than 1 tile/1 absolute write primitive?

[tryol]

Quote:

Originally Posted by jp12323

Did you need more than 1 tile/1 absolute write primitive?

Yes. 1 is needed for writing the shellcode and 1 for spraying GOT for its address. I figured out how to do that though so it's not a problem anymore. Right now i'm working with 25 tiles that allows me to completely overwite all of the GOT.


So far i've only managed to make it work with the JPEGRX reference app, not mesquite (the web browser on Kindles).
Unfortunately even though yparitcher helped me with finding the correct memory addresses, it seems like the JPEGRX library that mesquite got compiled with differs from the reference one (the one i'm using).

Right now i'm trying to make mesquite run with QEMU on my Debian VM to be able to debug the image. If anybody can help me with that I'd appreciate it!

[fonix232]

Quote:

Originally Posted by tryol

First of all:
I'm pretty new here so I'm not sure how openly this stuff should be discussed. If I'm going too far, I'd like to ask one of the mods to delete this message!

I managed to pull off the external code exection part of the exploit, and with that, (hopefully) the hard part of it is over. I won't be able to progress any further without a cracked kindle though, so I hope fonix232 can help me out with that. (PM'd you!)

As for sharing the jailbreak - if I manage to make it work, no promises - I've thought about multiple ways that would make it hard for anybody to get access to the modified image. Unfortunately, this would require me hosting it on a website, meaning that people would have to risk getting an automatic update by turning on their wifi.

Alternatively I could publish the image file so people could host their own web server locally to access it, but that'd make it really easy for bad actors to use it for scary things.


I'm open to ideas. If anyone can think of a better way to share it, please let me know!

Nice work! I've replied to your PM.

As for hosting I'd recommend GitHub. Its free, and with GitHub Pages you can get a proper website up and running, hosting the image, in no time. I've set up a repo and once we get the image working, I'll write up a guide as well.

Also, automatic updates can be disabled relatively easily - I'm talking about the "update bin partial" folder name trick.

[dhdurgee]

Quote:

Originally Posted by fonix232

Nice work! I've replied to your PM.

As for hosting I'd recommend GitHub. Its free, and with GitHub Pages you can get a proper website up and running, hosting the image, in no time. I've set up a repo and once we get the image working, I'll write up a guide as well.

Also, automatic updates can be disabled relatively easily - I'm talking about the "update bin partial" folder name trick.

The folder trick does NOT work with the later firmware releases and nothing but airplane mode works with the most recent release.

Dave

[hius07]

This blocking OTA method works so far
https://www.mobileread.com/forums/sh...d.php?t=327879

[jp12323]

https://i.imgur.com/xfOnpdX.png
...took a look at libjpegXR.so in IDA and realized that there was no way I'd be able to do this exploit. Some windows RE'ing experience doesn't make me remotely qualified lol

Hope someone here can help with mesquite & priv escalation, would love to finally have a working jailbreak for the oasis 2

[ilovejedd]

Quote:

Originally Posted by hius07

This blocking OTA method works so far
https://www.mobileread.com/forums/sh...d.php?t=327879

That only works if you're already jailbroken.

[fonix232]

Quote:

Originally Posted by dhdurgee

The folder trick does NOT work with the later firmware releases and nothing but airplane mode works with the most recent release.

Dave

Good to know. I've followed the above linked guide and disabled the services. Took a few looks around, looking for obvious URLs or configs to allow some DNS-based blocking, but alas no luck.

[j.p.s]

Quote:

Originally Posted by fonix232

Good to know. I've followed the above linked guide and disabled the services. Took a few looks around, looking for obvious URLs or configs to allow some DNS-based blocking, but alas no luck.

If you are willing to use IP blocking instead of URL blocking you might want to look at:
https://www.mobileread.com/forums/sh...d.php?t=205925

[fonix232]

Quote:

Originally Posted by j.p.s

If you are willing to use IP blocking instead of URL blocking you might want to look at:
https://www.mobileread.com/forums/sh...d.php?t=205925

I have DNS based filtering set up on all my devices, either via the router's DNS settings, or directly through the device. So for me, blocking by domain is a bit easier.

Once we have the domain names, it's also relatively straightforward to use the hosts file instead of firewall hacks to disable OTAs.

[Akirainblack]

Have you made any progress with this?
The suspense is all but killing me!

[tryol]

Quote:

Originally Posted by Akirainblack

Have you made any progress with this?
The suspense is all but killing me!

Unfortunately I've been hard stuck for many days now.
I managed to make the image parse on 3 different versions of the reference code, but I can't seem to be able to do the same on Amazon's version of the JPEGXR library.

I've reverse engineered the (.jxr) parsing code in their library for the most part, but I can't find any differences from the reference code except for the lack of asserts and the way in which the image is stored in memory (which I already accounted for).
Seems like that something stops the image before or while it's parsing, so I can't write anything to memory.

I didn't have much time for the past few days so I couldn't progress any further, but I'm definitely not giving up yet.

[tryol]

Update:
I managed to figure out a few days ago why my image wasn't parsing, and ever since then it's been smooth sailing. Right now I'm writing / testing the shellcode that'll do the PE, so this shouldn't take long now.

I'm new to the Kindle jailbreaking scene, I only got my first Kindle a few months ago, so I'm not sure what would need to be done after the PE.

Quote:

Originally Posted by NiLuJe

Assuming that's post privilege escalation, the shellcode basically only needs to call `sh /mnt/us/jb.sh` (or something similar, c.f., @BranchDelay's JB).

I've checked on BranchDelay's JB and they explicitly say in the OP that it won't work on any firmware above 5.6.5.

Is there a more up-to-date jailbreak that works on all devices? What would I need to do in order to get my Oasis 3 jailbroken? (This is all post-PE obviously.)

[NiLuJe]

BD's *exploit* won't work above 5.6.5. There's nothing against running a script on a noexec mount like that to bypass the binfmt handler, this isn't ChromeOS .

[NiLuJe]

By which I mean, you can make roughly the same assumptions as a serial JB.