How to write a jailbreak (Process, Quick Start, First Steps, etc)?

[pavel-s]

Quote:

Originally Posted by knc1

That was one of the things that caught my eye.
Another thing, Ghidra can evaluate code paths with binary comparisons.

Sounds interesting. What is this feature for?

Quote:

Originally Posted by knc1

Once a single firmware version is done in its entirety, only Ghidra scripted "next" versions have to be evaluated by a person.
Anything the "same" would only be handled by the script reporting.
Now that might be either impractical or not possible, but it is the direction of my thoughts.

It would be nice at least to try to dig in this direction.

Quote:

Originally Posted by knc1

Or maybe one of the smaller, several million core, machines:
https://www.top500.org/list/2019/06/
(Amazon has stopped listing their supercomputers on that (voluntary) list.)

PS: 500 of the top 500 machines run Linux.

Today I spin-up a small VM with Ubuntu 16 in my google cloud trial account (though it expires in 40 days) and successfully started a ghidra server (a piece of cake). I haven't tried to add users to it but I'll back to it in a day or two. Then I can publish a repository and send credentials to interested people.

@knc1 Could you recommend a firmware we could try first? PW4-12.2.2?

[knc1]

Quote:

Originally Posted by pavel-s

......

@knc1 Could you recommend a firmware we could try first? PW4-12.2.2?

I was going to start with the PW4 (5.10.1.2 .. 5.12.2) but only because it is fairly recent.
My only other recent model is the KOA2 - which is next to impossible to open if required.

[pavel-s]

Quote:

Originally Posted by knc1

I was going to start with the PW4 (5.10.1.2 .. 5.12.2) but only because it is fairly recent.
My only other recent model is the KOA2 - which is next to impossible to open if required.

That's cool because I'm also highly interested in PW4

Finally, I managed to configure the ghidra server. The active repository is pw4-5.12.2. It may make sense to preserve the original firmware paths. Later I will think about backups, migrations, etc. For anyone interested you can PM me (and later other people who will be able to add new users to the repository) for credentials and other access info.

Thanks

[pavel-s]

Coming back to the original topic. Does anybody aware of what kind of binaries and for what kind of architecture are files bios.bin/s-bios.bin/u-boot.bin inside imx6sll_rex/ directory inside update_xxx.bin?

[knc1]

Bare metal.
If asking how they are packaged ...
It might be something Android related if not u-image, and the u-boot file should always be u-image.

[pavel-s]

Thanks, that helps to understand what is u-boot.bin

However, it's still unclear (1) for what type of a chip the rest of binaries are, (2) how to disassemble them. And (3) what is the process of booting (the big picture).

I have some experience with PIC micro-controllers and soldering-related stuff. So, I hope, I'll be able to tell more after tools for disassembling kindle and serial/usb board arrive.

Update 1:
Interestingly, here is what binwalk says about bios.bin (original image):

[philipz]

?

https://threatpost.com/amazon-kindle...cution/150003/

[NiLuJe]

Slightly clickbait-ish. Last I checked, lab126 used much older uboot builds, and heavily customized ones at that . That said, it'd take someone much more familiar with that to make a decisive announcement .

[philipz]

For completeness into record:

https://securityboulevard.com/2019/1...in-das-u-boot/

https://the-parallax.com/2019/12/06/...curity-pacsec/

[knc1]

The sky is falling, the sky is falling (or some semi-tech blogger has too little to do):

https://nvd.nist.gov/vuln/detail/CVE-2019-13103

https://nvd.nist.gov/vuln/detail/CVE-2019-13104