5.6.5 Jailbreak (closed-kindle) -- released!

[HarryT]

Quote:

Originally Posted by shalym

Yeah...it seems like the forum search can't handle search terms with decimals, maybe?

Shari

In your user options, you can change the search to using Google, which works enormously better . The "Search Engine" option right at the very bottom of the page.

[knc1]

Quote:

Originally Posted by Gryzor

Yes I should. I did poke around a bit but obviously not enough, apologies!

[EDIT] Huh, I just did search for 5.8.9, I get zero results for either threads or posts... weird.

Quote:

Originally Posted by shalym

Yeah...it seems like the forum search can't handle search terms with decimals, maybe?

Shari

The following works for me (tm):

Code:

https://www.google.com/#q=5.8.9+site:mobileread.com

[HarryT]

Quote:

Originally Posted by knc1

The following works for me (tm):

Code:

https://www.google.com/#q=5.8.9+site:mobileread.com

That's what you'll get "for free" if you change the site search engine to Google .

[knc1]

Quote:

Originally Posted by HarryT

That's what you'll get "for free" if you change the site search engine to Google .

I expected them to be the same also.
But they are not this morning, I tried both ways before posting.

[HarryT]

That's interesting. What results do you get if you change the search engine on the site to Google?

[knc1]

Quote:

Originally Posted by HarryT

That's interesting. What results do you get if you change the search engine on the site to Google?

"Sorry no results."

Same as the internal search engine.

[HarryT]

How very peculiar .

[knc1]

Quote:

Originally Posted by HarryT

How very peculiar .

Inspired by your question, I checked my option settings.
Sure enough, it is still set to 'google' not to 'internal'.

Bit-rot in the forum software?
Bit-mites?

[Gryzor]

Hm, could be indeed, or maybe it thinks its a number of very small strings so it can't find them or something...

[gabbia]

Jailbreak explanations?
is there like a wiki or something?
im not too well versed in javascript so a summary would be nice to use while i check it out

(this also applies to all jailbreaks)

[gabbia]

also reading 10s of pages of forum for exploit info is a pain

[knc1]

Quote:

Originally Posted by gabbia

Jailbreak explanations?
is there like a wiki or something?
im not too well versed in javascript so a summary would be nice to use while i check it out

(this also applies to all jailbreaks)

Quote:

Originally Posted by gabbia

also reading 10s of pages of forum for exploit info is a pain

Branch Delay has published.
Just not at this site.
Scroll up, you will find the link to his publication.

Note:
If reading a few pages of posts is a hardship on you, you don't even want to dream of developing an exploit such as his.

[gabbia]

alright illl scroll. although im not too sure scrolling 80 pages and developing exploits can be compared...two different kinds of skill

EDIT: can't find it. i searched through the original dev's posts.
all i can gather so far is that there is most probably some sort of overflow going on, and i can't understand ;fc-cache in the browser

EDIT2: also, there must be something going on with the long url @stage1, and also the main exploit is that magicfun i guess. just can't figure out how he gets "jb" script to execute...

EDIT3: also that html frame in "frame.html" makes no fucking sense to me..

EDIT4: from what i can gather:
- arbitrary bash commands can be executed on the device. root execution is left up to the exploit (i gather this from the fact you guys say only jb needs to be put into the device)
- there is probably an injection exploit in the browser's search feature ";fc-cache"
- the main concept is all about filling up the heap with memory until the bash script is able to write to /etc/uks/pubdevkey01.pem
- i still don't understand where the "jb" gets called nor how magicfun helps out with writing to that root protected file...also there are some things which _seem_ unnecessary to me. like that "magic string" that gets passed to magicfun...does it have to be weird unicode stuff or can it just be something else?

[gabbia]

Quote:

Originally Posted by Branch Delay

Attached.
Will potentially put up a much easier method this weekend. Also will throw up an explanation sometime in the future.

Special thanks to Cyril for the CVE/original POC, the Gateway 3DS team for a slightly enhanced heap spray, NiLuJe for way too much, and Amazon for fixing it up.

so...where can i find the poc made by Cyril?
it seems like all this info would benefit from being organized somewhere

EDIT: also im thinking what knc1 was referrring to earlier as an "explanation in another site" is probably the famous cve. i can't find it though...

[gabbia]

Quote:

Originally Posted by Branch Delay

;fc-cache was just a trick for mntroot. easy to work around, probably could find something else in a few hours. not critical

so im guessing fc-cache has something to do with running jb shell script?