Fake Registration

[alberiv]

Hi,
I have a pw2 with fw 5.4.2.1. I applied the following mods:
1) Jailbreak
2) Usbnet
3) prevent automatic updates by placing update.bin.tmp.partial folder on user partition
4) Fake registration /var/local/java/prefs/reginfo
5) Block Amazon's ip for fake registration

modify /etc/sysconfig/iptables

iptables -I OUTPUT -m iprange --dst-range 23.0.0.0-23.15.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 50.16.0.0-56.19.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 72.21.192.0-72.21.223.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 107.20.0.0-107.23.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 184.72.0-184.75.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 204.246.160.0-204.246.191.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 205.251.192.0-205.251.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 207.171.160.0-207.171.191.255 -j DROP

6) Change store button to call browser instead:
modifiy /usr/share/webkit-1.0/pillow/javascripts/search_bar.js
7) Enable native drawing app:
add /usr/bin/draw.sh
modify /usr/share/webkit-1.0/pillow/debug_cmds.json

My question is: Does mod #5 also prevent automatic updates and Big Brother, doesn't it ?? so I can remove mod #3...
I got the instructions from the fake registration thread which is for fw 5.2.0 but it's working.
I don't want to install KUAL for the moment I only want these few mods
Thanks

[knc1]

Quote:

Originally Posted by alberiv

Hi,
I have a pw2 with fw 5.4.2.1. I applied the following mods:
1) Jailbreak
2) Usbnet
3) prevent automatic updates by placing update.bin.tmp.partial folder on user partition
4) Fake registration /var/local/java/prefs/reginfo
5) Block Amazon's ip for fake registration

modify /etc/sysconfig/iptables

iptables -I OUTPUT -m iprange --dst-range 23.0.0.0-23.15.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 50.16.0.0-56.19.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 72.21.192.0-72.21.223.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 107.20.0.0-107.23.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 184.72.0-184.75.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 204.246.160.0-204.246.191.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 205.251.192.0-205.251.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 207.171.160.0-207.171.191.255 -j DROP

6) Change store button to call browser instead:
modifiy /usr/share/webkit-1.0/pillow/javascripts/search_bar.js
7) Enable native drawing app:
add /usr/bin/draw.sh
modify /usr/share/webkit-1.0/pillow/debug_cmds.json

My question is: Does mod #5 also prevent automatic updates and Big Brother, doesn't it ?? so I can remove mod #3...
I got the instructions from the fake registration thread which is for fw 5.2.0 but it's working.
I don't want to install KUAL for the moment I only want these few mods
Thanks

There is no guarantee that #5 is all-inclusive, so leave #3 in place.

[alberiv]

thank you very much knc1, I'm glad I asked before doing something wrong.
And what about BB ? Am I safe with those rules ?

[knc1]

Quote:

Originally Posted by alberiv

thank you very much knc1, I'm glad I asked before doing something wrong.
And what about BB ? Am I safe with those rules ?

I do not have a PW2 (or any device of very recent firmware), so I can not say if the list is complete.

If that list comes from the KUAL Firewall/BBB filter script - that is the most recent listing that I have.

[alberiv]

ok thanks so it's only a matter of blocking the right address ranges

[alberiv]

for the sake of knowledge I updated the ip list, removed the update.bin.tmp.partial folder, reset iptables counters and rebooted, because I want to get rid of version 5.4.2.1 anyway.

After keeping wireless on for 30 mins I got this:

PHP Code:

Chain OUTPUT (policy ACCEPT 543 packets, 70565 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2044   622973 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1
       0        0 DROP       all  --  *      *       0.0.0.0/0            23.0.0.0/12
     375    61500 DROP       all  --  *      *       0.0.0.0/0            23.20.0.0/14
       0        0 DROP       all  --  *      *       0.0.0.0/0            50.16.0.0/14
       0        0 DROP       all  --  *      *       0.0.0.0/0            54.240.0.0/12
       0        0 DROP       all  --  *      *       0.0.0.0/0            54.240.128.0/18
       0        0 DROP       all  --  *      *       0.0.0.0/0            64.208.0.0/16
       0        0 DROP       all  --  *      *       0.0.0.0/0            64.209.0.0/17
      26     1624 DROP       all  --  *      *       0.0.0.0/0            72.21.192.0/19
       0        0 DROP       all  --  *      *       0.0.0.0/0            107.20.0.0/14
      18     1080 DROP       all  --  *      *       0.0.0.0/0            176.32.96.0/21
       0        0 DROP       all  --  *      *       0.0.0.0/0            178.236.0.0/21
       0        0 DROP       all  --  *      *       0.0.0.0/0            184.72.0.0/15
       0        0 DROP       all  --  *      *       0.0.0.0/0            204.246.160.0/19
       4      304 DROP       all  --  *      *       0.0.0.0/0            205.251.192.0/18
       0        0 DROP       all  --  *      *       0.0.0.0/0            207.171.160.0/19 


Packets to 23.20.0.0/14 keep raising the others are stuck.
There are no update files in user partition, registration is ok.
I'm located in Italy.
Let's see what happens in the next few days.

[knc1]

PHP Code:

NetRange:       23.20.0.0 - 23.23.255.255
CIDR:           23.20.0.0/14
OriginAS:       AS16509
NetName:        AMAZON-EC2-USEAST-10
NetHandle:      NET-23-20-0-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Assignment
Comment:        The activity you have detected originates from a dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment:        http://ec2.amazonaws.com/
- - - - -
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
- - - - - 


[alberiv]

Quote:

Originally Posted by knc1

PHP Code:

NetRange:       23.20.0.0 - 23.23.255.255
CIDR:           23.20.0.0/14
OriginAS:       AS16509
NetName:        AMAZON-EC2-USEAST-10
NetHandle:      NET-23-20-0-0-1
Parent:         NET-23-0-0-0-0
NetType:        Direct Assignment
Comment:        The activity you have detected originates from a dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment:        http://ec2.amazonaws.com/
- - - - -
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
- - - - - 


yes of course I got the list from the BBB filter, I didn't log all the activity.
Maybe there are other addresses going through the firewall, but it seems the ones pw get updates from are among those blocked.
What I would like to know ultimately is if I can block registration, updates and bbb in one shot by simply adding some firewall rules.

[knc1]

Quote:

Originally Posted by alberiv

- - - -

What I would like to know ultimately is if I can block registration, updates and bbb in one shot by simply adding some firewall rules.

Short answer: In general, yes.

Longer answer:
The firmware for the Kindles is missing many of the iptable modules you would want to use.

For instance my using the "drop" target when the "reject" target would be much more appropriate (no time-out waits done by sender).
The "reject" target module is one that wasn't included with the Kindle builds.
Duh. . . . .
Thanks to Lab126, again.

I did build (nearly complete) sets of iptable modules for the common most Kindle kernels (at the time I built them).

There is a set of them attached to one of my threads somewhere here.

And more information about the process in a public repo.
(My Internet connection is semi-dead at the moment, I will add links once I can check them.)

[alberiv]

Quote:

Originally Posted by knc1

I did build (nearly complete) sets of iptable modules for the common most Kindle kernels (at the time I built them).

Very interesting, I tried to use the log feature of iptables to track all the addresses going out wlan0 but the module is missing. I'll use my router to do that...

Using only netstat I found out a strange thing: the phd and todo processes contacted a local (italian) third party server
212.52.97.15:53 phd
217.171.163.134:443 todo

I can't explain this

[knc1]

Quote:

Originally Posted by alberiv

Very interesting, I tried to use the log feature of iptables to track all the addresses going out wlan0 but the module is missing. I'll use my router to do that...

Using only netstat I found out a strange thing: the phd and todo processes contacted a local (italian) third party server
212.52.97.15:53 phd
217.171.163.134:443 todo

I can't explain this

Todo uses a secure connection?
Amazon must not trust us all that much.

whois -H ip
will give you the CIDR to block for your list.

The add-in modules are part of the Kual-System project.
https://bitbucket.org/twobob/kual-system/overview

The /extensions sub-tree is of the pre-built binaries (as they would appear on the Kindle in this plan).

The /tools sub-tree has supplemental files - .config files, scripts to set the environment variables for the cross-compiler that was used, etc.

There should be a thread or two around here on the "KUAL-System" project also.

**Nothing** done in the project for the PW2 kernel/firmware.

It is one of those (many) public projects that will continue when someone gets the time and interest to continue it.

twobob has approximately 0.00% hobby time now;
I have just barely enough to answer a few questions on this forum.

[alberiv]

before going through the 5.4.0 downgrade procedure I updated to 5.4.3.1 to give it a try...first impressions surely better than 5.4.2.1, I'll keep it for now.
Jailbreak survived.

After that I was able to log (and block) this bastard through my router:

after a reboot it keeps contacting the following 2 ip addresses (forever) which are third party unknown addresses (maybe amazon has some mirrors local servers housed at those providers)

PHP Code:

IN=br0 OUT=ppp0 SRC=192.168.1.106 DST=212.52.97.15 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44201 DF PROTO=UDP SPT=36351 DPT=53 LEN=40
IN=br0 OUT=ppp0 SRC=192.168.1.106 DST=193.70.152.15 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44401 DF PROTO=UDP SPT=44898 DPT=53 LEN=40 


Without letting these packets through the firewall the wireless appears disconnected on the kindle (no wi-fi icon and signal bars empty)

I set the wireless off after that and kept the router drop rules, new firmware never had a chance to go out on the internet yet.

[knc1]

Those are DNS requests.

Perhaps modify resolv.conf (or re-direct in router) those to your local DNS server.

[alberiv]

jesus christ I must be crazy those are my ISP's dns
I didn't realize because dhcp usually gives router's address as dns and relay queries..

Well, after letting through those 2 dns addresses things get even stranger:
I left the wireless on for 30 mins and rebooted a few times, the only traffic
generated was towards 1 of the 2 addresses and goes on and on.
Usually registration is checked on reboot (sorry I forgot about firewall rules on kindle ) wifi icon displays correctly now...

so the BBB list is complete and I guess it should prevent registration, updates and BB

Sorry to keep this thread long you can delete some messages