Old 07-08-2012, 01:48 PM   #61
NiLuJe
BLAM!
Posts: 13,477
Karma: 26012494
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
@mmatej: It *should* remove the jailbreak update key (pubdevkey01.pem), but not the kindlet keystore.

I never tried it, so I'm not sure why yifan's package didn't seem to do anything, but it should have removed the updater key. The only potential issues I see with it are that it won't run on some European 3G Touch, the target OTA is a bit low (but still high enough), and it relies on legacy helper functions for progress handling, but none of that should prevent it from removing a single puny file. [Unless the updater system does some black magic in the background with its public keys...]

Last edited by NiLuJe; 07-08-2012 at 01:53 PM.
Old 07-08-2012, 01:51 PM   #62
mmatej
Connoisseur
Posts: 91
Karma: 14730
Join Date: Jun 2012
Device: none
Quote:
Originally Posted by cyclops0000
so.... it would be possible to use this exploit to disable ota updates?
now to figure out how...

Yes, it would be possible to do anything the device is capable of, because you get root privileges with it. Why do you need to disable updates by exploiting it?
Looks like someone has started creating "the Botnet"...
Old 07-08-2012, 01:57 PM   #63
mmatej
Quote:
Originally Posted by NiLuJe
@mmatej: It *should* remove the jailbreak update key (pubdevkey01.pem), but not the kindlet keystore.

I never tried it, so I'm not sure why yifan's package didn't seem to do anything, but it should have removed the updater key. The only potential issues I see with it are that it won't run on some European 3G Touch, the target OTA is a bit low (but still high enough), and it relies on legacy helper functions for progress handling, but none of that should prevent it from removing a single puny file. [Unless the updater system does some black magic in the background with its public keys...]

If you mean by the "progress handling" updating the progress bar, then there may be something wrong with it. I have European KT (no 3G) and it's not updating the progress bar while installing the unjailbreak package. Maybe it crashes before it removes the key.
Old 07-08-2012, 02:02 PM   #64
cyclops0000
Padawan Learner
Posts: 33
Karma: 86
Join Date: Jul 2012
Location: Galactic Sector ZZ9 Plural Z Alpha
Device: Kindle Touch
Quote:
Originally Posted by mmatej
Yes, it would be possible to do anything the device is capable of, because you get root privileges with it. Why do you need to disable updates by exploiting it?
Looks like someone has started creating "the Botnet"...

maaaaayyyybbbbeeee.....
not really...
just figured it would be a (maybe) easier way to disable ota to keep amazon from pushing updates to break the jailbreak
or maybe i want to make the first kindle key/touchlogger
heheh though a vnc kind of thing for kindle would be quite awesome...
Old 07-08-2012, 02:22 PM   #65
mmatej
Connoisseur
mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.mmatej is less competitive than you.
 
Posts: 91
Karma: 14730
Join Date: Jun 2012
Device: none
Quote:
Originally Posted by cyclops0000
maaaaayyyybbbbeeee.....
not really...
just figured it would be a (maybe) easier way to disable ota to keep amazon from pushing updates to break the jailbreak
or maybe i want to make the first kindle key/touchlogger
heheh though a vnc kind of thing for kindle would be quite awesome...

You can disable ota updates manually when you have SSH access. You DON'T need the exploit to do this. FYI, I've now obfuscated the "triggering" code. If you wanted to copy scripts and transform it into the bad code, you would be out of luck.
Old 07-08-2012, 02:43 PM   #66
NiLuJe
@mmatej: Nope, if it crashed, you wouldn't get the 'update successful' checkmark. And, yes, I meant progress bar handling, but it's just a hint given to the UI, it doesn't really hurt (The simple usbnet package does the same thing, for example).
Old 07-08-2012, 02:50 PM   #67
cyclops0000
Quote:
Originally Posted by mmatej
You can disable ota updates manually when you have SSH access. You DON'T need the exploit to do this. FYI, I've now obfuscated the "triggering" code. If you wanted to copy scripts and transform it into the bad code, you would be out of luck.

well yeah, i know that you can disable it via ssh, it just seems like it would be more user friendly for some people to use a script for disabling ota updates, rather than mucking about in the filesystem...
and i did not intend to write malicious code of any sorts...
not even to make a kindle rendition of the squid virus :P
Old 07-08-2012, 03:04 PM   #68
mmatej
Quote:
Originally Posted by cyclops0000
well yeah, i know that you can disable it via ssh, it just seems like it would be more user friendly for some people to use a script for disabling ota updates, rather than mucking about in the filesystem...
and i did not intend to write malicious code of any sorts...
not even to make a kindle rendition of the squid virus :P

Then why not make an update package which disables ota update? Update packages are more user-friendly than changing files via SSH and it should not be that hard to create.
Old 07-08-2012, 03:08 PM   #69
mmatej
Quote:
Originally Posted by NiLuJe
@mmatej: Nope, if it crashed, you wouldn't get the 'update successful' checkmark. And, yes, I meant progress bar handling, but it's just a hint given to the UI, it doesn't really hurt (The simple usbnet package does the same thing, for example).

So why doesn't it remove the key if it's successful? It's a big mystery for me...
Old 07-08-2012, 05:22 PM   #70
NiLuJe
@mmatej: Figured it out. Because the uninstall script isn't marked as an update script, so it isn't run by the update system. Hence nothing actually happening. (ID 128 instead of 129 in the bundlefile).

(For the curious: because it's a .sh and yifan's original kindletool wasn't marking .sh files as scripts, only .ffs).

Last edited by NiLuJe; 07-08-2012 at 05:25 PM.
Old 07-09-2012, 02:20 AM   #71
mmatej
Quote:
Originally Posted by NiLuJe
@mmatej: Figured it out. Because the uninstall script isn't marked as an update script, so it isn't run by the update system. Hence nothing actually happening. (ID 128 instead of 129 in the bundlefile).

(For the curious: because it's a .sh and yifan's original kindletool wasn't marking .sh files as scripts, only .ffs).

Thanks for figuring it out. I don't know much about update packages / updating process on Kindle.

Last edited by mmatej; 07-09-2012 at 02:23 AM.
Old 07-09-2012, 02:32 AM   #72
thomass
Wizard
Posts: 1,669
Karma: 2300001
Join Date: Mar 2011
Location: Türkiye
Device: Kindle 5.3.7
you can also add the version numbers for the hacks.
Old 07-09-2012, 03:04 AM   #73
mmatej
Quote:
Originally Posted by thomass
you can also add the version numbers for the hacks.

done
Old 07-09-2012, 03:17 AM   #74
ixtab
(offline)
Posts: 2,907
Karma: 6736092
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
Woah... guys, it's not like I want to spoil the party. This is indeed a very nice project, and I'm seriously impressed (honest!).

However, it will necessarily come to an end, rather sooner than later. After all, you're exploiting a serious security flaw on the Kindle, which is on Amazon's radar, and which either has been fixed with that ominous 5.1.1 FW (which we're all craving for, but no one seems to have been able to publish yet), or will be fixed soon.

In fact, I don't understand at all how, a month after the publishing of such a gaping vulnerability (and they *were* alerted to it), Amazon can still not give a fuck about their customers', and their own security. I'm seriously puzzled.

The point is ... this security hole should have actually been closed yesterday - but it hopefully (from a security standpoint) will be closed soon.

All IMO of course, but just before you spend too much effort...

... just sayin'.

PS: just to make that clear again: I really DO appreciate your work -- I'm just wondering whether the effort will be well-spent in the long run.

Last edited by ixtab; 07-09-2012 at 03:29 AM.
Old 07-09-2012, 03:39 AM   #75
mmatej
Quote:
Originally Posted by ixtab
...

You are right, Amazon is very late about this issue. Maybe if we created "the Botnet", long time mentioned, but never really made, Amazon would react very quickly.
BTW, does Amazon know about this web jailbreak? As far as I know, it's the first practical use of the exploit. Maybe I should show off them
And about that effort... I know that with the next FW released, it won't work. But I've learned a lot of things from this project, so it wasn't that useless.