5.6.5 Jailbreak (closed-kindle) -- released!

[Branch Delay]

This software-only jailbreak only works for Kindle firmware version 5.6.5.
If you have a later firmware version, this jailbreak won't work.
If you have firmware version 5.6.5 or earlier, switch to aeroplane mode immediately, to make sure you don't get auto-updated before installing the jailbreak.

Instructions
If your Kindle firmware is earlier than 5.6.5, manually update to firmware version 5.6.5. See either this post or the spoiler tag at the bottom of this very post for links to the firmware update for the different models of Kindle.

Download the jb.zip file attached to this post. Unzip it, and you will have a folder 'jb' containing four files, 'jb', 'jb.html', 'index.html', 'frame.html'

Connect your Kindle to your computer via USB and copy the four files to the top level of your Kindle. Eject your Kindle.

Open the 'experimental browser' on your kindle and enter the address

Code:

file:///mnt/us/index.html

and then follow the instructions on the screen. When your Kindle complains about being in aeroplane mode, just cancel the warning, DO NOT turn on wifi.

Once you get the "Jailbreak succeeded!" message in the title bar, the first stage has worked. It's now necessary to add the code that will preserve the jailbreak in most circumstances. This is described in this post, but the instructions are also included here for convenience.

Download the JailBreak-1.15.N-FW-5.x-hotfix.zip file attached to this post, and unpack it.
Connect your Kindle to your computer again and copy the 'Update_jailbreak_hotfix_1.15.N_install.bin' file to the root directory of your Kindle.

Now, eject & unplug your Kindle, and go to [HOME] -> [MENU] > Settings -> [MENU] > Update Your Kindle.

Your Kindle should do a software update and then restart.

Now the jailbreak and hotfix are safely installed, you can delete the five files, 'jb', 'jb.html', 'index.html', 'frame.html' and 'Update_jailbreak_bridge_1.15.N_install.bin' from the root of your Kindle.

You will now probably want to install Kindle Unified Application Launcher (KUAL) and the MobileRead Package Installer (MRPI), since being able to install third-party software is the entire point of the jailbreak.
You'll want to use up-to-date versions of those from the Snapshots thread.

And then you'll be able to install any of the cool additions available in the developers' forum.

(Once the hotfix is also installed, you can turn off Aeroplane mode, and allow your Kindle to update to the latest firmware without worrying that the jailbreak will be erased. You'll need to reinstall any of the 'cool additions', but the jailbreak and hotfix will remain installed and won't need reinstalling.)

These instructions are derived from the simple install instructions in this post and this post.

Old instructions:

Spoiler:

[added by pdurrant]
First set of instructions and download at this post. Quite complex, so early adopters only, IMO.

Step by step instructions for simpler method now at this post by mj52.





FAQ by eschwartz: Read this at least once
Q: How do I prepare for this?
A:

1. Put your device in Airplane mode.
2. Update your Kindle to fw5.6.5
   • For the PW2: Update instructions Direct firmware link
   • For the PW3: Update instructions Direct firmware link
   • For the KT2: Update instructions Direct firmware link
   • For the KV: Update instructions Direct firmware link
3. Sit back and wait for a simplified jailbreak to be assembled, or get the current version HERE.

Q: Will this work on any other firmware version?
A: No.

Q: What do I do if my Kindle already came with a newer version of the firmware?
A: Newly purchased devices will not ship with the latest firmware. So even when an updated firmware is released, you should still be able to jailbreak.

Q: Will this work on the __insert_device_name_here__?
A: If it runs fw5.6.5. It has been tested and works on the PW2, PW3, KT2, and KV, so that's all of them.
English, Chinese, French, Italian and German have been tested, in case the language matters.

[NiLuJe]

Yup, congrats are in order! .

Guinea pigged my PW2 for science!

As for blocking updates, the folder trick *might* still be usable. AFAICT, the base temp file name has changed (/mnt/us/update.bin.tmp -> /mnt/us/update.bin), and the system *might* only be killing the old filename? Not quite sure where the .partial came from and if that's still in the cards though, so, pure conjecture here .


In any case, massive thanks to Branch Delay for persevering, and being successful in the end

[knc1]

Let me try to say the same thing in different words:

If you intend to use the soon to be released jailbreak for firmware 5.6.5 - -
You **must** prevent your Kindle from updating away from 5.6.5.

The best way to be sure of that is to keep the Kindle in 'airplane' mode.

- - - -

The delay between the announcement and the release is to give Amazon/Lab126 enough time to issue a 'fix' for the JB vector found.
The last time this sort of problem was found and reported, they issued a 'fix' within days.

[Rizla]

Congrats on your hard work. Amazon doesn't deserve you

[AcidWeb]

Congratulations.

[rogerinnyc]

Congrats indeed. A few (maybe naive) questions:

1. Are you not releasing it now because of liability concerns -- and you think those will go away if you give Lab 126 the opportunity to patch it first? Just wondering...I'm used to the iPhone jailbreak universe, where they release exploits immediately after a new ios release, before it can be patched.
2. From the thread, I presume no one has tested it, but any thoughts on whether this would work on a Kindle Voyage with 5.6.5? If so, I might order one now and keep wifi off!
3. And am I correct that to install screensaver and font hacks, we would continue to use MrInstaller?

Thanks.

[knc1]

1) Everything here is intended to be under the user's (owner's) control. Those things are released when they work.

This is different, in that it could be used without the owner's knowledge.
That makes it a potential risk to the security of the device.
Things such as that (security risks) we (Mobileread) report to the vendor, giving them a chance to correct the problem.

This pre-release announcement is to warn owners not to just accept the next OTA update (which is expected to fix the problem) if they intend to use this 'closed Kindle' way to jailbreak it.

So it might be called a 'liability' but not in the typical monetary sense.
More in the ethical sense.
It would be very irresponsible to put the millions of Kindles out there at risk to remote exploitation.

2) It was tested (not by me - I was only an interested bystander) on the devices listed above.
If you don't see the KV mentioned, that means it wasn't tested on a KV.
It was tested on a PW3 - which is not that much different than a KV (you lose a few things that few people feel are required).

3) This only changes the way our (Mobileread) signature certificate is installed on the machine.
(Currently only possible over the serial port.)
Nothing else changes.

= = = =

Use the "thread tools" drop-down box above to subscribe to this thread.
You will then receive the posts to this thread (which will include the details on release).
Make sure your personal profile isn't set to 'weekly batch' if you want to hear about it when it happens.

[Branch Delay]

1. Releasing 0days with no vendor notification isn't a very professional thing to do and I don't really share the "us vs them" mentality the Apple jailbreak scene has. They have their reasons.

2. I hope it works, but I honestly have no idea. Bought a PW3 to test and I don't really want to spend extra money on more Kindles just to test a jailbreak 100 people (tops) are going to use. But yes, the fact that it worked on the PW3 is promising. I could crowd-source more testing, but it'd eventually leak. See #1.

3. I'll defer to knc1/nijule on that one. No clue. MrInstaller runs fine on my pw3 though.

[dhdurgee]

I would be happy to test this on my KT2 to confirm if it works with 5.6.5 there or not.

Dave

PS: If you are in contact with Lab126 could you bring their SSL vulnerability to their attention.

[NiLuJe]

Yep, as knc1 mentioned, that won't change how custom packages are installed once the device is jailbroken . The fact that Kindlets started working (again) across the board on 'new' devices with FW 5.6.5 was a good news in that respect .

[eschwartz]

Congrats are in order

Thread stickied and title changed, in the hope that people will be more likely to see it.

[jscris]

Happy dance!

[stupidhaiku]

Big congrats! I was hoping someone would be able to crack this nut. Would test on a KV if needed but I get the security concern. Great job and thanks for your hard work!

[hfpop]

Quote:

Originally Posted by NiLuJe

As for blocking updates, the folder trick *might* still be usable. AFAICT, the base temp file name has changed (/mnt/us/update.bin.tmp -> /mnt/us/update.bin), and the system *might* only be killing the old filename? Not quite sure where the .partial came from and if that's still in the cards though, so, pure conjecture here .

I wonder, but this is as well, an educated guess, whether the file is created by Amazon as update.bin.partial, and it stays with that name while downloading. As soon as this is done, the file is renamed to update.bin and the install begins.

If this is so, two folders created would possibly solve the blocking updates problem: /mnt/us/update.bin.partial and /mnt/us/update.bin .

[knc1]

Keep in mind this is FAT32 (case preserved, case insensitive) -

Study of the file system contents after the initial factory update completes shows the filename in-use was:
UPDATE~1.BIN
(the 8.3 format name of a long file name and no long file name found).

And that FAT-32 is not an inode based system, mounted into a file system tree that expects an inode based system -

Translation: The driver munges up the missing information during read/write of a file or directory name.
What you see is not always what is recorded on the media.

How that munging is done and what gets munged depends on what options where passed to the VFAT driver when the FAT file system was mounted.

In the case of USB storage viewed from the outside (USB cable) it gets a little bit more obscure, you are looking at the media through two drivers (plus whatever is on the PC end of the cable):
/mnt/us -> fuse driver -> /mnt/base-us -> VFAT driver -> media

**BUT** an uppercase, 8.3 format name using the characters from 7-bit ASCII **should** pass through that mess un-touched *in name* (the drivers will still fake up the ownership, permissions, and times).

Making directory names is cheap - -
Add "UPDATE~1.BIN" to the list of directory names your going to make in the root of USB storage.

- - - -

Which may just force the OTA updater to use: UPDATE~2.BIN (or UPDATE~?.BIN in its look-up. I haven't done any testing on if it can handle that situation).