Kindle Touch 5.0 Jailbreak

[yifanlu]

Quote:

Originally Posted by ixtab

Just thinking aloud:

We might actually be lucky enough for this method not to be fixed by Amazon. The mp3 bug was a serious security vulnerability which could affect inadvertent users. This one is also a vulnerability, but it's much less dangerous IMO, because it's much harder to trick an unsuspecting user into it.

As I said before, it would be nice if Amazon realized the potential of allowing users to tamper with their devices (at own risk). We already have very useful stuff around like the launcher, or the (upcoming) localization.

If all else fails, there's still usbhid mode. I'm loosely following the thread, but admit I'm too shy currently to try it out for fear of bricking the device without being able to get it back into a working state. (i.e. if things are safe to be done via USB, and recoverable by that, I'm fine to give it a go. I'm not fine with opening the device and soldering etc...)

That said, if it's possible to read/write files (or even entire partitions) via usbhid mode, then that'd probably be the way to look for a jailbreak method which is almost impossible to "close" -- or am I missing something here?

The only reason I could think of of continued jailbreak blocking is that they do not want to provide support for people who screwed up the screensaver hack or something.

[jglerner]

Quote:

Originally Posted by ixtab

Here it is.

This jailbreak should work with all versions of the Kindle Touch currently available. (5.0.0 - 5.0.3).

Instructions are contained in the archive. Please report back any issues here.

Thanks!

I acknowledge this jailbreak is working on 5.0.3.

Other than that I didn't notice any big improvements. The four button sense of reading is not working anymore,

[geekmaster]

@ixtab: I thought you were going to use tzVar instead of locale. As we discussed in PMs shortly after you discovered the tar bug, tzVar does not clobber the locale settings.

Unfortunately, locale and tzVar only work on the Touch. They do not work on the K4NT.

The only *universal* payload destination that works on both the Touch and the K4NT is the one I found that *might* survive your tar bug getting disabled (because no shared dependencies). My payload destination can be triggered using mutliple methods, and we had agreed that it could be saved until yours gets burned because the K4NT already has a developer mode method.

If the goal here is to create a single jailbreak that works on both the Touch and the K4NT, we will have to use my payload destination and trigger method, and just hope that amazon does not fix ALL the trigger mechanisms for it.

[yosoyeleze]

Hello. Anyone know if screen rotation works with the new 5.0.3 firmware? I need to landscape mode!

[blackjack13]

Quote:

Originally Posted by yosoyeleze

Hello. Anyone know if screen rotation works with the new 5.0.3 firmware? I need to landscape mode!

lipc-set-prop com.lab126.winmgr orientationLock L

[ixtab]

Quote:

Originally Posted by geekmaster

@ixtab: I thought you were going to use tzVar instead of locale. As we discussed in PMs shortly after you discovered the tar bug, tzVar does not clobber the locale settings.

Yeah, I had thought about using tzVar for a moment as well. But IMO this may cause even more problems (on my Kindle, the file doesn't even exist, and I have no idea what should go in there or how it is used). I think "resetting" the locale to the factory defaults is a good compromise, because a) the file always exists, with predictable contents;
b) normally, when you apply the jailbreak, you didn't even have a chance to customize the locale yet (changing locales needs our WIP localization package, which in turn requires a jailbreak);
and c) there is an easy way to get back to fully localized.

Quote:

Originally Posted by geekmaster

Unfortunately, locale and tzVar only work on the Touch. They do not work on the K4NT.

The only *universal* payload destination that works on both the Touch and the K4NT is the one I found that *might* survive your tar bug getting disabled (because no shared dependencies). My payload destination can be triggered using mutliple methods, and we had agreed that it could be saved until yours gets burned because the K4NT already has a developer mode method.

If the goal here is to create a single jailbreak that works on both the Touch and the K4NT, we will have to use my payload destination and trigger method, and just hope that amazon does not fix ALL the trigger mechanisms for it.

As far as I understood, yifanlu has an idea about K4NT. I cannot be of any help with that device. So yeah, let's keep a stack of possible exploits for later, and keep looking for others while we have full access

[geekmaster]

Quote:

Originally Posted by ixtab

As far as I understood, yifanlu has an idea about K4NT. I cannot be of any help with that device. So yeah, let's keep a stack of possible exploits for later, and keep looking for others while we have full access

I did tell yifanlu the details of my payload destination and trigger methods, but he may have found others as well, and he should soon be able to test whatever he may have found in the gpl source code now that he ordered a K4NT.

The K4NT should have even more possible payload destinations than are found in the Touch, because root is writable by default on the K4NT (no need to do "mntroot rw" despite the warning after shell login). I only tested this on the version 4.0, so it still needs to be tested on 4.0.1.

I have not looked for additional exploits after discovering that the K4NT root is writable. Perhaps we should inject the developer key directly with the tar bug without relying on a script (in case the script execution gets disabled).

Clearly, the Touch MP3 exploit has come and gone and it is time to use the next one (your locale payload injected with the tar bug). I will defer to yifanlu's judgement about when the time is right to use each of the remaining known exploits.

[yifanlu]

Quote:

Originally Posted by geekmaster

each of the remaining known exploits.

AFAIK, the tar bug is the last exploit we have. We have many payloads for this exploit, but nothing else.

[geekmaster]

Quote:

Originally Posted by yifanlu

AFAIK, the tar bug is the last exploit we have. We have many payloads for this exploit, but nothing else.

You are kidding, right? Or trolling? I choose to take your bait once again:

The tar bug that ixtab uses is dependent on the busybox file installed on the main partition. As we discussed on the IRC channel, mine does not depend on that file, and may survive repairing the busybox file that ixtab's exploit depends on. Must we expose all the details now, after you mildly chastised ixtab for releasing his details while the MP3 exploit still worked? I see no point in arguing over definitions here, to the point of guaranteeing that amazon is sure to patch both ixtab's and my methods.

There was a discussion about releasing my method as a universal jailbreak that works on both the Touch and the K4NT, unlike the current Touch-only version. But that would reduce its probability to remain viable after ixtab's method goes away (especially since you claim to not know any other exploits).

And besides, even if my exploit gets burned along with ixtab's, we will still have unlocked fastboot mode (as documented by rastik), and how can you NOT call that an exploit when it allows us to install whatever we choose on our kindles?

And even if all of the above methods stop working, there is another way that has been tested and documented. You just need to know where to look.

Plus, if your "stack smash" still works, I can (probably) use it with my (untested) shellcode that defeats ASLR. This line of research was put on hold when you announced your MP3 exploit. Of course, that would require mutual cooperation. What are the chances of that?

[yifanlu]

I've said this many times before. We have payloads. Not exploits. The tar bug is an exploit. Using it in various ways are different payloads. I don't troll, I like to point out misinformation so they don't get spread and raise expectations.

The fastboot/USB download is NOT an exploit. It's a door left open on purpose (or by accident) for developers. An exploit is using a bug in some code to execute unsigned code.

If amazon fixes the tar bug. They FIX the tar bug, not just one specific payload. Now there is the chance that your payload will still work (actually, seeing amazon's record, it's a high chance) but we can't depend on it. For example, the pervious update fixed two other payloads for the mp3 bug including one that allows HTML injection on the device name.

Anything else is beyond my knowledge, which is why I started out with "AFAIK"

[geekmaster]

Quote:

Originally Posted by yifanlu

I've said this many times before. We have payloads. Not exploits. The tar bug is an exploit. Using it in various ways are different payloads. I don't troll, I like to point out misinformation so they don't get spread and raise expectations.

The fastboot/USB download is NOT an exploit. It's a door left open on purpose (or by accident) for developers. An exploit is using a bug in some code to execute unsigned code.

If amazon fixes the tar bug. They FIX the tar bug, not just one specific payload. Now there is the chance that your payload will still work (actually, seeing amazon's record, it's a high chance) but we can't depend on it. For example, the pervious update fixed two other payloads for the mp3 bug including one that allows HTML injection on the device name.

Anything else is beyond my knowledge, which is why I started out with "AFAIK"

"Exploit" is a big word with a lot of meaning (even in the computer security industry). A door left open on purpose or by accident may be exploited by those who wish to use it to their own advantage. For example, even in many high security environments, the back or side door is often kept unlocked for the convenience of cigarette smokers who can no longer smoke inside. Exploring such unlocked doors more often than not brings you to areas with no security, no guards and no cameras (inside the firewall, so to speak). It helps to dress the part, and to carry a clipboard. People avoid eye contact when they think you are there to watch THEM. Social engineering is a fine example of a human behavior exploit. I used this many times for "legimate" purposes. And while on the subject of "inside the firewall", my parts have begun arriving for three of these:
http://www.minipwner.com/index.php/w...-the-minipwner

I have some well-publicized and well-known computer exploits behind me, from the days when your parents were still children. I have become very careful in what I do and where I publish my "adventures" since the creation of the DMCA and the Patriot Act (and caution comes with age and maturity as well). I have only used my "geekmaster" handle since I first "exploited" the Geek Squad logo to suit my own purposes shortly after they were founded in 1994, and I have been very low-key about it. I still own two of the original black Geek Squad T-shirts acquired strictly for "social engineering" purposes.

Back when I was your age, I was a founding member of the "Malicious Users Group" a/k/a MUG. It was university-sponsored, and the university even bought the pizzas during our all-night hacking sessions. Our group had about 40 members (by invitation only). My user ID was MUG0002. The only caveat was that we allow the university to monitor our "sponsored" hacking sessions, and we were to report all vulnerabilites found during those official sessions so they could "harden" their system. Great times were had by all (except the poor university computer center programmers who had to keep fixing the same problems over and over again).

Our domain was a little-known computer access point with a handful of "glass teletypes" that connected at 300bps, when all the other students had to use ASR-33 teletypes that only did 110bps (10 characters per second). Of course, it was still fun to use a teletype now and then, if only to make the 40-some other teletypes in the room go dead silent while mine chattered away printing out startrek game maps, while locking out even the computer operators. This was done by escalating priveleges above what even computer operators and systems administrators had.

During a consulting gig at a large well-known "big-iron computing" company, I became buddies with the director of technical support when he came to me white-faced, saying "you didn't REALLY delete the systems validations file did you?". He was afraid to reboot the mainframe for routine maintenance, fearing it might not come up again. I showed him how a lowly user could insert official messages into the system logs. He was relieved.

One of my projects was featured on the cover of Scientific American, but my boss stole all the credit. This may be a contributing factor for my feeling violated when people claim credit for my ideas.

Anyway, enough fun for now. I know what an exploit is. Perhaps I helped to define it.

P.S. There were exploits before code signing even existed.

[yifanlu]

Calling someone a troll is like calling someone a racist. The term is overused so much it loses it's intended meaning and becomes a generic insult. Anything that uses "the unintended expanding of absolute paths by default when extracting tar files on the kindle" is what I call "the tar bug" and as I've said amazon will MOST LIKELY but not DEFINEATLY fix all use of this bug when they release a patch, so we should focus on finding new bugs instead of more uses for this one. Let ixtab have the credit for this one and we should all move on to looking for new bugs.

Now if I am wrong and your exploit makes no use of any variation of the tar bug, I sincerely apologize and hold my peace. Otherwise, I stand by my statement that we only have one exploit right now.

[geekmaster]

Quote:

Originally Posted by yifanlu

Calling someone a troll is like calling someone a racist. The term is overused so much it loses it's intended meaning and becomes a generic insult. Anything that uses "the unintended expanding of absolute paths by default when extracting tar files on the kindle" is what I call "the tar bug" and as I've said amazon will MOST LIKELY but not DEFINEATLY fix all use of this bug when they release a patch, so we should focus on finding new bugs instead of more uses for this one. Let ixtab have the credit for this one and we should all move on to looking for new bugs.

Now if I am wrong and your exploit makes no use of any variation of the tar bug, I sincerely apologize and hold my peace. Otherwise, I stand by my statement that we only have one exploit right now.

You are welcome to your narrow viewpoint and narrow definition of the word, if it suits your purpose. I have much larger goals in life, which require broader definitions that more closely match what the dictionaries have to say. To each his own...

I have used the tar bug in the past, and I have found long-repaired security loopholes show up all over again in code rewrites, which is why I suggested to you when we were discussing UTF-8 shellcodes to use your stack smash, before I had my own kindle Touch to test with, that perhaps you should test the tar root path bug "just in case". I took your word for it when you told me "that was fixed long ago". By the time I got my Touch, you had already released you MP3 exploit, so no need to test it then. When you said in the IRC channel right after ixtab announced his tar bug discovery and I mentioned our previous discussion, you said "but we BOTH agreed that it could not work". Actually, I learned long ago to never agree to anything without reading the fine print and testing everything myself. Because I had not Touch to test with during our previous discussion, it is absurd to claim that I could have agreed to such a thing. This is a hard rule that I rarely violate.

I am sorry about the Troll thing, but it seems that when I ask legitimate questions you have no time to answer me, but you are quick to challenge things that I post. This is irksome because I come from a different time than you, and word meanings evolve over time, and my experience gives me a much broader viewpoint than yours, which affects which definitions of technical jargon I choose to use. To me, arguing word definitions without supporting evidence or technical merit is akin to "trolling". Regarding word meanings, how can "troll" be akin to "racist" as you claimed above? Which ethnicity descended from Trolls? I have read many thousands of books, and I am not aware of any...

[yifanlu]

Sorry, I lost track of the meaning of the argument. If I ever purposely ignored a "legitimate" question of yours, I apologize. I do have things to do beyond kindles and am by no means a kindle oracle. Let's get back on track. What we should be talking about isn't what is and isn't an exploit but the best way to jailbreak both the kindle 4 and the kindle touch.

[ixtab]

Whooooo....

folks, calm down, please. Personal attacks won't get this any further, on the contrary. Please try to stay as constructive as you both have been until now. We've got technical challenges to solve... and BTW it's more fun to reverse-engineer than to write disgruntled replies.

Get a beer, or two, or five... cheers!