anyway to jail break new oasis (2019)?

[makue]

Few days left before I've to send back my oasis (2019).

Just out of curiosity, has a factory firmware (5.12.0) been leaked/extracted already?

[NiLuJe]

Nope, despite a few attempts.

[knc1]

Quote:

Originally Posted by makue

Few days left before I've to send back my oasis (2019).

Just out of curiosity, has a factory firmware (5.12.0) been leaked/extracted already?

Nope.

There seems to be an effort (at least on some devices/firmwares) to "burn" the first 8K bytes of the factory firmware on start-up.
It may be difficult to "un-burn" the factory firmware, depending on just 'how' Amazon/Lab126 has decided to do the 'burn'.

[WaseemAlkurdi]

Quote:

Originally Posted by knc1

Nope.

There seems to be an effort (at least on some devices/firmwares) to "burn" the first 8K bytes of the factory firmware on start-up.
It may be difficult to "un-burn" the factory firmware, depending on just 'how' Amazon/Lab126 has decided to do the 'burn'.

Can you elaborate?
Burn the factory firmware to what exactly? (As in "burn to CD-R", "burn to flash", etc)
And what exactly prevents people from using the serial port? Have they finally "remembered" to lock down the bootloader?

[ilovejedd]

Quote:

Originally Posted by WaseemAlkurdi

Can you elaborate?
Burn the factory firmware to what exactly? (As in "burn to CD-R", "burn to flash", etc)

Burn as in overwrite the area where the header and signature for the factory firmware should be located, I would assume.

[j.p.s]

Quote:

Originally Posted by WaseemAlkurdi

And what exactly prevents people from using the serial port?

No connection to the serial port has been found on the KOA2 or, presumably, the KOA3. In addition, all teardowns of the KOA2 have been destructive.

Quote:

Originally Posted by WaseemAlkurdi

Have they finally "remembered" to lock down the bootloader?

It looks like they have on the PW4.

[knc1]

Quote:

Originally Posted by j.p.s

. . . . .

It looks like they have on the PW4.

Both recent and current models seem to have different quirks even for the same firmware version.
It may take even longer than usual to provide jailbreak(s) for each individual model/firmware version pairing.

Q: Can J.B. hire more programmers to make our hobby even more difficult?

[WaseemAlkurdi]

Quote:

Originally Posted by ilovejedd

Burn as in overwrite the area where the header and signature for the factory firmware should be located, I would assume.

So the factory firmware places its own header and signature somewhere on the eMMC and the selfsame firmware reads the signature and header to verify itself?
Or is there something I don't understand?

[WaseemAlkurdi]

Quote:

Originally Posted by j.p.s

No connection to the serial port has been found on the KOA2 or, presumably, the KOA3. In addition, all teardowns of the KOA2 have been destructive.



It looks like they have on the PW4.

aka: Lab126 employees have stumbled upon MobileRead. Sad, frankly.
So the only hope (apart from some exploit or the other, a la iPhone jailbreak) is to desolder, flash, and resolder the eMMC, possibly flashing a modified U-Boot as an unlocked bootloader and/or to bypass signature checks?
As for the destructive teardown attempts at the KOA2 ... why? They didn't use sorcery to put it together, did they?

[makue]

Tomorrow my KOA3 will take the long way home.

All in all I'm very thankfull now for all the people here in the fore- and background who granted us all a limited period of freedom and sunshine when we were able to buy and own as well our new and shiny Kindle devices. Now the winter is coming again but at least I have 2 rather new kindles a KOA2 and and a PW4 to hold on.

A very big Thank You!

Matthias

[knc1]

Quote:

Originally Posted by WaseemAlkurdi

So the factory firmware places its own header and signature somewhere on the eMMC and the selfsame firmware reads the signature and header to verify itself?
Or is there something I don't understand?

All package files with the name format of: update_*.bin have a cryptographic signature attached.
The signature uses public key (key pairs, public and private) encryption.
The Kindles only have the public key, the update_*.bin files are created with the private key.

You can read all the gory details in "KindleTool".
That utility is able to package and un-package the update_*.bin files, both Amazon and Mobileread.

Of course, Amazon does not provide us with their private key so we have to use our own key-pair.

[WaseemAlkurdi]

Quote:

Originally Posted by knc1

All package files with the name format of: update_*.bin have a cryptographic signature attached.
The signature uses public key (key pairs, public and private) encryption.
The Kindles only have the public key, the update_*.bin files are created with the private key.

You can read all the gory details in "KindleTool".
That utility is able to package and un-package the update_*.bin files, both Amazon and Mobileread.

Of course, Amazon does not provide us with their private key so we have to use our own key-pair.

Copy that.
But how does that relate to the "flashing" that the stock firmware is said to be doing on each boot?

[knc1]

Quote:

Originally Posted by WaseemAlkurdi

Copy that.
But how does that relate to the "flashing" that the stock firmware is said to be doing on each boot?

Ah, it is the "doing it to" part you have misunderstood.
What is being done is to the contents of the update package, if/when it is found on the area used for visible USB storage.

No header available on the file, file is not recoverable.
Load KindleTool and run an '--info' command against one of the .bin packages.*
That will show you what is missing when Lab126 "burns" the package header contents, contents of the package file, not of what is already installed.


* Use just the command name (kindletool) by itself to output the command description.

[WaseemAlkurdi]

Quote:

Originally Posted by knc1

Ah, it is the "doing it to" part you have misunderstood.
What is being done is to the contents of the update package, if/when it is found on the area used for visible USB storage.

No header available on the file, file is not recoverable.
Load KindleTool and run an '--info' command against one of the .bin packages.*
That will show you what is missing when Lab126 "burns" the package header contents, contents of the package file, not of what is already installed.


* Use just the command name (kindletool) by itself to output the command description.

Quote:

What is being done is to the contents of the update package, if/when it is found on the area used for visible USB storage.

So upon finding a certain updater package on a certain device, the firmware would burn (as in "destroy") the first 8 KB, which is the header? Pretty neat. A sort of blacklist.

To counter that, and provided that U-Boot isn't checking signatures or anything fancy, a single Kindle has to be manually flashed (aka write to eMMC) with manually jailbroken firmware to see what are system daemons, etc doing. Now, who's going to donate their Kindle?

[makue]

If there's an initiative to buy an OASIS 3 for testing I would donate up to 50 bucks.