#1
Enthusiast
Posts: 29
Karma: 100000
Join Date: May 2023
Device: Kindle family
newer Kindle firmware can't use 'awk', so jb hotfix fails
In the process of trying to install the jailbreak hotfix kit manually (to get the firmware update persistence), I ran into something rather strange.
Using a reverse shell on the Kindle, I attempted to execute the install / dispatch scripts ("Update" doesn't work because of the firmware version), and noticed a segmentation fault. Attempting to investigate further leads to:

Running "awk -h" by itself results in a "Segmentation fault".
Running '/usr/bin/awk -h' or 'busybox awk -h' results in the expected output (showing command-line options).
Running 'which awk' shows '/usr/bin/awk', and as this is a busybox shell, there isn't a function overriding it (as far as I can tell).

While this points to a workaround (changing the scripts), I'm REALLY curious as to what's going on here, especially since factory scripts use 'awk' (not /usr/bin/awk) and as far as I can tell, they don't hit these faults.
#2
BLAM!
Posts: 13,506
Karma: 26047190
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Which device is that, and on which FW version?
#3
BLAM!
Posts: 13,506
Karma: 26047190
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
As for the actual failure, try strace-ing it, I would assume there's a conflicting busybox build somewhere in the PATH (or they botched a forkless busybox build, awk is a noexec applet).
#4
Enthusiast
Posts: 29
Karma: 100000
Join Date: May 2023
Device: Kindle family
The difference seems to be how the applet is being reached: if it is reached through /usr/bin/awk (which symlinks to busybox) then it works, but if it's being run from /bin/sh, it segfaults. The strangest thing is this:

Code:
```
prctl(PR_SET_NAME, "awk\0\0\0\0\0\334\222\242\0\304\222\242\0") = 0
```

Failing:

Code:
```
execve("/bin/sh", ["sh", "-c", "awk -h"], [/* 7 vars */]) = 0
...
open("/var/local/system/locale", O_RDONLY) = 6
lseek(6, 0, SEEK_END) = 34
mmap2(NULL, 34, PROT_READ|PROT_WRITE, MAP_PRIVATE, 6, 0) = 0x76f91000
brk(0) = 0xa29000
brk(0xa4a000) = 0xa4a000
munmap(0x76f91000, 34) = 0
close(6) = 0
open("/var/local/system/tzVar", O_RDONLY) = -1 ENOENT (No such file or directory)
prctl(PR_SET_NAME, "sh\0-c\0awk -h\0SHL") = 0
getuid32() = 0
getpid() = 18153
rt_sigaction(SIGCHLD, {0x576b8, ~[RTMIN RT_1], SA_RESTORER, 0x76ddaf00}, NULL, 8) = 0
getppid() = 18151
uname({sysname="Linux", nodename="kindle", ...}) = 0
stat64("/var/local", {st_mode=S_IFDIR|S_ISGID|0775, st_size=3072, ...}) = 0
stat64(".", {st_mode=S_IFDIR|S_ISGID|0775, st_size=3072, ...}) = 0
rt_sigaction(SIGINT, NULL, {SIG_IGN, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, NULL, {SIG_IGN, [], 0}, 8) = 0
rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
prctl(PR_SET_NAME, "awk\0\0\0\0\0\334\222\242\0\304\222\242\0") = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0xc3833} ---
```

Successful:

Code:
```
execve("/bin/sh", ["/bin/sh", "-c", "/usr/bin/awk -h"], [/* 7 vars */]) = 0
...
execve("/usr/bin/awk", ["/usr/bin/awk", "-h"], [/* 7 vars */]) = 0
brk(0) = 0x1987000
uname({sysname="Linux", nodename="kindle", ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76f96000
access("/etc/ld.so.preload", R_OK) = 0
...
open("/var/local/system/locale", O_RDONLY) = 6
lseek(6, 0, SEEK_END) = 34
mmap2(NULL, 34, PROT_READ|PROT_WRITE, MAP_PRIVATE, 6, 0) = 0x76f93000
brk(0) = 0x1987000
brk(0x19a8000) = 0x19a8000
munmap(0x76f93000, 34) = 0
close(6) = 0
open("/var/local/system/tzVar", O_RDONLY) = -1 ENOENT (No such file or directory)
prctl(PR_SET_NAME, "awk\0-h\0SHLVL=3\0O") = 0
getuid32() = 0
write(2, "/usr/bin/awk: invalid option -- "..., 36/usr/bin/awk: invalid option -- 'h'
) = 36
```
#5
BLAM!
Posts: 13,506
Karma: 26047190
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Yeah, looks like forkless shenanigans blowing up.
I don't quite recall how that's implemented and what the limitations are, but I haven't had any issues with it over "real" SSH shells, FWIW (as long as said shell is ash from the same busybox build, I mean; otherwise it's no longer forkless ;p).
#6
Member
Posts: 10
Karma: 2145742
Join Date: Mar 2023
Device: Kindle PW5
Out of curiosity, I'm wondering if calling the shell directly through busybox by passing it the sh argument does anything different than using the symlink in this case. Might be something weird in the PATH.
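An added diagnostic script, not from the thread or any of its posters, that runs the invocation variants discussed in posts #1, #3 and #6 and classifies each by exit status, so a child killed by SIGSEGV (status 139) is told apart from a missing binary (127) or an ordinary usage error; it also shows what PATH resolves `awk` to and where that symlink points, which is the quickest way to spot a second busybox build on the PATH. It assumes a POSIX sh with `command -v` and `readlink`; the `busybox` and `/usr/bin/awk` paths are the ones named in the thread.

```shell
#!/bin/sh
# Constructed diagnostic (not from the thread): exercise the ways the awk
# applet can be reached and classify each outcome by exit status.

# Map a shell exit status to a label. A status above 128 means the child
# was killed by signal (status - 128); 139 is SIGSEGV (11), the case seen
# in the thread for "awk -h" run from /bin/sh.
classify_status() {
    s=$1
    if [ "$s" -eq 0 ]; then
        echo ok
    elif [ "$s" -eq 139 ]; then
        echo segfault
    elif [ "$s" -gt 128 ]; then
        echo "signal $((s - 128))"
    else
        echo "exit $s"
    fi
}

# Run one invocation variant with output discarded and print "label: outcome".
# The if-guard keeps a failing child from aborting the script under set -e.
probe() {
    label=$1
    shift
    if "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    echo "$label: $(classify_status "$rc")"
}

# Show what PATH lookup resolves a name to, following one level of symlink,
# so a stray second busybox build earlier on the PATH becomes visible.
resolve() {
    p=$(command -v "$1" 2>/dev/null) || { echo "$1: not in PATH"; return 1; }
    if [ -L "$p" ]; then
        echo "$1 -> $p -> $(readlink "$p")"
    else
        echo "$1 -> $p"
    fi
}

main() {
    resolve awk
    probe "sh -c 'awk -h'"            sh -c 'awk -h'
    probe "/usr/bin/awk -h"           /usr/bin/awk -h
    probe "busybox awk -h"            busybox awk -h
    probe "busybox sh -c 'awk -h'"    busybox sh -c 'awk -h'
}
main
```

On the affected device the first probe should report `segfault` while the others report `ok` or a plain `exit N` from the usage error; if the resolved path is not the expected busybox symlink, the PATH-conflict hypothesis from post #3 is confirmed.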