02-27-2023, 06:41 AM | #1 |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Potential New Exploit For Jailbreaking?
I tried to post this before but it was deleted or something, I'm not sure why? Perhaps this was misunderstood, this isn't a Jailbreak or anything that allows Piracy, it is merely a potential entrypoint which I found on the Kindle Store.
I have discovered how to modify the Kindle Store displayed on the Kindle, this means that I can inject custom HTML+JS. You may wonder: So what? It's just a website Well, being the Kindle Store, this actually contains many... many functions which can be used to manipulate the Kindle which are NOT available in the experimental browser. For example, via the store, I was able to launch apps and communicate with LIPC messages to an extent, I believe that this could be the gateway to a new jailbreak The reason I'm posting this here is because I don't really know where to go from here lol, I'm relatively new to the jailbreaking scene for Kindles and I was wondering if anyone would like to help me with this project? See attachments for info, the applicaiton error one was an earlier version, I can now properly launch other applications |
02-27-2023, 07:14 AM | #2 |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
I wonder if I can somehow execute code through a WAF...
|
Advert | |
|
02-27-2023, 07:26 AM | #3 |
Connoisseur
Posts: 99
Karma: 909418
Join Date: Aug 2021
Location: Germany
Device: PW4+Fire 7", Onyx Boox Nova Air
|
how did you do it? a Man-In-The-Middle Attack by hijacking your wifi AP? hosts file? or what exactly did you do?
the question would be if the Kindle Store App / Tab has system rights or access to directorys you would need. i know / heard that a jailbreak adds developer keys to a specific file so it opens up the kindle for thirdparty code.. but since i don't know how exactly this is done someone else would have to look into this. but the thing is - if you can just run javascript, the question is if its just in the context of a normal browser or if it is having "special" access to commands. can you give us more informations about how you did it, what you did etc? |
02-27-2023, 08:10 AM | #4 | |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Quote:
Javascript - Yep, the store runs in a special context in which certain Javascript functions normally nonexistent can be used So far I can: - Launch apps - Change screen orientation Untested, but in theory I can also: - Communicate with LIBC protocol to send messages to other processes Last edited by Bluebotlabs; 02-28-2023 at 12:55 PM. |
|
02-27-2023, 08:13 AM | #5 |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
also, this is all done on a non-jailbroken device since I am on latest firmware lol
|
Advert | |
|
02-27-2023, 08:35 AM | #6 |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Update: More JS Investigation
List of things I can access, still discovering what most of these are:
- version (returns 1) - download - dev (Device-Specific stuff such as "refresheyness" of the e-ink display - popup - bkgrnd - device - winmgrUtils - bluetooth (Query and adjust Bluetooth settings) - chrome (Browser specific stuff, weird that it's named chrome) - dconfig - nat (Query and adjust network settings) - appmgr (Direct access to the appmgr, currently known: start(), back()) - todo (Does anyone know what this is?) - gestures - messaging (libc access) - uitest - localprefs - storeName I'm currently working on some JS code to properly+recursively dump more information |
02-27-2023, 09:23 AM | #7 |
the rook, bossing Never.
Posts: 12,276
Karma: 89531599
Join Date: Jun 2017
Location: Ireland
Device: All 4 Kinds: epub eink, Kindle, android eink, NxtPaper11
|
Doesn't the Kindle Suduko also use fact that the Web browser has stuff in it so the Amazon Kindle Store works "better"?
|
02-27-2023, 09:30 AM | #8 |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Interestingly, unless I include a large portion of the original code, the Kindle complains that the store failed to load, so it probably relies on a JS function call of sorts, I'll investigate this further but the code is heavily obfuscated so it's a pain to go through
|
02-27-2023, 09:35 AM | #9 | |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Quote:
This is specific to the store and potentially other build-in Web Applications (WAFs) The browser normally doesn't have these JavaScript functions available to it |
|
02-27-2023, 12:08 PM | #10 | |
Connoisseur
Posts: 86
Karma: 25554
Join Date: Sep 2022
Device: PW3, PW2, KT2, 2xKT, 2xK3G
|
Quote:
MITM would probably not work due to the kindle using HTTPS. Last edited by luketheduke; 02-27-2023 at 12:20 PM. |
|
02-27-2023, 12:10 PM | #11 |
Connoisseur
Posts: 86
Karma: 25554
Join Date: Sep 2022
Device: PW3, PW2, KT2, 2xKT, 2xK3G
|
Used to be able to with `nativeBridge.dbgCmd`. Removed awhile ago, though.
|
02-27-2023, 12:20 PM | #12 | |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Quote:
I can't say, but you're a little far off... don't forget, I had to do a bunch of networking stuff too, but it isn't ARP spoofing Last edited by Bluebotlabs; 02-28-2023 at 01:01 PM. |
|
02-27-2023, 12:21 PM | #13 | |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
Quote:
|
|
02-27-2023, 12:40 PM | #14 | |
Resident Curmudgeon
Posts: 76,055
Karma: 134368292
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3
|
Quote:
|
|
02-27-2023, 12:45 PM | #15 |
Connoisseur
Posts: 83
Karma: 1170
Join Date: Sep 2022
Location: Why do you want to know?
Device: Bricked PW5
|
|
Tags |
exploit, jailbreak |
Thread Tools | Search this Thread |
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Local root exploit in Calibre | splat | Calibre | 29 | 11-05-2011 10:03 PM |
Adobe Reader 9 new exploit in the wild | doctorow | News | 2 | 02-20-2009 03:38 PM |
iLiad Huge exploit found in 2.7 | arivero | iRex Developer's Corner | 86 | 11-26-2006 04:49 PM |
Adobe Acrobat subject to remote exploit | Alexander Turcic | News | 3 | 09-16-2006 05:29 AM |
Serious exploit in Greasemonkey 0.4 | Alexander Turcic | Lounge | 2 | 07-19-2005 04:59 AM |