Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 11-24-2011, 11:35 AM   #121
geekmaster
Carpe diem, c'est la vie.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
I sent (some of) this to the IRC channel:

Although usually reserved for emergencies, many devices can get firmware replacements by the "pin-shorting" method. Connect a boot-rom (carefully chosen) address pin to ground [at just the right time during the boot phase], to make the firmware run but fail CRC check, then device tries to load new firmware from a TFTP server (or serial port).

Although there is a risk of damaging the kindle (especially if you slip and short the wrong pins), I have successfully used this method to "unbrick" multiple WRT54G devices for myself and friends.

This may be useful for development and testing, but is not suitable as a general method for "consumer" firmware upgrades.

Last edited by geekmaster; 11-24-2011 at 11:37 AM.
geekmaster is offline   Reply With Quote
Old 11-27-2011, 03:20 AM   #122
geekmaster
Carpe diem, c'est la vie.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
The shellcode does not have to be in the stack. It could be at any known location, called from the stack smash.

I sent links in the IRC channel that show how to embed shellcode inside a web page image so that it is not visible to the casual observer. The example images show a comparison with and without embedded shellcode. In one shellcode image, the guy has a "dirty arm". The monkey images with embedded NOP Sled are impressive. Here is the link:
http://www.blackhat.com/presentation...-06-Sutton.pdf

*If* you can get a webpage to store its images into a known location (e.g. onscreen framebuffer RAM for visible web page), you could jump to shell code inside the image. I have wikipedia moderator rights and I can load image(s) to wikipedia without *other* moderator approval [but I have yet to try this]...

ASLR exploits:
http://www.ece.cmu.edu/~dbrumley/cou.../docs/aslr.pdf

Last edited by geekmaster; 11-27-2011 at 03:47 AM.
geekmaster is offline   Reply With Quote
Advert
Old 11-27-2011, 10:35 AM   #123
yifanlu
Kindle Dissector
yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Shellcode jumping is not a problem nor is making the shellcode. The problem is encoding memory address in utf-8 or even better finding an exploit for the touch.
yifanlu is offline   Reply With Quote
Old 11-27-2011, 11:14 AM   #124
geekmaster
Carpe diem, c'est la vie.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
You may need to adjust the address of the code you are jumping to with a nop sled, if you can control the destination address (such as in the framebuffer RAM), to make it utf-8 friendly. If you are jumping to a native instruction at a known fixed address, that may be a little harder. Due to previous messages, I suspect you are targetting an existing instruction.

If it helps, this issue of Phrack is dedicated to "Writing UTF-8 compatible shellcodes":
http://www.phrack.org/issues.html?is...&id=9&mode=txt

Of course, that method will need to be adapted to the ARM instruction set...

[I suppose I need to get my hands on a KT to really be useful here, though.]

Last edited by geekmaster; 11-27-2011 at 11:25 AM.
geekmaster is offline   Reply With Quote
Old 11-27-2011, 11:40 AM   #125
yifanlu
Kindle Dissector
yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
Originally Posted by geekmaster View Post
You may need to adjust the address of the code you are jumping to with a nop sled, if you can control the destination address (such as in the framebuffer RAM), to make it utf-8 friendly. If you are jumping to a native instruction at a known fixed address, that may be a little harder. Due to previous messages, I suspect you are targetting an existing instruction.

If it helps, this issue of Phrack is dedicated to "Writing UTF-8 compatible shellcodes":
http://www.phrack.org/issues.html?is...&id=9&mode=txt

Of course, that method will need to be adapted to the ARM instruction set...

[I suppose I need to get my hands on a KT to really be useful here, though.]
Thanks, but again, I don't need help with the shell code. It's easy writing utf-8 shellcode when compared to memory address. We need to find a memory address that 1) does what we want it to do and 2) can be utf-8 encoded. Meanwhile, all that is on hold, because if I find an exploit on the Kindle touch, it would work on the Kindle 4. But not the other way around.
yifanlu is offline   Reply With Quote
Advert
Old 11-27-2011, 07:16 PM   #126
geekmaster
Carpe diem, c'est la vie.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
You could do an automated search in an emulator, intercepting a reboot or lockup, and just systematically try all utf-8 addresses to see if one of them gives you control. It is possible that jumping into the middle of an instruction (or data) might surprise you. Undefined instruction opcodes might be useful too. They can have undefined behavior that depends on the chip die layout (parasitic transistors, etc.), but that undefined behavior may be beneficial in this case. Or at least, a block of random code may *eventually* lead to code that does something useful. Of course, this empirical approach is a last resort, and a planned attack using known vulnerabilities should be tried first.

Undefined instructions may behave different in an software emulator though, so an ICE (In-Circuit Emulator is really needed to exploit them). Again, this is just another option to explore if a usable instruction sequence cannot be found at a utf-8 compatible address.

So, it appears that we are waiting for you to get your hands on a spare KT then?

Last edited by geekmaster; 11-27-2011 at 08:29 PM.
geekmaster is offline   Reply With Quote
Old 11-27-2011, 09:38 PM   #127
yifanlu
Kindle Dissector
yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
Originally Posted by geekmaster View Post
You could do an automated search in an emulator, intercepting a reboot or lockup, and just systematically try all utf-8 addresses to see if one of them gives you control. It is possible that jumping into the middle of an instruction (or data) might surprise you. Undefined instruction opcodes might be useful too. They can have undefined behavior that depends on the chip die layout (parasitic transistors, etc.), but that undefined behavior may be beneficial in this case. Or at least, a block of random code may *eventually* lead to code that does something useful. Of course, this empirical approach is a last resort, and a planned attack using known vulnerabilities should be tried first.

Undefined instructions may behave different in an software emulator though, so an ICE (In-Circuit Emulator is really needed to exploit them). Again, this is just another option to explore if a usable instruction sequence cannot be found at a utf-8 compatible address.

So, it appears that we are waiting for you to get your hands on a spare KT then?
Basically. I need a nand dump before I can do any more. I thought the Touch and the Kindle 4 would be similar but I was wrong, they are more different than K4 and K3. Different binaries, different libraries, and different java frameworks. Everything.
yifanlu is offline   Reply With Quote
Old 11-28-2011, 01:00 AM   #128
theholyraptor
Junior Member
theholyraptor began at the beginning.
 
Posts: 3
Karma: 10
Join Date: Nov 2011
Device: Kindle 4
Given I can follow some of the ideas in this thread, but that I have no actual experience with the software or the hacking, this may be a stupid question. What are the chances that Amazon actually ported an older version or special fork of Android for the Kindle touch if you're seeing that it's so different, in order to maintain some slight app cross over between the Kindle Touch and the Kindle fire?
theholyraptor is offline   Reply With Quote
Old 11-28-2011, 07:41 AM   #129
yifanlu
Kindle Dissector
yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
Originally Posted by theholyraptor View Post
Given I can follow some of the ideas in this thread, but that I have no actual experience with the software or the hacking, this may be a stupid question. What are the chances that Amazon actually ported an older version or special fork of Android for the Kindle touch if you're seeing that it's so different, in order to maintain some slight app cross over between the Kindle Touch and the Kindle fire?
Well, anything could be possible, but we have the source code for the open bootloader and kernel and they're much like the other kindles than android.
yifanlu is offline   Reply With Quote
Old 11-28-2011, 08:27 AM   #130
gnurkel
Junior Member
gnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheesegnurkel can extract oil from cheese
 
Posts: 3
Karma: 1126
Join Date: Nov 2011
Device: Kindle Touch
Donated

Just gave $5 to the "Yuifan Kindle Destruction Fund". I got no beef with Amazon selling subsidized thingymabobs, but I dislike them trying to tell me what to do with it once I own it.

Go, destroy, hack, root!
gnurkel is offline   Reply With Quote
Old 11-28-2011, 08:59 AM   #131
geekmaster
Carpe diem, c'est la vie.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Talking

Quote:
Originally Posted by gnurkel View Post
Just gave $5 to the "Yuifan Kindle Destruction Fund". I got no beef with Amazon selling subsidized thingymabobs, but I dislike them trying to tell me what to do with it once I own it.

Go, destroy, hack, root!
Thanks gnurkel!

We need a sticky on the "sacrificial kindle fund", so it is more visible!

The sticky should request a donation of a kindle touch with a broken screen, or funds to apply toward the purchase of a new kindle touch, for the purposes of potentially destructive investigation in pursuit of a jailbreak. It should peridiocally be updated to show funds collected so far, and remaining funds needed. And, of course, it needs a paypal link like the one I posted earlier in this thread.

Okay, I started a new "Kindle Touch Jailbreak Support Team" thread. Yifan: please review it and request any changes you think are necessary. I hope the extra exposure gets you a Kindle Touch ASAP.

Last edited by geekmaster; 11-28-2011 at 09:22 AM.
geekmaster is offline   Reply With Quote
Old 12-01-2011, 07:27 PM   #132
ramirami
Member
ramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheese
 
Posts: 17
Karma: 1124
Join Date: Dec 2011
Device: Kindle Touch
Hello everyone.
I'm new here.
I just wanted to let you know that maybe it is possible to took the storage chip of the Kindle and some how to read it.
Take a look in this link:
http://www.techrepublic.com/blog/itd...ch-screen/3086

You will see the specifications of Kindle.
Kindle has 4GB SanDisk SDIN5C2-4G NAND Flash memory module

I made a little search about this chip, i found:

http://omapworld.com/iNAND_e_MMC_4_4...ata_sheet_v1_0[1].pdf

I just need to verify if it is possible to connect this chip to external reader.

This maybe can give us all the filesystem of kindle.

Please tell me what do you think about it.

p.s: If someone knows something or have an idea, I don't care to take apart my Kindle and try it even I just got it today. I want to see it jb.


WoW !!!

eMMC to MMC support 4.41 !

http://cm-tech.en.alibaba.com/produc...ion_Board.html

Last edited by ramirami; 12-01-2011 at 07:50 PM.
ramirami is offline   Reply With Quote
Old 12-01-2011, 07:55 PM   #133
yifanlu
Kindle Dissector
yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.yifanlu ought to be getting tired of karma fortunes by now.
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I thought it doing that when the kindle 4 came out. Problem is: http://t.co/RLyydgtc

Look at the size of the Chip in relation to the quarter. The solder pads are like 5 hairs thick and I don't have industrial reheating tools and prototype boards. I tried contacting the seller of that board you posted a month ago and got no response.
yifanlu is offline   Reply With Quote
Old 12-01-2011, 08:19 PM   #134
ramirami
Member
ramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheese
 
Posts: 17
Karma: 1124
Join Date: Dec 2011
Device: Kindle Touch
Quote:
Originally Posted by yifanlu View Post
I thought it doing that when the kindle 4 came out. Problem is: http://t.co/RLyydgtc

Look at the size of the Chip in relation to the quarter. The solder pads are like 5 hairs thick and I don't have industrial reheating tools and prototype boards. I tried contacting the seller of that board you posted a month ago and got no response.
Okey so basically you have disoldered chip.

We must get this emmc2mmc converter and see if it works.
we need to see where can we get it from.
ramirami is offline   Reply With Quote
Old 12-01-2011, 08:34 PM   #135
ramirami
Member
ramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheeseramirami can extract oil from cheese
 
Posts: 17
Karma: 1124
Join Date: Dec 2011
Device: Kindle Touch
Quote:
Originally Posted by yifanlu View Post
I thought it doing that when the kindle 4 came out. Problem is: http://t.co/RLyydgtc

Look at the size of the Chip in relation to the quarter. The solder pads are like 5 hairs thick and I don't have industrial reheating tools and prototype boards. I tried contacting the seller of that board you posted a month ago and got no response.
Dude I called them and I talked with someone.
She asked me what is the socket type I need:
AA/AB/AC/BA
I told her I will send her the datasheet of the flash drive.
She also said it costs 360$ !!
ramirami is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
No Progress bar on the Touch... grizedale Amazon Kindle 13 09-29-2011 05:02 PM
Questions about jailbreaking a Kindle 3 daviesgeek Kindle Developer's Corner 0 09-13-2011 02:09 PM
Touch screen vs keyboard e-ink only Zarich Which one should I buy? 24 03-05-2011 06:47 AM
Which Kindle do I need for jailbreaking? chas0039 Kindle Developer's Corner 6 11-10-2010 10:04 PM


All times are GMT -4. The time now is 10:36 PM.


MobileRead.com is a privately owned, operated and funded community.