11-24-2011, 11:35 AM | #121
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
I sent (some of) this to the IRC channel:
Although usually reserved for emergencies, many devices can get firmware replacements by the "pin-shorting" method. Connect a boot-ROM (carefully chosen) address pin to ground [at just the right time during the boot phase] to make the firmware run but fail the CRC check; the device then tries to load new firmware from a TFTP server (or serial port). Although there is a risk of damaging the Kindle (especially if you slip and short the wrong pins), I have successfully used this method to "unbrick" multiple WRT54G devices for myself and friends. This may be useful for development and testing, but is not suitable as a general method for "consumer" firmware upgrades.
Last edited by geekmaster; 11-24-2011 at 11:37 AM.
11-27-2011, 03:20 AM | #122
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
The shellcode does not have to be in the stack. It could be at any known location, called from the stack smash.
I sent links in the IRC channel that show how to embed shellcode inside a web page image so that it is not visible to the casual observer. The example images show a comparison with and without embedded shellcode. In one shellcode image, the guy has a "dirty arm". The monkey images with embedded NOP sled are impressive. Here is the link: http://www.blackhat.com/presentation...-06-Sutton.pdf
*If* you can get a web page to store its images in a known location (e.g. onscreen framebuffer RAM for a visible web page), you could jump to shellcode inside the image. I have Wikipedia moderator rights and I can load image(s) to Wikipedia without *other* moderator approval [but I have yet to try this]...
ASLR exploits: http://www.ece.cmu.edu/~dbrumley/cou.../docs/aslr.pdf
Last edited by geekmaster; 11-27-2011 at 03:47 AM.
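As a defender-side counterpart to the NOP-sled images mentioned above, here is an added example (my own code, not from this thread or the linked talk) that scans a byte buffer such as an image file for long back-to-back runs of NOP encodings; the sample buffer and the 32-byte threshold are constructed assumptions.

```python
import struct

# Real instruction encodings used as sled markers (assumption: only these three
# are checked; a real scanner would carry a larger list of NOP-equivalents).
NOP_PATTERNS = {
    "x86 nop (0x90)": b"\x90",
    "arm nop 'mov r0, r0' (0xE1A00000, little-endian)": struct.pack("<I", 0xE1A00000),
    "arm nop (0xE320F000, little-endian)": struct.pack("<I", 0xE320F000),
}


def find_sleds(buf: bytes, min_run: int = 32):
    """Return (offset, run_length, pattern_name) for every stretch of buf that
    is one NOP pattern repeated back-to-back for at least min_run bytes."""
    hits = []
    n = len(buf)
    for name, pat in NOP_PATTERNS.items():
        plen = len(pat)
        i = 0
        while i < n:
            if buf[i:i + plen] != pat:
                i += 1          # no match at this alignment; slide one byte
                continue
            start = i
            while buf[i:i + plen] == pat:
                i += plen       # extend the run while the pattern repeats
            run = i - start
            if run >= min_run:
                hits.append((start, run, name))
    return sorted(hits)


# Constructed sample: a fake image header, 256 assorted bytes, a 64-byte x86
# sled, some padding, then 20 copies of the ARM 'mov r0, r0' encoding.
SAMPLE = (b"\x89PNG" + bytes(range(256)) + b"\x90" * 64 + b"\x00" * 10
          + struct.pack("<I", 0xE1A00000) * 20 + b"trailing data")


def scan_sample():
    return find_sleds(SAMPLE)


if __name__ == "__main__":
    for off, run, name in scan_sample():
        print(f"offset {off}: {run}-byte run of {name}")
```

The single stray 0x90 inside the 256 assorted bytes is below the threshold and is correctly ignored, which is the point of requiring a minimum run length.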
11-27-2011, 10:35 AM | #123
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Shellcode jumping is not a problem, nor is making the shellcode. The problem is encoding the memory address in UTF-8, or even better, finding an exploit for the Touch.
11-27-2011, 11:14 AM | #124
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
You may need to adjust the address of the code you are jumping to with a NOP sled, if you can control the destination address (such as in the framebuffer RAM), to make it UTF-8 friendly. If you are jumping to a native instruction at a known fixed address, that may be a little harder. Due to previous messages, I suspect you are targeting an existing instruction.
If it helps, this issue of Phrack is dedicated to "Writing UTF-8 compatible shellcodes": http://www.phrack.org/issues.html?is...&id=9&mode=txt Of course, that method will need to be adapted to the ARM instruction set... [I suppose I need to get my hands on a KT to really be useful here, though.]
Last edited by geekmaster; 11-27-2011 at 11:25 AM.
11-27-2011, 11:40 AM | #125
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
11-27-2011, 07:16 PM | #126
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
You could do an automated search in an emulator, intercepting a reboot or lockup, and just systematically try all UTF-8 addresses to see if one of them gives you control. It is possible that jumping into the middle of an instruction (or data) might surprise you. Undefined instruction opcodes might be useful too. They can have undefined behavior that depends on the chip die layout (parasitic transistors, etc.), but that undefined behavior may be beneficial in this case. Or at least, a block of random code may *eventually* lead to code that does something useful. Of course, this empirical approach is a last resort, and a planned attack using known vulnerabilities should be tried first.
Undefined instructions may behave differently in a software emulator though, so an ICE (In-Circuit Emulator) is really needed to exploit them. Again, this is just another option to explore if a usable instruction sequence cannot be found at a UTF-8 compatible address. So, it appears that we are waiting for you to get your hands on a spare KT then?
Last edited by geekmaster; 11-27-2011 at 08:29 PM.
11-27-2011, 09:38 PM | #127
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
11-28-2011, 01:00 AM | #128
Junior Member
Posts: 3
Karma: 10
Join Date: Nov 2011
Device: Kindle 4
Given that I can follow some of the ideas in this thread, but that I have no actual experience with the software or the hacking, this may be a stupid question. What are the chances that Amazon actually ported an older version or special fork of Android for the Kindle Touch, if you're seeing that it's so different, in order to maintain some slight app crossover between the Kindle Touch and the Kindle Fire?
11-28-2011, 07:41 AM | #129
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
11-28-2011, 08:27 AM | #130
Junior Member
Posts: 3
Karma: 1126
Join Date: Nov 2011
Device: Kindle Touch
Donated
Just gave $5 to the "Yuifan Kindle Destruction Fund". I got no beef with Amazon selling subsidized thingymabobs, but I dislike them trying to tell me what to do with it once I own it.
Go, destroy, hack, root!
11-28-2011, 08:59 AM | #131
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
We need a sticky on the "sacrificial kindle fund", so it is more visible! The sticky should request a donation of a Kindle Touch with a broken screen, or funds to apply toward the purchase of a new Kindle Touch, for the purposes of potentially destructive investigation in pursuit of a jailbreak. It should periodically be updated to show funds collected so far, and remaining funds needed. And, of course, it needs a PayPal link like the one I posted earlier in this thread. Okay, I started a new "Kindle Touch Jailbreak Support Team" thread. Yifan: please review it and request any changes you think are necessary. I hope the extra exposure gets you a Kindle Touch ASAP.
Last edited by geekmaster; 11-28-2011 at 09:22 AM.
12-01-2011, 07:27 PM | #132
Member
Posts: 17
Karma: 1124
Join Date: Dec 2011
Device: Kindle Touch
Hello everyone.
I'm new here. I just wanted to let you know that maybe it is possible to take the storage chip out of the Kindle and somehow read it. Take a look at this link: http://www.techrepublic.com/blog/itd...ch-screen/3086 You will see the specifications of the Kindle. The Kindle has a 4GB SanDisk SDIN5C2-4G NAND flash memory module. I made a little search about this chip, and I found: http://omapworld.com/iNAND_e_MMC_4_4...ata_sheet_v1_0[1].pdf I just need to verify if it is possible to connect this chip to an external reader. This maybe can give us the whole filesystem of the Kindle. Please tell me what you think about it.
p.s: If someone knows something or has an idea, I don't mind taking apart my Kindle and trying it, even though I just got it today. I want to see it jb.
WoW !!! eMMC to MMC support 4.41 ! http://cm-tech.en.alibaba.com/produc...ion_Board.html
Last edited by ramirami; 12-01-2011 at 07:50 PM.
12-01-2011, 07:55 PM | #133
Kindle Dissector
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I thought of doing that when the Kindle 4 came out. Problem is: http://t.co/RLyydgtc
Look at the size of the chip in relation to the quarter. The solder pads are like 5 hairs thick and I don't have industrial reheating tools and prototype boards. I tried contacting the seller of that board you posted a month ago and got no response.
12-01-2011, 08:19 PM | #134
Member
Posts: 17
Karma: 1124
Join Date: Dec 2011
Device: Kindle Touch
Quote:
We must get this eMMC-to-MMC converter and see if it works. We need to see where we can get it from.
12-01-2011, 08:34 PM | #135
Member
Posts: 17
Karma: 1124
Join Date: Dec 2011
Device: Kindle Touch
Quote:
She asked me what socket type I need: AA/AB/AC/BA. I told her I will send her the datasheet of the flash chip. She also said it costs $360!!