PW5 How to create a jailbreak?

[AllanDaemon]

I got my first e-reader, a KPW5SE, 11th gen. It came with FW 5.15.1

I found out that Kindle, without jailbreak, sucks. And I'm out of the refund time...

I see that there is no jailbreak for those new versions.

I would like to, instead of I keep waiting for someone to do something, if I can help with anything.

So, how does one create a jailbreak for this version? Or is there anything I can do to help?

Background: I have a CS degree and some experience in reverse engineering binaries from when I was in high school.

[Quoth]

If you have to ask, this is the wrong place.

[CitizenStile]

Unlike Quoth, I think you are absolutely in the right place AND you have the right attitude. Unfortunately I do not have much experience myself in uncovering jailbreaks. There are a few projects that you could also help with like Mosquito which is a web app that runs in place of the amazon store and you could develop applications within that space.

[bulltricks]

Jailbreaking, or even attempting to jailbreak embedded devices is a fun challenge, and you can learn quite a bit even if you are not successful.

From my standpoint, you end up needing three pieces:
1. The exploit - this is what gets you in the door to execute arbitrary code on the device
2. The persistence - so that after reboot, your code runs ... this takes caution because if you mess this up, the device can be toast without hardware intervention (which either isn't implemented, or isn't documented) on modern Kindles. KUAL will do this piece for you, which is why you can find people with jailbroken newer versions
3. The ecosystem - Fortunately, this is largely done for you, by using the existing KUAL - but there are necessary changes as some things change (for example, the location of the signing keys)


In general, and somewhat paradoxically, the best way to jailbreak a Kindle is to start with a jailbroken kindle. Amazon's position as market leader has led to a software ecosystem that has barely budged, so you are likely to be able to get an older device at say, a thirft store, that has the old version of the firmware; or be amenable to a hardware jailbreak -- then, with proper persistence can result in having a shell on a Kindle with the newest firmware, and 'gdb'

You can also use KindleTool to rip apart the firmware files, and extract the root file system - this is a Linux system. If you look around, you can even find instructions to run this with qemu or similar

Then, it's a matter of exploit hunting, which is both fun and frustrating. A good 'start' is looking at previous jaibreak write-ups to see where people have looked, and what they found.

From a rough high level breakdown ..
1. There are the bash scripts on startup - these have been picked over fairly well, but you can still find some unexpected behavior . The days of 'simple' jailbreak here seem to be gone

2. Linux binaries - here is where you look for 'system' or 'popen' in the many many binaries - this is where Ghidra comes in, to see whether something (eg, contents of a file in the user file system) can lead to a parameter to system

3. As a special case of Linux binaries, Webkit has had many vulnerabilities, and the Kindle version tends to be out-of-date. You may be able to use an old vulnerability -- but then you need to get out of the sandbox.. LIPC (Amazon specific IPC) can be a good way to escape the sandbox (see Kindledrip)

4. Then, there are Java binaries - Java can still shell out, and many of the Java applications use files in the user accessible storage I haven't dug into this much though

5. At an even higher level, there's Javascript -- if you can get execution control (eg, Mesquito), you have access to LIPC .. There's multiple javascript wrappers on the Kindle - the wap framework (mesquite) which restricts access to the LIPC API, and then there's the Pillow framework, which can do any LIPC accesses). Then you can look through the list of LIPC calls (which you can get if you already have a shell, but people have documented many of these) to see how to get execution..

[Quoth]

And the people saying I'm wrong have how many years programming, finding vulnerabilities and then installing computer viruses, trojans and root kits?

Basically you have to be more expert and experienced than the Kindle programmers and they also have to have made mistakes. Even if you rate your time in cents per hour it's cheaper to go buy a Kobo or Android eink. Neither needs rooted / jailbroken and mostly they already do what people are using Kindle Jailbreaks for.

It's going to get harder to jailbreak a Kindle.

[JSWolf]

It's entirely possible that there could never again be a jailbreak for a Kindle with the current firmware.

Don't buy a Kindle in the hopes of jailbreaking it especially when they now come with too late a firmware version. And don't buy a Kindle if you don't like it the way it comes. It won't get any better.

[bulltricks]

Quote:

Originally Posted by Quoth

Basically you have to be more expert and experienced than the Kindle programmers and they also have to have made mistakes.

Completely disagree with you here - this is the great asymmetry of security in general. The Lab129/Kindle Programmers have to be perfect all the time, every time... and not just in their code, but with every upstream library they bring in.

Meanwhile, someone looking for an exploit just has to find one (or, for some of these, two).

Quote:

Originally Posted by JSWolf

It's entirely possible that there could never again be a jailbreak for a Kindle with the current firmware.

There are at least two jailbreak vulnerabilities in the current firmware, one of them so significant that Amazon is releasing new firmware for a 9 year old device.

With that said, the only thing that prevents new code being used for jailbreaks is feature stagnation...

Quote:

Originally Posted by JSWolf

Don't buy a Kindle in the hopes of jailbreaking it especially when they now come with too late a firmware version. And don't buy a Kindle if you don't like it the way it comes. It won't get any better.

Sadly, I have to agree with this.
Buy a kindle if you want to mess with it - you can buy them used or refurb for cheap, there's a wealth of information about the ecosystem.

Unfortunately, the choices by Amazon to make newer Kindle's disposable are incompatible with significant home brew development in the future.

[JSWolf]

But until someone finds a vulnerability and releases a hack for it, it may as well remain closed.

[Quoth]

Quote:

Originally Posted by JSWolf

It's entirely possible that there could never again be a jailbreak for a Kindle with the current firmware.

Don't buy a Kindle in the hopes of jailbreaking it especially when they now come with too late a firmware version. And don't buy a Kindle if you don't like it the way it comes. It won't get any better.

Yes.
Also I'm not against "jailbreaking" or open systems. Just trying to put some realistic points.

[Quoth]

Quote:

Originally Posted by bulltricks

Completely disagree with you here - this is the great asymmetry of security in general. The Lab129/Kindle Programmers have to be perfect all the time, every time... and not just in their code, but with every upstream library they bring in.

You didn't really read what I wrote. I wrote they have to make a mistake or mistakes.

And the Linux, libraries etc get bugs fixed.