Potential New Exploit For Jailbreaking?

[HackerDude]

Anyways, I just extracted the firmware and found a goldmine or information
This can do... A LOT

If anyone has WAF docs that would be nice...

Will update later

[luketheduke]

Quote:

Originally Posted by Bluebotlabs

Is there any sort of WAF documentation anywhere?

https://www.mobileread.com/forums/sh...d.php?t=180229

and

https://www.mobileread.com/forums/sh...d.php?t=195781


Unfortunately, most of it is a bit outdated.

In fact, I'm surprised that the Store app hasn't been ported to the new React Native KPP framework that Amazon has begun using.

[HackerDude]

Quote:

Originally Posted by luketheduke

Used to be able to with `nativeBridge.dbgCmd`. Removed awhile ago, though.

Actually... thinking about this it might maybe ish work, I highly doubt it though
Looking through the code dbgCmd is still kinda ish functional for debug commands but very... very nerfed (bc only debug commands)

[snake218]

Thanks for your work, I'm relatively new to the Paperwhite, recently acquired a PW3 and a PW4, sadly both with latest firmware. This new method looks promising.

[HackerDude]

Quote:

Originally Posted by snake218

Thanks for your work, I'm relatively new to the Paperwhite, recently acquired a PW3 and a PW4, sadly both with latest firmware. This new method looks promising.

Ummmm, what new method lol
Sorry to disapoint but I'm still quite far from having a full jailbreak

On the other hand, I also made a fancy launcher for web apps and I think that this new method may be able to do a few of the things that people mainly use jailbreaks for

At the moment my main priority is:
- Making it persistent (store has a habit of updating xD)
- Diescting the code more to understand what causes the loading error
- Implementing a back button (this is not a joke I have to reboot every time I do something dumb)

[luketheduke]

Quote:

Originally Posted by Bluebotlabs

- Implementing a back button (this is not a joke I have to reboot every time I do something dumb)

You might be able to setup a back button with this.

[HackerDude]

Quote:

Originally Posted by luketheduke

You might be able to setup a back button with this.

Well... that was easy lol (I mean, I haven't tried it yet...)

I think the end-goal of this won't be a full jailbreak for now since command execution is... "hard" (I still can't do it lol)
But once I crack persistence I should be able to replace the store entirely... fullscreen KWebBrew with WAF support anyone?

[HackerDude]

Btw, doing some digging I was able to find the following methods in window.nativeBridge:

Code:

accessHasharrayProperty
cancelPendingDismiss
createFlashTrigger
clearFlashTrigger
dbgCmd
devcapInitialize
devcapIsAvailable
devcapGetInt
devcapGetString
dismissChrome
dismissMe
flash
getAppId
getDynamicConfigValue
getIntLipcProperty
getScreenSize
getStringLipcProperty
getVisibilityEvents
getWindowPosition
hideKb
hideMe
isBricked
isMaxPasswordAttemptPolicyEnabled
logDbg
logDbgNum
logInfo
logString
logTime
logWarn
logError
messagePillowCase
raiseChrome
redraw
registerClientParamsCallback
registerEventsWatchCallback
setAcceptFocus
setIntLipcProperty - nativeBridge.setLipcProperty("com.lab126.system", "deviceLocaleSelected", "");
setLipcProperty
setWindowPosition
setWindowSize
setWindowTitle
showDialog
showKb
showMe
subscribeToEvent

along with some wierd stuff with:

Code:

debugFormat
createDebugBridge

also for lipc stuff

Code:

setIntLipcProperty
getIntLipcProperty
getStringLipcProperty
accessHasharrayProperty

finally some additional functions that aren't above:

Code:

checkFileFlag(filename) - Checks if file exists
sendLipcEvent - nativeBridge.sendLipcEvent("com.lab126.pillow","bootSplashInit", "");
recordDeviceMetric - nativeBridge.recordDeviceMetric("com.lab126.oobe", "changeLocale", that.selectedLanguageWidget.id, 1, 0, METRIC_PRIORITY_LOW, METRIC_TYPE_COUNTER);
deleteDemoModeFlagFile() - No arguments, delete demo mode file

There's so much stuff too scattered around the forum and firmware
Honestly, the number of functions is insane, and this isn't even all of them lol

don't even ask me what isBricked is supposed to be for...

[HackerDude]

Quote:

Originally Posted by luketheduke

https://www.mobileread.com/forums/sh...d.php?t=180229

and

https://www.mobileread.com/forums/sh...d.php?t=195781


Unfortunately, most of it is a bit outdated.

In fact, I'm surprised that the Store app hasn't been ported to the new React Native KPP framework that Amazon has begun using.

Ah! I didn't see your message burried under the rest, this is SUPER useful, thanks! IMO, I don't think Kindle's will ever use React Native, or any form of React for that matter since the webkit engine is too old (React Native needs an actual rendering engine just like React does)
And even if they somehow update that, it'll break compatability with old devices

Also, I'm pretty sure lab126's devs are pretty used to coding in pre-ES5 era by now

[luketheduke]

Quote:

Originally Posted by Bluebotlabs

IMO, I don't think Kindle's will ever use React Native, or any form of React for that matter since the webkit engine is too old (React Native needs an actual rendering engine just like React does)

Actualy, the home screen and settings app are written in React Native.

Amazon introduced this when they began rolling out the UI update a bit ago.

In fact, I was able to run my own React Native by bundles copying the executable and patching out the bundle name to point to my own. It seems Amazon has built a whole UI framework for there Kindles in React Native.

Check this out.

In 5.14.xx they removed the `/app/demoApp/` folder that contained some of the code, but it's easy enough to add back by extracting it from the earlier updates.

EDIT:
ReactJS also runs in the Webkit Browser. https://github.com/ngxson/hobby-kindle-waf

[luketheduke]

Does staying in airplane mode fix persistence?

[HackerDude]

Quote:

Originally Posted by luketheduke

Does staying in airplane mode fix persistence?
.

hahahahaha lol no, if only...
the store won't launch AT ALL with airplane mode, I have a custom network setup stopping it from connecting which seems to work

I think it should be possible to disable this check... maybe...


Luckily it works without being connected to WiFi too
Right now I'm just trying to figure out how much of the original code I can purge before it complains (which it does lol)

[HackerDude]

Quote:

Originally Posted by luketheduke

Actualy, the home screen and settings app are written in React Native.

Amazon introduced this when they began rolling out the UI update a bit ago.

In fact, I was able to run my own React Native by bundles copying the executable and patching out the bundle name to point to my own. It seems Amazon has built a whole UI framework for there Kindles in React Native.

Check this out.

In 5.14.xx they removed the `/app/demoApp/` folder that contained some of the code, but it's easy enough to add back by extracting it from the earlier updates.

EDIT:
ReactJS also runs in the Webkit Browser. https://github.com/ngxson/hobby-kindle-waf

!!!
That's pretty cool!
Do you know where I can find the homescreen etc source in an update file? I've checked in a few locations already...

[HackerDude]

Quote:

Originally Posted by luketheduke

Actualy, the home screen and settings app are written in React Native.

Amazon introduced this when they began rolling out the UI update a bit ago.

In fact, I was able to run my own React Native by bundles copying the executable and patching out the bundle name to point to my own. It seems Amazon has built a whole UI framework for there Kindles in React Native.

Check this out.

In 5.14.xx they removed the `/app/demoApp/` folder that contained some of the code, but it's easy enough to add back by extracting it from the earlier updates.

EDIT:
ReactJS also runs in the Webkit Browser. https://github.com/ngxson/hobby-kindle-waf

btw, it was actually in /app/tools/
the entire tools dir was removed in newer updates

Also, it's nice to see that kterm was used by the developers XD
or maybe it was made by them... /j

[HackerDude]

Quote:

Originally Posted by luketheduke

Actualy, the home screen and settings app are written in React Native.

Amazon introduced this when they began rolling out the UI update a bit ago.

Do you by any chance know the last firmware version that did not use React Native?