Potential New Exploit For Jailbreaking?

[luketheduke]

Quote:

Originally Posted by Bluebotlabs

Do you by any chance know the last firmware version that did not use React Native?

All versions above 5.13.7 use React Native code. It was included as a part of the new UI update. The `tools` folder was removed in 5.14 IIRC.

Why do you need to know?

[HackerDude]

Quote:

Originally Posted by luketheduke

All versions above 5.13.7 use React Native code. It was included as a part of the new UI update. The `tools` folder was removed in 5.14 IIRC.

Why do you need to know?

Oh cool, thanks!
I want to see the JS source for the Home Screen and settings so that I can look at more examples of pillow function calls

[HackerDude]

Dangit, it's made in Java lol

well I suppose I can probalby get a bit of info from it :\
The problem with the React Native ones is that they're virtually impossible to decompile back into JS because they use Hermes which compiles it into bytecode

[luketheduke]

Quote:

Originally Posted by Bluebotlabs

Dangit, it's made in Java lol

well I suppose I can probalby get a bit of info from it :\
The problem with the React Native ones is that they're virtually impossible to decompile back into JS because they use Hermes which compiles it into bytecode

Had the same problem. This helped a lot.

Also, 5.13.7 contained some uncompiled javascript and examples in `/app/tools/demoApp/js/demoApp.js`.

Quote:

Originally Posted by Bluebotlabs

Oh cool, thanks!
I want to see the JS source for the Home Screen and settings so that I can look at more examples of pillow function calls

Unfortunately, the JS probably doesn't actually call the pillow functions, but the React Native `Native Modules.`

Not 100% sure though.

[RuggedPineapple]

Quote:

Originally Posted by Bluebotlabs

- chrome (Browser specific stuff, weird that it's named chrome)

Not weird at all. Chrome in terms of web browsers in a term that dates back to the 90s and was around long before Google was, even pre-firefox Mozilla had options that began with chrome.(whatever) for visual tweaks. The Chrome browser was named after the phrase, not the other way around. Chrome is what browser developers call the UI of the browser thats not the actual web page being displayed but the core app. All the bars at top and bottom, buttons, toolbars added it... When Chrome launched it was not uncommon to see a third of the screen taken up with browser chrome. The browser name is because its first big innovation, before even javascript compilation, was its stripped down, minimalist UI that left so much more space for the content.

[luketheduke]

Quote:

Originally Posted by RuggedPineapple

Not weird at all. Chrome in terms of web browsers in a term that dates back to the 90s and was around long before Google was, even pre-firefox Mozilla had options that began with chrome.(whatever) for visual tweaks. The Chrome browser was named after the phrase, not the other way around. Chrome is what browser developers call the UI of the browser thats not the actual web page being displayed but the core app. All the bars at top and bottom, buttons, toolbars added it... When Chrome launched it was not uncommon to see a third of the screen taken up with browser chrome. The browser name is because its first big innovation, before even javascript compilation, was its stripped down, minimalist UI that left so much more space for the content.

Thanks for this!
I guess you learn something new every day!

[avni]

this seems promising hopefully you will make the full jailbreak. Just wondering
will this work in 5.15.11 since this seems to be the most promising idea for a jailbreakon 5.15.11

[HackerDude]

Quote:

Originally Posted by avni

this seems promising hopefully you will make the full jailbreak. Just wondering
will this work in 5.15.11 since this seems to be the most promising idea for a jailbreakon 5.15.11

I recently got a Kindle Paperwhite 11th gen, can confirm it works on 5.15.11

I plan on releasing this (soon-ish) (by August at the LATEST)

It DOES NOT allow for direct code execution or piracy

However, it does let you create cool homebrew for Kindles, similar to how KWebBrew does, the installation process has been extensively streamlined from the early days of unplugging your router halfway through the load

[HackerDude]

Quote:

Originally Posted by avni

this seems promising hopefully you will make the full jailbreak. Just wondering
will this work in 5.15.11 since this seems to be the most promising idea for a jailbreakon 5.15.11

Also one more thing, whilst this does not currently allow for a full jailbreak, it may be a path to code execution

More research is definitely needed...

[bulltricks]

Can this method access the content database at http://localhost:9101 ?
Or is there a CORS or similar that blocks localhost ports?

[HackerDude]

Quote:

Originally Posted by bulltricks

Can this method access the content database at http://localhost:9101 ?
Or is there a CORS or similar that blocks localhost ports?

I believe it can
If you could give me any info on how the content database works that would be great! Since I'm not too sure myself how it works, etc

[snake218]

Quote:

Originally Posted by Bluebotlabs

I recently got a Kindle Paperwhite 11th gen, can confirm it works on 5.15.11

I plan on releasing this (soon-ish) (by August at the LATEST)

It DOES NOT allow for direct code execution or piracy

However, it does let you create cool homebrew for Kindles, similar to how KWebBrew does, the installation process has been extensively streamlined from the early days of unplugging your router halfway through the load

Great news! Thanks for your effort.
Sorry if is a dumb question, this will allow install koreader?
Thanks.

[HackerDude]

Quote:

Originally Posted by snake218

Great news! Thanks for your effort.
Sorry if is a dumb question, this will allow install koreader?
Thanks.

Unfortunately not, this isn't an actual jailbreak, it's just somewhat similar to one

[GeorgeYellow]

So I think I understand parts of this, from your description.

There are cached entries in

Code:

.active_content_sandbox/store/resource/LocalStorage/https_www.amazon.com_0.localstorage

To actually use try this you need a special captive portal.
It needs to answer

Code:

/kindle-wifi/wifistub-eink.html

with an HTML file that contains the magic string

Code:

81ce4465-7167-4dcb-835b-dcc9e44c112a

.
Everything else is ignored.

If you don't have this string, it triggers captive portal detection, and you can't actually access the store.

However, with all this, I've only gotten to replace the store a handful of times..

1. There seems to be another cache (?), so the only sure way to see an update is to reboot!?!
2. Each time, I've found I need to update the cache times (to be later than the internal cache)
3. I wasn't able to inject pages that aren't elsewhere - eg, I can't add the KU advertisement page ("/kindle-dbs/hz/subscribe/ku" ) - but it still displays top bar
4. Webkit seems to be very sensitive to errors - if there's a javascript error, you see nothing?

Aside from the caching and the rebooting, you know Amazon is going to fix the "bouncing on the \"bed\" " bug.

[HackerDude]

Quote:

Originally Posted by GeorgeYellow

So I think I understand parts of this, from your description.

There are cached entries in

Code:

.active_content_sandbox/store/resource/LocalStorage/https_www.amazon.com_0.localstorage

To actually use try this you need a special captive portal.
It needs to answer

Code:

/kindle-wifi/wifistub-eink.html

with an HTML file that contains the magic string

Code:

81ce4465-7167-4dcb-835b-dcc9e44c112a

.
Everything else is ignored.

If you don't have this string, it triggers captive portal detection, and you can't actually access the store.

However, with all this, I've only gotten to replace the store a handful of times..

1. There seems to be another cache (?), so the only sure way to see an update is to reboot!?!
2. Each time, I've found I need to update the cache times (to be later than the internal cache)
3. I wasn't able to inject pages that aren't elsewhere - eg, I can't add the KU advertisement page ("/kindle-dbs/hz/subscribe/ku" ) - but it still displays top bar
4. Webkit seems to be very sensitive to errors - if there's a javascript error, you see nothing?

Aside from the caching and the rebooting, you know Amazon is going to fix the "bouncing on the \"bed\" " bug.

Interesting method, Mesquito, as I'm calling it does not utilise the captive portal, this is an interesting method though.

I am aware that Amazon can, and will probably fix it withing weeks, or even days of release, but as it is literally NOT a security threat in my opinion it would only be spiting the community

Mesquito itself has safeguards for a lot of the issues with direct cache replacement