How to write a jailbreak (Process, Quick Start, First Steps, etc)?

[pavel-s]

Hi,

I have a general understanding what a jailbreak actually is - as far as I can see it requires to find a vulnerability in a "binary" (or even better - in the system) that anyone can exploit (if he knows how). I also have some knowledge and experience in reverse engineering.

So, the main question is - are there any guides on MobileRead (or anywhere outside it) on how to start with writing kindle's jailbreak and where to look at? Could someone give any directions where to start? If I would be able to find a way to bypass a security in a firmware, how to integrate this knowledge with existing infrastructure (e.g. what should I do to make it possible to install KUAL, etc)?

And I know, this process requires a tremendous amount of time investment

[pavel-s]

It seems like the entry point is NiLuJe KindleTool. The quick overview of the process:

1. Download KindleTool from the snapshots page.
2. Download a firmware you are interesting in from amazon (google for kindle paperwhite 4 download update)
3. Unpack the firmware with kindletool (use "extract" command, e.g. ./kindletool extract firmware.bin firmware_unpacked)

After the extraction inside extracted folder (e.g. firmware_unpacked) you'll see the following folder structure (this is how it looks for PW4 5.12.2):

Code:

imx6sll_rex                 <- folder, containing chip firwares, etc
rootfs.img.gz               <- compressed filesystem
rootfs.img.gz.sig
update-payload.dat
update-payload.dat.sig

From here you can see into all files, folders, etc in rootfs.img.gz using any archive manager (e.g. 7z). You can also go deeper and disassemble boot images, firmwares, etc inside imx6sll_rex with any disassembler you like (e.g. IDA Pro, Radare, etc).

The forum itself contains a lot of info regarding internals of kindle software + source code for the firmware update can be downloaded from here (amazon).

For examples of how current hacks are working it's possible to unpack any hack with the same kindletool and see what is inside.

This is what I figured out so far, thanks.

[knc1]

JMTCsW:
I do not think that any of the jail breaks over the years has used the same vulnerability.
Well, other than the most general vulnerability: Lab126
<< several of my most favorite rants deleted at this point >>

• You want to have a complete Linux system from one of the more popular distributions.
  Anything else will just make your work harder and/or more confusing.
  Note: Your complete Linux system can load the Kindle's binary filesystem. It can also run ARM native code on your x86/amd64 development system.
• Additional resources:
  • KindleTool
    Required. From: NiLuJe's snapshots thread. Also available in source code form in a public repository.
  • Kindle resources
    Required. Your favorite Kindle firmware version, both binary (update_*.bin) and source code (only the public parts are posted).
  • Tools
    Your number one tool will probably be just staring off into the distance while the mind works.
    • Machine code review
      Suggested. A good tool to consider IDA Pro See: https://www.hex-rays.com/products/ida/index.shtml
    • Java bytecode review
      Suggested. Procyon Read through its Wiki page for choices. See: https://bitbucket.org/mstrobel/procy...a%20Decompiler
    • Scripting review
      Required. Get out your most powerful code documenting text processor.
      There is still a lot of readable scripting in the Kindle coding.
    • Serial port connection
      Recommended. You may never need it, but if you need it, it is already too late to install it.
    • Local networking
      Suggested. It should be possible to "net boot" the Kindle system.
• Lots of free time.
• The Amazon servers keep all prior Update_*.bin and partial source code files.
  Use them, do not Google for anything when you can get the originals from Amazon.
• Note: The 'Androidized' device/firmware combinations are still mostly unknown, the previous 'dual system boot' device/firmware combinations are better described.

[pavel-s]

That's great, thanks knc1! Could you please give links or describe a bit the process of "net boot"? Using serial port connection is also looks kind of magic for me.

[knc1]

Quote:

Originally Posted by pavel-s

That's great, thanks knc1! Could you please give links or describe a bit the process of "net boot"? Using serial port connection is also looks kind of magic for me.

Our "serial port for dummies" (or words like that) is quite complete.
Other than specifics for the "Androidized" device/firmware combinations (such as the PW4 IIRC).

A couple of years old, without specific details for a Kindle client or a non-Debian server....
The general process reads like:
https://wiki.debian.org/PXEBootInstall

Hey, You have to make this stuff up as you go along, you can't expect Amazon/Lab126 to be writing e-book tutorials.

On the subject of PW4 firmware releases (not including the initial, first shipped, release):

Code:

mszick@HP8300:/usr/local/PW4$ wget https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_paperwhite_v2_(desired version string here).bin

- - - -

mszick@HP8300:/usr/local/PW4$ ls -l
total 1522788
-rw-rw-r-- 1 mszick mszick 264050447 Nov  1  2018 update_kindle_all_new_paperwhite_v2_5.10.1.2.bin
-rw-rw-r-- 1 mszick mszick 264140829 Dec  7  2018 update_kindle_all_new_paperwhite_v2_5.10.2.bin
-rw-rw-r-- 1 mszick mszick 256324243 Mar 20  2019 update_kindle_all_new_paperwhite_v2_5.11.1.bin
-rw-rw-r-- 1 mszick mszick 257231761 May 29 04:43 update_kindle_all_new_paperwhite_v2_5.11.2.bin
-rw-rw-r-- 1 mszick mszick 258629777 Jul  5 10:52 update_kindle_all_new_paperwhite_v2_5.12.1.bin
-rw-rw-r-- 1 mszick mszick 258942008 Oct  1 05:08 update_kindle_all_new_paperwhite_v2_5.12.2.bin
mszick@HP8300:/usr/local/PW4$

That is a lot of updates for a one year old machine.
And a once every two months update schedule is a difficult thing to keep up, at least without making even one mistake that we could use.

# 16 999

[pavel-s]

Quote:

Originally Posted by knc1

Our "serial port for dummies" (or words like that) is quite complete.
Other than specifics for the "Androidized" device/firmware combinations (such as the PW4 IIRC).

A couple of years old, without specific details for a Kindle client or a non-Debian server....
The general process reads like:
https://wiki.debian.org/PXEBootInstall

Thanks for the links. Though, for someone who has little knowledge of linux internals (me included), understand "specific details for kindle" may be a hard task.

Quote:

Originally Posted by knc1

Hey, You have to make this stuff up as you go along, you can't expect Amazon/Lab126 to be writing e-book tutorials.

That would be what I call a good "customer care"

Quote:

Originally Posted by knc1

That is a lot of updates for a one year old machine.
And a once every two months update schedule is a difficult thing to keep up, at least without making even one mistake that we could use.

Yeah, especially bluetooth "stack" may be the way to go. Yesterday I reversed a bit /usr/btui - looks promising.

BTW, here is another interesting link for those are interested in this topic (kindle architecture overview, etc): Kindle Touch Hacking: The big picture | MR Wiki

Quote:

Originally Posted by knc1

# 16 999

This is quite impressive! I would prepare a bottle of champagne

[MrTick]

Personally I recommend this write-up regarding 5.6.5 jailbreak:
https://github.com/sgayou/kindle-5.6.../doc/README.md
It summarizes the jailbreak back in times when it was easy

[knc1]

Quote:

Originally Posted by MrTick

Personally I recommend this write-up regarding 5.6.5 jailbreak:
https://github.com/sgayou/kindle-5.6.../doc/README.md
It summarizes the jailbreak back in times when it was easy

Branch Delay mentioned he would do a write-up of the work he did, but I forgot to look it up.
I did just now read his link above.
He did a nice job and a lot of it is general knowledge for anyone interested.

# 17 000

[pavel-s]

Quote:

Originally Posted by MrTick

Personally I recommend this write-up regarding 5.6.5 jailbreak:
https://github.com/sgayou/kindle-5.6.../doc/README.md
It summarizes the jailbreak back in times when it was easy

Thanks a lot for the link! It's very inspiring and teaches how to think and which mindset you should have in order to make a jailbreak effectively. Must read for a quick start.

And yeah, exploiting the browser/java may be much easier than looking at BT implementation (my mistake).

[MrTick]

Quote:

Originally Posted by pavel-s

exploiting the browser/java may be much easier

Note that the browser is now sandboxed (runs in a hermetic environment) and it'll be much harder to get outside of this 'box'.

[knc1]

Here is one tool worth considering:
https://ghidra-sre.org/
Check out the 6 minute video on that page also.

Not in response to the recurring complaints of our (USA) National Security Agency getting into everyone's business...
But here they have gone "Open Source" and released their software tools in a GitHub repository.

Yes Virginia, NSA has gone open source:
https://code.nsa.gov/

(Actually, NSA has been a long time contributor to the Open Source movement, including the Linux project.)

= = = = = Later = = = = =

What could go wrong with Busybox (PW4-5.12.2)?
Not much, that should be fairly solid, if Lab126 hasn't "improved it".



Well, Phooey! That picture came out way too small...
The actual error message is:



The point is that this bit of NSA software is worth looking into, not that Lab126 managed to screw-up their build system using one of the most solid program's in OS existence.
Yeah! Lab126.

- - - - - -

And: Yes! NiLuJe, this program also de-compiles (to C).

[pavel-s]

Quote:

Originally Posted by knc1

Well, Phooey! That picture came out way too small...
The actual error message is:

@knc1, Does it mean that it can be exploited? I'm pretty new to this could you "unpack" it a bit?

The most closest I found is this "buffer overflow" chapter from "Computer Security: A Hands-on Approach"

[knc1]

Quote:

Originally Posted by pavel-s

@knc1, Does it mean that it can be exploited? I'm pretty new to this could you "unpack" it a bit?

The most closest I found is this "buffer overflow" chapter from "Computer Security: A Hands-on Approach"

I do not have the slightest idea.

I only noted that the analysis routines automatically found something very difficult to find without any help from me.
AND
It is about $2,000/year cheaper than IDA Pro.

[pavel-s]

Yeah, IDA Pro is the priciest software on the market. Binary Ninja costs 600$, while Ghidra and Radare are free. Ghidra is a bit less intuitive for me comparing to IDA Pro. It's much easier to read assembly in IDA, especially in "graph" mode. Though, generated C++ code, probably cleaner in Ghidra.

Quote:

Originally Posted by knc1

Here is one tool worth considering:
https://ghidra-sre.org/
Check out the 6 minute video on that page also.

Also, it would be great to try the "shared project" feature in Ghidra. For example, it would be possible to reverse engineer almost the entire kindle binary by multiple MobileRead users. And it may be much faster than reversing it on our own.

[knc1]

Quote:

Originally Posted by pavel-s

. . . . .

Also, it would be great to try the "shared project" feature in Ghidra. For example, it would be possible to reverse engineer almost the entire kindle binary by multiple MobileRead users. And it may be much faster than reversing it on our own.

That was one of the things that caught my eye.
Something that "we" have never done other than simple cooperation.


Another thing, Ghidra can evaluate code paths with binary comparisons.
Also, Ghidra can be scripted.
My thoughts are leading towards ::
Once a single firmware version is done in its entirety, only Ghidra scripted "next" versions have to be evaluated by a person.
Anything the "same" would only be handled by the script reporting.
Now that might be either impractical or not possible, but it is the direction of my thoughts.

Another thought to check into ::
Maybe it is possible to host the Ghidra server on one of Amazon's free, supercomputer clouds.
Ref: https://aws.amazon.com/free/?all-fre...sort-order=asc

Or maybe one of the smaller, several million core, machines:
https://www.top500.org/list/2019/06/
(Amazon has stopped listing their supercomputers on that (voluntary) list.)

PS: 500 of the top 500 machines run Linux.