Potential New Exploit For Jailbreaking?

[Bluebotlabs]

I tried to post this before but it was deleted or something, I'm not sure why? Perhaps this was misunderstood, this isn't a Jailbreak or anything that allows Piracy, it is merely a potential entrypoint which I found on the Kindle Store.

I have discovered how to modify the Kindle Store displayed on the Kindle, this means that I can inject custom HTML+JS.
You may wonder: So what? It's just a website

Well, being the Kindle Store, this actually contains many... many functions which can be used to manipulate the Kindle which are NOT available in the experimental browser.

For example, via the store, I was able to launch apps and communicate with LIPC messages to an extent, I believe that this could be the gateway to a new jailbreak

The reason I'm posting this here is because I don't really know where to go from here lol, I'm relatively new to the jailbreaking scene for Kindles and I was wondering if anyone would like to help me with this project?

See attachments for info, the applicaiton error one was an earlier version, I can now properly launch other applications

[Bluebotlabs]

I wonder if I can somehow execute code through a WAF...

[Kusuri]

how did you do it? a Man-In-The-Middle Attack by hijacking your wifi AP? hosts file? or what exactly did you do?

the question would be if the Kindle Store App / Tab has system rights or access to directorys you would need. i know / heard that a jailbreak adds developer keys to a specific file so it opens up the kindle for thirdparty code.. but since i don't know how exactly this is done someone else would have to look into this.

but the thing is - if you can just run javascript, the question is if its just in the context of a normal browser or if it is having "special" access to commands. can you give us more informations about how you did it, what you did etc?

[Bluebotlabs]

Quote:

Originally Posted by Kusuri

how did you do it? a Man-In-The-Middle Attack by hijacking your wifi AP? hosts file? or what exactly did you do?

the question would be if the Kindle Store App / Tab has system rights or access to directorys you would need. i know / heard that a jailbreak adds developer keys to a specific file so it opens up the kindle for thirdparty code.. but since i don't know how exactly this is done someone else would have to look into this.

but the thing is - if you can just run javascript, the question is if its just in the context of a normal browser or if it is having "special" access to commands. can you give us more informations about how you did it, what you did etc?

How I did it - I am keeping this private at the moment until I fine-tune it a bit more, but it is pretty unreliable at the moment and needs a bunch of network tweaks xD

Javascript - Yep, the store runs in a special context in which certain Javascript functions normally nonexistent can be used

So far I can:
- Launch apps
- Change screen orientation

Untested, but in theory I can also:
- Communicate with LIBC protocol to send messages to other processes

[Bluebotlabs]

also, this is all done on a non-jailbroken device since I am on latest firmware lol

[Bluebotlabs]

List of things I can access, still discovering what most of these are:

- version (returns 1)
- download
- dev (Device-Specific stuff such as "refresheyness" of the e-ink display
- popup
- bkgrnd
- device
- winmgrUtils
- bluetooth (Query and adjust Bluetooth settings)
- chrome (Browser specific stuff, weird that it's named chrome)
- dconfig
- nat (Query and adjust network settings)
- appmgr (Direct access to the appmgr, currently known: start(), back())
- todo (Does anyone know what this is?)
- gestures
- messaging (libc access)
- uitest
- localprefs
- storeName

I'm currently working on some JS code to properly+recursively dump more information

[Quoth]

Doesn't the Kindle Suduko also use fact that the Web browser has stuff in it so the Amazon Kindle Store works "better"?

[Bluebotlabs]

Interestingly, unless I include a large portion of the original code, the Kindle complains that the store failed to load, so it probably relies on a JS function call of sorts, I'll investigate this further but the code is heavily obfuscated so it's a pain to go through

[Bluebotlabs]

Quote:

Originally Posted by Quoth

Doesn't the Kindle Suduko also use fact that the Web browser has stuff in it so the Amazon Kindle Store works "better"?

No, the web browser itself doesn't have anything in it apart from some Kindle patches

This is specific to the store and potentially other build-in Web Applications (WAFs)
The browser normally doesn't have these JavaScript functions available to it

[luketheduke]

Quote:

Originally Posted by Kusuri

how did you do it? a Man-In-The-Middle Attack by hijacking your wifi AP? hosts file? or what exactly did you do?

IIRC, you can modify the `store.html` file (is that what its called?) located in `/mnt/us/` somewhere.

MITM would probably not work due to the kindle using HTTPS.

[luketheduke]

Quote:

Originally Posted by Bluebotlabs

I wonder if I can somehow execute code through a WAF...

Used to be able to with `nativeBridge.dbgCmd`. Removed awhile ago, though.

[Bluebotlabs]

Quote:

Originally Posted by luketheduke

IIRC, you can modify the `store.html` file (is that what its called?) located in `/mnt/us/` somewhere.

I can't say, but you're a little far off...
don't forget, I had to do a bunch of networking stuff too, but it isn't ARP spoofing

[Bluebotlabs]

Quote:

Originally Posted by luketheduke

Used to be able to with `nativeBridge.dbgCmd`. Removed awhile ago, though.

Is there any sort of WAF documentation anywhere?

[JSWolf]

Quote:

Originally Posted by Bluebotlabs

List of things I can access, still discovering what most of these are:

- version (returns 1)
- download
- dev (Device-Specific stuff such as "refresheyness" of the e-ink display
- popup
- bkgrnd
- device
- winmgrUtils
- bluetooth (Query and adjust Bluetooth settings)
- chrome (Browser specific stuff, weird that it's named chrome)
- dconfig
- nat (Query and adjust network settings)
- appmgr (Direct access to the appmgr, currently known: start(), back())
- todo (Does anyone know what this is?)
- gestures
- messaging (libc access)
- uitest
- localprefs
- storeName

I'm currently working on some JS code to properly+recursively dump more information

Could you modify things so downloads from Amazon only arrive in single file KF8 and not KFX?

[Bluebotlabs]

Quote:

Originally Posted by JSWolf

Could you modify things so downloads from Amazon only arrive in single file KF8 and not KFX?

no, that's not really how it works