Fake-register your Paperwhite 5.2.x to use collections and other blocked features

[Panopticon]

Amazon needlessly limits the functionality of your unregistered Kindle Paperwhite, such as disabling the Collections and Wikipedia widget features.

To unlock all of your Kindle's functionality you either have to register (and grant them access to juicy analytics) or trick the Kindle into thinking it's registered.

The following process is only for developers who are comfortable with SSH, SCP, and the possibility of bricking their devices. Someone better than myself can make this into a more streamlined process. I've only done this on my own Kindle Paperwhite Wi-Fi running 5.2.0 (1729740065).

Overview:
Like previous versions, the /var/local/java/prefs/reginfo file must be populated with your account credentials. This file can be created locally and sent to your Kindle via SSH/scp.

Unlike previous versions Amazon will remotely unregister your Kindle whenever it phones home, which happens periodically and whenever you connect to Wi-Fi. To prevent this I've added iptables rules that run as soon as an interface is brought up. Note that I've created a blacklist of individual IPs...I currently believe that this list isn't comprehensive, and more work needs to be done by developers to add to it or create a more robust solution.

Procedure:

Update:
Twobob and knc1 replied with some excellent comments on this procedure. Notably the individual IP addresses can be replaced with ranges of IPs, which will all but guarantee the device will never communicate with Amazon's update servers, and there's an existing iptables configuration file that can be used as the target for iptables-save.

I've updated the relevant steps to include these better procedures.

0. Pray to your personal God that you don't create a foolish iptables rule that locks you out of USB networking.

1. Jailbreak

2. Enable USB networking and set your SSH password

3. Go into airplane mode

4. Plug in USB and connect. You'll have to set your IP address to something in the 192.168.15.x range (not 254)

5. Create a reginfo file on your local computer that fits the following template:

Code:

#Tue Oct 09 08:30:44 GMT+12:56 2012
givenName=NAME
deviceName=NAME's Kindle
userName=RANDOM NAME
deviceEmailAddress=FAKE@EMAIL.com

6. Push this to your device over scp. The destination directory is /var/local/java/prefs/

Code:

scp reginfo root@192.168.15.254:/var/local/java/prefs/

You must also prevent your Kindle from deleting this file! (It loves to delete the fake registration information whenever it can.)

In the SSH session, run:

Code:

chmod 444 /var/local/java/prefs/reginfo
chown root:root /var/local/java/prefs/reginfo
chattr +i /var/local/java/prefs/reginfo

The chattr sets a flag that marks the file as immutable...it cannot be changed unless you run chattr -i.


7. Reboot and verify that your Kindle thinks it's registered. Don't proceed if this step doesn't work.

It's now necessary to prevent your Kindle from phoning home with Amazon's servers.

Deprecated instructions:

Spoiler:

I've determined these IPs by letting my Kindle sync and then checking its active connections...As such, I can guarantee that this isn't an inclusive list and it's probably dependent on your locale. Thus your Kindle may still spontaneously de-register until developers have fully populated this list of Amazon servers. (Alternatively, maybe we can figure out a domain to block.)

8. Enable USB networking again and SSH into the device

9. Start adding iptables rules in the shell. If at this point you totally screw up, you can reboot and your changes won't be saved.

iptables -I inserts a rule and iptables -D deletes one.

Code:

iptables -I OUTPUT -m iprange --dst-range 23.0.0.0-23.15.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 50.16.0.0-56.19.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 72.21.192.0-72.21.223.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 107.20.0.0-107.23.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 184.72.0-184.75.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 204.246.160.0-204.246.191.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 205.251.192.0-205.251.255.255 -j DROP
iptables -I OUTPUT -m iprange --dst-range 207.171.160.0-207.171.191.255 -j DROP

Thanks to knc1 and Twobob for the IP address ranges!

Deprecated instructions:

Spoiler:

Code:

iptables -I OUTPUT -d 72.21.194.114 -j DROP
iptables -I OUTPUT -d 72.21.203.200 -j DROP
iptables -I OUTPUT -d 72.21.211.191 -j DROP
iptables -I OUTPUT -d 72.21.214.149 -j DROP
iptables -I OUTPUT -d 72.21.214.150 -j DROP
iptables -I OUTPUT -d 72.21.215.58 -j DROP

These commands instruct your Kindle's firewall to silently drop all outbound requests to those destinations. Again, there may be other Amazon auth servers that will have to be discovered via trial and error.

10. Run iptables -L and verify that these entries exist. Run something like

iptables -D OUTPUT -m iprange --dst-range 207.171.160.1-207.171.191.254 -j DROP

Deprecated instructions:

Spoiler:

iptables -D OUTPUT -d 72.21.194.114 -j DROP

if you want to remove a rule.

11. In the SSH session run iptables-save (first by itself to verify that it spits out a list of rules) then run:

Code:

iptables-save > /etc/sysconfig/iptables

This produces a file that contains the current state of your firewall, and it will be automatically loaded.

Deprecated instructions:

Spoiler:

Code:

iptables-save > /etc/iptables.conf

This produces a file that contains the current state of your firewall, and can be loaded to restore this state.

We're going to instruct the Kindle to load these rules whenever it connects to a network.

12. Set the permissions on that file by running these commands in your SSH shell:

Code:

chmod 644 /etc/iptables.conf
chown root:root /etc/iptables.conf

13. Create a local file called iptables:

Code:

#!/bin/sh
         
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via a local shell.               
                            
# Paths verified only on Kindle 5.2.0			                               
RESTORE=/usr/sbin/iptables-restore                         
STAT=/bin/stat                    
IPSTATE=/etc/iptables.conf
                          
test -x $RESTORE || exit 0
test -x $STAT || exit 0   
                       
# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 0                                                 
fi      
  
# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be  
# zeroed per our previous check; but we must make sure root owns it.    
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then                
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 0                                                       
fi      
  
# Now we are ready to restore the tables
$RESTORE < $IPSTATE

14. On your local machine, use scp to push this file to the Kindle, in the directory /etc/network/if-pre-up.d/iptables:

Code:

scp iptables root@192.168.15.244:/etc/network/if-pre-up.d/

The scripts inside that directory are run whenever an interface is activated. Thus your "iptables" script will be executed automatically, and your firewall will revert to the state you've saved in /etc/iptables.conf.

Thus, you can see that if you want to make future changes to your firewall, you must update the iptables.conf file using

Code:

iptables-save > /etc/iptables.conf

15. In your SSH session, set the permissions on the iptables file:

Code:

chmod 755 /etc/network/if-pre-up.d/iptables
chown root:root /etc/network/if-pre-up.d/iptables

16. Finally, turn airplane mode off and connect to a WiFi network.

17. Verify that your Kindle still appears to be registered. If step 7 worked but your Kindle has now de-registered, it's because it's chosen a new Amazon auth server. If you wish to help this hack you may now:

a. Run

Code:

netstat -n

in your SSH session. Find any "ESTABLISHED" connections to suspicious-looking IPs.

b. Block these IP addresses with iptables. If all is well (you didn't lock yourself out) update your saved firewall rules.

c. Reboot. If it worked, please post the IP address(es) you added here!

Your Kindle now believes it's registered, and it's prevented from discovering the truth thanks to the Kindle's firewall.

[twobob]

Yeah. I spotted this hack the other day.
Nicely documented. appreciate the effort gone into that.

I would follow this up to step 8... and then maybe amend it. (notes later on this thread) you fixed it

Re the overall vibe: Not sure I, personally, 100% support it, but I couldn't say exactly why.

EDIT: Actually I can think why. Fairly certain this would only assist in the obfuscating of stolen devices. To that end I can't support it.

also: That complete range will block most everything. including the shop. just so you all know.

Well done for the hard work anyway. : )

[Panopticon]

Damn, has someone already done this? I could've saved some time

[twobob]

hmm yeah. I could go hunt it down. It wasn't as beautifully documented - nor did it have the iptables details IIRC. but in essence yes. (it might have even been via the wiki?)

But so what. nicely typed up.

ASIDE: I generally use -A for my iptables stuff.

Quote:

--append -A chain Append to chain

since the existing table is permissive rather than exclusive (but it does DROP unmatched rules obviously), the end of the chain is fine.

meh small point. horses for courses

[knc1]

There is already a table for the saved rules: /etc/sysconfig/iptables. Put your saved rules in that table, no additional scripting required.

Search for one of my early threads about "Chatty Katie" - it includes the IP ranges you want to block.

[Panopticon]

Quote:

Originally Posted by knc1

There is already a table for the saved rules: /etc/sysconfig/iptables. Put your saved rules in that table, no additional scripting required.

Search for one of my early threads about "Chatty Katie" - it includes the IP ranges you want to block.

Awesome, good tip, knc. I'll update my post as soon as I can look into that. I'm about to step out!

[twobob]

yeah - what he said.

https://www.mobileread.com/forums/sho...d.php?t=167675 is an example of handy data

and for we noobs:

Quote:

[root@kindle fonts]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:40317
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT all -- localhost.localdomain anywhere
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere localhost.localdomain

so just amend that one probably

EDIT:

Note from Knc1

Quote:

Originally Posted by knc1

<add> a note about removing that Amazon "push port" and that the very lax "ACCEPT" rule as shown for ssh should only be used with public key authentication.

So yup. The port 40317 is Amazon specific. lord only knows what it's for quite honestly. one could posit remote support. I'll leave that there. It could be nerfed easily.

The SSH rule really is a bit of a whore, IIRC Niluje has nailed has nailed it down on the device with IP -> IP rules in the config.

But if you are allowing SSH access from everywhere. think about the implications of that. Usually "No implications that matter" but that doesn't mean it never applies. A public key is a good idea and that's what I use.

Thanks Knc1

[knc1]

Quote:

Originally Posted by twobob

hmm yeah. I could go hunt it down. It wasn't as beautifully documented - nor did it have the iptables details IIRC. but in essence yes. (it might have even been via the wiki?)

But so what. nicely typed up.

ASIDE: I generally use -A for my iptables stuff.


since the table is permissive rather than exclusive, the end of the chain is fine.
meh small point. horses for courses

Don't bother - I wrote the Chatty Katie thread.
Someone else (cscat?) wrote the Kindle iptables version.
Either of those threads has the IP address ranges to block.

[knc1]

Quote:

Originally Posted by twobob

yeah - what he said.

https://www.mobileread.com/forums/sho...d.php?t=167675 is an example of handy data

Yup, that is the one for doing the blocking in your router.

But the destination IP address ranges are the same to be blocked in the Kindle's file that saves iptable rules between boots.

The path and name I posted above in **this thread** is for firmware 5.2.0

Faking out the registration file is still an addition to the old posted information.

[twobob]

"not as beautifully documeted"
Yeah, I meant the registration hack thingy I saw


This idea is a great conglomeration of TOS abusing and tin-hat ideas all-in-one though. In that way it intrigues me.

However, TO BE CLEAR: I would register my device and be done with it. end of. : )
OP can do what they want.

[knc1]

*Fixed*

[twobob]

err yeah. ACCEPT is your friend

[knc1]

Hmm...
Browsing that /etc/sysconfig/* set of files shows a few things that I will want to "personalize" if I should ever own a Kpw.

Good ol' lab126 was nice enough to put comments on the things they changed to help "lock down" this firmware image.

?? You want to harden the firmware system from end-user alteration - then include comments on what was done in the file ??
Ah, come on now, that is <deleted - its a "family" site>

[twobob]

well. I think that's very considerate of them

[knc1]

Quote:

Originally Posted by twobob

well. I think that's very considerate of them

I can almost channel down to the offices and hear that conversation's echos:

Manager, SysConfig: "I see that you have not met your quota this month."
Jr Code Cutter: "But sir, I wrote 1,996 lines of scripting."
Manager, SysConfig: "go write a few more lines of comments so we can bill this thing."

Or a situation similar to that.