Kindle 3.1 Jailbreak

I was bored one weekend and decided to jailbreak the new Kindle firmware. It was time consuming to find bugs, but not difficult. Unlike the iPhone, the Kindle doesn’t really have security. They have a verified FS and signed updates and that’s it, but I will still call my jailbreak an “exploit” just to piss you off. Previous Kindle 3 jailbreaks worked (AFAIK, I haven’t really looked into it) by tricking the Kindle into running a custom script by redirecting a signed script using a symlink. This worked because the updater scanned only “files” that do not end with “.sig” (the signature files used to validate each file). They fixed this now by scanning all non-directories that do not end with “.sig”. This is the first bug I’ve exploited. Part one is getting the files into the update, which I did by simply renaming them to “.sig” even though they’re not signature files. Part two is harder: getting the unsigned script to run.

How the Kindle updater works is that it first gets a list of all files (including files in subfolders, excluding signature files) in the update and checks each one’s signature with Amazon’s public keys. If you modify any of the scripts from a previous update, the signature is broken and the Kindle won’t run it. If you add your own scripts, you can’t sign them because you don’t have Amazon’s keys, and finding them would take more than the lifespan of the universe (SHA256 HMAC). They also use OpenSSL to check the signatures, so trying to buffer overflow or something is out of the question (or is it? I haven’t looked into it).

Afterwards, when all files are matched with their signatures and checked, the updater reads a “.dat” file which contains a list of all scripts, their MD5 hash and size (to verify; I don’t see the point since they were just signature checked. Maybe a sanity check?). It finds the “.dat” file using “find update*.dat | xargs”, which means all the .dat file has to do is start with “update” and end with “.dat”. They don’t care what is in between. Next, they read the file using “cat” and, for each entry, verify the hash and load the script. Well, conventionally, “cat” can read multiple files if more than one filename is given in the input. This means if the update*.dat file contains spaces, then “cat” will read every “filename” separated by a space.

I took a signed .dat from one of Amazon’s updates, renamed it “update loader.sig .dat” and placed my actual .dat (containing an entry for the script jailbreak.sig, a shell script renamed) in loader.sig. jailbreak.sig untars payload.sig, a renamed tgz file which contains the new keys we want to use to allow custom updates. Amazon’s updater only signature checks “update loader.sig .dat”, which is valid. Then cat tries to read the files “update”, “loader.sig”, and “.dat”, one of which exists and the others silently fail. Loader.sig points to the script jailbreak.sig, which the updater happily loads thinking it’s already been signature checked. Jailbreak.sig calls tar to extract payload.sig, copies the new keys to /etc/uks and installs an init.d script to allow reverting to Amazon’s keys for installing future updates. Now we own the system again!
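The two defects above are a textbook unquoted-filename bug plus a suffix-based trust decision: “find update*.dat | xargs cat” word-splits a manifest name that contains spaces, and a script renamed to “.sig” is never signature checked yet can still be named by the manifest. The script below is an added example written for this page, not the Kindle updater’s code. It builds a constructed staging directory, shows the naive lookup returning the contents of the wrong file, and contrasts it with a hardened lookup that expands the glob with quoting, refuses ambiguous or whitespace-bearing names, and accepts only manifest entries that are in the set of signature-verified names and do not carry the reserved “.sig” suffix. The names “loader.sig” and “update loader.sig .dat” come from the post; setup_fixture, setup_benign_fixture, naive_manifest, safe_manifest and entries_verified are hypothetical helpers, and all file contents are constructed.

```shell
#!/bin/sh
# Added example, not the Kindle updater's code. Shows why an unquoted
# "find update*.dat | xargs cat" manifest lookup is unsafe and how a hardened
# lookup behaves on the same input. All file names and contents are constructed.

# Constructed fixture: a staging directory whose manifest name has embedded
# spaces, plus a second file that one of the split-off words happens to name.
setup_fixture() {
    fx=$(mktemp -d)
    printf 'signed-entry\n' > "$fx/loader.sig"
    printf 'real-manifest\n' > "$fx/update loader.sig .dat"
    printf '%s' "$fx"
}

# Constructed benign fixture: a single, sanely named manifest.
setup_benign_fixture() {
    fx=$(mktemp -d)
    printf 'script.sh\n' > "$fx/update-kindle-3.1.dat"
    printf '%s' "$fx"
}

# Naive lookup (the pattern the post describes): xargs splits the path on
# whitespace, so cat receives three arguments instead of one. Whichever of
# them exists is read; the others fail on stderr and are ignored.
naive_manifest() {
    ( cd "$1" && find . -maxdepth 1 -name 'update*.dat' | xargs cat 2>/dev/null ) || true
}

# Hardened lookup: expand the glob with quoting so names stay intact, require
# exactly one candidate, and reject any name containing whitespace, since a
# legitimate update manifest never needs it.
safe_manifest() {
    dir=$1
    tab=$(printf '\t')
    nl='
'
    count=0
    found=''
    for f in "$dir"/update*.dat; do
        [ -e "$f" ] || continue          # an unmatched glob expands to itself
        count=$((count + 1))
        found=$f
    done
    [ "$count" -eq 1 ] || return 1       # zero or several manifests: refuse
    case $found in
        *' '*|*"$tab"*|*"$nl"*) return 1 ;;
    esac
    cat -- "$found"
}

# Hardened entry check: every script the manifest names must be one whose
# signature was actually verified (passed as the remaining arguments), and a
# name ending in ".sig" is reserved for signatures, never loaded as a script.
entries_verified() {
    manifest=$1
    shift
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in *.sig) return 1 ;; esac
        ok=0
        for v in "$@"; do
            if [ "$v" = "$entry" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || return 1
    done < "$manifest"
}

# Stand-alone demonstration on the constructed fixtures.
demo() {
    bad=$(setup_fixture)
    good=$(setup_benign_fixture)
    echo "naive lookup, spaced name : $(naive_manifest "$bad")"
    echo "safe lookup,  spaced name : $(safe_manifest "$bad" || echo REFUSED)"
    echo "safe lookup,  benign name : $(safe_manifest "$good")"
    rm -rf "$bad" "$good"
}
demo
```

“find -print0 | xargs -0” would also stop the splitting, but it is not guaranteed by POSIX sh, so the example iterates a quoted glob instead. The whitespace filter alone is not the real fix: the manifest must only be allowed to name files the updater has itself verified, and a suffix must never be the sole reason a file escapes that check, which is what entries_verified enforces.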

tl;dr:

A download to the jailbreak can be found here. Directions are provided in the readme file. Use it at your own risk (I’m not responsible if you somehow brick it) and note that it most likely will void your warranty. Make sure to uninstall all custom updates before you uninstall the jailbreak, as after uninstalling the jailbreak, you cannot run custom packages until you jailbreak again. Directions for switching between custom updates and Amazon updates can be found in the readme file.

Comments

  1. Bob

    Awesome!

    “This means if the update*.dat file contains spaces, then “cat” will read every “filename” separated by a space.” ;)

  2. […] In the constant battle of manufacturers vs. jailbreakers, the turnaround time between a new software release and a new jailbreak seems to be getting shorter and shorter. [Yifan] noticed that a recent Kindle update broke a previous method of running unsigned code and started the search for a new workaround. […]

  3. Question: have you found that the updated firmware has broken any functionality it had in the past? e.g. reading any form of book (pdf, html, txt, mobi, prc, azw, etc.) and/or accepting documents where DRM does not exist?

    thanks

  4. Nicely done! Injections like that are hacking basics, but coders are more ignorant every day, fortunately :) You spared me a few bucks to buy one.

  5. Nope, I think Amazon secretly doesn’t care for jailbreaks and such, because on the iPhone, PS3, etc., the main problem with unsigned code is piracy, but on the Kindle 1) there are hardly any pirated ebooks, and most of those are in PDF (hard to read) or ePub, and 2) people can already read DRM-free books without jailbreaking. The only reason to block jailbreaks is so users don’t do anything stupid and call Amazon for support.

  6. Seth

    I’m not sure what you mean by “there are hardly any pirated ebooks”. I have about 30,000 ebooks, and nearly half are in the Kindle .mobi format. I’ve had my Kindle for about 8 months and I have never (nor do I expect to) paid for any ebook.

  7. Kranu

    Yup, I’ve seen torrents titled “the top 1000 amazon kindle books mobi” floating around the internet with plenty of seeds/peers. I’ve never had the heart to take one though, because Amazon barely (if at all) makes any profits from the Kindle hardware itself. The company is relying on the fact that users will buy books from them; that is where they will profit. It’s just like printers: sell the printer cheap (often for under $20 if you buy it with a new computer) but make the ink super expensive. Except Amazon is less evil and sells most ebooks at a reasonable price :)

  8. Mike Frisco

    The jailbreak hurts no one. It adds features for users, hasn’t lost Amazon any money, and - most importantly - doesn’t (currently) facilitate piracy. Kindle’s open nature means you can get books from anywhere in any format, convert them, and view them. That’s by design.

    The undiscovered country here is .azw2 files - Kindle Apps. Those CANNOT be obtained through means other than Amazon directly. Amazon will not care about jailbreaks until someone figures how to pirate those.

  9. Abragan

    A clarification please - I am in Spain and use a Kindle 3 Wifi & 3G purchased from Amazon US (wasn’t allowed to purchase from UK - Amazon breaking EU trading rules?). Is this classed as a “Non-US/Canada model” or “US/Canada model”?

  10. As a matter of fact, I do know how to get the Kindle wifi chip to enter Ad-Hoc hosting mode. However, if you are talking about using the Internet for free, that is against Amazon’s terms of use, and if enough people do it, they can just delete the internet feature.

  11. Megan

    Any update on this hack? I keep getting a U007 error when I try to install it. I have version 3.1 on my Kindle. I’m trying to enable SSH access eventually, but I have not been able to successfully install this hack nor a usbnetwork hack. I’ve been using a few of the mobileread forums for instructions. Any input would be great.

  12. Anarchy99

    Any chance that you could mail me the procedure to take a K3 wifi and turn the Ad Hoc host on so I can boost my wifi signal in my house? Also, would you possibly send me a link for a UsbNetwork hack for my K3? I have been searching and cannot seem to find one anywhere.

    Thanks

  13. It’s possible to use the kindle to redirect the usbnetwork to wifi adhoc host. However, you need to compile a custom kernel with bridge and/or iptables masquerade enabled. It is also possible to set the wifi chip into master (router) mode. It’s a bit complicated, and I may write about it one day. For now, I’m afraid you can research this on your own.

  14. Giorgio

    Hi! I don’t know if you’re informed that the latest firmware (3.2.1) breaks current jailbreaking methods. I’d like to know if you’re interested in releasing a new version of your hack. Thank you!

  15. Kitri

    It’s interesting to note that there are people who are worried about how Amazon is making profits. I’m not worried at all, and if anyone would like to donate some of their pirated book collection to me they are welcome to do so. I’m a pauper compared to the mighty Amazon and I have no qualms about not buying books from them after having been tempted to buy the Kindle :)

  16. It’s not just Amazon, but the authors who write the books. Although they get paid little for ebooks, it shows support for their work, so they are encouraged to write more.

  17. Kenn R

    After fubaring my UK wifi Kindle I gratefully received another (a day later!) only to discover I couldn’t get rid of the dead poets’ society in the screensavers, yup 3.2.1 but not ad driven. Your jailbreak resolved that (thanks and kudos in equal and large but indeterminate amounts). But…

    Not a great problem, but when sorted by collections the kindle used to show (even in vanilla) the most recent books first, but no longer. Slightly annoying trying to find the last book. Is it an effect of the 3.2.1 jailbreak or the large-ish amounts of txt non-drm books I have?

    Still, thanks much for your inordinately helpful efforts.

  18. Zsolt

    Hi!

    Can you please publish the 0.3 version of the jailbreak?

    I found a how-to which included this version of your installer. Everything works fine now, but the uninstaller wasn’t packed. I would keep it for the future, in case I remove the hack. Can you please put it on your website (or mail me)?

    Many thanks for your great work!

  19. nolana

    I am new to this all, I want to know where to find free mobi files!! Someone please tell me where to go and what to do! I have looked for hours with no return. Someone please throw this dog a bone!

    ngriffin@wcsd.k12.ms.us

  20. Razvan

    Hi,

    I just got myself a KT, but I can’t download any games from Amazon because I’m not from the US. Is there any way in which I can install the free ones without having a US bank account?

    Thank you, Razvan
