Kindle Touch (5.0) Jailbreak/Root and SSH

Update: Kindle 5.0.3 has fixed the hole used by this jailbreak. Upgrading an already jailbroken Kindle Touch is fine, as the update does not remove the custom key that allows custom packages. If you are on 5.0.3 and have not already installed the key, there is a new jailbreak.

So, long story short, we can run custom code on the Kindle Touch now, but because the operating system has changed so much since the Kindle 3, most Kindle modifications will not run without changes. I hope developers will jump to this device now that it’s unlocked. See the bottom of the post for download links; directions for use are in the readme. Keep reading for the technical details of how this came about.

Obtaining the root image
Before we can look for vulnerabilities in the system that would allow us to break in, we need to break into the system and obtain the files that might contain vulnerabilities. Yes, this is a chicken-and-egg problem, but fortunately Amazon is nice enough to help us with this. Every Kindle device has a TTL serial port; I found it on the bottom of the device when the cover is opened. Fortunately, I did not even have to mess with it, as hondamarlboro and ramirami both managed to get the dump before me. Once we had the root image, it was only a matter of painstakingly looking through all the files for possible injection vectors.

Looking for the needle

At first, I was digging deep into the system, disassembling and mapping out various native libraries, looking for stack overflows (I found a couple, but none could be accessed efficiently). I found the bootloader was unlocked, but it would be a pain and a danger for users (and even developers) to flash custom kernels and such. I also found that the Java code (the Kindle’s entire GUI is written in Java) is NOT obfuscated (which means it would be easier to reverse and later modify), and Amazon has left in many places to add plugins. For example, once someone has the time to figure things out, it would be very possible to write an EPUB extension to read EPUBs from the native reader. There are some other hidden secrets in the device too. The Kindle Touch has an accelerometer and a proximity sensor (and a mic, but we knew that), but they aren’t used in the software (yet).

The more I looked into the system, the more I realized that because it was such a huge rewrite, I had misjudged when I assumed it would be harder to break, given that Amazon had had years to fix the old holes. In fact, I would have said that the Kindle 4 is more secure, until I found out that Amazon had left SSH in its diagnostics mode. Anyway, as I searched up the complexity chain from the bootloader to the kernel to the libraries to the Java interface, I found something very curious. Much of the operating system is no longer written in Java, but in HTML5 and JavaScript. In fact, many of the interfaces on the Touch are actually web pages in disguise, for example the password entry screen, the search bar, the browser (which is just an HTML page with a frame), the Wi-Fi selection screen, and even the music player. Obviously, these can’t all run natively in HTML and JS, or the device would be even slower (and it is pretty damn slow). What Amazon did is write a couple of JavaScript hooks that are implemented by native libraries; events are read by these libraries, which then perform actions accordingly.

In short, JavaScript will run native code. This is a goldmine; there could be many possible ways of using this to our advantage: buffer overflows, heap overflows, string formatting bugs, etc. However, I didn’t have to look through much before I found a curious function: nativeBridge.dbgCmd();. It seems too good to be true. This function takes any shell command and runs it (as root). Yup. The web browser will run, as root, any command given to it. Don’t go looking for remote code execution yet (although it is highly possible), as the native bridge seems to be disabled when in web browser mode (it may be possible to bypass this, but I haven’t looked into it).

Calling the debug function

So the normal browser (the one you can enter URLs into) can’t make use of this native bridge. However, as I’ve mentioned, a large part of the GUI in the Kindle Touch is HTML and JavaScript. All we need to do is inject some HTML into one of these pages and we would be all set. We need something that takes input and displays it to the user. The first thing I thought of was the media player. The Kindle displays the song title, artist, and album name in the music player, so what if we put some HTML into the ID3 tag? Yup, it works. How about some JavaScript? Running. Let’s try to call the debug function. It works. Well, that was a freebie.

Having some fun

That was a bit too easy, and I was disappointed that I didn’t get to talk about how I whipped out IDA Pro and did some master debugging. So, let’s make things harder. We can use an MP3 with custom ID3 tags to execute any command, but how can we make this into a cool one-click solution? First of all, we should limit ourselves to one file to copy. Why make the user keep track of MP3s and shell scripts and where to put them? I took the shell script payload (which installs a developer key into the device so custom packages can be installed) and placed it in the comment field of the MP3’s ID3 tag. Then I used “dd” to extract the script, chmod it, and execute it. The next problem, in terms of user friendliness, is how to let the user know that the process was successful. I quickly whipped up an awesome-looking “splash screen” and planned on displaying it while the magic is taking place. At first I tried to encode it into a variable in the shell script payload and extract it, but that was too slow and memory intensive. Instead, I took the raw image and appended it to the end of the MP3 (after all, the file was a bit too small). You can see the result in the video attached.
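Both tricks above (metadata from an MP3 rendered straight into the music player’s HTML, and a script body carried in the tag’s comment field) come down to the same root cause: file metadata was treated as trusted markup. The Python below is an added example written for this post, not code from the original post or from the Kindle firmware. It parses a constructed ID3v2.3 tag, renders the “now playing” fields the unsafe way (string concatenation) beside the escaped way, and flags frames whose text looks like markup or a script. The frame layout follows the ID3v2 specification; the sample tag, the `render_now_playing` markup and the detection heuristic in `suspicious_frames` are assumptions made for the example.

```python
import html
import re
import struct

# Text encodings named by the first byte of an ID3v2 text frame body.
_ENCODINGS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}


def _syncsafe(n: int) -> bytes:
    """Encode a 28-bit length in the 4-byte 'syncsafe' form ID3v2 headers use."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def _unsyncsafe(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _frame(fid: bytes, body: bytes) -> bytes:
    """ID3v2.3 frame: 4-byte id, 4-byte big-endian size, 2 flag bytes, then the body."""
    return fid + struct.pack(">I", len(body)) + b"\x00\x00" + body


def build_sample_tag() -> bytes:
    """Constructed test input (not a real file): a v2.3 tag with a plain title,
    an artist field carrying markup, and a COMM frame carrying a shell script."""
    frames = (
        _frame(b"TIT2", b"\x00Plain Title")                        # 0x00 = ISO-8859-1 text
        + _frame(b"TPE1", b"\x00<i onload=go()>Artist</i>")
        + _frame(b"COMM", b"\x00eng\x00#!/bin/sh\necho payload")  # lang 'eng', empty description
    )
    return b"ID3\x03\x00\x00" + _syncsafe(len(frames)) + frames


def _decode_text(fid: str, body: bytes) -> str:
    """Decode a text frame body. COMM carries a 3-byte language code and a
    null-terminated short description before the text; other frames are just text."""
    enc = _ENCODINGS.get(body[0], "latin-1")
    payload = body[1:]
    if fid == "COMM":
        payload = payload[3:]                       # skip the language code
        term = b"\x00\x00" if enc.startswith("utf-16") else b"\x00"
        idx = payload.find(term)                    # assumes an even offset for UTF-16
        if idx >= 0:
            payload = payload[idx + len(term):]
    return payload.decode(enc, errors="replace").rstrip("\x00")


def parse_id3v2(data: bytes) -> dict:
    """Return {frame_id: text} for the text frames of an ID3v2.3/2.4 tag."""
    if data[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major = data[3]
    pos, end = 10, 10 + _unsyncsafe(data[6:10])
    frames = {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break                                   # reached the tag padding
        raw_size = data[pos + 4:pos + 8]
        fsize = _unsyncsafe(raw_size) if major == 4 else struct.unpack(">I", raw_size)[0]
        body = data[pos + 10:pos + 10 + fsize]
        if fid[:1] == b"T" or fid == b"COMM":
            frames[fid.decode("ascii")] = _decode_text(fid.decode("ascii"), body)
        pos += 10 + fsize
    return frames


def render_now_playing(frames: dict, escape: bool = True) -> str:
    """Build the 'now playing' markup. escape=False is the vulnerable pattern
    (metadata concatenated straight into HTML); escape=True is the fix."""
    conv = html.escape if escape else (lambda s: s)
    return (
        f"<div class=\"title\">{conv(frames.get('TIT2', ''))}</div>"
        f"<div class=\"artist\">{conv(frames.get('TPE1', ''))}</div>"
        f"<div class=\"album\">{conv(frames.get('TALB', ''))}</div>"
    )


# Heuristic (an assumption for this example): tag text containing an HTML tag,
# an inline event handler, a javascript: URL, or a shebang is not a song label.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_frames(frames: dict) -> list:
    """Frame ids whose text looks like markup or a script rather than metadata."""
    return sorted(fid for fid, text in frames.items()
                  if _MARKUP.search(text) or text.lstrip().startswith("#!"))


if __name__ == "__main__":
    tag = parse_id3v2(build_sample_tag())
    print("unsafe :", render_now_playing(tag, escape=False))
    print("escaped:", render_now_playing(tag))
    print("flagged:", suspicious_frames(tag))
```

Escaping at the render step is the fix that actually closes the hole; the `suspicious_frames` check is only a triage aid for spotting files that carry markup or scripts in their tags, and it would miss encodings or obfuscation the regular expression does not anticipate.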

What’s next?

Just because the device is jailbroken does not mean it can now magically do anything you want. What needs to happen first is that developers need to take the device and write some code for it. This first jailbreak is really for those developers. For regular users, the only use is to preemptively unlock your device now in case the method is patched in an update or something. No mods for older Kindles will work as-is on the Touch. I’ve included a VERY basic usbnetwork package that will give you SSH access to the device. I think that’s as good a starting point as any. From there, developers should be able to rip the root filesystem, test modifications, and write useful tweaks. (And in case of a brick, read my previous post on bootloader access.) Some things I would like to see (or do) are GUI plugins for the device’s operating system. The Java code is easy to decompile and read, as the variable names have not been stripped out (as they were in previous models). Hopefully people can write some reader plugins (like X-Ray) or even format plugins for other ebook formats. Being a touch screen device, one could also write games or useful apps (although the speed and the e-ink display are limiting). I need to finish writing the update creation tool so developers can package their modifications.

Download

Download the jailbreak here

Simple custom screensaver mod

Simple usbnet update (supports wifi ssh and resetting root password)

GUI menu launcher and screen rotation hack

Demonstration

195 thoughts on “Kindle Touch (5.0) Jailbreak/Root and SSH”

  1. Hi! Your modification worked perfectly on my Kindle Touch, but I’m trying to customize screensavers on my Kindle 4.0.1 now and was wondering if the simple custom screensaver mod works on it. I can’t seem to get it to, but that is after uninstalling it a few times and accidentally installing the Touch mod on it first, so I’m thinking of restoring factory settings and trying from scratch again, but am wondering if it works at all? I followed the three essential steps and everything but no luck :(

  2. My kindle after i restarted got frozen and never got up again i am gonna sue you if it doesnt get unfrozen im suirous freeking retard :( never should have done it

  3. Thank you very much for the jailbreak. I installed it, and everything is perfect!… Thanks again!

  4. Lols, stupid Mud Saad, yah you sure are a “suirous freeking retard” :p Please threaten to sue a developer who is contributing this free of charge, and did you not read that it is primarily meant for developers? Why is a “suirous freeking retard” playing around with it…

  5. Pingback: The Kindle, Part II: Hacking It - Justin Allen

  6. Would this jailbreak allow me to use my Kindle Touch as a PDA to store my 3000+ addresses and calendar entries?

    I think the potential of the Kindle as a simple business “Rolodex” machine has been overlooked. The fantastic screen, the lightning fast boot time, the phenomenal battery life, the simple (almost crash-free) operating system, could make it the #1 PDA, even if it had to be read-only.

    Currently, I am able to convert my contacts into .txt and read them as a book on the Kindle; but the search function makes it impossible to find anything. Converting into an ebook via Calibre doesn’t help.

    I wasn’t able to read my calendar in html or csv or ical either – at least not in a usable way.

  7. Hi, can you help me with stepwise and detailed instructions on how to remove ads from the Kindle Keyboard as well as change the screensaver?
    I hope to hear from you soon.

  8. Pingback: Dealife.net » Kindle Touch Ultimate Quick-Start Guide (jailbreak + Chinese localization + font change + ad removal + screensaver change + landscape mode + SSH)

  9. I just want to know if this works with Kindle Touch 5.0.4??? I need to rotate the screen to read PDFs and I’m trying everything, but until now nothing works.

  10. Hi, Amazon released a new software version, 5.1.0. Is your hack working with this version?
    I would like to update for the FRENCH language ;o)

    Thanks.

  11. Pingback: How to create collections for the Kindle Touch (KT): « Vinachip

  12. A quick question: it seems to me that the guy was using a Kindle Touch with a color display. So my question is, how did that guy do it? Does it come with the Kindle Touch, or does it have to be jailbroken first? And if so, how to do it afterwards?

  13. Well, personally, I’m working more on the vita so I don’t have time for the kindle. However, hopefully, I’m not the only one working on the kindle.

  14. Hi, your jailbreak worked perfectly for my Kindle 4NT. Thanks.
    Now I’m trying to install the usbnetwork util. Though the Kindle ‘UPDATED’ fine, I can’t seem to ssh or use the ; commands from the Kindle… was that meant only for the Touch, or will it work for the K4 as well?
    Thanks.

  15. My device is running version 5.1 – it is the newly released Kindle Touch in the UK. I copy the data.tar.gz file to the root directory, restart the device and… nothing – the file is still there, the locale is still set to en-uk. Any ideas?

  16. Can you disable the browser and mp3 player using this hack? I am trying to find a way to enable parental control on a 14 yr old boy

  17. Hi everyone, I succeeded in jailbreaking my K Touch version 5.1 (just bought here in Italy) using method 3, after 10 minutes of PANIC because I could not exit Diags mode (device_info.xml file problem). Anyway, I was not able to make the screensaver app work; the K just freezes the screen… and nothing else.
    TNX to Yifan for all this nice work.

  18. Is there any hack through which I can download PDF files (or any file, as a matter of fact) with the Kindle Touch experimental browser?

  19. Hello

    I’ve tried the jailbreak using the data.tar.gz file that I copied to the Kindle’s root.
    After rebooting, the jailbreak process was going on, but lasted very long.
    After 1 hour, no change in the progress bar.
    I turned my KT off and since that moment it always reboots, without any error message.

    Using a hard reset doesn’t work.
    Using diags mode allows me to access the KT in USB mode.

    I’ve tried the data.tar.gz jailbreak again, but it doesn’t work any more.
    Same for trying to uninstall the jailbreak using update_jailbreak_1.1_k5_uninstall.bin.

    No result, my KT keeps on rebooting

    Do you have any idea how to reset my KT, or anything else, so I can use it again?

    Thanks

  20. Thanks, Eric, for your answer and URL

    But I did that already many times:
    - my KT doesn’t react anymore
    - it acts like it is ignoring the RUNME.sh
    I’ve already tried to copy the KT’s log files to /mnt/us to see what’s happening, with no result.
    And I paid attention to the case sensitivity of the RUNME.sh file name.
    The only way to access my KT is using Mfgtool to put it in Fast/Diags/Normal Mode.

    Any other idea?

  21. Hello, I had tried your program to jailbreak my Kindle. But when I tried to update my Kindle from 5.0.0 to 5.0.3, I forgot to return my Kindle.
    There is something wrong with my Kindle. It stopped in Diags Mode.
    When I choose D), D), Q) to restart my Kindle, it stops at the home page of Diags Mode.
    What can I do with it?

  22. @Tom:
    I know it’s been a little while, but if you’re still having the problem, maybe this can help.

    I had the exact same issue. Once you’ve done everything you need to in Diags Mode, hook your kindle up to your computer (I believe there’s an option in the Diags menu to have it act as a USB.)
    Simply delete the .txt that you used to set it to Diags Mode in the first place. Restart your kindle, and voila.

  23. Linux/ARM device running some modified Linux? Is there any way to set the HOSTS file’s rights to read/write and edit/save this file? =)

    The possibility of blocking as many companies as I can from spying, as well as no ads on or cheaper systems, sounds nice.

  24. Pingback: Assault on the Kindle « Mbpfernand0's Blog

  25. Could you please write a post on how to type on a keyboard on a Linux PC and watch things show up on my Kindle via SSH? Much appreciated.

  26. I did the ENABLE_DIAGS thing, and I couldn’t get my Kindle out of diagnostics. It is now frozen and I cannot do ANYTHING. It won’t even light up when I push the power button. Plz help. (It said device_info.xml not found when I tried to disable diagnostics.) 0-o

  27. Pingback: Kindle Touch jailbreak | BG2BYD's BLOG

  28. For the 5.1 people.

    “But after running one of the tests (I ran a few without checking so I don’t know which one exactly) the xml is created and you can exit diagnostics. If you want, I can enter diagnostics and try the tests one by one to see which one creates the file.

    I also deleted the ENABLE_DIAGS file in USB mode while experimenting how to disable diagnostics but I believe that is optional.”

    http://www.mobileread.com/forums/showthread.php?t=175182&page=3

  29. Pingback: Jailbreak: how to remove the ads on the Kindle Touch « Hermandad del metal

  30. Pingback: Top Ten Web Hacking Techniques of 2011 | RIS

  31. In my opinion, one of the most important options the Kindle doesn’t have is the possibility to create subfolders, or to exchange folders via your explorer directly (and keep the folders on your Kindle)…
    Is there a way to do that? Any USB stick can do that, why can’t the Kindle?
    I have to arrange about 400 PDF files and with the ordinary “collections” it absolutely doesn’t work…
    Thanks for any help!

    I know this is no Kindle Touch forum for ordinary questions, but I thought I might just ask the developers :)

  32. Pingback: Collection of Web Hacking Techniques « Rh15c's Blog

  33. Pingback: Remove Ads on Kindle Touch : Pat Hartl

  34. Pingback: Top Ten Web Hacking Techniques of 2011 | Tech Tricks
