Update Kindle 5.0.3 has fixed the hole to allow for jailbreak. Upgrading an already jailbroken Kindle Touch is fine as the update does not remove the custom key to allow custom packages. If you on 5.0.3 and have not already installed the key, there is a new jailbreak.
So long story short, we can run custom code on the Kindle Touch now but because the operating system has changed so much from Kindle 3, most Kindle modifications will not run without changes. I hope developers will jump to this device now that it’s unlocked. See the bottom of the post for download links. The directions for using are in the readme. Keep reading for technical details on how this came about.
Obtaining the root image
Before we can look for vulnerabilities in the system that would allow us to break in, we need to break into the system and obtain the files that might contain vulnerabilities. Yes, this is a chicken-and-egg problem, but fortunately Amazon is nice enough to help us with this. On every Kindle device is a TTL serial port. I found this port on the bottom of the device when the cover is opened. Fortunately, I did not even have to mess with it, as hondamarlboro and ramirami both managed to get the dump before me. Once we have the root image, it was only a matter of painstakingly looking through all the files to see possible injection vectors.
Looking for the needle
At first, I was digging deep into the system, disassembling and maping out various native libraries, looking for stack overflows (I found a couple but none could be accessed efficiently). I found the bootloader was unlocked but it would be a pain and danger for users (and even developers) to flash custom kernels and such. I also found that the Java code (the Kindle’s entire GUI is written in Java) is NOT obfuscated (which means it would be easier to reverse and later modify) and Amazon has left in many places to place plugins. For example, once someone has the time to figure things out, it would be very possible to write a EPUB extension to read EPUBs from the native reader. There are some other hidden secrets in the device too. The Kindle Touch has an accelerometer and proximity sensor (and a mic, but we know that) but they aren’t used in the software (yet). The more I looked into the system, I was aware that because it was such a huge rewrite, I had misjudged when I assumed that it would be harder to break as Amazon had years to fix the holes now. In fact, I would say that the Kindle 4 is more secure until I found out that Amazon left in SSH in diagnostics mode. Anyways, as I searched up the complexity chain from the bootloader to the kernel to the libraries to the Java interface, I found something very curious. Much of the operating system is no longer written in Java, but are now in HTML5 and Javascript. In fact, many of the interfaces on the Touch are actually web pages in disguise. For example: the password entry screen, the search bar, the browser (is just an HTML page with a frame), the Wifi selection screen, and even the music player. Obviously, these can’t all run natively in HTML and JS, or the device will be even slower (and it is pretty damn slow). What Amazon did is write a couple of Javascript hooks that are implemented by native libraries and events are read by these libraries and they perform actions accordantly. In short, Javascript will run native code. This is a goldmine, there could be many possible ways of using this to our advantage. There could be buffer overflows, heap overflows, string formatting bugs, etc. However, I didn’t have to look though much before I found a curious function: nativeBridge.dbgCmd();. It seems too good to be true. This function takes any shell command, and runs it (as root). Yup. The web browser will run as root, any command given to it. Don’t go looking for remote code execution yet (although it is highly possible), as the native bridge seems to be disabled when in web browser mode (it may be able to be bypassed, but I haven’t looked into it).
Calling the debug function
So the normal browser (as the one you can enter URLs into) can’t make use of this native bridge. However, as I’ve mentioned, a large part of the GUI in the Kindle Touch is HTML and JavaScript. All we need to do is inject some HTML into one of these and we would be all set. We need something that takes input and displays it to the user. The first thing I thought of was the media player. The Kindle displays the song title, artist, and album name in the music player, so what if we put some HTML into the ID3 tag? Yup, it works. How about some javascript? Running. Let’s try to call the debug function. It works. Well, that was a freebie.
Having some fun
That was a bit too easy and I was disappointed that I didn’t get to talk about how I whipped out IDA Pro and did some master debugging. So, let’s make things harder. We can use a MP3 with custom ID3 tags to execute any command, but how can we make this into a cool one-click solution? First of all, we should limit ourselves to one file to copy. Why make the user keep track of MP3s and shell scripts and where to put them? I took the shell script payload (which installs a developer key into the device so custom packages can be installed) and placed it into the comments section of the ID3 tag in the MP3. Then I used “dd” to extract the script, chmod it, and execute it. Now, another problem in terms of user friendliness is how to let the user know that the process was successful? I quickly whipped up an awesome looking “splash screen” and planned on displaying it while the magic is taking place. At first I tried to encode it into a variable in the shell script payload and extract it, but it was too slow and memory intensive. Instead, I took the image, raw, and appended it into the end of the MP3 (after all, the file was a bit too small). You can see the result in the video attached.
What’s next?
Just because the device is jailbroken does not mean it can now magically do anything you want. What needs to happen first is that developers need to take the device and write some code for it. This first jailbreak is really for these developers. For regular users, the only use is to preemptively unlock your device now in case the method is patched in an update or something. No mods for older Kindles will work as-is on the Touch. I’ve included a VERY basic usbnetwork package that will allow you to have SSH access to the device. I think that’s as good of a starting point as anything. From there, developers should be able to rip the root filesystem, test modifications, and write useful tweaks. (And in case of a brick, read my previous post on the bootloader access). Some things I would have to see or do is GUI plugins in the device’s operating system. The Java code is easy to decompile and read as the variable names have not been stripped out (like previous models). Hopefully people can write some reader plugins (like X-Ray) or even format plugins for other ebook formats. Being a touch screen device, one could also write games or useful apps (although the speed and eink are limiting). I need to finish writing the update creation tool so developers can package their modifications.
Download
Simple usbnet update (supports wifi ssh and resetting root password)
GUI menu launcher and screen rotation hack
Demonstration
so what about my mp3 player question?
any chance to see\edit play list?
Hi! your modification worked perfectly on my Kindle touch but I’m trying to customize screensavers on my kindle 4.0.1 now and was wondering if the simple custom screensaver mod works on it. I can’t seem to get it to but that is after uninstalling it a few times and accidently installing the touch mod on it first so I’m thinking of restoring factory settings and trying from scratch again but am wondering if it works at all? I follwed the three essential steps and everything but no luck
My kindle after i restarted got frozen and never got up again i am gonna sue you if it doesnt get unfrozen im suirous freeking retard
never should have done it
Thank you very much, for the jailbrake. I installed it, and everything is perfect!…thanks again!
how do you unjailbreak kindle? PLEASE HELP ME!!!
Lols stupid Mud Saad, yah you sure are a “suirous freeking retard” :p pls threaten to sue a developer who is contributing this free of charge, and did u not read that it is primarily meant for developers, why is a “suirous freeking retard” doing playing arnd wif it…
Pingback: The Kindle, Part II: Hacking It - Justin Allen
Would this jailbreak allow me to use my Kindle Touch as a PDA to store my 3000+ addresses and calendar entries?
I think the potential of the Kindle as a simple business “Rolodex” machine has been oversighted. The fantastic screen, the lightning fast boot time, the phenomenal battery life, the simple (almost crash-free) operating system, could make it the #1 PDA, even it had to be read-only.
Currently, I am able to convert my contacts into .txt and read them as a book on the Kindle; but the search function makes it impossible to find anything. Converting into an ebook via Calibre doesn’t help.
I wasn’t able to read my calendar in html or csv or ical either – at least not in a usable way.
Hi, can u help me with stepwise and detailed instructions on how to remove ads from kindle keyboard as well as change the screen saver?
I hope to hear from you soon.
Pingback: Dealife.net » KindleTouch快速上手终极版(越狱+汉化+换字体+去广告+换屏保+横屏+SSH)
Thank you Andrew for commenting about Mud Saad. I could do better.
I meant to say I couldn’t better.
I just want to know if this works with Kindle Touch 5.0.4??? I need to rotate screen to read pdf and i’m trying everything, but until now nothing works.
Hi, Amazon released a new software version 5.1.0. Is your hack is working with this version ?
I will like to update for the FRENCH language ;o)
Thanks.
The Jailbreak is not working with the new version 5.1.0. plz fix!
Pingback: Cách tạo collection cho Kindle touch (KT): « Vinachip
a quick question, it seems to me that the guy was using a kindle touch with color display. so my question is that how did that guy do it? does it comes with kindle touch or does it have to bejail breaked first? and if so how to do it after wards.
Who are you talking about?
Yifan Lu: how long do you think it will be bfore the new jailbreak comes out?
Well, personally, I’m working more on the vita so I don’t have time for the kindle. However, hopefully, I’m not the only one working on the kindle.
Hi, your jailbreak worked perfectly for my Kindle 4NT. Thanks.
Now I’m trying to install the usbnetwork util. Though the Kindle ‘UPDATED’ fine, I cant seem to ssh or use the ; commands from the kindle… was that meant only for the Touch, or will it work for the K4 as well?
Thanks.
My device is running version 5.1 – it is the newly released Kindle Touch in the UK. I copy the data.tar.gz file to the root directory, restart the device and… nothing – the file is still there, the locale is still set to en-uk. Any ideas?
Can you disable the browser and mp3 player using this hack? I am trying to find a way to enable parental control on a 14 yr old boy
Hi everyone, I succeded to jailbroken my K touch version 5.1 (just bought here in Italy) using method 3 and after a 10 minutes of PANIC because I could not exit from Diags mode (device_info.xml file problem). Anyway I was not able to make screensaver app working, K just freezes the screen… and nothing else.
TNX to Yifan for all this nice work.
Is thre any hack throuh which i can download pdf files(or any file as a matter of fact) with kindle touch experimental browser?