Kindle Touch (5.0) Jailbreak/Root and SSH

Kindle update 5.0.3 has closed the hole that allowed this jailbreak. Upgrading an already jailbroken Kindle Touch is fine, as the update does not remove the custom key that allows custom packages. If you are on 5.0.3 and have not already installed the key, there is a new jailbreak.

So, long story short, we can run custom code on the Kindle Touch now, but because the operating system has changed so much since the Kindle 3, most Kindle modifications will not run without changes. I hope developers will jump to this device now that it’s unlocked. See the bottom of the post for download links. Directions for use are in the readme. Keep reading for technical details on how this came about.

Obtaining the root image
Before we can look for vulnerabilities in the system that would allow us to break in, we need to break into the system and obtain the files that might contain vulnerabilities. Yes, this is a chicken-and-egg problem, but fortunately Amazon is nice enough to help us with this. Every Kindle device has a TTL serial port. I found this port on the bottom of the device when the cover is opened. Fortunately, I did not even have to mess with it, as hondamarlboro and ramirami both managed to get the dump before me. Once we had the root image, it was only a matter of painstakingly looking through all the files for possible injection vectors.

Looking for the needle

At first, I was digging deep into the system, disassembling and mapping out various native libraries, looking for stack overflows (I found a couple, but none could be reached efficiently). I found the bootloader was unlocked, but it would be a pain and a danger for users (and even developers) to flash custom kernels and such. I also found that the Java code (the Kindle’s entire GUI is written in Java) is NOT obfuscated (which means it would be easier to reverse and later modify), and Amazon has left in many places to attach plugins. For example, once someone has the time to figure things out, it would be very possible to write an EPUB extension so the native reader can read EPUBs. There are some other hidden secrets in the device too. The Kindle Touch has an accelerometer and a proximity sensor (and a mic, but we know that), but they aren’t used in the software (yet).

The more I looked into the system, the more I realised that, because it was such a huge rewrite, I had misjudged it when I assumed it would be harder to break since Amazon had years to fix the holes by now. In fact, I would have said the Kindle 4 was the more secure device, until I found out that Amazon left SSH enabled in diagnostics mode. Anyway, as I searched up the complexity chain from the bootloader to the kernel to the libraries to the Java interface, I found something very curious. Much of the operating system is no longer written in Java but in HTML5 and JavaScript. In fact, many of the interfaces on the Touch are actually web pages in disguise: the password entry screen, the search bar, the browser (which is just an HTML page with a frame), the Wi-Fi selection screen, and even the music player. Obviously, these can’t all run natively in HTML and JS, or the device would be even slower (and it is pretty damn slow). What Amazon did is write a few JavaScript hooks that are implemented by native libraries; those libraries read the events and perform actions accordingly.

In short, JavaScript will run native code. This is a goldmine; there could be many possible ways of using this to our advantage: buffer overflows, heap overflows, string formatting bugs, etc. However, I didn’t have to look through much before I found a curious function: nativeBridge.dbgCmd(). It seemed too good to be true. This function takes any shell command and runs it (as root). Yup. The web browser will run, as root, any command given to it. Don’t go looking for remote code execution yet (although it is highly possible), as the native bridge seems to be disabled when in web browser mode (it may be possible to bypass that, but I haven’t looked into it).

Calling the debug function

So the normal browser (the one you can enter URLs into) can’t make use of this native bridge. However, as I’ve mentioned, a large part of the GUI in the Kindle Touch is HTML and JavaScript. All we need to do is inject some HTML into one of these pages and we would be all set. We need something that takes input and displays it to the user. The first thing I thought of was the media player. The Kindle displays the song title, artist, and album name in the music player, so what if we put some HTML into the ID3 tag? Yup, it works. How about some JavaScript? Running. Let’s try to call the debug function. It works. Well, that was a freebie.
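The two weaknesses in that chain, tag text pasted straight into the player's markup and a bridge that accepts a whole command line, are worth seeing side by side with their fixes. The following is an added example, not code from the Kindle firmware or from the original post; the player rendering functions, `weakBridge`, `hardenedBridge` and the `ALLOWED_ACTIONS` table are assumed names modelled on the post's description, and the hostile tag text is constructed.

```javascript
// Added example (not from the Kindle or the original post). Models the two
// weaknesses the post describes: (1) untrusted ID3 text rendered into the
// player's HTML without escaping, and (2) a JS-to-native bridge whose single
// method takes an arbitrary shell command. Each is shown beside a hardened form.

// Constructed tag text of the kind an ID3 frame can carry (assumption: the
// player copies title/artist fields straight into its page).
const HOSTILE_TAG = { title: '<script>x()</script>', artist: 'Artist "A" & B' };

// Weak form: string-built markup, i.e. what element.innerHTML = '...' + title
// amounts to. Any markup in the tag becomes live DOM, scripts included.
function renderPlayerVulnerable(tag) {
  return `<div id="player"><h1>${tag.title}</h1><p>${tag.artist}</p></div>`;
}

// Hardened form: every untrusted field is HTML-escaped before entering markup,
// so tag text is displayed literally and can never become an element or script.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}
function renderPlayerHardened(tag) {
  return `<div id="player"><h1>${escapeHtml(tag.title)}</h1><p>${escapeHtml(tag.artist)}</p></div>`;
}

// Weak bridge shape: one method, one free-form command string (the post's
// dbgCmd). Here the command is only recorded, never executed; the point is
// that the page controls the whole command line.
const executed = [];
const weakBridge = { dbgCmd: (cmd) => { executed.push(cmd); return true; } };

// Hardened bridge shape: the page may only name an action from a fixed table,
// each action validates its own argument, and no string from the page is ever
// interpreted as a command. Rendering fixes the injection; this removes the
// payoff even if some other page were still injectable.
const ALLOWED_ACTIONS = {
  play: (trackId) => (/^[0-9]{1,6}$/.test(trackId) ? `play ${trackId}` : null),
  setVolume: (level) =>
    (Number.isInteger(level) && level >= 0 && level <= 10 ? `volume ${level}` : null),
};
function hardenedBridge(action, arg) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, action)) {
    throw new Error(`action not permitted: ${action}`);
  }
  const result = ALLOWED_ACTIONS[action](arg);
  if (result === null) throw new Error(`bad argument for ${action}`);
  return result;
}
```

Note that disabling the bridge only for the URL-entry browser, as the post says the Kindle does, is an origin-style check; it does nothing for an internal page that renders attacker-controlled metadata, which is exactly the music player case. The allow-listed bridge removes the shell from reach for every page, injectable or not.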

Having some fun

That was a bit too easy, and I was disappointed that I didn’t get to talk about how I whipped out IDA Pro and did some master debugging. So, let’s make things harder. We can use an MP3 with custom ID3 tags to execute any command, but how can we make this into a cool one-click solution? First of all, we should limit ourselves to one file to copy. Why make the user keep track of MP3s and shell scripts and where to put them? I took the shell script payload (which installs a developer key into the device so custom packages can be installed) and placed it into the comment section of the ID3 tag in the MP3. Then I used “dd” to extract the script, chmod it, and execute it. Now, another problem in terms of user friendliness is how to let the user know that the process was successful. I quickly whipped up an awesome-looking “splash screen” and planned on displaying it while the magic is taking place. At first I tried to encode it into a variable in the shell script payload and extract it, but it was too slow and memory intensive. Instead, I took the image, raw, and appended it to the end of the MP3 (after all, the file was a bit too small). You can see the result in the video attached.
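From the detection side, the interesting property of this packaging is that everything lives in ordinary ID3v2 text frames: markup in the title or artist fields, a shell script in the comment frame. The following added example (not from the original post or the jailbreak package) is a minimal ID3v2.3 frame walker that flags tag text containing HTML or script markup, or beginning with a shell shebang. The frame layout follows the ID3v2.3 specification; `buildTag`, `scanTag` and the sample tag are constructed here for illustration.

```javascript
// Added example, not part of the original post: walk the ID3v2.3 frames of an
// MP3 and flag tag text that carries HTML/script markup or an embedded shell
// script. Builders are included only to construct an offline sample.

function syncsafe(n) {
  // ID3v2 header size: 4 bytes, 7 bits each (high bit always clear).
  return Buffer.from([(n >> 21) & 0x7f, (n >> 14) & 0x7f, (n >> 7) & 0x7f, n & 0x7f]);
}

function frame(id, payload) {
  const size = Buffer.alloc(4);
  size.writeUInt32BE(payload.length, 0); // v2.3 frame sizes are plain big-endian
  return Buffer.concat([Buffer.from(id, 'latin1'), size, Buffer.from([0, 0]), payload]);
}

function textFrame(id, text) {
  // Text frame: encoding byte (0x00 = ISO-8859-1) followed by the string.
  return frame(id, Buffer.concat([Buffer.from([0]), Buffer.from(text, 'latin1')]));
}

function commentFrame(text, description = '') {
  // COMM: encoding, 3-byte language, NUL-terminated short description, text.
  return frame('COMM', Buffer.concat([
    Buffer.from([0]), Buffer.from('eng', 'latin1'),
    Buffer.from(description, 'latin1'), Buffer.from([0]),
    Buffer.from(text, 'latin1'),
  ]));
}

function buildTag(frames) {
  const body = Buffer.concat(frames);
  return Buffer.concat([Buffer.from('ID3', 'latin1'), Buffer.from([3, 0, 0]), syncsafe(body.length), body]);
}

function frameText(id, data) {
  // Returns the human-readable text of a T*** or COMM frame, '' for binary frames.
  if (data.length === 0) return '';
  const enc = data[0];
  let body = data.subarray(1);
  if (id === 'COMM') {
    body = body.subarray(3); // skip language code
    const nul = body.indexOf(0); // end of short description
    body = nul >= 0 ? body.subarray(nul + 1) : body;
  } else if (id[0] !== 'T') {
    return ''; // APIC and other binary frames are not inspected here
  }
  return enc === 1 ? body.toString('utf16le').replace(/^\ufeff/, '') : body.toString('latin1');
}

function parseFrames(buf) {
  if (buf.length < 10 || buf.toString('latin1', 0, 3) !== 'ID3') return [];
  if (buf[3] !== 3) throw new Error('only ID3v2.3 is handled in this example');
  const tagSize = ((buf[6] & 0x7f) << 21) | ((buf[7] & 0x7f) << 14) | ((buf[8] & 0x7f) << 7) | (buf[9] & 0x7f);
  const end = Math.min(10 + tagSize, buf.length);
  const frames = [];
  let pos = 10;
  while (pos + 10 <= end) {
    const id = buf.toString('latin1', pos, pos + 4);
    if (id === '\0\0\0\0') break; // padding reached
    const size = buf.readUInt32BE(pos + 4);
    const data = buf.subarray(pos + 10, pos + 10 + size);
    if (data.length !== size) break; // truncated frame: stop rather than misparse
    frames.push({ id, text: frameText(id, data) });
    pos += 10 + size;
  }
  return frames;
}

const MARKUP = /<\s*\/?\s*[a-z!]/i; // opening of an HTML tag or comment
const SCRIPT_URL = /javascript\s*:/i; // script URL in an attribute value
const SHEBANG = /^\s*#!\s*\/bin\/(sh|bash)/; // embedded shell script

function scanTag(buf) {
  const findings = [];
  for (const { id, text } of parseFrames(buf)) {
    if (MARKUP.test(text) || SCRIPT_URL.test(text)) findings.push({ id, reason: 'html-or-script' });
    else if (SHEBANG.test(text)) findings.push({ id, reason: 'shell-script' });
  }
  return findings;
}

// Constructed sample: a clean title, an artist field carrying markup, and a
// comment frame holding a shell script, mirroring the layout described above.
const SAMPLE = buildTag([
  textFrame('TIT2', 'Plain Song Title'),
  textFrame('TPE1', '<img src=x onerror="x()">'),
  commentFrame('#!/bin/sh\necho constructed-sample'),
]);
```

Run `scanTag(SAMPLE)` to get one finding per suspicious frame; on a real file, pass the first few kilobytes of the MP3 (the whole tag is sized by the header, so the parser stops on its own). The parser deliberately stops at a truncated frame instead of guessing, and treats only T-frames and COMM as text, so cover art and other binary frames never reach the regexes.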

What’s next?

Just because the device is jailbroken does not mean it can now magically do anything you want. What needs to happen first is that developers need to take the device and write some code for it. This first jailbreak is really for those developers. For regular users, the only use is to preemptively unlock your device now in case the method is patched in an update or something. No mods for older Kindles will work as-is on the Touch. I’ve included a VERY basic usbnetwork package that will give you SSH access to the device. I think that’s as good a starting point as any. From there, developers should be able to rip the root filesystem, test modifications, and write useful tweaks. (And in case of a brick, read my previous post on bootloader access.) Something I would like to see (or do) is GUI plugins in the device’s operating system. The Java code is easy to decompile and read, as the variable names have not been stripped out (unlike previous models). Hopefully people can write some reader plugins (like X-Ray) or even format plugins for other ebook formats. Being a touch screen device, one could also write games or useful apps (although the speed and e-ink are limiting). I need to finish writing the update creation tool so developers can package their modifications.

Download

Download the jailbreak here

Simple custom screensaver mod

Simple usbnet update (supports wifi ssh and resetting root password)

GUI menu launcher and screen rotation hack

Demonstration

193 thoughts on “Kindle Touch (5.0) Jailbreak/Root and SSH”

  1. It really would be nice to see if someone was working on a unrestricted web browser; are there any in progress

  2. Yes! That is the thing which pissed me totally off. I have been surprised that 3G is not working only after I opened the box. And I guess I am not alone.

  3. Your screensaver mod ‘by design’ does not work for the ad sponsored Kindle. I purchased a Kindle outside USA and Amazon does not allow me to pay the extra to remove ads (even though I am more than happy to). Are you planning to release a screen saver mod to work on all Kindle touch?

  4. does this work for kt 5.0.3?
    If so, does this include screen rotation?
    Is there an easy way to get landscape mode on latest software?

  5. A screen saver mod? just learn about Linux file system and permissions, and you’ll figure out what files and permissions to change to get rid of ads.

  6. K-Man, if you have been clever enough to obtain a Touch with ads outside of USA, then you are clever enough to work out how to pay to remove them legally.

  7. @people who want a hack to remove the ads:
    Pay the damn $40.

    You promised Amazon that you would look at their ads for a lower price. Amazon doesn’t have to offer the lower price. I’m hoping that they bill anyone who removes the ads themselves.

  8. In player, instead of a button inscription:” <button type="button style=widt… "

    Kindle touch wi-fi, firmware 5.0.3

  9. @K-Man: I actually had the same problem. I just chatted with Amazon support and they were able to do it for me (charging my debit card, of course).

  10. @neuro: Helpful advice – thanks. I will try support. Will yifan’s screensaver mod now work on yours?
    @carol: harsh!

  11. Hi – this is probably an uncommon request to a hacker, but I know that there are many parents concerned about lack of parental controls on kindle wifi (i have the $79 version). Any simple hack to disable wifi or experimental browser? Thanks!

  12. Having a router password or blocking the mac address works well for at home, however not for public hotspots (or neighbor’s signals).

  13. Thank for all your information… I’m not a tech expert by any means but this has helped a lot. I was wondering, I just today made the upgrade to 5.0.3 and it required me to move a file directly to the “root”? not within any folders. Is there a way to downgrade to 5.0.1? How would I go about this? Thank you!

  14. So, correct me if I’m wrong, but I just want to clarify; when you have a computer that is connected to the internet, with the usbnet ssh hack you can plug the Kindle into the computer and get a connection through the usb cord? If so, wouldn’t that be much slower?

    A similar question, enterprise and peer-to-peer networks. Is there any way to connect to those? Would that be how the usbnet ssh hack is used?

    Thanks, and sorry for the load of questions

  15. @Parker:
    No. You would be able to control your kindle with the computer its plugged into.

    As for the enterprise and p2p networks: i really don’t know. :P

  16. Pingback: PTSec – Portal de Segurança Português » Top Ataques Web 2011

  17. Thanks for your effort. How do I install the screen-savers? You give the format but no instruction on what to do next.

  18. Will there be a homebrew appstore for the kindle touch?

    Also I'm ready to start coding apps but I need to know how to install/run HTML/JS/CSS documents. All help would be appreciated.

    The MP3 file exploit: how do I make my own?

  19. I'm kind of scared. I got a Kindle Jan. 25th and I want some books that are not on the store already, so I found them in EPUB, but I'm worried whether it's gonna work because all my previous hack attempts (Wii, PSP, iPod) failed miserably. I have the Kindle Touch with ads; do I need to cancel the ads first? Most of all, is it safe? Can I still get books from the store? And finally, can Amazon find out, and can I get in trouble?

  20. Hi,
    in a few hours we will get our new KT3G. I think it will have the FW 5.0.1. Did I understand right, the recommended process would be:
    1. use the official update to 5.0.3
    2. use kt-jailbreak-503.zip
    3. use kindle_launcher_1.0.1.zip
    and I shouldn’t use the older kindle_jailbreak_1.1.zip, right?
    Thanks for your great job…
    MJ

  21. Sorry I’m not able to edit my last post.
    Now I have updated the KT3G to 5.0.3
    and tried the kt-jailbreak-503.zip, by copying the data.tar.gz directly into the root directory + 2 restarts, but I can’t see the jailbreak screen. Is there any other (safe) possibility to check whether it is jailbreaked or not?
    MJ

  22. I used kt-jailbreak-503.zip on my new kindle touch. but I cannot figure out how to “install” kindle_launcher_1.0.1.zip. all I want is screen rotation for pdf file. Anyone could help? thanks in advance.

  23. Hi Yifan, thanks for your work. I installed jailbraker and launcher to be able to rotate to landscape view. all is working great. I realise however that my wi-fi is no longer working since. I have a network and password, but while it finds the network, the password is not accepted as valid, hence I remain disconnected. Could this be attributed to the install I did? Any idea how to fix it?

  24. Yifan–Thanks for your work! The screensaver is great, but how can I get the pictures to cycle every few minutes? Any help would be greatly appreciated!

  25. Great work.

    I’m looking into removing the ads from my new Kindle Touch.

    Not because they annoy me so much or because I want to rob Amazon – just cause it can be done.

  26. In case of custom screen saver installation will I have only my pictures appear or the native Kindle pictures will also appear?
    Thanks!

  27. I too am looking to delete the web browser or remove the wifi connection as a form of parental control. The internet connection at home isn’t a problem, but I would like to let my daughter take it to school again. I hesitate to manually remove any hardware – any ideas for how to disable web browsing?

  28. Pingback: Vota por las principales técnicas de hacking web de 2011 | Sevilla Sec&Beer

  29. @daryle b:
    Press ‘Menu’
    Press ‘Settings’
    Press ‘Menu’
    Press ‘Device Info’
    And look at firmware version.

  30. is there any way to get MP3 player with playlist\songlist in Kindle Touch?
    Standard MP3 player doesn't show the songs – only allows to click Next :(
    thanks

  31. Pingback: Top Web Hacking Techniques of 2011 | MYH3R3

  32. Pingback: Interface Android Cell Phone via Amazon Kindle Touch (androidscreencast.jnlp) : Neal Harmon

  33. When i read my ebooks in landscape mode, the right side of the margins have a extra ‘blank space’ which cuts the last word of each sentence. Anyone else have the same issue? and any idea how to correct it?

  34. hi everyone!
    I just used the 5.0.3 jailbreak on my new KT and I'm now trying to use the usbnetwork to get my hands on an ssh session. I followed the readme file, but when it says “The IP for the Kindle will always be 192.168.15.244”, well, I just couldn't ping any device on that IP. So I checked out the logs on my wifi router and discovered that my dhcp gave the kindle the ip 192.168.1.2 (the .1 being my router and the kindle being the only device actually connected). So I went on doing the ;un password myrootpassword and tried an ssh root@192.168.1.2, but the ssh server keeps telling me “Permission denied” when I enter myrootpassword…

    Am I doing it wrong ?

  35. S.O.S.
    I copy the file into my touch, but mp3 player shows sth. like <button type-"button style="width…". I tried again and again, even I Reset to Factory Defaults, but it shows the same~
    How to solve it? help pls~

  36. 27/2/2012. The MP3 file for rotating the screen to landscape no longer works. Really annoying.

  37. Brilliant. While the Kindle Touch screensavers are an order of magnitude better than the creepy dead authors, it still feels great to have a bit of customization! The jailbreak went perfectly (5.0.1) and the screensaver hack also went perfectly! Thanks so much! You ROCK!

  38. Pingback: Jailbreak per Kindle Touch!
