How the Kindle Touch jailbreak was discovered

The Kindle Touch has been rooted! There’s a proof video embedded after the break, but the best part about this discovery is that [Yifan Lu] wrote in-depth about how he discovered and exploited a security hole in the device.

The process begins by getting a dump of the firmware. If you remove the case it’s not hard to find the serial port on the board, which he did. But by that time someone else had already dumped the image and uploaded it. We guess you could say that [Yifan] was shocked by what he found in the disassembly. This is a ground-up rewrite compared to past Kindle devices and it seems there’s a lot to be hacked. The bootloader is not locked, but messing around with that is a good way to brick the device. The JavaScript, which is the language used for the UI, is not obfuscated and Amazon included many hooks for later plugins. Long story short, hacks for previous Kindles won’t work here, but it should be easy to reverse engineer the software and write new ones.

Gaining access to the device is as easy as injecting some HTML into the UI, which the device then renders as root (no kidding!). [Yifan] grabbed an MP3 file, changed its tag information to the HTML attack code, then played the file on the device to exploit the flaw. How long before malicious data from illegally downloaded MP3 files ends up blanking the root file system on one of these?
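The bug class here is metadata that a privileged UI renders as HTML without escaping. As an added example (not code from the article or from [Yifan]’s write-up), the script below builds a small ID3v2.3 tag with constructed sample frames, parses its text frames, flags any frame carrying markup, and shows the escaping a rendering layer should apply before putting tag text into HTML. It assumes standard ID3v2.3 text frames with ISO-8859-1 encoding and nothing Kindle-specific.

```python
import html
import re
import struct

def synchsafe(n):
    # ID3v2 stores the tag size as four 7-bit bytes (MSB of each byte is zero)
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))

def build_tag(frames):
    """Constructed ID3v2.3 tag: 10-byte header, then text frames of the form
    <4-byte id><4-byte size><2 flag bytes><encoding byte><text>."""
    body = b""
    for frame_id, text in frames:
        payload = b"\x00" + text.encode("latin-1")  # encoding 0 = ISO-8859-1
        body += frame_id.encode("ascii") + struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    return b"ID3\x03\x00\x00" + synchsafe(len(body)) + body

def parse_text_frames(data):
    """Return {frame_id: text} for the text frames of an ID3v2.3 tag."""
    if data[:3] != b"ID3" or data[3] != 3:
        raise ValueError("not an ID3v2.3 tag")
    size = 0
    for b in data[6:10]:
        size = (size << 7) | (b & 0x7F)
    pos, end, frames = 10, 10 + size, {}
    while pos + 10 <= end:
        frame_id = data[pos:pos + 4].decode("ascii", "replace")
        frame_size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 10:pos + 10 + frame_size]
        if frame_id.startswith("T") and payload[:1] == b"\x00":
            frames[frame_id] = payload[1:].decode("latin-1").rstrip("\x00")
        pos += 10 + frame_size
    return frames

# Anything that looks like an HTML tag opener: "<b", "</b", "<!--", "<script" ...
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]")

def suspicious_frames(frames):
    """Frame ids whose text contains markup that a UI must never render raw."""
    return sorted(fid for fid, text in frames.items() if MARKUP.search(text))

def safe_for_ui(text):
    """What the rendering layer should do: escape tag text before it reaches HTML."""
    return html.escape(text, quote=True)

# Constructed sample: one plain frame and one carrying harmless bold markup
SAMPLE_TAG = build_tag([("TIT2", "Plain title"), ("TPE1", "<b>Artist</b>")])

if __name__ == "__main__":
    parsed = parse_text_frames(SAMPLE_TAG)
    print("flagged frames:", suspicious_frames(parsed))
    print("escaped artist:", safe_for_ui(parsed["TPE1"]))
```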

[via Reddit]

Comments

  1. BLuRry says:

    Hacking with audio. It’s like SnowCrash man… That white noise will fry your brain. :-D

  2. If you are interested in how this came about, here is the thread showing its evolution:

    http://www.mobileread.com/forums/showthread.php?t=151537

  3. And here is the thread that made it all possible:

    http://www.mobileread.com/forums/showthread.php?t=158894

  4. Huhwhut says:

    It was visual data not audio in Snowcrash.

  5. No One says:

    So /that’s/ how the Decepticons hacked the NSA in Transformers!

  6. Jason says:

    Also, the source code is available from Amazon Here

  7. loueney says:

    I’m sorry, I don’t understand why you wouldn’t just go with a Nook Simple Touch. It is already rooted, easy to use, and offers more than this device even without root… Please enlighten me.

  8. FaultyWarrior says:

    Where have we seen a flaw just like this before? hmm, Android 1.0 seems about right… Type “reboot” into an sms message, hit enter, and the phone reboots. Sounds pretty close to this… Way to go Amazon! :clapping monkey:

  9. Johan says:

    Amazon is probably working on a patch as we speak. The Kindle is auto-updating, so the filesystem-wiping MP3 would have a limited lifespan.

  10. micmast says:

    The site appears to be taken down, somebody got a mirror?

  11. bob says:

    BitDefender has blocked this website because it has been reported as a potential phishing site.
