A Jailbreak For Every Kindle

[Geekmaster] wrote in to tell us about a new hack for the Amazon Kindle. It’s a jailbreak. Universal jailbreak for almost every eInk Kindle eReader eOut eThere.

This jailbreak is a pure software jailbreak for the Kindle Paperwhite 2, the Kindle Paperwhite 3, Kindle Touch, Kindle Voyage, and Kindle Oasis. If you’re keeping track, that’s any 6th, 7th, or 8th generation device, running any firmware version. The jailbreak has already been tested by over one thousand people, with the cloud serving up half a terabyte of jailbreak image downloads. That’s extraordinarily popular for a device that hasn’t seen much action of late.

Several years ago, [Geekmaster] made a name for himself – and for [NiLuJe], [KNC1], and other developers over at the Mobileread forums – by jailbreaking the Kindle Paperwhite. That jailbreak was, and still is, extremely simple: just upload a file to the root directory, restart, and the Kindle is jailbroken. The latest development extends this to nearly all Kindle models, while still being as easy to deploy as the original hack from four years ago.

If you’re looking for something to do with a neat jailbroken device with an eInk screen, they make a great serial console, thermostat, and wallpaper.

91 thoughts on “A Jailbreak For Every Kindle”

  1. Sadly, these are big downloads, and the bulk of our download capacity on all three servers is being consumed by leeches on foreign shores. We can tell because they copied our small files (the separate “single point of distribution” jailbreak file and other support files), and only a small fraction of the support file downloads come from our official source. So tons of Chinese speaking folks get to benefit from our work and “borrow without returning” our bandwidth and take credit for themselves (copying my pastebin and keeping the URLs but removing the names of myself and [knc1] from it). Gee thanks China guys, but no thanks. We need to keep our servers from falling over and their IP theft and bandwidth theft is no help at all. Any suggestions how to repair this problem (we are PAYING for their download bandwidth) to keep our servers online?

    1. I am hesitant to provide a google translate link here because for legal reasons we use a pastebin with a manual “copy/paste URL” step required by the User. The Chinese pages replaced my URLs with clickable links when they copied my work (besides removing all attribution). We are trying to figure out how to force them to use their own servers for these images. My mediafire server has no way other than to keep deleting and reuploading them, and that is very very slow.

      So please enjoy these while you can, before bandwidth theft makes our servers fall over (and imposes “10 downloads per file per week” limits on my mediafire account, as it did when my “simple debricking” thread at mobileread went viral).

        1. Oops. Accidentally clicked Report instead of Reply. Reply is on the right at sites I use regularly.

          We discussed torrents and decided against it. I do not know why other than a report of bad experiences doing this in the past. Perhaps a problem when stale files need to be replaced on our servers? Torrents could potentially lead to bricked kindles in some cases when they become obsolete. We prefer a single point of distribution (now two points with the baidu servers, but geo-redirection for our backup servers is planned).

          1. I fail to see why a single point of distribution can’t link to torrent files, and state in big bold red HTML the hash of the most current files. It eludes me how the exact same file (sourced from a different path) can brick a device depending on path…

          2. We plan to retire some files. The few reported bricks came from one, and a newer version seems much more reliable. We lose such control with torrents that outlive their shelf life.

        2. Cause that would solve their problems and then what would they bitch about?

          Some people don’t like torrents because once you make them they can run off on you since they are decentralised; maybe Vietnam ends up using the same old version because no translated links point to the new torrent.

          1. Sounds like there’s a need for a torrent-based Git version control system.
            Something that gets a version tag from your server, then looks for a public torrent that matches that tag.

          2. Add a read me telling people to check the site for the latest torrent.

            Not rocket science.

            If they won’t read or follow the README bricks will happen anyways.

          3. It is not uncommon for installers and software packages to “phone home” to ensure they are up-to-date. All a torrent needs is a way to get the data for the latest version’s torrent and prompt the user to download it; if they ignore it, then it can either bail out, or give them a message saying any problems caused by the old installer are their problem.

      1. Require a captcha to download the first file, log the IP of that machine, and only allow further downloads from IPs that clear step 1. Everyone else gets a tiny gif that says “you’re attempting to install a pirated version”.

        1. Not a problem now. The Chinese KindleFere.com site is now using baidu servers. They said they would never have used our server links if they knew we (the other guys at least) were paying for the bandwidth ourselves. We hope they will send us server log data so we can track how many jailbreaks have been installed (a huge jump in traffic since this was posted to hackaday). We suspect including Chinese users that thousands of kindles have been jailbreaked (jailbroken?) already, and only a few bricks (mostly repaired by reinstalling) have been reported. The Chinese website is our partner (not adversary) now.

    2. geo-block.

      When I ran my own webserver at home, I would not tolerate China connecting to me. In fact, almost all connections were hack attempts. So I reverse map the IP to a geo and then just block it via firewall rules.

      China is a problem. I feel for you ;(

      1. We are working on blocks too, but now the Chinese are serving their own copies of our jailbreak images, thanks to these hackaday posts. And besides, we have Chinese friends in our community, and we want to share with them.

        1. Next time tell the NSA before you do a release and they may give you a huge amount of money to make a few changes to a second special copy and then show you how to serve up that copy only to certain IP ranges. Poetic justice, and profit.

      1. I use mediafire (50 GB storage, unlimited bandwidth, no ads, and free) and it works just fine (other than that temporary limit for bandwidth overconsumption on the “simple debricking” images). I could share a signup link here and get even more free storage, but I have only used about 5GB of that initial 50GB for years, and that is enough for me). The other members running servers actually pay for their bandwidth, and their choices are theirs to make, but I am sure they will read your post at some time in the near future. Thanks for the suggestion.
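
The torrent-versus-single-point-of-distribution discussion above comes down to one practical control: a downloaded image should be checked against an authoritative, current manifest before it goes anywhere near a device, so that a stale mirror copy of a retired file is refused instead of flashed, and a truncated or tampered copy is caught by its digest. The following Python is an added example written for this page, not code from the jailbreak project or its authors. The manifest format, the file names and the image bytes are constructed assumptions; in practice the manifest would be fetched over HTTPS from the distribution page rather than built locally as it is here so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed sample payloads (assumptions for this example, not real
# jailbreak images). The manifest is built locally so the example runs
# offline; a real client would fetch it from the distribution page.
CURRENT_IMAGE = b"constructed jailbreak image payload, version 3"
RETIRED_IMAGE = b"constructed jailbreak image payload, version 1"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the full file contents."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical manifest: the "single point of distribution" lists every
# current file with its digest, plus the names of files that were
# retired because a newer version proved more reliable.
MANIFEST_JSON = json.dumps({
    "version": 3,
    "files": {
        "jailbreak-image-v3.bin": sha256_hex(CURRENT_IMAGE),
    },
    "retired": ["jailbreak-image-v1.bin"],
})


def load_manifest(text: str) -> dict:
    """Parse and sanity-check a manifest document before trusting it."""
    manifest = json.loads(text)
    if not isinstance(manifest.get("files"), dict):
        raise ValueError("manifest has no 'files' table")
    for name, digest in manifest["files"].items():
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"bad digest for {name}")
    manifest.setdefault("retired", [])
    return manifest


def check_image(name: str, data: bytes, manifest: dict) -> str:
    """Classify a candidate download against the manifest.

    Returns one of:
      "ok"            - name is current and the digest matches
      "hash-mismatch" - name is current but contents differ (corrupt,
                        truncated, or tampered copy)
      "retired"       - a known but withdrawn file; must not be used
      "unknown"       - not listed at all; treat as untrusted
    """
    if name in manifest["retired"]:
        return "retired"
    expected = manifest["files"].get(name)
    if expected is None:
        return "unknown"
    # compare_digest avoids timing differences; harmless here, but the
    # habit matters when the expected value is secret.
    if hmac.compare_digest(sha256_hex(data), expected.lower()):
        return "ok"
    return "hash-mismatch"


if __name__ == "__main__":
    m = load_manifest(MANIFEST_JSON)
    print(check_image("jailbreak-image-v3.bin", CURRENT_IMAGE, m))       # ok
    print(check_image("jailbreak-image-v3.bin", CURRENT_IMAGE[:-1], m))  # hash-mismatch
    print(check_image("jailbreak-image-v1.bin", RETIRED_IMAGE, m))       # retired
    print(check_image("mirror-copy.bin", CURRENT_IMAGE, m))              # unknown
```

The retired list is what a torrent cannot give you: a swarm keeps serving an old file indefinitely, but a client that consults the manifest first refuses it by name even when its digest is intact. The digest check covers the other failure mode, a copy that was re-hosted and damaged in transit.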

  2. “That’s extraordinarily popular for a device that hasn’t seen much action of late.” That is because until now, most folks were not prepared to peel the front bezel off their kindle and remove a ton of tiny screws, then find the tiny close-together TTL serial port pads and solder tiny wires onto them (without solder-bridging or lifting those pads from excess heat). Not to mention that 1.8v USB serial adapters are hard to google because of all the 1.8m long adapter cables for other (wrong) TTL voltage levels, and the one we recommend being all-too-often out of stock. Too much bravery to do that (and we have not yet found such pads on the Kindle Oasis, which this jailbreak also supports, though our hack collection for it is still a work in progress). And at the price involved, with no serial port for recovery, an Oasis would become a GOLD brick if following bad instructions (I hope not too many Chinese Oasis owners suffer that fate).

    1. I just got a message from [knc1], the jailbreak author who put a YEAR of work into this jailbreak process (the last jailbreak step by [Branch Delay] was relatively trivial in this case). He asked me to post a “thank you” here (IMHO it is his turn for “15-minutes of fame”). Here is a full quote of his message to me:

      “Nice read, tried to thank them but ran into technical problems.
      Tell them thanks for me (and that I am busy, not that I am too dumb to post my own comment).”

        1. I realize that [NiLuJe] discovered the hidden images, but [knc1] realized that they could be used to jailbreak our kindles, and he put in the long hours to develop a method to use them as we do now. Others helped too, and we all know [NiLuJe] is the driving force whose collection of hacks even makes the jailbreak useful. Thanks [NiLuJe] (and I gave him credit back in the PW1 jailbreak post here too). Sorry if we misunderstood each other [Harbor23].

        2. @Harbor23: We have a relatively large mobileread community (often nearly 1,000 visitors at most any time of day) and our Kindle Developer’s Corner is often the most viewed (with the calibre forum close on its heels). The community is very large, and only a relatively small portion of this community were involved in this effort (four in our private group, in fact). But most of the work was shared by knc1, NiLuJe, and Branch Delay, though a lot of them used my efforts as a pillar for their work (i.e. the “simple debricking” thread). So giving everybody credit for the work would be like giving you credit for brushing my teeth, IMHO. However, I do wish to thank all our members for keeping our forum popular, which pays the bills that let our “brain children” live (hopefully) well into the future. Credit where credit is due.

  3. My comment was embedded in another comment (see above for additional details). The jailbreak author who donated a year of effort to bring us this universal jailbreak (installing our custom app installation key) [knc1] said “thank you” for posting his jailbreak here at Hackaday.

  4. Oops. I accidentally reported a comment. Also, I hope the post I just made (revealing a personal detail I wish to share) did not get lost. It contained TWO URLs, so it went into moderation. I hope it did not just fall into the bit bucket (though I recovered a copy and stored it on my disk just in case). I hope it gets published (even if an editor is required to make some changes for policy reasons).

    On another note, this jailbreak is a work-in-progress, so it is worth checking back and reading the latest instructions each time before jailbreaking your kindle (just to avoid rare device-bricking possibilities). [knc1] and others are busy answering questions and working on new hacks (and one kind soul is working on a “UX splash screen” for this jailbreak to make it “hackaday worthy”). For our OWN use in the kindle hacker community, we prefer KISS (just invisibly install the jailbreak key). The “real world” likes “eye candy” feedback to know it actually did something. ;-)

  5. It seems the Chinese folks who hijacked our works read hackaday! After I posted that we know about them, I got this message from [knc1] (the one we all can thank for this universal jailbreak method):

    “Please post an acknowledgement comment at hackaday that the Chinese (KindleFere.com) have taken immediate action to start hosting the images for China themselves.

    See most recent version of jb top post.”

    1. Now, I appeal to the HONOR of the folks at KindleFere.com, please stop dishonoring yourself and add credit here for your copies of geekmaster’s list of URLs, and for knc1’s universal jailbreak method. Thank you in advance for “saving face” and correcting your disgraceful actions.

      1. Sorry if my posts seem silly at times — my condition (health and “being aspie”) affects my rational choices. I try to do my best and I only hope that some of what I post has value to others and that my posts offend as few people as possible. Is requesting attribution from KindleFere.com unreasonable?

        Thanks for the great fun I had reading hackaday for all these years!

      2. Oops. That post was obsolete when I posted it as a reply to the post already acknowledging the KindleFere update. Sorry — variable awareness is a side-effect of my current health and I will continue to do the best I can (even if I seem childish at times). I hope to be useful to the hacker community as long as I can. Sorry for looking silly, or abusive, or however my posts are taken (and be aware that I had no such awkward intentions). Thanks.

  6. I was designing a “native mode” (i.e. C program) KUAL clone to add KUAL support to my K1 (original Kindle). It seems we may also need that to support KUAL on the new Oasis, which has been confirmed to have no kindlet (active document) support. I may complete that task if I have enough time, but others are more than welcome to beat me to it. We surely need an Oasis KUAL clone to launch our custom apps (still being ported to the Kindle Oasis (KOA, campground edition, LOL)).

    1. Lol, most people won’t get that joke but I thought it was hilarious. KOA is awesome.
      I’ve never used a Kindle but this article turned out much more interesting than I expected; I might grab a few. :)

  7. FWIW I gave The Onion the idea for their “I’m like a chocoholic, but for booze” article. I suggested that, as an article name, in an email I sent them years ago, about a month or two before they ran the story. I gave them the outline, the idea for the story, though that’s kind of obvious. Of course they wrote the story themselves, it sort-of writes itself once you have the headline, it’s a basic joke.

    I used to read The Onion regularly, before they fucked the formatting up and went all “content provider” or whatever. Used to be a web site. Don’t bother any more.

    Anyway, did the fuckers thank me? Did they arse. I once emailed them asking them nicely to say “thank you”, I got nowt. Bastards! I did say in the initial email they could have all rights etc. I’m not legally entitled to a thank-you. But that’s all I wanted.

    And now they sell T-shirts with the chocoholic for booze thing as a slogan! Those should be my millions of T-shirt dollars!

    Anyway it’s not quite the same thing as your situation, and sorry to hear about the brain cancer. With the effort users have made to archive everything ever put onto floppy disk, for every computer, and with those archives ending up in further archives, might be a small part of your brain will be immortalised in those few K of machine code, forever.

    That’s an interesting artefact of digital data, the flawless, unlimited copies possible. I think that’s a new type of thing to mankind. If it’s tended, replicated, data could outlast any number of pyramids. Anyway there’s further down that tangent I could go, but I’ll leave it for now.

    1. At least my full legal name will be on Mars (with a backup copy) for a very long time. ;) And FYI, the guy who patented the sliding window Y2K algorithm and made millions used EXACTLY THE SAME method down to the last detail that I had placed in hundreds of programs at my first programming job about 30 years before Y2K (probably before he was born). I have tons of stories to tell, but my favorite sites (looking at you MR) delete them as “off topic” before my Dev Corner hacker friends can read them (nobody visits “the lounge”). I need a place to share my work and my life stories that will survive for generations long after my death.

    2. @Greenaum: Not brain cancer (at least not yet). Bone cancer (which does not respond to chemo, radiation, or pain killers). Another “extreme experience” I get to enjoy. ;-)

        1. Ah, I mean the problem of not being able to install any of our after-market add-ins.
          Still no graphical launcher menu for the Oasis. But now that Oasis owners can have something to launch . . . .

          1. Working on it. Today is a “doctor free” day, so I might make some more progress on it. I am not accustomed to needing so much sleep just to get by. I used my gmplay eink video player code as a base BECAUSE it works on all eink kindles (even the K1), so it should “just work” when I release it (though I still need to test the touchscreen event handler code on multiple kindle models). A relatively trivial project over all, but “life and death” keep getting in the way. Coming to a kindle near you RSN…

  8. [knc1] reports “No numbers from China tonight, but they usually have twice as many installs a day as we have.
    That should add up to almost 3,000 installs in the first week.”

  9. The Chinese website is sending their users to our thread for support. Not only does that more than triple our workload, but it adds a ‘Google Translate’ language barrier. I think we have figured out that “Downstairs siege lion black hello” means “Downgrade succeed after a long time.”

    1. Actually, it looks like the support load is getting lighter rather than heavier. Not sure if it is timezone effects or the increasingly comprehensive jailbreak instructions. Despite the huge download traffic. I wonder how many THOUSANDS of kindles have been waiting for a jailbreak that did not involve opening the kindle and heating up the soldering iron? And just how many kindles are there in China anyway? All good. These thousands of jailbreaks will surely stimulate new traffic in our forum anyway, new customers for our hacks and custom apps (giving us a reason to build even more) just like the good old days. :-)

  10. Very nice. However, the title of the article on HAD is misleading. The jailbreak isn’t for every Kindle reader — it appears to apply only to eInk readers. I was initially quite excited as I picked up a Kindle Fire HD 6 new for $60 with the intention of jailbreaking it. Of course, now that I have it, I see that jailbreaking the Fires, especially the 6″ Fires, is pretty difficult to navigate.

      1. knc1, do you mean that if there had been a Kindle Fire in the picture he would have been an idiot to think that it would work on eInk Kindles?
        The title says it’s for “Every Kindle”. It’s not.

  11. Nice work but I’ve had code execution on the fire forever. These devices are so boring nobody cares it’s just a ARM tablet with primitive/restricted software. The Fire uses Trustzone for some binary and content signing. That’s the most interesting security on it.

    1. Thanks for the backhanded compliments. How many of those (well over 3,000) folks who have downloaded our jailbreak images do you consider “nobody”? We are very interested in our eink devices. Besides only using battery while changing pages on the eink, eink technology itself is quite fascinating (and it is the best kind of display outdoors or in direct sunlight, plus many other benefits). The main benefit I appreciate is that they are extremely easy on the eye in the wee hours of the night during a marathon coding session (unlike a light-emitting display). And earlier eink Kindle devices even have free unlimited 3G internet (in the USA).

      You are free to have such an uninformed opinion (and even to embarrass yourself in public by expressing it), but your (anti-eink) fanboy comments may be more welcome in a Fire (or other android device) forum.

    2. @xorpunk: I am sorry that you are offended by the ARM processor in our eink Kindle devices. Would you be less upset if these devices were x86-based? Or is Arduino more your style?

    3. “3,000” on a fortune 500 content device after at least five days of having backlinks on major niche domains.. Your comments are less than a day old.. I was clearly wrong..

      No technical feats regarding these devices. They have massive attack surface with all the unsigned content loaders and no memory protection..

      1. Just a small technical note on the custom Linux OS used by the grayscale Kindles:
        There are no “loaders of unsigned content”, anything that touches the system files MUST be signed.
        That is what makes getting our signature certificate added to the Kindle’s key pool so much fun.

  12. We have an estimate based on download counts of well over 4,000 jailbreaks now (and more if you consider that some downloads are used to jailbreak multiple kindles, and some files may be cached on intermediate servers). In addition, the jailbreak page has had almost 31,000 visitors. A lot of kindles have been waiting for this jailbreak, since amazon began locking down their firmware awhile ago.

    1. And of course, the Chinese version of the jailbreak page has probably had far more visitors than we have at mobileread.com. Perhaps 100,000 visitors (or page views) overall. As Brian said, “That’s extraordinarily popular”.

  13. In addition to installing the jailbreak key, the latest version of the jailbreak now installs a short book called “You are Jailbroken”. This provides visual feedback that the jailbreak actually did something. The next step in the process is to install custom apps that are signed with our custom jailbreak key (available in our forum).

  14. Game over.
    Every Kindle model from the K2 to the most recent ‘Kindle Basic’ (KT3) can be jailbroken. (the k1 did not require it).
    The thread this article links to now has directions (links) to any of the earlier touchscreen model jailbreaks not covered by the thread linked above.

  15. FYI, we are well over 5,000 jailbreak installs using this method now (based on downloaded support files from OUR servers). There may be many more than that which we cannot track. And support issues have been very minimal compared to the sheer volume of successful jailbreaks using this method. The instructions have been continuously refined to simplify them and avoid problems, and they are pretty much a “done deal” now (though new serial number prefixes keep being discovered that need tweaks to hack installation files).

    1. And the latest Rescue Pack (RP) has also been tested successfully on the KOA (Kindle Oasis) too. The RP restores “diags” functionality (with SSH) to your kindle to make debricking possible. Highly recommended. The Coward’s Rescue Pack (CRP) should work too, but needs testing on a KOA. CRP boots to diags if the kindle USB jack sees external power while rebooting. These two hacks are great insurance against bricking a kindle if you mess something up while poking around in your rooted device (especially for adventurous developers).

  16. Five weeks, about 68,000 reads of the instructions, any real jail break numbers unknowable.
    Nearly a week without user problems that required an edit of the directions.

    The rush is over. My best guess is a nice, steady, 75 … 100 devices a day.
    Nothing compared to the number of (grayscale) Kindles that Amazon ships but pretty good for such a specialized audience.

    1. Unknowable because there are translated copies of these instructions in multiple languages now, with copies of the download files as well. A quick google search for sites with linkbacks finds Chinese, Italian, Russian, and other languages (with varying degrees of translation quality). Almost all support requests come from folks who appear to have followed such foreign language instructions, but even then, quite rare considering the number of people who have downloaded the files. In almost all cases, the failed jailbreak was caused by skipping or swapping steps in the jailbreak procedure, and starting over usually fixes the problem. Overall, quite a successful situation.

      Though I was quite surprised at the sheer magnitude of pent-up demand for a jailbreak that did not require opening the kindle and attaching wires to the tiny TTL serial port pads inside the kindle. We are over that hump and into the “long tail” period of jailbreak frequency now. Many hacks are being updated to work on the newest kindles, and fresh talent has been attracted to kindle hack development once again. New hacks are being created at this time — a good thing for folks who want freedom to explore and extend their devices.
