How the Kindle Touch jailbreak was discovered

The Kindle Touch has been rooted! There’s a proof video embedded after the break, but the best part about this discovery is that [Yifan Lu] wrote in-depth about how he discovered and exploited a security hole in the device.

The process begins by getting a dump of the firmware. If you remove the case it’s not hard to find the serial port on the board, which he did. But by that time someone else had already dumped the image and uploaded it. We guess you could say that [Yifan] was shocked by what he found in the disassembly. This is a ground-up rewrite compared to past Kindle devices and it seems there’s a lot to be hacked. The bootloader is not locked, but messing around with that is a good way to brick the device. The JavaScript, which is the language used for the UI, is not obfuscated, and Amazon included many hooks for later plugins. Long story short, hacks for previous Kindles won’t work here, but it should be easy to reverse engineer the software and write new ones.

Gaining access to the device is as easy as injecting some HTML code into the UI. It is then run by the device as root (no kidding!). [Yifan] grabbed an MP3 file, changed its tag information to the HTML attack code, then played the file on the device to exploit the flaw. How long before malicious data from illegally downloaded MP3 files ends up blanking the root file system on one of these?


Kindle Fire cover from a Moleskine journal

[Kevin Haw] is the proud owner of a brand new Kindle Fire. But to protect the investment he wanted a nice looking case and decided that DIY was the way to go. He ended up repurposing a Moleskine journal as a tablet cover.

You can do this one yourself in under an hour. Most of the pages in these journals are sewn in place and [Kevin] started by cutting the strings with a hobby knife. Once removed, he used a utility knife to separate the pages that were glued to the cover; this leaves you in the state seen above.

Obviously this unfinished look just won’t do. [Kevin] used some red duct tape to cover the unsightly spine. This adds strength and does the job of cleaning up the area, but we might have also applied felt (or microfiber cloth) to the entire inside area for a slightly more finished look. The final part is mounting the tablet, which was accomplished with adhesive Velcro strips. These can be removed from the back of the Kindle Fire later on if you decide to use a different enclosure.

I am root! — Kindle Fire edition

Amazon’s new tablet reader, the Kindle Fire has been rooted. Early this morning [Death2All110] posted the steps he took to gain root access to his device (which is so fresh out of the box it still smells new). The heavy lifting is done by a package called SuperOneClick which aims to root all manner of phones and devices running Android.

There’s a bit more than the one click necessary, but not by much. Using the Android Debug Bridge (adb) in conjunction with the SDK you need to put in a value that will be recognized as the VID. From there, turn on the ability to install apps from unknown developers, re-enumerate the device on your PC and run the one-click package.

What can you do with this? Well, it completely opens up the Android OS so that you can bend it to your will. We haven’t seen any demonstrations yet, but it should be even better than what we saw done with the Sony PRS-T1.

[Addictive Tips via Reddit]

More FrankenKindle progress

[Glenn] sent us an update on his FrankenKindle project. You might remember this hack from back in July. [Glenn] is modding the device to make it easier for his sister, who has Cerebral Palsy, to use.

The latest revision adds a case for the hardware. The silver button pad is what remains of the V.Reader (a children’s toy), having had the screen portion hacked off. The case provides a stable base for the reader and buttons, holding them at a nice angle for easy use. There’s just a bit of cable routing that needs to be finished to protect some fragile connections. The picture above does show the circuit board to the side, but there is a place for it around back.

In the video after the break [Glenn] mentions that the response to keypresses is a little sluggish. Sure, some of this is the Kindle’s own delay when refreshing the ePaper display. But we can’t help but think the code running on the Teensy could also be optimized. We’ve asked him to post his code if he wants some tips, so check back and help out if you can.

We do have one feature suggestion for him. The Kindle keyboard no longer functions because that flat cable coming out the side is what connects to it. It’s quite easy to add a PS/2 keyboard port to a microcontroller. That would be a nice addition to the FrankenKindle as it would make things like shopping for books a bit easier.


FrankenKindle: building an alternate Kindle keyboard

If you’ve ever thought the Kindle keyboard was a bit cramped you’re not alone. [Glenn’s] been working on developing an external keyboard for the Kindle for quite some time. It may not make the device easier for everyone to use, but he’s motivated to improve usability for his sister who has Cerebral Palsy.

We see a lot of keyboard hacks that solder straight to the pads under the buttons, but for a compact device like the Kindle this would really mess things up. Instead of going that route, [Glenn] sourced a 20-pin Flexible Flat Cable and breakout board that match the internal Kindle connector. The prototype seen above uses a TS3A5017 serial multiplexer chip to simulate the keyboard button presses. That multiplexer is driven by a Teensy++ microcontroller board which is monitoring a larger set of buttons on the V.Reader seen above. Check out the video after the break for a brief demonstration, then look around at the rest of [Glenn’s] blog posts to view different steps of the development cycle.


Run Kindle 3 firmware on Kindle 2 hardware

After about six weeks of testing [Yifanlu] has released a stable version of the Kindle 3 firmware for use with Kindle 2 hardware. Everything seems to be working just fine with the patched firmware. We immediately jumped to the conclusion that the upgrade must run pretty slow on the older hardware. [Yifanlu] addresses that assumption in his post. The Kindle 2 hardware is not as fast as the Kindle 3, but it sounds like the upgraded firmware is no slower than the stock firmware was on the older units.

Since the firmware is proprietary, the upgrade method requires that you own both Kindle 2 and Kindle 3. Three scripts will pull the firmware image from the older hardware, copy it over to the new hardware and patch it at the same time, then copy the fully patched package back to the old hardware for use.

After the break you can see a video of a Kindle DX running 3.1 firmware. There’s also a link to the Reddit post where commenters have linked to pre-compiled versions of the patched package.


Kindle 3.1 Jailbreak


In the constant battle of manufacturers vs. jailbreakers, the turnaround time between a new software release and a new jailbreak seems to be getting shorter and shorter. [Yifan] noticed that a recent Kindle update broke a previous method of running unsigned code and started the search for a new workaround.

He eventually found a way to force the Kindle to run unsigned code based on how the software update checked for digitally signed files. With that knowledge in hand, he discovered that he could trick the updater into running any file he wanted by exploiting the standard functionality found in the Unix ‘cat’ command.

On his site, [Yifan] provides more details, source code, and a compiled update file that performs the jailbreak for you. Much like the previous jailbreaks we have featured, it is perfectly legal to do, but you do risk voiding your warranty during the process.

[Picture via Amazon.com]