Hacking When it Counts: Prison Locksmithing

In 1978, Tim Jenkin was a man living on borrowed time, and he knew it. A white South African in his late 20s, he had been born into the apartheid system of brutally enforced racial segregation. By his own admission, he didn’t even realize in his youth that apartheid existed — it was just a part of his world. But while traveling abroad in the early 1970s he began to see the injustice of the South African political system, and spurred on by what he learned, he became an activist in the anti-apartheid underground.

Intent on righting the wrongs he saw in his homeland, he embarked on a year of training in London. He returned to South Africa as a propaganda agent with the mission to spread anti-apartheid news and information to black South Africans. His group’s distribution method of choice was a leaflet bomb, which used a small explosive charge to disperse African National Congress propaganda in public places. Given that the ANC was a banned organization, and that they were setting off explosives in a public place, even though they only had a few grams of gunpowder, it was inevitable that Jenkin would be caught. He and cohort Steven Lee were arrested, tried and convicted;  Jenkin was sentenced to 12 years in prison, while Lee got eight.

Continue reading “Hacking When it Counts: Prison Locksmithing”

Super Mario World Jailbreak Requires no External Hardware

[SethBling] has released a Super Mario World jailbreak that allows players to install a hex editor, then write, install and run their own game mods. What’s more is this all works on unmodified cartridges and SNES hardware. No hardware hacks required.

[Seth] is quick to say he didn’t do all this alone. This mod came to be thanks to help from [Cooper Harasyn] who discovered a save file corruption glitch, [MrCheese] who optimized the hex editor, and [p4plus2] who wrote some awesome mods.

While no soldering and programming of parts are required, installing this mod still requires quite a bit of hardware. Beyond the SNES and cartridge, you’ll need two multitaps, three controllers, and clamps to hold down buttons on the controllers. Even then the procedure will take about an hour of delicate on-screen gymnastics. Once the jailbreak is installed though, it is kept in savegame C, so you only have to do it once.

What does a hex editor allow you to do? Anything you want. Mario’s powerup state can be edited, one memory location can be modified to complete a level anytime you would like. It’s not just modifying memory locations though – you can write code that runs, such as [p4plus2’s] sweet telekinesis mod that allows Mario to grab and move around any enemy on the screen.

It’s always awesome to see old video game hardware being hacked on by a new generation of hackers. We’ve seen similar work done on Super Mario Brothers 3, and an original GameBoy used to pilot a drone, just to name a couple.

Continue reading “Super Mario World Jailbreak Requires no External Hardware”

A Jailbreak For Every Kindle

[Geekmaster] wrote in to tell us about a new hack for the Amazon Kindle. It’s a jailbreak. Universal jailbreak for almost every eInk Kindle eReader eOut eThere.

This jailbreak is a pure software jailbreak for the Kindle Paperwhite 2, the Kindle Paperwhite 3, Kindle Touch, Kindle Voyage, and Kindle Oasis. If you’re keeping track, that’s any 6th, 7th, or 8th generation device, running any firmware version. Already the jailbreak has been tested by over one thousand people, after the cloud served up half a Terabyte of jailbreak image downloads. That’s extraordinarily popular for a device that hasn’t seen much action of late.

Several years ago, [Geekmaster] made a name for himself – and for [NiLuJe], [KNC1], and other developers over at the Mobileread forums – for jailbreaking the Kindle Paperwhite. This jailbreak was, and is extremely simple; just upload a file to the root directory, restart, and the Kindle is jailbroken. The latest development extends this to nearly all Kindle models, while still being as easy to deploy as the original hack from four years ago.

If you’re looking for something to do with a neat jailbroken device with an eInk screen, they make a great serial consolethermostat, and wallpaper.

iPhone Jailbreak Hackers Await $1M Bounty

According to Motherboard, some unspecified (software) hacker just won a $1 million bounty for an iPhone exploit. But this is no ordinary there’s-a-glitch-in-your-Javascript bug bounty.

On September 21, “Premium” 0day startup Zerodium put out a call for a chain of exploits, starting with a browser, that enables the phone to be remotely jailbroken and arbitrary applications to be installed with root / administrator permissions. In short, a complete remote takeover of the phone. And they offered $1 million. A little over a month later, it looks like they’ve got their first claim. The hack has yet to be verified and the payout is actually made.

But we have little doubt that the hack, if it’s actually been done, is worth the money. The NSA alone has a $25 million annual budget for buying 0days and usually spends that money on much smaller bits and bobs. This hack, if it works, is huge. And the NSA isn’t the only agency that’s interested in spying on folks with iPhones.

Indeed, by bringing something like this out into the open, Zerodium is creating a bidding war among (presumably) adversarial parties. We’re not sure about the ethics of all this (OK, it’s downright shady) but it’s not currently illegal and by pitting various spy agencies (presumably) against each other, they’re almost sure to get their $1 million back with some cream on top.

We’ve seen a lot of bug bounty programs out there. Tossing “firmname bug bounty” into a search engine of your choice will probably come up with a hit for most firmnames. A notable exception in Silicon Valley? Apple. They let you do their debugging work for free. How long this will last is anyone’s guess, but if this Zerodium deal ends up being for real, it looks like they’re severely underpaying.

And if you’re working on your own iPhone remote exploits, don’t be discouraged. Zerodium still claims to have money for two more $1 million payouts. (And with that your humble author shrugs his shoulders and turns the soldering iron back on.)

Amazon Fire TV Update Bricks Hacked Devices

The Amazon Fire TV is Amazon’s answer to all of the other streaming media devices on the market today. Amazon is reportedly selling these devices at cost, making very little off of the hardware sales. Instead, they are relying on the fact that most users will rent or purchase digital content on these boxes, and they can make more money in the long run this way. In fact, the device does not allow users to download content directly from the Google Play store, or even play media via USB disk. This makes it more likely that you will purchase content though Amazon’s own channels.

We’re hackers. We like to make things do what they were never intended to do. We like to add functionality. We want to customize, upgrade, and break our devices. It’s fun for us. It’s no surprise that hackers have been jail breaking these devices to see what else they are capable of. A side effect of these hacks is that content can be downloaded directly from Google Play. USB playback can also be enabled. This makes the device more useful to the consumer, but obviously is not in line with Amazon’s business strategy.

Amazon’s response to these hacks was to release a firmware update that will brick the device if it discovers that it has been rooted. It also will not allow a hacker to downgrade the firmware to an older version, since this would of course remove the root detection features.

This probably doesn’t come as a surprise to most of us. We’ve seen this type of thing for years with mobile phones. The iPhone has been locked to the Apple Store since the first generation, but the first iPhone was jailbroken just days after its initial release. Then there was the PlayStation 3 “downgrade” fiasco that resulted in hacks to restore the functionality. It seems that hackers and corporations are forever destined to disagree on who actually owns the hardware and what ownership really means. We’re locked in an epic game of cat and mouse, but usually the hackers seem to triumph in the end.

One Kindle launcher to rule them

kindle-launcher

Ask around and chances are you can find a friend or family member that still has their early generation Kindle but doesn’t use it anymore. There are quite a number of different things you can do with them, and now there’s a single Launcher that works for all models of hacked Kindles. KUAL is the Kindle Unified Application Launcher.

Loading the launcher on your device does require that it be Jailbroken/Rooted, but that’s really the entire point, right? Once on your device the system is easy to configure. Menus themselves can be customized by editing the XML and JSON pair for each list. The screenshot on the left illustrates some of the applications you might want to run. We could see a VNC viewer being useful, and everyone likes to have games — like Doom II or the entire Z-machine library — on hand when they unexpectedly get stuck somewhere. But MPlayer? Does anyone actually use their ePaper device to watch videos?

Getting root on a Sony TV

The Sony Bravia series of HDTVs are a great piece of kit; they’re nice displays that usually have enough inputs for the craziest home theatre setups. These TVs also run Linux, but until now we haven’t seen anything that capitalizes on the fact these displays are wall-mounted Linux boxen. [Sam] sent in an exploit to root any Bravia TV – hopefully the first step towards replacing our home media server.

The exploit itself is a regular buffer overflow initialized by a Python script. The script sets up a Telnet server on any Sony Bravia with a USB port, and provides complete root access. [Sam] was able to get a Debian install running off a USB drive and all the Debian programs run correctly.

If you have a Bravia you’d like to test [Sam]’s script on, you’ll need a USB network adapter for the TV and a Telnet client to explore your TV’s file system. Right now there’s not much to do with a rooted Bravia, but at least now running XMBC or other media server on a TV is possible.

If anyone would like to start porting XMBC to a Bravia TV, [Sam] says he’s more than willing to help out. We’re not aware of any HDTV modding communities on the Internet, so if you’re part of one post a link in the comments.