Previously we have seen Amazon rolling out a new firmware update for the Kindle. The update included many new features, but the manufacturers-versus-jailbreakers contest is getting serious: many people were saying that the new Kindle update would be very hard to jailbreak. Yifan has now found a method to force the Kindle to run unsigned code. The method is based on how the software updater checks the digitally signed files in an update package.
Using this knowledge of how the updater handles the files, he found a way to trick the update process into running any file he chose. He did this by exploiting standard, documented behaviour rather than a bug: the updater passes the manifest filename through xargs, which splits its input on spaces, and then to the Unix 'cat' command, which reads every filename it is given.
This is what the developer wrote on his blog:
How the Kindle updater works is that first it gets a list of all files (including files in subfolders, excluding signature files) in the update and checks its signature with Amazon’s public keys. If you modify any of the scripts from a previous update, the signature is broken and the Kindle won’t run it. If you add your own scripts, you can’t sign them because you don’t have Amazon’s keys, and finding them would take more than the lifespan of the universe. (SHA256 HMAC). They also use OpenSSL to check the signatures, so trying to buffer overflow or something is out of the question (or is it? I haven’t looked into it). Afterwards, when all files are matched with their signatures and checked, the updater reads a “.dat” file which contains a list of all scripts, their MD5 hash and size (to verify, I don’t see the point since they were just signature checked. Maybe a sanity check?). It finds the “.dat” file using “find update*.dat | xargs”, which means all the .dat file has to do is start with update and end with .dat. They don’t care what is in between. Next, they read the file using “cat” and with each entry, verify the hash and load the script. Well, conventionally, “cat” can read multiple files if more than one filename is given in the input. This means if the update*.dat file contains spaces, then “cat” will read every “filename” separated by a space.

I took a signed .dat from one of Amazon’s updates. Renamed it “update loader.sig .dat” and placed my actual .dat (containing an entry to the script jailbreak.sig, a shell script renamed) in loader.sig. jailbreak.sig untars payload.sig, a renamed tgz file which contains the new keys we want to use to allow custom updates. Amazon’s updater only signature checks “update loader.sig .dat”, which is valid. Then cat tries to read the files “update”, “loader.sig”, and “.dat”, one of which exists and the others silently fail.
loader.sig points to the script jailbreak.sig, which the updater happily loads, thinking it has already been signature checked. jailbreak.sig calls tar to extract payload.sig, copies the new keys to /etc/uks and installs an init.d script to allow reverting to Amazon’s keys for installing future updates. Now we own the system.
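The filename trick in Yifan’s write-up comes down to one shell habit: locating a file with find, handing the name to xargs, which splits its input on whitespace, and then to cat, which reads every argument it is given. The script below is an added example written for this article; it is not Yifan’s jailbreak code and not the Kindle updater’s own script. It creates a throwaway directory with constructed files (the names and contents are invented for the demonstration), shows the vulnerable find/xargs/cat read picking up the unsigned loader.sig instead of the signed manifest, and then shows a fixed read that keeps the filename as a single word plus a name check the updater could have applied before trusting a manifest at all. The MD5 and signature verification steps are deliberately not reproduced.

```shell
#!/bin/sh
# Added example, not code from the original page or from Yifan's jailbreak.
# Reproduces the word-splitting flaw described above with constructed files:
# a "signed" manifest whose NAME is three whitespace-separated words, and an
# unsigned loader.sig that the vulnerable read path ends up trusting.
# File names and contents are made up; no hash or signature check is modelled.

# Create a throwaway "update" directory and print its path.
setup_update_dir() {
    dir=$(mktemp -d)
    # Stands in for Amazon's genuinely signed manifest, renamed so that the
    # name itself contains two other filenames.
    printf 'signed_script.sh\n' > "$dir/update loader.sig .dat"
    # The attacker's real manifest, hidden under a ".sig" name so that a
    # walk which skips signature files never checks it.
    printf 'jailbreak.sig\n' > "$dir/loader.sig"
    echo "$dir"
}

# Vulnerable read path, modelled on the quoted description.
# "find update*.dat" prints the single name "update loader.sig .dat";
# xargs splits that line on whitespace into three arguments for cat.
# "update" and ".dat" do not exist (cat's errors are discarded, as the
# updater's were), while "loader.sig" exists and is read as the manifest.
vulnerable_manifest() {
    ( cd "$1" && find update*.dat | xargs cat 2>/dev/null || true )
}

# Fixed read path: let the shell glob produce the name and keep it as one
# quoted word, so whitespace inside a filename can never become extra
# arguments. The bytes that were signature checked are the bytes read.
hardened_manifest() {
    ( cd "$1" && for f in update*.dat; do [ -f "$f" ] && cat "$f"; done )
}

# Additional guard the updater could apply before trusting a manifest name:
# accept only update*.dat built from a conservative character set, so a name
# carrying whitespace, quotes, globs or slashes is rejected outright.
manifest_name_ok() {
    case "$1" in
        *[!A-Za-z0-9_.-]*) return 1 ;;   # anything outside the allowed set
        update*.dat)       return 0 ;;
        *)                 return 1 ;;
    esac
}

# Demonstration on the constructed directory.
demo_dir=$(setup_update_dir)
printf 'vulnerable read loads: %s\n' "$(vulnerable_manifest "$demo_dir")"
printf 'hardened read loads:   %s\n' "$(hardened_manifest "$demo_dir")"
if manifest_name_ok "update loader.sig .dat"; then
    echo 'name check: accepted "update loader.sig .dat" (unexpected)'
else
    echo 'name check: rejected "update loader.sig .dat"'
fi
rm -rf "$demo_dir"
```

Run it with any POSIX sh. The vulnerable function prints `jailbreak.sig`, the entry from the unsigned loader.sig, while the hardened one prints `signed_script.sh` from the file that actually carried the signature. The deeper lesson is that verification and use must refer to the same object: once a name is re-parsed between the signature check and the read, whatever the parser produces, not whatever was verified, is what gets executed.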
Download Kindle 3.1 Jailbreak
Stay connected to Veryrite.com. You don’t need to go anywhere else to read jailbreak news.