Jailbreaking the International Kindle
I was quite close to publishing similar findings myself but Jean-Yves Avenard beat me to it. It is now possible to create custom updates for International Kindle that runs firmware 2.2.* Fortunately there is no need for hardware changes…
A little background information first. A while back Igor Skochinsky found serial console connector on Kindle 1 and reverse engineered scripts that Kindle uses to update it’s firmware. Since Amazon is paying for it’s wireless traffic they don’t push full firmware dumps as updates but rather compressed linux patches that only change the things that need to be changed and are relatively small. In Kindle 2 same scripts were used. The only thing that changed was device ID. This was to safeguard against installing update for wrong Kindle device rather than to prevent custom update installation altogether. Kindle DX was a similar story.
However it all changed when Kindle 2 International came out. There was a device ID change as well but updates still failed to install. Using debug commands that still worked (you need to type then in the home screen search box – they are quite harmless will not break your Kindle):
Amonng other housekeeping messages it returned the folloing lines:
091021:102422 EXT3 FS on mmcblk0p1, internal journal
091021:102422 system: I _otaupexec:def:processing update /mnt/us/update_tool.bin
091021:102422 system: I _otaupexec:def:version is “FC02”
091021:102422 system: I _otaupexec:def:update image checksum OK
091021:102422 system: E _otaupexec:def:signature does not exist for “tool.sh”
091021:102422 system: E _otaupexec:def:signature verification failed
So it looked like Amazon was signing update packages now. Worst case scenario would have been usage of asymmetric encryption keys like RSA that would be impossible to break until we have working full-scale quantum computers. Best case would be Amazon using something simple – like tar file scrambling that they are using to “encrypt” the whole update file.
I was trying to break into the Kindle via serial console that can be exposed by sliding the top plastic cover off the device but fried my Kindle in the process.
While I was waiting for the new device to arrive, mobileread.com member clarknova suggested using a tarbomb to break into the new Kindle. He assumed that new Kindle would still use the old code to extract files from the update before verifying the signatures. It proved to be true. A tarbomb exploits the fact that linux tar would extract anything that is given to it and might put it somewhere where package receiver didn’t intent it to go. For example older versions would honor relative paths, so if tarball contained file ../../etc/rc5.d/S00kill-code and most likely user would try to unpack the file in /home/username, the malicious file would go into /etc/rc5.d/ and get executed on the startup. While version of tar that is installed on Kindle discards parent directory references, it allows to unpack a symlink that points anywhere in the filesystem. This allowed to craft an update that would still fail to install but in the process would deposit a startup script that would unlock further access to Kindle internals.
Unfortunately Amazon did use the asymmetric encryption to sign the packages. Fortunately there is a very nice way around. Kindle doesn’t use just one key to verify the signature – it enumerates all key files in /etc/uks directory and if any of the keys yields a positive signature validation – the file passes the test. So Jean-Yves Avenard created a tarbomb that would add extra public key to that directory. He also modified Igor’s script to use corresponding private key to sign all the files in the package.
Nice thing about this mod is that it doesn’t change any files in Kindle filesystem, it just adds. So it will not cause checksum conflicts when installing official Amazon updates in the future. However if you use this jailbreak mod to install other updates like Unicode Font Hack, screensaver, savory, etc that DO change files then standard rules apply – official updates will fail and you’ll need to revert the hacks, install official update manually and then reinstall the hacks. Although I doubt that we’ll see many official Amazon updates anytime soon. I’ll make a separate post on this topic at some other time.
I’m pretty sure that in the next version of the device (International Kindle DX perhaps or whatever comes next), Amazon will fix this vulnerability and serial console might be required to install things on Kindle or perhaps some other security exploit. But for now here are specifics:
You can download the “jailbreak” update here. I’ve tested it on my Kindle and it works perfectly. It also contains the updated script to create your own packages. However I would strongly advise you to do it only if you really-really need to, really-really know that you are doing and are willing to brick your device. Several people were known to irreversible brick their Kindle eBook readers by experimenting with them. I bricked two so far trying to create unicode font hack – one US Kindle 2 a while back another Kindle 2 International recently.
So if you are not sure about what are you doing – stick to pre-canned hacks from verified sources that have been tested to work and have uninstallers available. These are relatively safe though again there is always a chance of something going wrong and hacking the Kindle absolutely does void the warranty.
I’ve tested the pre-canned screensaver hack that can be downloaded here and it does work perfectly.
To avoid having to jailbreak Kindle multiple times and creating potentially conflicting hacks I recommend to all Kindle modders out there to use Jean-Yves Avenard’s packager and private/public key pair for creating Internaional Kindle hacks. I’m going to use it for Unicode Font Hack myself.
Right after publishing this post I’m going to reorganize the Unicode Font Hack a bit and release a new version for all Kindle versions including the international one. Stay tuned!