Reversing Everything
Yet another reverse engineering blog

Friday, December 21, 2007

Hacking the Kindle part 3: root shell and runtime system

Root Shell

After I downloaded and extracted the root fs image, I quickly ran the /etc/shadow file through John the Ripper. In a moment it displayed the root password: "fiona" (which is the codename for the Kindle, by the way). Alas, it didn't work when I tried entering it on the console. Adding "init=/bin/sh" or "single" to the kernel boot arguments didn't work either.

So I started to poke around with the firmware update and after some time was able to run a script which mounted the read-write part of the root filesystem and dumped the /etc/shadow from it. Unsurprisingly, it had a different password hash. Apparently the root password is changed somewhere before shipping to the end user.
So I quickly adapted the script to replace the shadow file on the device with the original one. You can find that implementation in this update maker zip: kindle_update_maker-0.1.zip

After replacing the shadow file and a reboot, I was able to get in. Output of some commands:

```
[root@kindle root]# ls -la /
drwxr-xr-x    2 root  root   592 Oct 30  2007 bin
drwxr-xr-x    1 root  root     0 Jan  1 00:00 dev
lrwxrwxrwx    1 root  root     7 Oct 30  2007 etc -> opt/etc
drwxr-xr-x    2 root  root     3 Oct 30  2007 home
drwxr-xr-x    2 root  root     3 Oct 30  2007 initrd
drwxr-xr-x    2 root  root   586 Oct 30  2007 lib
lrwxrwxrwx    1 root  root    11 Oct 30  2007 linuxrc -> bin/busybox
drwxr-xr-x    5 root  root    34 Oct 30  2007 mnt
drwxr-xr-x   10 root  root  1024 Nov  5  2007 opt
dr-xr-xr-x  101 root  root     0 Jan  1 15:42 proc
drwxr-xr-x    2 root  root   506 Oct 30  2007 sbin
drwxr-xr-x   10 root  root     0 Jan  1 15:42 sys
drwxrwxrwx    5 root  root     0 Jan  1 15:44 tmp
drwxr-xr-x   10 root  root    95 Oct 30  2007 usr
drwxr-xr-x    2 root  root    55 Oct 30  2007 var
[root@kindle root]# mount
devfs on /dev type devfs (rw)
/dev/bml0/6 on / type squashfs (ro)
/dev/stl0/8 on /opt type ext3 (rw,sync,noatime,nodiratime)
/proc on /proc type proc (rw,nodiratime)
sysfs on /sys type sysfs (rw)
devfs on /dev type devfs (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
devpts on /dev/pts type devpts (rw)
tmpfs on /tmp type tmpfs (rw)
/dev/bml0/7 on /mnt/dc type squashfs (ro)
[root@kindle root]# ps -A f
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:01 [swapper]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00  \_ [khelper]
   20 ?        S<     0:10  \_ [kblockd/0]
   87 ?        S      0:02  \_ [pdflush]
   89 ?        S<     0:00  \_ [aio/0]
   86 ?        S      0:00  \_ [pdflush]
   10 ?        S      0:00 [sleepd]
   33 ?        S      0:00 [khubd]
   88 ?        S      0:00 [kswapd0]
  676 ?        S      0:12 [voltd]
  678 ?        S      0:02 [pnlcd_animate]
  681 ?        S      0:00 [kseriod]
  710 ?        S      0:00 [wantph]
  709 ?        S      0:00 [wanend]
  721 ?        S      0:00 [mmcdd]
  727 ?        S      0:00 [hpdetd]
  740 ?        Ss     0:00 init
 1116 tts/2    Ss     0:00  \_ -sh
 2344 tts/2    R+     0:00      \_ ps -A f
  831 ?        S      0:00 [kjournald]
  884 ?        S      0:03 /sbin/syslogd -m 0 -b 1 -S -s 250
  887 ?        S      0:01 /sbin/klogd
  976 ?        S      0:00 [eink_fb_apt]
  974 ?        S      0:04 [eink_fb_udt]
  975 ?        S      0:00 [eink_fb_sst]
 1023 ?        S      0:07 [f-s-gadget]
 1024 ?        S      0:00 [f-s-activity]
 1063 ?        S      0:00 [wdtpmd]
 1071 ?        S      0:00 /usr/sbin/watchdogd -k 9 -t 30
 1079 ?        S      0:00 /usr/sbin/netwatchd -d 20 -t 5 -p www.amazon.com
 1086 ?        S      0:03 /usr/sbin/nomkd -v 80 -r 44 -d 23 cvm
 1092 ?        S      0:00 crond -l 9 -c /etc/crontab
 1097 ?        S      0:00 /bin/sh /usr/sbin/tphmonitor
 1101 ?        S      0:00  \_ /usr/sbin/tphserver -f
 1119 ?        S      0:00 /bin/sh /usr/sbin/execmonitor
 1128 ?        S      0:00  \_ /usr/sbin/execserver
 1123 ?        S      0:00 /bin/sh /opt/amazon/ebook/bin/run_framework
 1169 ?        S      0:00  \_ /bin/sh /opt/amazon/ebook/bin/start.sh
 1173 ?        SL     0:18      \_ /usr/java/bin/cvm -Xmx16m -Dsun.boot.library.path=/opt/usr/java/lib:/usr/java/lib -cp :/opt/amazon/ebook/lib/MobiCore-impl.jar:/opt/amazon/ebook/lib/MobipocketCoreReader.jar:/opt/amazon/ebook/lib/ReaderSDK.jar:/opt/amazon/ebook/lib/SearchSDK.jar:/opt/amazon/ebook/lib/framework-api.jar:/opt/amazon/ebook/lib/framework-impl.jar:/opt/amazon/ebook/lib/jdbm.jar:/opt/amazon/ebook/lib/json.jar:/opt/amazon/ebook/lib/kxml2.jar:/opt/amazon/ebook/lib/xyml.jar:/opt/amazon/ebook/booklet/AudiblePlayer.jar:/opt/amazon/ebook/booklet/AudioPlayer.jar:/opt/amazon/ebook/booklet/Browser.jar:/opt/amazon/ebook/booklet/ContentManager.jar:/opt/amazon/ebook/booklet/Demo.jar:/opt/amazon/ebook/booklet/Experimental.jar:/opt/amazon/ebook/booklet/Home.jar:/opt/amazon/ebook/booklet/MobiReader.jar:/opt/amazon/ebook/booklet/PictureViewer.jar:/opt/amazon/ebook/booklet/PrefBooklet.jar:/opt/amazon/ebook/booklet/Search.jar:/opt/amazon/ebook/booklet/XymlBooklet.jar:/opt/amazon/ebook/booklet/msp.jar:/opt/usr/java/lib/libjnisystem.jar -Ddebug=1 -Dcheck_comm_stack=true -Dhttp.keepalive.timeout=60000 -Dhttp.maxConnections=16 -Dallow_demo=false -Dawt_fb_enable=0 -Dextkeyboard=false -Dconfig=/opt/amazon/ebook/config/framework-unix.conf -DENABLE_SEARCH_INDEXING_THREAD=true -Dprintdebugtime=false com.amazon.ebook.framework.Main
      (around 30 cvm copies skipped)
 2298 ?        S      0:00 [mmcqd]
```

As you can see, /opt is writable and so is /etc, which points to it. On factory reset, the writable partition is populated from the /usr/default/opt.tar.gz file.

Here's the full listing of the filesystem: list.zip

Bonus content

The main GUI and most of the back-end code is written in Java. The framework is quite elaborate and can be extended with extra "booklets". After spending some time investigating it with JAD, I found some undocumented shortcuts, features and easter eggs. Here's a more or less complete list.

Picture viewer

I'm not sure why Amazon didn't make it public (maybe because paging is kinda slow), but there is a basic picture viewer in the Kindle. To activate it:

1) Make a folder called "pictures" in the root of the Kindle drive or SD card. Kindle also checks for "dcim", the folder created by cameras.
2) Put the pictures for a single "book" into a folder inside that. The subfolder name will be used as the "book" name. Supported formats are jpg, png, gif.
3) In the Home screen press Alt-Z. A new "book" should appear. Open it to view your pictures.
4) In the local menu you can toggle dithering, resize to fit and full screen mode.

Keyboard shortcuts

Various undocumented/underdocumented keyboard shortcuts. I italicized the most interesting ones.

Global keys
Alt-Shift-R: reboot Kindle
Alt-Shift-.: restart GUI
Alt-Shift-G: make screenshot. Due to an implementation bug, screenshots can only be stored on the SD card, not in main storage. A gif file is saved in the card root.
Shift-Sym: start demo. Enabled only if allow_demo=true is passed on the Java command line.
Needs a special demo script present on the SD card.

Home
Alt-Shift-M: Minesweeper
Alt-Z: rescan picture directories
Alt-T: show time

Reader
Alt-B: toggle bookmark
Alt-T: spell out time
Alt-0: enable/disable slideshow
Alt-1: start slideshow (if enabled)
Alt-2: stop slideshow
Alt-PageForward/PageBackward: go to next/prev annotation, or one "chunk" (1/20th of a book) forward or backward

Settings
411: show diagnostics data
511: run loopback call test
611: diagnostic data service call
c/e/s 126: Lab126 team members

Font List
J: show/hide justification options

Picture viewer
Alt-Shift-0: set current picture as screensaver
F: toggle fullscreen mode

Minesweeper
I, J, K, L: up, left, down, right
M: mark mine
R: restart
Space: open cell
Scroll: move cursor up/down
Alt-Scroll: move cursor left/right
H: return to Home screen

Text input
Alt-Backspace: clear all
Alt-H/Alt-J: move cursor
(the following don't work in the search field for some reason)
Alt-6: ?
Alt-7: ,
Alt-8: :
Alt-9: "
Alt-0: '

Browser
It seems there is a location capability (GPS?) in the CDMA module. I cannot check it as I'm not in the USA, but the following shortcuts are programmed inside the browser.
Alt-1: show current location in Google Maps
Alt-2: find gas station nearby
Alt-3: find restaurants nearby
Alt-4, Alt-5: find custom keyword nearby
Alt-D: dump debug info to the log and toggle highlight default item
Alt-Z: toggle zone drawing and show log

Audio Player
Alt-F: next
Alt-P: play/stop

Search commands

These commands work in the search field. You can enter only the beginning of a command if that's enough for it to be unique.

Public commands (always available)
@help
@web
@wiki / @wikipedia
@store
@time

Semiprivate (available but not mentioned in @help)
;dumpMessages: dump the current debug log into the "documents" directory
;debugOn: set log level=2 and enable private commands
;debugOff: set log level=1 and disable private commands

Private commands
Note: the following commands are clearly not intended for end users. Some of them may damage your Kindle and void your warranty.
Enter at your own risk.

`help: list private commands
`7777: set version to TOPmk-xyz-77770 (to disable OTA updates?)
`voltLog: enable/disable voltage table debug
`batteryLoggingDelay: set battery logging delay (in seconds)
`pppStop: close WAN PPP connection
`disableIndexing
`logOpenFiles
`startIndexing
`dumpBattery
`indexStatus
`compliance
`einkAdjustments
`allocate [MB]
`log611
`reloadContentRoster
`indexForever
`downloadIndex
`consumeMemory
`terminal
`checkForUpdate
`applyUpdate
`stopIndexing
`processNowNow
`processTodo
`countUnmergedDownloadedIndexes
`dumpIndexStats
`memInfo

Posted by Igor Skochinsky at 16:54
Labels: amazon, hacking, java, kindle, linux, shortcuts

54 comments:

Anonymous said...
Thanks, Igor, you _rule_.
21 December, 2007 18:53

Anonymous said...
A masterpiece of reverse engineering. Ranks up there with rld-sfrt IMHO.
Rolf
21 December, 2007 22:41

Flash Sheridan said...
>>> It seems there is a location capability (GPS?) in the CDMA module. I cannot check it as I'm not in USA but the following shortcuts are programmed inside the browser. Alt-1 show current location in google maps <<
>> Font List J show/hide justification options <<
1079 ? S 0:00 /usr/sbin/netwatchd -d 20 -t 5 -p www.amazon.com
Achtung! There's something evil in the process list.
27 January, 2008 18:13

Erik said...
For the curious, 'terminal has no noticeable effect. Could be you have to have one of the other functions on for it to do anything.
30 January, 2008 05:15

Anonymous said...
I see the "J" command for revealing justification in the font list, but it's not working for me. Suddenly my book started formatting in center justified text mode and I can't seem to get it back to left or full justification.
02 February, 2008 18:58

idle said...
Hi, congratulations for your achievements... Do you know about the mobipocket .mbp (notes related to books) format? I have a very long .mbp file of a book that somehow the reader saved one day in such a way that it can't read it anymore...
Any hint of any kind (structure of this file) would be greatly appreciated.
aWRsZWxvb3BAaG90bWFpbC5jb20=
03 February, 2008 01:54

Anonymous said...
I found a program to unprotect protected mobipocket books: http://pastebin.com/m40582493
07 February, 2008 20:00

ryan dunn said...
The google maps features don't work, not because I'm not getting a location, but because the location it sends to google maps is in longitude and latitude, and google doesn't seem to understand this information. Perhaps amazon coders are hoping google will realize this data should be functional and start letting them send it.
14 February, 2008 21:11

Some idiot said...
Hm... as someone else asked, how might one restore the old screensavers? Or failing that, purge the user's images? They don't go in the Kindle's "drive" portion of memory, and... the image I selected is quite undesirable, in retrospect.
20 February, 2008 02:12

idle said...
Hi, I finally ended up coding a mobipocket notes (mbp) exporter in order to solve my little problem... (In case someone wants to give it a try: http://www.angelfire.com/ego2/idleloop/mbp_reader.html )
31 March, 2008 18:08
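Back to the Root Shell section of the post: the `mount` and `ls -la /` output there shows /etc resolving, via the opt/etc symlink, to the writable ext3 partition, which is exactly what let an update script swap the shadow file. The following Python audit is an added example, not code from the original post or the update maker: it parses that output, follows top-level symlinks once, and reports which directories one would expect to be read-only actually sit on a writable mount. The sample input is an abridged copy of the post's own output, and the list of expected-read-only directories is my assumption.

```python
import re

# Constructed sample input: the `mount` and `ls -la /` output quoted in the post, abridged.
MOUNT_OUTPUT = """\
/dev/bml0/6 on / type squashfs (ro)
/dev/stl0/8 on /opt type ext3 (rw,sync,noatime,nodiratime)
tmpfs on /tmp type tmpfs (rw)
"""
LS_OUTPUT = """\
drwxr-xr-x    2 root root  592 Oct 30  2007 bin
lrwxrwxrwx    1 root root    7 Oct 30  2007 etc -> opt/etc
lrwxrwxrwx    1 root root   11 Oct 30  2007 linuxrc -> bin/busybox
"""
MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")

def parse_mounts(text):
    """Map mount point -> (device, fstype, writable) from `mount` output."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            dev, point, fstype, opts = m.groups()
            mounts[point] = (dev, fstype, "rw" in opts.split(","))
    return mounts

def parse_root_symlinks(text):
    """Map top-level symlink (e.g. '/etc') -> absolute target from `ls -la /` output."""
    links = {}
    for f in (l.split() for l in text.splitlines() if l.startswith("l") and " -> " in l):
        links["/" + f[-3]] = f[-1] if f[-1].startswith("/") else "/" + f[-1]
    return links

def mount_for(path, mounts):
    """Longest-prefix match: the mount point that actually backs `path`."""
    hits = [p for p in mounts if path == p or path.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len) if hits else "/"

def writable_system_dirs(mount_text=MOUNT_OUTPUT, ls_text=LS_OUTPUT,
                         expect_ro=("/bin", "/sbin", "/lib", "/etc")):  # assumed list
    """Return {path: mount point} for each expected-read-only path on a writable mount."""
    mounts, links = parse_mounts(mount_text), parse_root_symlinks(ls_text)
    findings = {}
    for path in expect_ro:
        point = mount_for(links.get(path, path), mounts)  # follow a top-level symlink once
        if point in mounts and mounts[point][2]:
            findings[path] = point
    return findings
```

On the sample above the audit reports only /etc, backed by the rw ext3 mount at /opt; the squashfs root keeps /bin, /sbin and /lib read-only.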