adq


Andrew de Quincey's livejournal


Kindle 3 hacking
adq
My latest gadget is a kindle 3, and of course I want to hack it.

It has already been jailbroken using an exploit in busybox's tar command symlink handling. See here for details and updates. I installed the kindle-jailbreak-0.3.N.zip and kindle-usbnetwork-0.20.N.zip updates to let me ssh in.  To enable usbnetwork, go to the "Search" screen and type ";debugOn" followed by enter, and then "~usbNetwork" followed by enter. "~help" gives the complete command list.

There's an iptables firewall on the kindle by default preventing access to kindle-local servers from outside. However I hacked the usbnetwork scripts installed by the above to disable the inbound ssh firewall so I could just ssh into it over WIFI.

It seems to be a remarkably straightforward Linux install. The main Kindle applications are all implemented using a normal Java VM (Sun's "C" Virtual Machine, CVM).

Anyway, I want to write my own kindle apps, Kindlets, as they're called. Amazon have announced and released a closed beta of the KDK. I've applied for this, but never heard anything back. Some other resources are: the API docs, someone else (who has the KDK)'s open source kindlet project, and finally, a KDK emulator. Oh, the Kindle uses (wait for it...) Java CDC Personal Basis Profile (PBP) 1.1, or JSR 217. Javadocs for that are here.

I'm not willing to wait, so I've been exploring the system. My first discovery was how to enable full debug logging:
cp /opt/amazon/ebook/bin/start.sh /mnt/us
Edit the copied /mnt/us/start.sh script: look for the line containing -Ddebug=1 and change it to -Ddebug=-1. Then stop the framework and start it from the edited script:
/etc/init.d/framework stop
/mnt/us/start.sh

The kindle framework should start up as normal, but if you tail -f /var/log/messages, it should be far more verbose.

From here, I knew that kindlets were just jar files with an extension of ".azw2". After a bit of poking about in the emulator and filing system, I knew that the Kindlet API I want to link against is "/opt/amazon/ebook/lib/Kindlet-1.1.jar". So I copied that off, built a simple "Hello World kindlet" using Eclipse, and copied it onto the device into /mnt/us/documents. The source is here.

The debug logs showed I was missing some entries from the manifest file for that azw2 file. After some fiddling, I figured out a working manifest for my developer application is:
Manifest-Version: 1.0
Main-Class: net.lidskialf.ktest.ktest
Implementation-Title: ktest
Implementation-Version: 0.1
Implementation-Vendor: Andrew de Quincey
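
A small checker for the manifest entries listed above, as an added example that is not part of the original post or of Amazon's loader: it opens an .azw2 (a jar, so a zip) in memory, reports which attributes from the working manifest are missing, and lists any standard jar signature files. The sample archives and the name META-INF/DK.SF are constructed, and treating all four attributes as required is an assumption taken from the manifest in the post.

```python
import io
import zipfile

# Attributes from the working manifest shown in the post (assumed all required).
REQUIRED = ("Main-Class", "Implementation-Title",
            "Implementation-Version", "Implementation-Vendor")

def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of the previous value
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name], last = value, name
    return attrs

def check_azw2(data):
    """Return (missing_attributes, signature_files) for azw2/jar bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return list(REQUIRED), []
        attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        sigs = [n for n in names if n.startswith("META-INF/")
                and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))]
    return [k for k in REQUIRED if k not in attrs], sorted(sigs)

def build_sample(manifest, extra=()):
    """Constructed sample: an in-memory jar with a manifest and empty stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("net/lidskialf/ktest/ktest.class", b"")
        for name in extra:                  # e.g. constructed signature entries
            jar.writestr(name, b"")
    return buf.getvalue()

GOOD = ("Manifest-Version: 1.0\r\nMain-Class: net.lidskialf.ktest.ktest\r\n"
        "Implementation-Title: ktest\r\nImplementation-Version: 0.1\r\n"
        "Implementation-Vendor: Andrew de Quincey\r\n\r\n")
BAD = "Manifest-Version: 1.0\r\nMain-Class: net.lidskialf.ktest.ktest\r\n\r\n"

if __name__ == "__main__":
    for label, manifest in (("good", GOOD), ("bad", BAD)):
        print(label, check_azw2(build_sample(manifest)))
```
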

Another cycle of rebuilding/copying/restarting the framework, and I now have a "ktest" entry on the main screen with "dev" next to it! However, clicking on it says "The device is not registered as a Test Kindle to run this title. Please ask the developer to add this device to the list of registered Test Kindles.". A bit more grepping in the logs shows that it's looking for a developer keystore in /var/local/java/keystore/developer.keystore, which is not present.

So, the next step is to determine what should be in that. All the keystores/signing appear to be standard java, so I assume it is just a matter of finding the correct entries to use.

UPDATED: The source to my "ktest" app is here. Also, the jars in /opt/amazon/ebook/sdk/lib/ are also valid to link against for KDK apps; I just pulled them off the device too.

Browser

(Anonymous)

2010-09-30 11:11 am (UTC)

When you have a dig around, can you see how you would go about changing the useragent for the browser? I assume it is a Webkit via SWT if it is all Java. It would be good to know how you go about adding javascript bookmarklets - I can't see how to do it, and it would be great to add readability, like squarefree's 'zap' ones.

I am so glad you have this device too. It is a massive value add :)

--Neil

I've been really enjoying using the kindle!

As for the user agent, there seem to be a couple of files that might let you change that: (not tried it myself yet)

/opt/amazon/ebook/config/wrs.ini:
userAgentKindleVersion = "Kindle/3.0 (screen 600x800; rotate)"

/opt/amazon/ebook/config/browser_wv.conf:
# User-agent sent with HTTP header
user_agent.base = Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.2


Bookmarklets - I guess it must store them on the filing system somewhere so even if we can't add 'em from the GUI, perhaps we can mess with the thing when mounted as a USB device.


Edited at 2010-09-30 11:19 am (UTC)

Using the shell on Kindle 3

(Anonymous)

2010-10-09 02:01 am (UTC)

Aloha Andrew,

Can you please tell me if currently there is a known method for accessing and using the shell directly on a Kindle? I've been doing this in the meantime:

http://tinyapps.org/blog/nix/201009300700_kindle_text_editing.html

Sincerely,

Miles

Re: Using the shell on Kindle 3

adq

2010-10-09 09:35 am (UTC)

Hmm, I've not seen a java shell GUI for the shell on it, no; hopefully someone will write one now though!

iptables

(Anonymous)

2010-11-04 01:40 pm (UTC)

Can you explain how to hack the usbnetwork scripts to disable the firewall? Thank you in advance.

With the latest, there's a file you can create on the USB stick which does that...
/usbnet/etc/config

Set:
K3_WIFI="true"
K3_WIFI_SSHD_ONLY="true"

You'll need to change the root password though as the default kindle one is unknown AFAIK..

Re: iptables

(Anonymous)

2011-11-19 04:54 pm (UTC)

default kindle root password:

#!/bin/bash
# kpass script for kindle root passwd
serno=$1
echo kindle root passwd:
echo fiona$(echo $serno | md5sum | cut -b 8-10)

example:
./kpass B006A0A004749999
fiona984

There are 4096 different root passwords. The one that you need to use depends on your kindle serial number.

Hi,

Thanks for all your hard work - I now have a simple applet running on my Kindle - however I have run into an issue with permissions. Do you know what permissions policy file the Kindle uses?

I have searched the jar files and found a file called 'kindlet.properties' - but I am not sure what should be placed in here...any ideas?

Cheers,
Andy

Re: FilePermission

adq

2010-12-05 05:32 pm (UTC)

There's a file on the system partition I was guessing you need to modify (I've not tried it myself though). Have a look at /opt/amazon/ebook/security/external.policy -- it seems a fairly standard java permissions file.

I don't know if there are any other checks beside this: I do know that the kindlet loader will only allow certain classes from the framework to be loaded.

After looking at some official kindlets, they seem to be able to load resources from the jar file as usually done; this feature doesn't seem to work with kindlets signed with a developer key. Have you missed one entry?

Hmm, those were the only three I could see; enabling verbose debugging (as in my first kindle post) might give a clue as to what is going on...

Argh - Help?

(Anonymous)

2011-03-11 02:18 pm (UTC)

Hi, I'm getting the same error message for Kif now - ie 'don't have permission' - you linked the files but I'm not sure where I need to put them to get Kif running. I need to do this because 3.1 has started blocking the jailbreaks, and the only one that seems to work - yifan.lu's 'kindle-jailbreak' doesn't want to play nice with your dev keys install. Halp!

Have you tried the one from the original mobileread thread? I've just tested it here, and it works ok for me with my 0.2 devkeys.

Re: Argh - Help?

(Anonymous)

2011-03-23 04:27 am (UTC)

http://www.hexatron.com/news.html

Especially when you consider that he is making the source available.

I've been trying to get your ktest running according to your explanation, but I haven't even been able to get the app to show up on the main screen as you did. Is this the same configuration as yours (used downloaded source from http://code.google.com/p/adqmisc/source/browse/#svn/trunk/ktest ):

[root@kindle root]# ls -la /mnt/us/documents/ktest
drwxr-xr-x 3 root root 8192 Apr 17 23:49 .
drwxr-xr-x 4 root root 8192 Apr 17 23:15 ..
-rwxr-xr-x 1 root root 950 Apr 17 23:29 ktest.jardesc
-rwxr-xr-x 1 root root 162 Apr 17 23:29 ktest.manifest
-rwxr-xr-x 1 root root 615 Apr 17 23:30 makekeystore
-rwxr-xr-x 1 root root 217 Apr 17 23:30 signkindlet
drwxr-xr-x 4 root root 8192 Apr 17 23:30 src

I setup the logging as well, and saw:

PrefixFreeVolume:DebugInfo::PathDataMap.UpdateFilter.accept: rejected: ktest.jardesc
PrefixFreeVolume:DebugInfo::PathDataMap.UpdateFilter.accept: rejected: ktest.manifest
... etc

I also tried putting the files in the home directory without a container, but no success there either.

Thanks!

Sorry, only just spotted this now; did you manage to get it working in the end?