

Kindle Touch jail broken via ID3 Tag - eof
http://yifan.lu/2011/12/10/kindle-touch-5-0-jailbreakroot-and-ssh/

======
hmottestad
That's great.

As a summary:

This guy found out that most of the GUI is HTML and Javascript. Some of the JS
functions are mapped to OS calls, including one that will run any script as
root (nativeBridge.dbgCmd();). This function is disabled in the browser, so it
needs to be called from somewhere else.

So he injects the function call into the ID3 tag of an MP3 file and plays the
file on the native MP3 player, which has an HTML GUI for displaying the ID3 tag
info :)

Finally he uses this exploit to enable ssh and install a certificate so he can
connect to it.

~~~
malnourish
What a great, simple (not to diminish in any way), hack.

Why did Amazon allow a call that always runs as root?

Is it necessity, oversight, or something else?

~~~
lmm
dbgCmd() suggests it was originally there for debugging. It runs as root
because the UI runs as root, AIUI.

------
dsl
tl;dr: Don't play MP3s from untrusted sources until Amazon has a fix. (this is
remote code execution, don't let the term "jailbreaking" candy coat it)

~~~
burgerbrain
I believe this is technically local code execution, not remote. It's not like
you can do this unless you have access to the device (the browser apparently
doesn't allow it, and I can't imagine you can remotely make the device play an
MP3).

~~~
vasco
From what I understood you can download a song thinking it's the new hottest
club hit and have your Kindle bricked.

~~~
burgerbrain
Assuming arbitrary code can brick it, yes. That is my impression. That's still
not "remote" though.

------
judofyr
Are you kidding me? They found an XSS hole?! How can you create _anything_
based on HTML and _not_ think about XSS?

~~~
dsr_
It's clear that Amazon did think about XSS -- in the context of the browser.
The debugCmd isn't available there.

It's also clear that they didn't think about all the other potential
interactions with the system. It's not the things you don't know that bite you
-- it's the thing you know that isn't so.
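The injection path hmottestad summarizes above (untrusted ID3 text dropped into an HTML UI) and dsr_'s point that escaping was only applied on the browser path can both be shown in a few lines. The block below is an added example, not code from the linked article, the thread, or Amazon's firmware: it builds a small ID3v2.3 tag from constructed bytes, parses the text frames out of it, and renders the result two ways, once concatenated straight into HTML and once escaped. The `injected()` name in the sample title is a placeholder, not a real call on any device.

```javascript
// Added example (not from the article or the thread): parse ID3v2.3 text
// frames and render them into HTML without letting the text become markup.
// Runs under Node.js; no network, no files.

// --- ID3v2.3 parsing (subset: header plus text frames; no unsynchronisation,
// no extended header, no compression) ---

function readSynchsafe(buf, off) {
  // Tag size in the ID3v2 header: four bytes carrying 7 bits each.
  return (buf[off] << 21) | (buf[off + 1] << 14) | (buf[off + 2] << 7) | buf[off + 3];
}

function parseId3v2(buf) {
  if (buf.length < 10 || buf.toString("latin1", 0, 3) !== "ID3") {
    throw new Error("not an ID3v2 tag");
  }
  const tagSize = readSynchsafe(buf, 6);
  const end = Math.min(buf.length, 10 + tagSize);
  const frames = {};
  let off = 10;
  while (off + 10 <= end) {
    const id = buf.toString("latin1", off, off + 4);
    if (id === "\0\0\0\0") break;             // padding reached
    const size = buf.readUInt32BE(off + 4);   // v2.3 frame size is plain big-endian
    const data = buf.subarray(off + 10, off + 10 + size);
    if (id[0] === "T" && data.length > 0) {
      // Text frames: first byte is the encoding, 0 = ISO-8859-1, 3 = UTF-8.
      const enc = data[0] === 3 ? "utf8" : "latin1";
      frames[id] = data.toString(enc, 1).replace(/\0+$/, "");
    }
    off += 10 + size;
  }
  return frames;
}

// --- Building a constructed tag so the example runs offline ---

function textFrame(id, text) {
  const payload = Buffer.concat([Buffer.from([3]), Buffer.from(text, "utf8")]);
  const header = Buffer.alloc(10);
  header.write(id, 0, "latin1");
  header.writeUInt32BE(payload.length, 4); // bytes 8-9 (frame flags) stay zero
  return Buffer.concat([header, payload]);
}

function buildTag(frames) {
  const body = Buffer.concat(frames);
  const header = Buffer.alloc(10);
  header.write("ID3", 0, "latin1");
  header[3] = 3; header[4] = 0; header[5] = 0;   // version 2.3.0, no flags
  const n = body.length;
  header[6] = (n >> 21) & 0x7f; header[7] = (n >> 14) & 0x7f;
  header[8] = (n >> 7) & 0x7f;  header[9] = n & 0x7f;
  return Buffer.concat([header, body]);
}

// --- Rendering: the vulnerable pattern beside the hardened one ---

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Tag text concatenated straight into the UI's HTML: anything in the tag
// that looks like markup is treated as markup.
function renderUnsafe(frames) {
  return `<h1>${frames.TIT2 || ""}</h1><p>${frames.TPE1 || ""}</p>`;
}

// Same template, every untrusted field escaped first. In a real DOM you would
// assign textContent instead of building an HTML string at all.
function renderSafe(frames) {
  return `<h1>${escapeHtml(frames.TIT2 || "")}</h1><p>${escapeHtml(frames.TPE1 || "")}</p>`;
}

// Guard for a unit test on every render path (browser, player, any overlay):
// does the output still contain a script tag, an on*= handler or a javascript: URL?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample tag. The title is harmless as text and only does anything
// if a renderer interprets it as HTML; injected() is a placeholder name.
const SAMPLE_TAG = buildTag([
  textFrame("TIT2", "Hit Song <script>injected()</script>"),
  textFrame("TPE1", "Some Artist & Friends"),
]);

if (typeof require !== "undefined" && require.main === module) {
  const frames = parseId3v2(SAMPLE_TAG);
  console.log(frames);
  console.log("unsafe:", renderUnsafe(frames), containsActiveContent(renderUnsafe(frames)));
  console.log("safe:  ", renderSafe(frames), containsActiveContent(renderSafe(frames)));
}
```

The parser is deliberately the only place that touches bytes; everything after it treats the frame text as data, and `containsActiveContent` is the kind of check that would have caught the player's render path even though the browser path was already covered.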

~~~
Genmutant
I don't think Amazon has that much of a problem with the jailbreaks. I can't
see how they would lose any money with it, and whoever uses them knows that he
can potentially brick the device.

~~~
raphman
I guess, this would mean that a user can remove the ads from the ad-supported
Kindle and save $40. This would mean that Amazon loses almost 30% in revenue
each time they sell a Kindle Touch that is to be jailbroken.

~~~
burgerbrain
Although the other "special offer" kindles have been jailbroken for some time,
the kindle hacking community seems to be doing a good job of refusing to (at
least for the relative layman) disable advertisements on them or enable any
sort of tethering over 3g.

~~~
esrauch
You must have a certain website or subset of the community in mind. I actually
got a Kindle 3 a couple months ago and the majority of the discussion that I
could find about homebrew on the device was centered around removing the ads.
I browsed 4 or 5 forums before deciding it was a lost cause.

In fact, I wasn't even really able to find anything other than removing the
ads and changing the screensaver as what you can do after your kindle is
jailbroken.

------
Sidnicious
FWIW, I noticed some images loading in the description overlay in a podcast I
was listening to on my iPhone. So, it looks like iOS devices render HTML
content in ID3 tags.

I've been meaning to explore whether they run JavaScript too but haven't
gotten around to it yet.

------
SquareWheel
It's an exploit and it will get fixed, but I'd like to see what people can do
with root access. Will we see vanilla Android ports?

~~~
teilo
Kindle Touch doesn't run Android. You are thinking of the Fire.

~~~
SquareWheel
Oh boy, you're right. I replaced the word "Touch" with "Fire" in my mind while
reading the article and didn't notice even once. My apologies.

