10月29日,Github用户notmarek发布了一个仓库LanguageBreak,内容是版本号<=5.16.2.1.1的kindle设备的越狱(截至10月30日官网最新版本号为5.16.4),而在此之前仅5.14.2及以下的版本才有机会越狱。
作者对此项目的介绍在:https://www.mobileread.com/forums/showthread.php?t=356872。该漏洞相关信息:https://www.mobileread.com/forums/showthread.php?t=356766,内容如下:
Looking at the differences between 5.16.2 and 5.16.3, I think I found
a smoking gun of a change.There is small difference the versions of
"usr/lib/blanket/langpicker.so.1.0" In the function:
module_langpicker_utilDeleteExtraDictionariesBefore: Code:
__sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2); pcVar6 = (char *)system(acStack_238); after: Code: __sprintf_chk(acStack_830,1,0x200,"%s/%s","/mnt/us/documents/dictionaries",pcVar2); pcVar6 = (char *)lab126_rmdir(acStack_830); This was passing strings to "system()" which is a glaring problem.Expanding out a bit: Code: __dirp =
opendir("/mnt/us/documents/dictionaries"); if (__dirp == (DIR *)0x0)
{if (iVar1 == 0) { return; } } else { LAB_000134d4: pdVar4 = readdir(__dirp); if (pdVar4 != (dirent *)0x0) { pcVar2 = pdVar4->d_name; iVar5 = strcmp(pcVar2,"."); if (((iVar5 != 0) && (iVar5 = strcmp(pcVar2,".."), iVar5 != 0)) && (pcVar6 = strchr(pcVar2,0x2e), pcVar6 == (char *)0x0)) { puVar7 = (undefined4 *)g_list_find_custom(iVar1,pcVar2,&LAB_00012534); if (puVar7 == (undefined4 *)0x0) { __sprintf_chk(acStack_238,1,0x206,"rm -rf %s/%s","/mnt/us/documents/dictionaries",pcVar2); pcVar6 = (char *)system(acStack_238); if ((pcVar6 == (char *)0x0) || ((g_blanket_llog_mask & 0x2000000) == 0)) goto LAB_000134d4; pcVar2 = "E langpicker:DELETE_DICTIONARIES_FAILED:returnCode=%d:Error deleting unneeded dictionary directory" It looks like this code walksthrough "/mnt/us/documents/dictionaries" (which is on the exposed file
system!)For each filename it finds, if it isn't in the list, it will append
that filename to a string and pass it to system.Using Shell escapes such as Code:
someprogramor Code: $(some
program) should be valid filenames. However, slashes are NOT normally
allowed (is that why there was a mention of corrupting the VFAT file
system?)Looking at the calling function, it appears to be: 'changeLocale'
This is called from the startup script "etc/upstart/langpicker.conf"
Code:# send the event to langpicker module to install the language lipc-send-event com.lab126.blanket.langpicker changeLocale -s "en-US" and from "langPicker" ("language_picker.js") Code: setTimeout(function() { nativeBridge.sendLipcEvent(LIPC_PILLOW_SOURCE, "changeLocale", changeLocaleParams); actionsInactive = false; }, SPLASH_EVENT_TIME_OUT); It does NOT appear to be called when changing the language in the GUI - but that uses Java (settingsbooklet) and not Javascript (language_picker.js).
So, the exploit path seems to be: Create a file in
documents/dictionaries with Shell injection to run something Use
'mesquito' to call the LIPC function changeLocale
在原文下面有很多用户表示通过这个方法已经成功实现越狱了。
包括但不限于:
Kindle 第 10 代(5.14.3.2)
KPW4和KPW5 (5.16.2.1和5.16.2)
KPW2(5.12.2.2)
但也有很多人表示操作过程中遇到问题,因为项目是刚发布的,后续应该会有修复。
越狱的相关说明(机翻):
越狱部分:
1.在 Kindle 搜索栏中输入 ;enter_demo
2.重新启动设备
3.进入演示模式后,跳过 wifi 设置,输入随机值进行商店注册
4.跳过搜索演示有效载荷
5.选择 "标准 "演示类型
6.在提示符下按 "完成",以侧载内容。
7.演示设置完成后,做 "秘密手势"(双指轻点屏幕右下角,然后向左滑动)
8.在搜索栏中输入 ;demo 进入演示配置菜单
9.选择 "侧载内容 "选项
10.将 LanguageBreak 文件夹的内容复制到 Kindle - 合并并替换所有文件
11.拔下 Kindle 插头,返回演示菜单
12.选择 "转售设备 "选项
13.然后按 "是/转售
14.现在等待按下电源按钮启动
15.一旦出现,将你的 kindle 插回电脑,再次将 LanguageBreak 文件夹的内容复制到电脑中,覆盖文件,然后安全弹出。
16.按照屏幕上的指示按住电源按钮
17.几秒钟后,你将进入语言选择菜单
18.选择 "中文"(在 "奇特的伪托语言 "上面的那个)。
19.你的 kindle 应该会重启,屏幕上会出现一些日志信息.
越狱后的操作:
1.设备重启后,在搜索栏中输入 ;uzb
2.将设备连接到 PC,然后将 update_hotfix_languagebreak.bin 复制到 Kindle 存储根目录下。
3.弹出设备,输入 ;dsts 或向下滑动并选择设置图标,进入设备设置菜单
4.选择 "更新你的 Kindle",安装自定义修复程序
5.这将使您的设备退出演示模式,并清理不需要的越狱文件。
过段时间我拿自己的KPW3试试(反正我有TTL线,随时跑路)