Edith Cowan University
School of Computer and Security Science
Hooray for Reading
The Kindle and You
Peter Hannay
p.hannay@ecu.edu.au
http://openduck.com
The Kindle
• Capabilities
– Whispernet
– Commerce
– Information Gathering
• Update Security
• Getting a Shell
• Tunnelling
Capabilities
• Reads books
• Various versions
• ARMv6 device, runs Linux
Whispernet
• International roaming cellular network
• Service provided by AT&T and Sprint (and international partners)
• Access determined by home location, not current location
• AT&T
– VPN to kindleatt1.amazon.com
• Sprint
– Custom, no VPN, tunnel opens after sending some AT commands
Whispernet
• Extremely restrictive network
• You can speak to three hosts
– fints-g7g.amazon.com (proxy)
– 207.171.165.149 (dns)
– 207.171.165.150 (dns)
• DNS servers drop any request that isn’t for fints-g7g.amazon.com
Commerce
• You can buy books (depending on your home region & current location)
• Create new Amazon account with address in desired region, use gift cards, buy books on device
• Create new Amazon account with address in desired region, use gift cards, buy books on web (with region-correct proxy) and manually transfer to device
Information Gathering
• AGPS is used to determine the current location of every device
• These devices report home every now and again
• This is used to control content distribution
Update Security
• Updates must be signed
• Uses internal RSA key for reference
• Updates are basically tar files
• It decompresses these tar files prior to sig check
• It just runs tar on them, as root
• So if we specify the full path of the file we want to write?
Update Security
• Yeah it works.
• This is used to add an additional RSA key for authenticating updates
• Igor Skochinsky & Jean-Yves Avenard have written libfreekindle and the firmware update tool that use this principle.
• http://www.avenard.org/kindle2/ (awesome)
• It works well.
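The weakness above is one of ordering: tar runs, as root, before the signature is ever checked, so a member named with a full path lands wherever it says. As an added example (my own code, not the talk's and not libfreekindle's), the following shows the order an updater should use instead: verify a detached signature over the package bytes exactly as received, then refuse any tar member whose name or link target starts with / or contains .., and only then let tar write. The HMAC-SHA256 key is a constructed stand-in for the device's RSA key, and all package contents and member names are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import io
import tarfile

# Constructed demo key. The device checks an RSA signature; HMAC-SHA256 over the
# package bytes stands in for that here (assumption) so the example runs offline.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign_package(package: bytes) -> bytes:
    """Detached signature over the package bytes exactly as they are received."""
    return hmac.new(SIGNING_KEY, package, hashlib.sha256).digest()


def is_safe_member(m: tarfile.TarInfo) -> bool:
    """True only if tar could not write outside the extraction directory."""
    parts = m.name.split("/")
    if m.name.startswith("/") or ".." in parts:        # /etc/x or ../../x
        return False
    if m.issym() or m.islnk():                          # link pointing out of tree
        tparts = m.linkname.split("/")
        if m.linkname.startswith("/") or ".." in tparts:
            return False
    if m.isdev():                                       # no device nodes from updates
        return False
    return True


def unsafe_members(package: bytes) -> list[str]:
    """Names of every member that would escape the extraction directory."""
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member(m)]


def check_package(package: bytes, signature: bytes) -> str:
    """Return 'ok' or the reason for rejection; nothing is written to disk here."""
    # 1. signature first, over the still-compressed bytes, constant-time compare
    if not hmac.compare_digest(sign_package(package), signature):
        return "bad signature"
    # 2. then member paths, before tar is ever allowed to write as root
    try:
        bad = unsafe_members(package)
    except tarfile.TarError:
        return "not a tar archive"
    if bad:
        return "unsafe member path: " + bad[0]
    return "ok"


def verify_then_extract(package: bytes, signature: bytes, dest: str) -> str:
    """Extract into dest only after both checks pass; returns the verdict."""
    verdict = check_package(package, signature)
    if verdict == "ok":
        with tarfile.open(fileobj=io.BytesIO(package), mode="r:*") as tar:
            tar.extractall(dest)        # only reached after both checks pass
    return verdict


def build_package(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: an in-memory .tar.gz from {member name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

The member check is done with tarfile's own metadata rather than by extracting to a scratch directory first, so a hostile archive never reaches a tar process at all; build_package exists only so the checks can be exercised on constructed archives.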
Getting a shell
• So, we need a shell on the device.
• There is a usbnet package that has been created which configures the USB port as an Ethernet device.
• Install package (drop onto device and press the update button)
• Type ;DebugOn
• Type `usbNetwork
Getting a Shell
• Attach cable
• Set local IP to something in the 192.168.2.0/24 subnet
• SSH/telnet to 192.168.2.2
• All good.
Getting a Shell
• There is a value passed to the proxy to identify your device.
• This value is inserted prior to initial shipment
• This is the only authentication mechanism, this value lets you buy things.
• A Kindle can buy books from Amazon, without any authentication other than this value.
• This worries me.
Whispernet Tunneling
• We need to find out the super secret value… but how? (Yeah, I couldn’t figure out where it’s stored, but that’s OK.)
/opt/amazon/ebook/config/framework.mario.conf
/opt/amazon/ebook/config/browser_prefs
/opt/amazon/ebook/config/framework.fiona.conf
HTTP_PROXY_HOST : fints-g7g.amazon.com
• Let’s change that to localhost
Whispernet Tunneling
sed -i 's/fints-g7g.amazon.com/127.0.0.1/g' framework.mario.conf
sed -i 's/fints-g7g.amazon.com/127.0.0.1/g' browser_prefs
sed -i 's/fints-g7g.amazon.com/127.0.0.1/g' framework.fiona.conf
[root@kindle bin]# ./netcat -l -p 80
GET http://en.m.wikipedia.org/ HTTP/1.1
Accept: image/png, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Host: en.m.wikipedia.org
User-Agent: Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.3 (screen 600x800; rotate)
Proxy-Connection: Keep-Alive
Accept-Encoding: deflate, gzip
x-fsn: BIG MAGIC VALUE GOES HERE
x-appNamespace: WEB_BROWSER
x-appId: Kindle_2.2
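The capture above is the whole of the device's credential in one header: x-fsn is all the proxy sees, so any traffic capture, proxy log or bug report that contains it contains the ability to buy on that device's account. As an added example (my own code, not the talk's), here is a small parser for a proxy-style request like the one the listener printed, with a constructed copy of that request embedded (the x-fsn value is a placeholder) and a redaction routine that scrubs credential headers before the request is stored or shared.

```python
from __future__ import annotations
from typing import Optional

# Header names that carry the device's credential to the Whispernet proxy;
# x-fsn is the one the capture shows. Anything logged must have these scrubbed.
CREDENTIAL_HEADERS = {"x-fsn"}

# Constructed sample modelled on the captured request; not a real device value.
SAMPLE_REQUEST = (
    "GET http://en.m.wikipedia.org/ HTTP/1.1\r\n"
    "Accept: image/png, image/gif, image/jpeg, */*\r\n"
    "Host: en.m.wikipedia.org\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 "
    "Kindle/2.3 (screen 600x800; rotate)\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "Accept-Encoding: deflate, gzip\r\n"
    "x-fsn: CONSTRUCTED-FSN-PLACEHOLDER\r\n"
    "x-appNamespace: WEB_BROWSER\r\n"
    "x-appId: Kindle_2.2\r\n"
    "\r\n"
)


def parse_proxy_request(raw: str) -> dict:
    """Split an HTTP/1.x proxy request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []                      # (name, value) pairs, order preserved
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def header(parsed: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for n, v in parsed["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def credential_headers_present(parsed: dict) -> list[str]:
    """Which credential-bearing headers this request carries (lower-cased)."""
    return sorted({n.lower() for n, _ in parsed["headers"]
                   if n.lower() in CREDENTIAL_HEADERS})


def redact(raw: str) -> str:
    """Same request, with credential header values replaced, safe to log."""
    parsed = parse_proxy_request(raw)
    out = ["%s %s %s" % (parsed["method"], parsed["target"], parsed["version"])]
    for n, v in parsed["headers"]:
        if n.lower() in CREDENTIAL_HEADERS:
            v = "[REDACTED]"
        out.append("%s: %s" % (n, v))
    return "\r\n".join(out) + "\r\n\r\n" + parsed["body"]
```

Redaction keeps the header name so a reviewer can still see that the device sent a credential, which is the point worth recording; only the value is dropped.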
Compiling Stuff
• Kindle doesn’t come with netcat, dig, corkscrew, a compiler and a lot of other things.
• cs2007q3-glibc2.5-arm6 toolchain works
Whispernet Tunneling
• So we modify corkscrew
/* corkscrew's CONNECT request builder, modified to add the two headers the
   Whispernet proxy expects: a Kindle User-Agent and the x-fsn device value.
   uri is the request buffer; linefeed is corkscrew's CRLF string. */
strncpy(uri, "CONNECT ", sizeof(uri));
strncat(uri, desthost, sizeof(uri) - strlen(uri) - 1);
strncat(uri, ":", sizeof(uri) - strlen(uri) - 1);
strncat(uri, destport, sizeof(uri) - strlen(uri) - 1);
strncat(uri, " HTTP/1.1", sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
strncat(uri, "Host: ", sizeof(uri) - strlen(uri) - 1);
strncat(uri, desthost, sizeof(uri) - strlen(uri) - 1);
strncat(uri, ":", sizeof(uri) - strlen(uri) - 1);
strncat(uri, destport, sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
strncat(uri, "User-Agent: Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.1 (screen 600x800)", sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
strncat(uri, "x-fsn: \"BIG MAGIC VALUE GOES HERE\"", sizeof(uri) - strlen(uri) - 1);
strncat(uri, linefeed, sizeof(uri) - strlen(uri) - 1);
Whispernet Tunneling
• Have to kill a couple of daemons
• netwatchd and watchdogd
• These things like to close connections and the like.
/etc/init.d/netwatchd stop
/etc/init.d/watchdogd stop
Whispernet Tunneling
• So now we open up a tunnel
./dbclient kronicd@IP -K 5 -J "corkscrew fints-g7g.amazon.com 80 IP 443" -g -L 31337:IP:22
kronicd@IP's password:
Linux boxen 2.6.32-5-486 #1 Thu Aug 12 12:59:56 UTC 2010 i586
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 21 08:57:55 2010 from IP
kronicd@boxen:~$ exit
logout
Questions