
One-click attempt
notmarek committed Oct 30, 2023
1 parent d444a1e commit 48cdeb3
Showing 5 changed files with 176 additions and 38 deletions.
@@ -0,0 +1,77 @@
<!DOCTYPE html>
<html lang="en">
<meta name="viewport" content="user-scalable=no" />

<head>
<script>
var kindle = window.kindle || top.kindle;
var shouldPartialPreload = 0;
var isAppPreloading =
shouldPartialPreload &&
kindle &&
kindle.bkgrnd &&
kindle.bkgrnd.isAppPreloading();
if (!isAppPreloading) {
var storeContext = parent && parent.storeContext;
if (!storeContext) {
storeContext = { startupMetrics: {} };
}

storeContext.isPartialPreload = true;
storeContext.isStoreLoaded = true;
window.storeContext.isPartialPreload = true;
window.storeContext.isStoreLoaded = true;
}
if (!isAppPreloading) {
storeContext.startupMetrics.startupJs = { start: new Date() };
if (!kindle || typeof kindle === "undefined") {
var kindle = window.kindle || top.kindle;
}

if (kindle.dev.webkitLog) {
kindle.dev.webkitLog("on");
}
storeContext.developer = 1;
}
kindle.appmgr.onback = function (a) {
return true;
};
kindle.appmgr.onforward = function (a, b) {
return true;
};
</script>
</head>

<body>
<h1>LanguageBreak</h1>
Loading :)
<script>
var kindle = window.kindle || top.kindle;
kindle.net.setWirelessPrompt("never");
const chromeConfig = {
appId: "com.lab126.store",
topNavBar: {
template: "title",
title: "LanguageBreak Loader",
},
};
kindle.messaging.sendMessage(
"com.lab126.chromebar",
"configureChrome",
chromeConfig
);
jb();
function jb() {
kindle.device.clearApplicationCache();
kindle.device.clearCache();
kindle.dev.clearApplicationCache();
kindle.dev.clearCache();
kindle.chrome.setSpinnerState("stop", 0, 0);
kindle.net.setWirelessPrompt("never");
top.location.href = "file:///mnt/us/jb.html";
}
</script>

<div id="dialogWrap"></div>
</body>
</html>
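Review bot: `window.storeContext.isPartialPreload = true;` and the line after it dereference `window.storeContext` without the guard that `storeContext` itself received a few lines earlier, so when `parent.storeContext` is absent the fallback object is built and the very next statement throws a TypeError, which aborts the rest of this inline script before `kindle.appmgr.onback` and `onforward` are assigned. Either drop the two `window.storeContext.*` lines (the fallback object already carries the same two flags) or wrap them as `if (window.storeContext) { window.storeContext.isPartialPreload = true; window.storeContext.isStoreLoaded = true; }`. The `var kindle = window.kindle || top.kindle;` inside the `typeof kindle === "undefined"` branch is also a no-op as a redeclaration, since `var` hoists; the plain assignment `kindle = window.kindle || top.kindle;` is what the branch intends.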
Empty file removed LanguageBreak/.demo/boot.flag
Empty file.
Empty file removed LanguageBreak/DONT_CHECK_BATTERY
Empty file.
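--- a/LanguageBreak/jb.html
+++ b/LanguageBreak/jb.html
@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta name="viewport" content="user-scalable=no" />
+<title>LanguageBreak</title>
+<script>
+var kindle = window.kindle || top.kindle;
+if (kindle) {
+const chromeConfig = {
+appId: 'com.lab126.store',
+topNavBar: {
+template: 'title',
+title: document.title
+}
+};
+kindle.messaging.sendMessage('com.lab126.chromebar', 'configureChrome', chromeConfig);
+}
+function jailbreak() {
+document.getElementById("log").innerHTML += "<br>Entering demo mode."
+/// Enter demo mode
+nativeBridge.createDemoModeFlagFile();
+nativeBridge.sendLipcEvent("com.lab126.pillow","enterDemoMode", "");
+/// Wait a bit so we are sure the flag file is created (the actual lang_picker.js file states that this can take upto 1000ms)
+setTimeout(function() {
+document.getElementById("log").innerHTML += "<br>Reloading langpicker module."
+/// Reload langpicker pillow module so it knows that we are in demo mode
+nativeBridge.setLipcProperty("com.lab126.blanket","unload", "langpicker");
+nativeBridge.setLipcProperty("com.lab126.blanket","load", "langpicker");
+/// Wait a bit so we are sure it's reloaded
+setTimeout(function() {
+document.getElementById("log").innerHTML += "<br>Exiting demo mode."
+/// Exit demo mode -- langpicker already thinks its in demo -- it only checks on load
+nativeBridge.deleteDemoModeFlagFile();
+nativeBridge.sendLipcEvent("com.lab126.pillow","exitDemoMode", "");
+document.getElementById("log").innerHTML += "<br>Changing language to Chinese."
+/// Change locale to chinese -- this triggers the actual deletion and thus code execution -- make sure we have an exploit file and a wait file in /mnt/us/documents/dictionaries
+nativeBridge.sendLipcEvent("com.lab126.pillow", "changeLocale", "zh-Hans-CN");
+/// Change locale back to english -- idk about you but i don't speak chinee -- we can do this because we had a wait file in /mnt/us/documents/dictionaries
+// nativeBridge.sendLipcEvent("com.lab126.pillow", "changeLocale", "en-US");
+// we do this inside the jailbreak shell script :)
+}, 3000);
+}, 1000);
+}
+
+function elevate() {
+/// A bug in pillow allows us to open a dialog with specified html file anywhere on the filesystem -- dialogs have access to the nativeBridge -- which in turn has access to the whole of LIPC
+kindle.messaging.sendMessage(
+"com.lab126.pillow",
+"customDialog",
+{ name: "../../../../../../../../mnt/us/jb" }
+);
+}
+</script>
+</head>
+<body>
+<button onclick="elevate()" id="elevate">Jailbreak</button>
+<button class="elevated" onclick="nativeBridge.dismissMe()">
+Hide me
+</button>
+<div id="log">
+
+</div>
+<script>
+var style = document.createElement("style");
+style.innerHTML = "";
+if (window.nativeBridge) {
+/// If we are elavated we will have access to nativeBridge thus we can procceed to run our exploit
+nativeBridge.showMe();
+document.getElementById("log").innerHTML = "Elevated. Running jailbreak."
+jailbreak();
+style.innerHTML += "#elevate { display: none; }\n";
+} else {
+style.innerHTML += ".elevated { display: none; }\n";
+}
+document.head.appendChild(style);
+</script>
+</body>
+</html>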
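Review bot: `elevate()` dereferences `kindle.messaging` without the `if (kindle)` guard the same object gets at the top of the script, so on a page where `kindle` is undefined the button click throws a TypeError and nothing is written to the `log` element; a guard at the top of the function such as `if (!kindle) { document.getElementById("log").textContent = "kindle bridge unavailable"; return; }` would make that failure visible. The `document.getElementById("log").innerHTML += "<br>..."` statements in `jailbreak()` and the `innerHTML = "Elevated. Running jailbreak."` line in the bottom script omit the trailing semicolon and rely on ASI, which the surrounding lines do not; appending the messages via `textContent` on a child element rather than `innerHTML +=` would also avoid re-parsing the whole log on each append. `style.innerHTML = "";` right after `createElement("style")` is a no-op initializer and can be dropped. `nativeBridge` is used as an implicit global throughout; presumably it is injected by the host, so a one-line comment naming where it comes from would help the next reader.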
59 changes: 21 additions & 38 deletions README.MD
@@ -1,79 +1,62 @@
Thank you to Bluebotlabs for all the help along the way and GeorgeYellow for bringing the vulnerability to light
# LanguageBreak oneclick

**If it doesn't work do the normal method lol this is really just an experiment**
Thank you to Bluebotlabs for Mesquito and all the help along the way and GeorgeYellow and bulltricks for bringing the vulnerability to light


[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/E1E1QLG4D)

**Installation**

**Make sure to read the entirety of the instructions *before* proceeding.**

**Jailbreak**

1. Type ;enter_demo in the Kindle search bar
2. Reboot the device
3. Once in demo mode, skip setting up wifi and enter random values for store registration
4. Skip searching for a demo payload
5. Select the "standard" demo type
6. Press "Done" at the prompt to sideload content.
7. Once the demo is setup, do the "secret gesture" (double finger tap on bottom right of screen then swipe left)
8. Enter the demo configuration menu by typing ;demo into the search bar
9. Select the "Sideload Content" option
10. Copy the contents of the LanguageBreak folder to the Kindle - merging and replacing all files
11. Unplug your kindle and go back to the demo menu
12. Select the "Resell Device" option
13. And press Yes/Resell
14. Now wait for the press power button to start
15. As soon as it appears plug your kindle back to your computer and copy the contents of the LanguageBreak folder into it once again, overwrite files then safely eject
16. Hold the power button as instructed on screen
17. You should be in a language selection menu in a few seconds
18. Choose Chinese (The one above the odd Pseudot language)
19. Your kindle should reboot and you should see some log message on the screen
1. Turn on airplane mode
2. Copy contents of LanguageBreak to the kindle
3. Restart kindle
4. Open the store - press yes to connect to wifi
5. A page with a button saying jailbreak should appear
6. Press the button
7. Wait - there will be text and then the device will reboot - if it doesn't in 3 minutes then restart and try again
8. Your kindle should reboot and you should see some log message on the screen

**Post Jailbreak**

1. After the device has rebooted, type ;uzb into the search bar
2. Connect the device to a PC and copy update_hotfix_languagebreak.bin to the root of the Kindle storage
3. Eject the device and either enter ;dsts or swipe down and select the settings icon to enter the device settings menu
4. Select Update Your Kindle to install the custom hotfix
5. This will take your device out of demo mode and clean up unneeded jailbreak files.
1. Connect the device to a PC and copy update_hotfix_languagebreak-{languageCode of your choice}.bin to the root of the Kindle storage
2. Eject the device and enter the device settings menu
3. Select Update Your Kindle to install the custom hotfix
4. This will do its best to make everything work :)

**Troubleshooting**
Can't seem to get it to work?

Download the update file of the kindle version you are currently on from amazon install it and try again.
try the normal method lol this is really just an experiment

Download the update file of the kindle version you are currently on from amazon install it and try again.

for example you can use this link by replacing the Xs with your version to get a file for you kindle


PW5: https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_paperwhite_11th_5.XX.X.bin


PW4: https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_paperwhite_v2_5.XX.X.bin


PW3: https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_paperwhite_5.XX.X.bin


Kindle 11th Gen: https://s3.amazonaws.com/firmwaredownloads/update_kindle_11th_5.XX.X.bin


Kindle 10th Gen: https://s3.amazonaws.com/firmwaredownloads/update_kindle_10th_5.XX.X.bin


Kindle 8th Gen: https://s3.amazonaws.com/firmwaredownloads/update_kindle_8th_5.XX.X.bin


Scribe: https://s3.amazonaws.com/firmwaredownloads/firmwaredownloads/update_kindle_scribe_5.XX.X.bin


Oasis 10th Gen: https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_oasis_v2_5.XX.X.bin


Oasis 9th Gen: https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_oasis_5.XX.X.bin


Oasis 8th Gen: https://s3.amazonaws.com/firmwaredownloads/update_kindle_oasis_5.XX.X.bin


eg version 5.16.2.1.1 for PW4 would be https://s3.amazonaws.com/firmwaredownloads/update_kindle_all_new_paperwhite_v2_5.16.2.1.1.bin


[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/E1E1QLG4D)
