Why there is no fix (yet) (and how you can look for one)...
Originally Posted by wiseguyy
I don't get why devs aren't on this tablet. With such great specs and potential for CM and a hefty cash incentive, it boggles my mind. Nearly every chintzy Android phone gets cracked, and I'm sitting here dumbfounded as to why someone won't take the leap.
Originally Posted by Faznx92
Hashcode said he's sure the bootloader is patched up well. Perhaps in a year or two? Hopefully sooner if ever.
FYI: Hashcode, verygreen, and I went through the bootloader source maybe 5 months ago when it first dropped, and it appeared to be locked up pretty tight. We revisited it a few weeks ago, just kind of cursorily, and nothing new popped out. This is the third generation of Kindles, and Amazon has learned a lot from the two previous releases-- version one didn't lock the bootloader at all, then the HDs did, but I happened to notice some unverified header input (below), and indeed it was borne out by Hashcode & verygreen, who could actually try it. The HDXs are the third round of Kindles, and they did a MUCH more diabolical job restricting your freedom to use your own hardware w/ all kinds of "improvements" (or as I see them, new flaws)... That's not to say there isn't something to be found, but it's not as obvious as it was for other locked devices I've in some way been involved with (cited here for historical reference):
- The Nook Tablet - (Bawks' discovery) about an unchecked memory address. He posted some working code, which I enhanced a bit w/ a menu'd fork of U-Boot, Cyanoboot.
- The Nook HD/HD+ - I noticed this whoopsie, which was confirmed/exploited by verygreen-- though he later found a second, better solution, really a variation of Bawks' discovery.
- Kindle 2 + 7"/8.9" HDs - unverified input found by me, implementation by Hashcode w/ help from verygreen.
Funny thing is, I've never actually bought or even used any of those devices.
I can't imagine any bounty will make any difference, as that's not really why people look for these "holes"-- though I consider them more "bug fixes" than "exploits", as any locked bootloader should be seen as bug-ridden and flawed. We've had a lot of discussions about how much effort to put into locked bootloaders. People shouldn't buy devices with them just expecting them to be magically unlocked. I'd rather discourage people from buying them in the first place (I never have), so speaking for myself, it isn't worth spending time on a one-sided arms race. I sure as hell am not buying any Kindle anything so long as it's shitty like that. Even worse, Intel is getting into this. 😱 Makes me wanna puke.
In the meantime, Hashcode has his Safestrap stuff as a workaround. I assume it's still working.
Anyone who feels adventurous: the bootloader source code for the Kindle HDX is as mentioned here. It's been five months since I really looked at this, but if I remember right, the general process of booting from eMMC, that is, the steps it takes when it starts, is around here. The boot image verification stuff is here. Crypto/verification-related headers like image_verify.h. If I remember right, the master boot record itself is signed, as I think are the partition schemes, etc... And Hashcode had mentioned a few other issues that also make it hard to keep any discovery, if made, relevant for any period of time.
Some other quick things off the top of my head-- the shared/common kernel implements device tree, so DEVICE_TREE will be set. You can look at the Nook HD, Kindle HD, and Nook Tablet posts and the Bawks discussion linked above for some ideas of the sorts of things that might constitute a way around the chained boot... there's some explanation and info there for anyone interested.
All that said, good night, and good luck.