New Kindle Fires are locked

#1 | kinfauns (OP, Developer Committee / Senior Moderator) | 14th September 2012, 10:42 PM
I've exchanged several PMs with pokey9000 today. He has taken a look at the software update packages for both the 2nd generation KF and the 7" HD. The MLO (xloader, 1st stage bootloader) is signed and the boot header is the type used for HS (high security) OMAP devices with the M-Shield turned on. If the setup is comparable to the Nook Tablet, this is not good news for those hoping to modify these devices in one way or another. The Nook Tablet's exploit was to utilize the external SD card as an alternate boot device, and that doesn't really help with these 2nd generation KFs.

It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.

So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.
#2 | fattire (Recognized Developer) | 14th September 2012, 11:08 PM
Some clarification... and much left unanswered...
Quote:
Originally Posted by kinfauns

The Nook Tablet's exploit was to utilize the external SD card as an alternate boot device, and that doesn't really help with these 2nd generation KFs.

Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence). If you're curious, you can look at the CyanoBoot 2nd bootloader for NT description or source to see what's going on.

I've taken a VERY quick look at the bootloader source for the HD7 as well, pushed here for anyone who wants it. There is in fact signature verification code in the uboot source (~line 140).

Also, looks like there are three configs-- bowser, jem, and tate. I have to look at it closer but it looks like tate is a subtype of bowser, and the HD7 I assume is tate. Hashcode also found a "radley" in the kernel code, but I haven't looked at that.

Anyway.. it is possible that bauwks' flaw or some other flaw exists in this signature verification code, but the code isn't identical to NT so who knows.

Incidentally, the new revision of the Kindle Fire (otter2) also has the same code, and there's a thread about the signature issue here as well.

Quote:

It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.

So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.

Yeah.. it all depends on whether there's a flaw as there was with the Nook Tablet... someone get bauwks on the line

Meanwhile, I'm enjoying my free (as in speech) Nexus 7... :P
#3 | pokey9000 (Senior Member, Austin) | 15th September 2012, 12:00 AM
Quote:
Originally Posted by fattire

Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence).

Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on eMMC without any other boot options is serious brown trousers time. Now if they left in fastboot, then it's not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.
Quote:
Originally Posted by fattire

Meanwhile, I'm enjoying my free (as in speech) Nexus 7... :P
Yes.

#4 | kinfauns (OP, Developer Committee / Senior Moderator) | 15th September 2012, 12:20 AM
Quote:
Originally Posted by fattire

Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence). If you're curious, you can look at the CyanoBoot 2nd bootloader for NT description or source to see what's going on.

...

Thanks for the clarification and your input as well. I just wanted to get the discussions going on the possibilities of opening up this device to development, but also temper some expectations. There are many people waiting and some undoubtedly have ordered with the assumption that these 2nd generation devices will be getting the full range of development enjoyed by the original. I was mostly paraphrasing and summarizing, so I'll leave the details to those with the know-how.

I'm sure many people will be scouring the code and tinkering with their new devices in the coming days to figure something out.
#5 | fattire (Recognized Developer) | 15th September 2012, 04:43 AM
Boring stuff...
Quote:
Originally Posted by pokey9000

Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on emmc without any other boot options is serious brown trousers time

It's not THAT risky, I don't think. Even w/o SD card on NT, the safe(st) way to do it would be to replace the recovery partition with a 2ndboot/cyanoboot-enhanced recovery.img from a normal rooted boot. If recovery fails, you're still okay-- you can always just boot normally, gain root, and replace recovery again. If you're verified good, then use recovery to replace boot.img.

On NT, the normal secure boot sequence is unaffected when you replace recovery. That's because on the NT, you are never removing or touching the original uboot (ub1), so there's not much danger of a brick as long as you always have two means for booting (normal + recovery).

This is all academic as far as KFire HD goes, as I'm guessing from existence of the "crypto" partition that bauwks' bugfix won't work. I need to give a look at the signature verification stuff, as I haven't looked at it yet, but I'm not particularly optimistic.

Quote:
Originally Posted by pokey9000

Now if they left in fastboot, then its not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.

True, although w/NT, BN can only patch it by modifying the hardware, which would create massive support headaches for two versions of the boot. This is because w/unchanged hardware, the current, signed xloader->ub1->ub2 chain can always be used to load whatever. Again, I have more clarification on this-- if you're not already familiar with the details, find me on IRC.

Speaking of fastboot, apparently if CONFIG_MACH_BOWSER_SUBTYPE_TATE is set, fastboot_idme is defined and fastboot and other debugging stuff seems to be turned on. I'm pretty sure "idme" is a uboot command. It's commented out of drivers/fastboot.c as a shortcut to be enabled for TATE only.

FWIW, here are some various versions of the bowser board:

Bowser-Jem-PreEVT2-
Bowser-Jem-PreEVT2-
Bowser-Tate-PreEVT2.1-
Bowser-Tate-PostEVT2.1-
Bowser-Tate-PostEVT3HS2-
Bowser-Tate-DVT-
Bowser-Tate-PVT-
Bowser-Radley-

tate = product id 7
jem = product id 8
radley = product id 9
HS is High Security, I'm pretty sure.

Someone apparently is a fan of To Kill a Mockingbird (Boo Radley, Atticus and "Jem" Finch, Heck Tate, etc.). I don't know what the Bowser connection is... this guy? Or maybe just one of these.

Gotta go.
#6 | Member | 16th September 2012, 03:57 PM
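As an added illustration of the two-boot-path argument in post #5 (constructed model, not code from the thread or from any bootloader): the signed stages are never touched, an unsigned image goes to recovery first, and it is promoted to boot only if that path actually loads. HMAC-SHA256 stands in for the real signature check and OEM_KEY for the fused device key; both are assumptions of this model.

```python
import hashlib
import hmac

# Constructed model of the chain mlo -> uboot -> (boot | recovery).
# HMAC-SHA256 over the image stands in for the OEM RSA signature
# (assumption); OEM_KEY is a placeholder for the fused device key.
OEM_KEY = b"constructed-oem-key"
ROM_STAGES = ("mlo", "uboot")  # signed stages, verified on every boot


def sign(image: bytes) -> bytes:
    return hmac.new(OEM_KEY, image, hashlib.sha256).digest()


def chain_boots(parts: dict, final: str, check_final: bool) -> bool:
    """True if mlo -> uboot -> `final` loads. Signed stages must verify;
    the final image (boot or recovery) is verified only when the loader
    enforces it (check_final), which models the HS-device case."""
    for name in ROM_STAGES + (final,):
        image, sig = parts[name]
        must_verify = name in ROM_STAGES or check_final
        if must_verify and not hmac.compare_digest(sign(image), sig):
            return False
    return True


def safe_update(parts: dict, new_image: bytes, check_final: bool) -> dict:
    """Flash an unsigned image to recovery first; promote it to boot only
    if the recovery path loads. A working path always remains either way.
    Returns the partition table after the procedure."""
    parts = dict(parts)
    parts["recovery"] = (new_image, b"unsigned")
    if chain_boots(parts, "recovery", check_final):
        parts["boot"] = (new_image, b"unsigned")
    return parts


def stock_parts() -> dict:
    """Constructed stock layout: every partition carries a valid signature."""
    imgs = {n: f"stock-{n}".encode() for n in ("mlo", "uboot", "boot", "recovery")}
    return {n: (img, sign(img)) for n, img in imgs.items()}


if __name__ == "__main__":
    for hs in (False, True):
        after = safe_update(stock_parts(), b"custom-kernel", check_final=hs)
        print("HS" if hs else "non-HS", "boot path works:",
              chain_boots(after, "boot", hs),
              "| custom image on boot:", after["boot"][0] == b"custom-kernel")
```

On the non-HS path the unsigned image ends up on boot; on the HS path it is rejected at recovery and the stock boot path still loads, which is the fallback the post relies on.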
Software RD of Amazon said it was impossible to crack the new KF system, unless you know the key in the machine.
#7 | Member | 16th September 2012, 04:08 PM
This was probably done in response to all the bricked Kindle Fires that were returned with the original Fire. That and the fact that if they didn't, it probably would have meant a price increase due to increased warranty expense. However, it seems it would make sense to simply allow an owner to pay a small fee to unlock the boot loader and register a modified Fire as "no warranty" for software issues.
#8 | 17th September 2012, 04:01 AM
Quote:
Originally Posted by kinfauns

I've exchanged several PMs with pokey9000 today. He has taken a look at the software update packages for both the 2nd generation KF and the 7" HD. The MLO (xloader, 1st stage bootloader) is signed and the boot header is the type used for HS (high security) OMAP devices with the M-Shield turned on. If the setup is comparable to the Nook Tablet, this is not good news for those hoping to modify these devices in one way or another. The Nook Tablet's exploit was to utilize the external SD card as an alternate boot device, and that doesn't really help with these 2nd generation KFs.

It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.

So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.

I got my 7" Fire HD in the mail yesterday and am in this 100% to see custom ROMs running on it.

While I have just under a year of Android tinkering under my belt and many more years of experience playing with PCs and various flavors of embedded systems, I dunno where it all begins for this new device, but I want to help the dev community in any way I can.

If anybody has specific requests about the device or needs to test out something on one, I don't mind being a guinea pig, as long as there isn't too much risk of bricking my cool new toy...
#9 | Member (somewhere in good ol' Germany) | 17th September 2012, 01:47 PM
I will take a look at the u-boot sources of the new Fires too and see how/what they have changed. Very possible that they fixed the funny flaw in the loading process for this iteration of their devices.
It would certainly be sad, since a full HD Android tab is tempting. At least for the 7-inch category we have the Nexus 7 as an extremely good alternative.
#10 | thebrave (Junior Member) | 17th September 2012, 03:01 PM
Ifixit has a teardown of the device, and there is a big test point labeled "USB BOOT" on the main board, and two smaller ones labeled "RX" and "TX"....

http://guide-images.ifixit.net/igi/U...PXthjTrEn.huge
