
New Kindle Fires are locked

#1  kinfauns (Developer Committee / Senior Moderator, OP)

I've exchanged several PMs with pokey9000 today. He has taken a look at the software update packages for both the 2nd generation KF and the 7" HD. The MLO (xloader, 1st stage bootloader) is signed and the boot header is the type used for HS (high security) OMAP devices with the M-Shield turned on. If the setup is comparable to the Nook Tablet, this is not good news for those hoping to modify these devices in one way or another. The Nook Tablet's exploit was to utilize the external sdcard as an alternate boot device and that doesn't really help with these 2nd generation KFs.

It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.

So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.
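A way to check the claim above on a file pulled out of an update package, as an added example that is not part of the original post and not Amazon's or pokey9000's tooling: an unsigned GP (General Purpose) OMAP MLO has a documented layout (a 512-byte Configuration Header of 32-byte TOC entries, then an 8-byte size/load-address GP header, then the x-loader code, as written by U-Boot's mkimage -T omapimage), so a parser for that layout either recognises the image or reports that it is something else, which is what a signed HS image looks like from this side. The HS container format itself is not parsed here; the sample load address 0x40300000 and the sample payload are constructed values for the test.

```python
"""Check whether an OMAP MLO (x-loader) image uses the unsigned GP layout.

GP MLO layout (U-Boot mkimage -T omapimage), all fields little-endian:
  0x000  Configuration Header (CH): 32-byte TOC entries, terminated by an entry
         whose offset and size fields are both 0xFFFFFFFF; padded to 512 bytes
  0x200  GP header: uint32 size of the code that follows, uint32 load address
  0x208  x-loader code
A signed HS (High Security) MLO uses TI's signed container instead, which this
code does not parse; such a file fails the GP checks and is reported as not GP.
"""
import struct

CH_SIZE = 512
TOC_ENTRY_SIZE = 32
GP_HEADER_SIZE = 8
KEY_CHSETTINGS = 0xC0C0C0C1   # section_key of the CHSETTINGS structure
TOC_END = 0xFFFFFFFF


def build_gp_mlo(code: bytes, load_addr: int) -> bytes:
    """Build a GP MLO the way mkimage does: one CHSETTINGS TOC entry, an all-0xFF
    terminator entry, the settings block, then the GP header and the code.
    Used here only to construct sample input."""
    ch = bytearray(CH_SIZE)
    settings_off = 2 * TOC_ENTRY_SIZE            # settings sit after the two TOC entries
    # TOC entry: section offset, section size, 12 unused bytes, 12-byte name
    struct.pack_into("<II12s12s", ch, 0, settings_off, 12, b"", b"CHSETTINGS")
    ch[TOC_ENTRY_SIZE:2 * TOC_ENTRY_SIZE] = b"\xff" * TOC_ENTRY_SIZE   # terminator
    # ch_settings: key, valid, version, reserved, flags
    struct.pack_into("<IBBHI", ch, settings_off, KEY_CHSETTINGS, 0, 1, 0, 0)
    return bytes(ch) + struct.pack("<II", len(code), load_addr) + code


def parse_mlo(blob: bytes) -> dict:
    """Describe a GP MLO, or say why the blob does not match the GP layout."""
    if len(blob) < CH_SIZE + GP_HEADER_SIZE:
        return {"gp": False, "reason": "shorter than CH + GP header (520 bytes)"}
    sections = []
    off = 0
    while off + TOC_ENTRY_SIZE <= CH_SIZE:
        s_off, s_size, _, raw_name = struct.unpack_from("<II12s12s", blob, off)
        if s_off == TOC_END and s_size == TOC_END:
            break
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if s_off + s_size > CH_SIZE:
            return {"gp": False, "reason": f"TOC entry {name!r} points outside the CH"}
        sections.append((name, s_off, s_size))
        off += TOC_ENTRY_SIZE
    else:
        return {"gp": False, "reason": "no TOC terminator inside the 512-byte CH"}
    settings = [s for s in sections if s[0] == "CHSETTINGS"]
    if not settings:
        return {"gp": False, "reason": "no CHSETTINGS section in the CH"}
    key = struct.unpack_from("<I", blob, settings[0][1])[0]
    if key != KEY_CHSETTINGS:
        return {"gp": False, "reason": f"CHSETTINGS key {key:#010x} != {KEY_CHSETTINGS:#010x}"}
    size, load_addr = struct.unpack_from("<II", blob, CH_SIZE)
    if size != len(blob) - CH_SIZE - GP_HEADER_SIZE:
        return {"gp": False, "reason": f"GP size field {size:#x} does not match the code length"}
    return {"gp": True, "sections": [s[0] for s in sections],
            "size": size, "load_addr": load_addr}


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:      # e.g. the MLO extracted from an update package
        print(parse_mlo(f.read()))
```

A negative result only tells you the file is not a plain GP image; it does not prove the signature is enforced on the device. That is why the post's "subject to verification by someone who has a device in hand" still stands.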
 
#2  fattire (Recognized Developer)
Some clarification... and much left unanswered...

Quote (originally posted by kinfauns):
The Nook Tablet's exploit was to utilize the external sdcard as an alternate boot device and that doesn't really help with these 2nd generation KFs.
Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence). If you're curious, you can look at the CyanoBoot 2nd bootloader for NT description or source to see what's going on.

I've taken a VERY quick look at the bootloader source for the HD7 as well, pushed here for anyone who wants it. There is in fact signature verification code in the uboot source (~line 140).

Also, looks like there are three configs-- bowser, jem, and tate. I have to look at it closer but it looks like tate is a subtype of bowser, and the HD7 I assume is tate. Hashcode also found a "radley" in the kernel code, but I haven't looked at that.

Anyway.. it is possible that bauwks' flaw or some other flaw exists in this signature verification code, but the code isn't identical to NT so who knows.

Incidentally, the new revision of the Kindle Fire (otter2) also has the same code, and there's a thread about the signature issue here as well.

Quote:
It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.

So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.
Yeah.. it all depends on whether there's a flaw as there was with the Nook Tablet... someone get bauwks on the line

Meanwhile, I'm enjoying my free (as in speech) Nexus 7... :P
 
#3  pokey9000 (Senior Member, Austin)
Quote (originally posted by fattire):
Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence).
Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on eMMC without any other boot options is serious brown trousers time. Now if they left in fastboot, then it's not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.
Quote:

Meanwhile, I'm enjoying my free (as in speech) Nexus 7... :P
Yes.

Sent from my Nexus 7 using xda premium
 
#4  kinfauns (Developer Committee / Senior Moderator, OP)
Quote (originally posted by fattire):
Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence). If you're curious, you can look at the CyanoBoot 2nd bootloader for NT description or source to see what's going on.

...
Thanks for the clarification and your input as well. I just wanted to get the discussions going on the possibilities of opening up this device to development, but also temper some expectations. There are many people waiting and some undoubtedly have ordered with the assumption that these 2nd generation devices will be getting the full range of development enjoyed by the original. I was mostly paraphrasing and summarizing, so I'll leave the details to those with the know-how.

I'm sure many people will be scouring the code and tinkering with their new devices in the coming days to figure something out.
 
#5  fattire (Recognized Developer)
Boring stuff...

Quote (originally posted by pokey9000):
Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on emmc without any other boot options is serious brown trousers time
It's not THAT risky, I don't think. Even w/o SD card on NT, the safe(st) way to do it would be to replace the recovery partition with a 2ndboot/cyanoboot-enhanced recovery.img from a normal rooted boot. If recovery fails, you're still okay-- you can always just boot normally, gain root, and replace recovery again. If you're verified good, then use recovery to replace boot.img.

On NT, the normal secure boot sequence is unaffected when you replace recovery. That's because on the NT, you are never removing or touching the original uboot (ub1), so there's not much danger of a brick as long as you always have two means for booting (normal + recovery).

This is all academic as far as KFire HD goes, as I'm guessing from existence of the "crypto" partition that bauwks' bugfix won't work. I need to give a look at the signature verification stuff, as I haven't looked at it yet, but I'm not particularly optimistic.

Quote (originally posted by pokey9000):
Now if they left in fastboot, then its not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.
True, although w/NT, BN can only patch it by modifying the hardware, which would create massive support headaches for two versions of the boot. This is because w/unchanged hardware, the current, signed xloader->ub1->ub2 chain can always be used to load whatever. Again, I have more clarification on this-- if you're not already familiar with the details, find me on IRC.

Speaking of fastboot, apparently if CONFIG_MACH_BOWSER_SUBTYPE_TATE is set, fastboot_idme is defined and fastboot and other debugging stuff seems to be turned on. I'm pretty sure "idme" is a uboot command. It's commented out of drivers/fastboot.c as a shortcut to be enabled for TATE only.

FWIW, here are some various versions of the bowser board:

Bowser-Jem-PreEVT2-
Bowser-Jem-PreEVT2-
Bowser-Tate-PreEVT2.1-
Bowser-Tate-PostEVT2.1-
Bowser-Tate-PostEVT3HS2-
Bowser-Tate-DVT-
Bowser-Tate-PVT-
Bowser-Radley-


tate = product id 7
jem = product id 8
radley = product id 9
HS is High Security, I'm pretty sure.

Someone apparently is a fan of To Kill a Mockingbird (Boo Radley, Atticus "Jem" Finch, Heck Tate, etc.). I don't know what the Bowser connection is... this guy? Or maybe just one of these.

Gotta go.
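The recovery-first ordering fattire describes (replace recovery from a rooted normal boot, confirm it, and only then replace boot, so there are always two ways to boot) as an added example that is not part of the post and not CyanoBoot's or anyone's real flashing tool. The targets are plain files so it runs offline; on a device they would be the recovery and boot block devices written from a root shell (their names are parameters here, not real paths), the images are constructed placeholders, and the real "verified good" gate is that the new recovery actually boots, which a read-back hash cannot tell you. What the code does show is the safety discipline around each write: keep a verified backup before touching anything, read back and compare after writing, and roll back on mismatch.

```python
"""Recovery-first partition replacement: backup, write, read-back check, rollback.

Added example.  Targets are ordinary files here; on a rooted device they would
be the recovery and boot block devices (parameter names recovery_dev/boot_dev
are placeholders, not real paths).  The kernel images are constructed stand-ins.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_readback(target: str, image: bytes) -> bool:
    """Read back exactly len(image) bytes and compare hashes.  A partition is
    usually larger than the image written into it, so only the prefix counts."""
    with open(target, "rb") as f:
        written = f.read(len(image))
    return hashlib.sha256(written).hexdigest() == hashlib.sha256(image).hexdigest()


def replace_partition(target: str, image: bytes, backup: str) -> dict:
    """backup -> write -> verify -> rollback on mismatch."""
    shutil.copyfile(target, backup)
    if sha256_file(backup) != sha256_file(target):
        return {"ok": False, "stage": "backup"}       # never write without a restorable copy
    with open(target, "r+b") as f:                    # r+b: overwrite in place, no truncation
        f.write(image)
        f.flush()
        os.fsync(f.fileno())
    if verify_readback(target, image):
        return {"ok": True, "stage": "verified",
                "sha256": hashlib.sha256(image).hexdigest()}
    shutil.copyfile(backup, target)                   # put the old contents back
    return {"ok": False, "stage": "rolled back"}


def stage_boot_chain(recovery_dev: str, boot_dev: str,
                     recovery_img: bytes, boot_img: bytes, backup_dir: str) -> list:
    """Replace recovery first; touch boot only once recovery checked out, so a
    bootable path (normal or recovery) exists at every step.  On a real device
    the gate between the two steps is a successful boot into the new recovery."""
    log = [("recovery", replace_partition(recovery_dev, recovery_img,
                                          os.path.join(backup_dir, "recovery.bak")))]
    if not log[-1][1]["ok"]:
        return log
    log.append(("boot", replace_partition(boot_dev, boot_img,
                                          os.path.join(backup_dir, "boot.bak"))))
    return log


def demo() -> dict:
    """Run the procedure against two 1 MiB fake partitions in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        recovery_dev = os.path.join(d, "recovery")
        boot_dev = os.path.join(d, "boot")
        for path, fill in ((recovery_dev, b"\xaa"), (boot_dev, b"\xbb")):
            with open(path, "wb") as f:
                f.write(fill * (1 << 20))
        recovery_img = b"2NDBOOT-RECOVERY" * 64      # constructed placeholder images
        boot_img = b"2NDBOOT-BOOT" * 64
        log = stage_boot_chain(recovery_dev, boot_dev, recovery_img, boot_img, d)
        return {
            "log": log,
            "recovery_ok": verify_readback(recovery_dev, recovery_img),
            "boot_ok": verify_readback(boot_dev, boot_img),
            "backup_intact": sha256_file(os.path.join(d, "recovery.bak"))
                             == hashlib.sha256(b"\xaa" * (1 << 20)).hexdigest(),
            "mismatch_detected": not verify_readback(boot_dev, b"WRONG" * 64),
        }


if __name__ == "__main__":
    print(demo())
```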
 
#6  bournezhang (Member)
Software R&D at Amazon said it was impossible to crack the new KF system unless you know the key in the machine.
 
#7  wrexus (Member)
This was probably done in response to all the bricked Kindle Fires that were returned with the original Fire. That, and the fact that if they didn't, it probably would have meant a price increase due to increased warranty expense. However, it seems it would make sense to simply allow an owner to pay a small fee to unlock the bootloader and register a modified Fire as "no warranty" for software issues.
 
#8  psomero (Junior Member, San Jose)
Quote (originally posted by kinfauns):
I've exchanged several PMs with pokey9000 today. He has taken a look at the software update packages for both the 2nd generation KF and the 7" HD. The MLO (xloader, 1st stage bootloader) is signed and the boot header is the type used for HS (high security) OMAP devices with the M-Shield turned on. If the setup is comparable to the Nook Tablet, this is not good news for those hoping to modify these devices in one way or another. The Nook Tablet's exploit was to utilize the external sdcard as an alternate boot device and that doesn't really help with these 2nd generation KFs.

It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.

So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.
I got my 7" Fire HD in the mail yesterday and am in this 100% to see custom roms running on it.

While I have just under a year of Android tinkering under my belt and many more years of experience playing with PCs and various flavors of embedded systems, I dunno where it all begins for this new device, but I want to help the dev community in any way I can.

If anybody has specific requests about the device or needs to test out something on one, I don't mind being a guinea pig, as long as there isn't too much risk of bricking my cool new toy...
 
#9  deeper-blue (Member, somewhere in good ol' Germany)
I will take a look at the u-boot sources of the new fires too and see how/what they have changed. Very possible that they fixed the funny flaw in the loading process for this iteration of their devices.
It would certainly be sad since a full HD android tab is tempting. At least for the 7inch category we have the nexus7 as an extremely good alternative.
 
#10  thebrave (Junior Member)
Ifixit has a teardown of the device, and there is a big test point labeled "USB BOOT" on the main board, and two smaller ones labeled "RX" and "TX"....

http://guide-images.ifixit.net/igi/U...PXthjTrEn.huge
