SlideShare a Scribd company logo

Beginning Kindle Hackery

Download as ZIP, PDF
Jesse Vincent
Jesse Vincent

I gave a talk on Kindle hacking at Shibuya Perl Mongers in April 2009. It documents my first couple months messing around with the Kindle.

Related slideshows

Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2
 
stackconf 2022: Is that an Ansible? Stop holding it like a Puppet
stackconf 2022: Is that an Ansible? Stop holding it like a Puppetstackconf 2022: Is that an Ansible? Stop holding it like a Puppet
stackconf 2022: Is that an Ansible? Stop holding it like a Puppet
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
1 of 331
You can take the Hacker out of Perl...
...but you can’t take the Perl out of the hacker.
Laziness, Impatience and Hubris on the Kindle
This talk contains almost no Perl.
...and almost no Japanese.
I’m very sorry.
And no x86 ASM
I’m not sorry.
The Amazon Kindle
eBook Reader
Beginning Kindle Hackery
Beginning Kindle Hackery
eInk Screen
800x600; 16 levels of grey
No backlight
Looks great outside!
Good things about the Kindle
3G for 1-click shopping
250,000+ books to buy
(Most < USD10)
Newspaper, Magazine, Blog subscriptions
Delivered every morning
$1-$10 each month
Email → eBook conversion
$0.10 for autodelivery
$FREE if you copy the result by USB
Free Web Browser
Download .mobi, .prc, .azw, .txt for free
“Experimental”
Means: We might start charging money for this
NetFront 3.5
Basic CSS
Javascript
XmlHttpRequest
Free Wikipedia
Not “experimental”
Text to speech.
Minesweeper!
Beginning Kindle Hackery
Bad things about the Kindle
DRM
When you buy books, they are locked to the Kindle
Amazon lawyers went after a tool to let you read non- Amazon DRMed ebooks
(The same tool can help you remove the DRM from books Amazon sells you)
Limited eBook formats
I want to read PDFs
I want to read ePubs
I want to read Manga
Actually, I don’t read manga
But lots of my friends do
Surveillance
Beginning Kindle Hackery
In the US, 3G includes GPS
The Kindle has a GPS
Device logs are sent to Amazon
Including many user actions
...like the websites you visit
...and what books you read
Appears to include GPS info
Amazon knows where you are
Lock-in
Beginning Kindle Hackery
Designed to work only with Amazon
3G use is free, but only while Amazon likes you
Summary: The Kindle is an “appliance”
You wouldn’t hack a book, would you?
I got a Kindle to read books
I didn’t plan to hack it
I really wanted to read books in other formats
I’m a sucker for sexy platforms
And it was begging me
It’s a new toy.
I am going to hack it.
Laziness
http://igorsk.blogspot.com
Hidden debug commands
;debugOn
‘help
Beginning Kindle Hackery
Hubris
“I can’t possibly brick my Kindle with the keyboard, right?”
So, I started typing commands.
“‘usbNetwork” sounds good.
...nothing happened
How about “‘usbQa’”?
It turned off the WIFI
..and turned off USB Disk mode.
Impatience
I gave up
Sometimes laziness wins
An hour later, I rebooted my Macbook Air
Beginning Kindle Hackery
So I set up a DHCP server
Nothing...
sh-3.2# tcpdump -i en1 listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes [ ...] 12:36:15.238229 arp who-has 192.168.15.200 tell 192.168.15.244
Beginning Kindle Hackery
Beginning Kindle Hackery
Beginning Kindle Hackery
Now my Kindle can tether through my Macbook
I want to read other eBook formats - attempt #1
The Kindle has a browser
I have a web server
Web based proxy
Small perl app
mobiperl
Perl 4
no strict;
no warnings;
global variables
hmm. no ePub support
Spent a weekend learning how ePub format works
github.com/obra/ unsavory-epub-hacks
Slow. Annoying. Requires a Server
Servers are evil
Hm.
Back to the drawing board
I want to read other eBook formats - attempt #2
Let’s review what we know:
What’s inside the Kindle?
800x600 eInk screen
You know about the screen
Freescale iMX31
ARM1136JF-S
(Includes FPU)
+ Multimedia stuff
2 GB Flash
128 MB RAM
USB OTG + MicroUSB slot
Audio hardware
Keyboard
The Kindle sounds like a computer, not a book
It MUST use some GPL code...
https://www.amazon.com/gp/help/ customer/display.html?inodeId=200203720
gplrelease.tar.gz
alsa-lib-1.0.13 gcc-4.1.2 module-init-tools-3.2.2_patch alsa-lib-1.0.13_patch glib-2.12.9 monit-4.9 alsa-utils-1.0.13 glibc-2.5 mtd-utils-1.0.0 alsa-utils-1.0.13_patch gst-plugins-base-0.10.17 picocom-1.4 base-files-3.0.14.ipk gst-plugins-base-0.10.6 powertop-1.10 base-passwd_3.5.9 gstreamer-0.10.17 procps-3.2.7 binutils-2.17.50.0.5 hotplug-2004_09_20 procps-3.2.7_patch bonnie++-1.03c ifupdown_0.6.8 readline-4.3 bootchart-0.9 iptables-1.3.3 syslog-ng-1.6.11 busybox-1.7.2 klibc-1.5 sysvinit-2.86 dosfstools-2.11 libol-0.3.18 taglib-1.5 e2fsprogs-1.38 linux-2.6.22-lab126 uboot-1.3.0-rc3 e2fsprogs-1.38_patch lrzsz-0.12.20 udev-112 fuse-2.7.1 lzo-1.08 util-linux-2.12r fuse-2.7.1_link module-init-tools-3.2.2
Linux
I can work with this
But how do I get code onto it?
My friend nmap tells me...
The Kindle listens on a few ports.
None of them love me at all
I guess I’ll need to take matters into my own hands.
Hey, the Kindle has busybox
busybox has telnetd
Maybe I just need to install /etc/rc5.d/S99telnetd
More research from http://igorsk.blogspot.com
Kindle 1 update extractor
(Python script)
But I want to make new updates...
I reverse engineered the reverse engineering tool
Updates are a short header, an MD5 and a tarball
...run through a trivial cipher
they’re not encrypted
The Kindle2 is a little different than the Kindle1
It has different magic #s in the update header
I waited for the first Kindle 2 “update.bin”
I grabbed its header
I built a new “update”
It installed one file
/etc/rc5.d/S99telnetd
/bin/busybox telnetd -p 2323
...nope.
I ran strings on the Kindle’s busybox
No telnetd!
Where can I get a busybox for the Kindle?
What else has a a similar CPU?
My gPhone!
Lots of people built static busybox for the gPhone
telnetd: take 2
login:
login: root Password: Login incorrect
Beginning Kindle Hackery
/bin/sh makes a better /bin/login
Beginning Kindle Hackery
125-6-81-160:ß jesse$ telnet kindle 2323 Trying 192.168.15.244... Connected to kindle. Escape character is '^Ü'. / # cat /etc/motd ############################################### ## # NOTICE * NOTICE * NOTICE # ############################################### ## Rootfs is mounted read-only. Invoke mntroot rw to switch back to a writable rootfs. ############################################### ## /#
What I found:
Most of /sbin is written in sh
Fun stuff in /proc
/proc/config.gz
# # Automatically generated make config: don't edit # Linux kernel version: 2.6.22.19 # Mon Mar 2 12:13:07 2009 # CONFIG_ARM=y CONFIG_SYS_SUPPORTS_APM_EMULATION=y # CONFIG_GENERIC_GPIO is not set CONFIG_GENERIC_TIME=y CONFIG_GENERIC_CLOCKEVENTS=y CONFIG_MMU=y # CONFIG_NO_IOPORT is not set CONFIG_GENERIC_HARDIRQS=y CONFIG_STACKTRACE_SUPPORT=y CONFIG_LOCKDEP_SUPPORT=y ...
...I could rebuild the Kernel
/proc/filesystems
nodev sysfs nodev rootfs nodev bdev nodev proc msdos nodev sockfs vfat nodev pipefs nodev nfs nodev nodev rpc_pipefs anon_inodefs nodev fuse nodev futexfs fuseblk nodev tmpfs nodev fusectl nodev inotifyfs nodev devpts ext3 nodev ramfs
nodev sysfs nodev rootfs nodev bdev nodev proc msdos nodev sockfs vfat nodev pipefs nodev nfs nodev nodev rpc_pipefs anon_inodefs nodev fuse nodev futexfs fuseblk nodev tmpfs nodev fusectl nodev inotifyfs nodev devpts ext3 nodev ramfs
I’m not restricted to 2GB
It’s a Linux box
I can cross-compile!
http://www.codesourcery.com/ Prebuilt ARM toolchain
It generates generic ARM machine code
That’s ok, but not great
I’ll cross compile Perl
1 day of frustration passes
I won’t cross-compile Perl
Crosscompiling Perl == Bad Joke
I’ll cross-compile Python
Same bad joke
Maybe I need a native compiler for ARM
Where do I get an ARM build farm?
I have a gPhone
It’s not a great build host
I have an N810
It’s not a great build host...
...but it has an important advantage
apt-get install gcc
N810: Linux 2.6; glibc 2.5
N810 binaries run unmodified on the Kindle
I built perl in an hour
Sadly, I realized that Python is a better choice
I also realized that building on the Kindle works better than on the N810.
(Version skew in extra libraries makes things hard)
I tried building gcc on the N810...
Found Pengutronix / OSELAS.de
It’s a compiler toolchain builder.
I built my own crosscompilers for ARM1136JF-S - Linux 2.6 - glibc 2.5
I used the cross compiler to compile gcc, glibc (for proper headers), binutils, shellutils, dropbear & screen
I cross-compiled nfsmount
I nfs-mounted a disk image with the compiler
Then I started building more stuff
I am a Perl Hacker
I believe in the three virtues
Lazyness
Impatience
Hubris
Sometimes, Perl isn’t the Right Tool
Calibre is the Killer App for ebook conversion and management
Lazyness
I like the best tools
The best tools already exist
Calibre has dozens of eBook format converters.
Why reimplement them?
Hubris
“I can learn enough Python in a weekend to port this application to the Kindle”
The downside
Dependencies
Who’s dealt with Python app dependencies?
No CPAN.
Everything you need is in the Standard Library.
If it’s not in the Standard Library, it’s not worth using.
Except when you need it.
They have....
“easy_install”
It’s not so easy
It is very perlish
It does recursive web scraping to find tarballs on developers’ web sites.
Most of the deps actually installed ok.
I just ran the app over and over until it stopped erroring.
God I miss Perl.
And then we get to the big problem.
Qt
Calibre’s UI is in Qt
...so its backend uses Qt because it’s easy
PyQt binds Qt to Python
For Qt for Windows
for Qt for Mac
for Qt for X11
No X11 on Kindle
(Just a Framebuffer)
QtEmbedded
No problem!
No PyQtEmbedded
Finally got Calibre running...
by hacking out components I don’t need.
It was good enough to try to convert a trivial ebook.
It took 12 hours...
...after I built swaputils and gave it 256MB of swap
Beginning Kindle Hackery
So what was it doing?
HTML → Mobipocket converter
With a full CSS engine
It visits every DOM element...
and computes CSS styles to convert them to trivial HTML 3.2...
...twice.
Lazyness, Impatience, Hubris can all help here.
Help me Larry-wan.
Very few CSS rules really matter.
The Kindle supports very little HTML.
It mostly supports HTML 3.2...just no <pre>
...that’s the only thing the 12 hour CSS engine got us
You can emulate <pre> with <tt> and &nbsp;
Beginning Kindle Hackery
if tag == 'pre': self.inside_pre = 1 tag = 'tt' if prefixname(elem.tag, nsrmap) == 'pre': buffer.write('<br/>n') self.inside_pre = 0 if self.inside_pre: text=text.replace(' ','&nbsp;') text=re.sub(r'(rn|r|n)', '<br/>n', text)
Now it runs in 60 megs and about 10 minutes
So, now I can run code.
Still no UI access.
I don’t really want to hack Java GUI code.
And where could I plug my custom UI into the Kindle’s?
I don’t want to break Amazon’s UI.
Oh hey.
There is an application I could replace with something custom...
Beginning Kindle Hackery
But really, I don’t want to.
Sure, I could decompile.
It’s obfuscated.
It’d be annoying.
If I built UI, I’d have to maintain a UI.
And users can break a UI.
No buttons = Less to screw up
But I have this ebook converter.
I do want to let users convert books.
What to do?
nodev sysfs nodev rootfs nodev bdev nodev proc msdos nodev sockfs vfat nodev pipefs nodev nfs nodev nodev rpc_pipefs anon_inodefs nodev fuse nodev futexfs fuseblk nodev tmpfs nodev fusectl nodev inotifyfs nodev devpts ext3 nodev ramfs
nodev sysfs nodev rootfs nodev bdev nodev proc msdos nodev sockfs vfat nodev pipefs nodev nfs nodev nodev rpc_pipefs anon_inodefs nodev fuse nodev futexfs fuseblk nodev tmpfs nodev fusectl nodev inotifyfs nodev devpts ext3 nodev ramfs
Inotify blocks on filesystem events.
pyInotify lets me get at fs events easily.
class InotifyListener (threading.Thread): global cv def run ( self ): global conversionQueue wm = WatchManager() # Watch Manager mask = IN_MOVED_TO | IN_CREATE # watched events p = PTmp() notifier = Notifier(wm, p) wdd = wm.add_watch('/mnt/us/documents', mask, rec=True) notifier.loop()
It works great for downloads
Copies over USB didn’t trigger inotify events.
It’s probably something fuse-related.
I went for the cheap hack.
When you eject the Kindle, it generates a DBus event.
class DbusWatcher (threading.Thread): global cv def run ( self ): global conversionQueue cmd='/usr/bin/dbus-monitor --system' pipe = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout while 1: line = pipe.readline() if any(line.find(i) != -1 for i in ['usbPlugOut', 'resuming']): for f in os.listdir('/mnt/us/documents'): maybe_enqueue_file('/mnt/us/documents/'+f)
What’s next?
Remember config.gz?
I can build a new kernel
...and add back missing drivers
USB Mass Storage Host
USB WIFI?
What isn’t next?
Reverse engineering Java to extend the Kindle’s UI
Python, and Shell, I’m happy to hack for a good cause.
Java is another matter entirely.
Thanks!
I had a big finish planned.
I was going to build and show off a manga converter.
(for .cbz format books)
So I downloaded a .cbz.
...and copied it to the Kindle...
...and I saw this...
Beginning Kindle Hackery
The best hacking is no hacking.
Thanks!

More Related Content

Beginning Kindle Hackery