Incredibly simple jailbreak makes Amazon Kindle Touch a fuller-function tablet

JavaScript code in MP3 tag opens root access for whatever code you want to run

Amazon's Kindle Touch has a full-touch control interface, built-in Wifi, the ability to play or stream MP3 audio files, several unannounced features many users would love and, now, a freely available jailbreak that could let developers build their own apps to run on the newest version of Amazon's e-book reader.

The jailbreak is surprisingly simple to find, build and use, according to developer and Kindle expert Yifan Lu, who has jailbroken several previous versions of the device as well.

Amazon rewrote significant chunks of the Kindle interface to add full touch support and to make the controls more easily accessible with one hand.

Much of the interface was rewritten in HTML5 and JavaScript, rather than less accessible Java code, Lu wrote.

"In fact, many of the interfaces on the Touch are actually web pages in disguise," Lu wrote. "For example: the password entry screen, the search bar (which is just an HTML page with a frame), the browser, Wifi selection screen and even the music player."

None of the functions themselves are written in HTML5 or JavaScript because that would make them too slow, Lu wrote.

Only the interfaces use JavaScript, but Amazon built in hooks that allow JavaScript code to call function libraries in the Kindle's proprietary OS.

That makes for a more web-friendly interface, but it also creates a connection to core functions of the OS that other developers can exploit. Lu didn't have to look far before finding a ready-made pathway through the Kindle's security:

"I found a curious function: nativeBridge.dbgCmd();. It seems too good to be true. This function takes any shell command, and runs it (as root). Yup. The web browser will run as root, any command given to it. Don’t go looking for remote code execution yet (although it is highly possible), as the native bridge seems to be disabled when in web browser mode (it may be able to be bypassed, but I haven’t looked into it)." – Yifan Lu, Dec. 10, 2011

Using that one function, Lu was able to embed HTML and JavaScript in the ID3 comment tag of an MP3 file and have the scripts run when the MP3 was played.
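The ID3 comment tag is an ordinary text field, so a defender can scan MP3 files for the markup this technique depends on before they reach a device that renders tag text inside a web view. The following is an added example, not code from the article or from Lu's jailbreak package: a minimal ID3v2 frame parser plus a scan that flags HTML or script-like content in COMM and text frames. The sample file it builds is constructed for the test; the frame layout follows the ID3v2.3/2.4 specification, and the `nativeBridge` string in the signature list is the hook name the article quotes.

```python
import re
import struct

# Signature for markup or script-bearing content inside tag text. "nativeBridge"
# is the Kindle Touch's JavaScript-to-native hook named in the article; the
# other patterns are generic HTML/JS injection markers.
SUSPICIOUS = re.compile(r"<\s*script|<\s*iframe|javascript:|nativeBridge|\bon[a-z]+\s*=", re.I)


def syncsafe_encode(n: int) -> bytes:
    """Encode n as the 28-bit 'syncsafe' integer ID3v2 uses for sizes."""
    return bytes(((n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F))


def syncsafe_decode(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def build_sample_mp3(comment: str) -> bytes:
    """Constructed test fixture: ID3v2.3 header, one COMM frame carrying
    `comment`, then a stand-in for audio frames. Not a real Kindle file."""
    body = b"\x00" + b"eng" + b"\x00" + comment.encode("latin-1")  # enc 0, language, empty description
    frame = b"COMM" + struct.pack(">I", len(body)) + b"\x00\x00" + body
    return b"ID3" + b"\x03\x00\x00" + syncsafe_encode(len(frame)) + frame + b"\xff\xfb" * 8


def _split_terminated(raw: bytes, enc: int):
    """Split a text field at its terminator: 0x0000 on 2-byte boundaries for
    UTF-16 (enc 1 or 2), a single 0x00 for Latin-1/UTF-8 (enc 0 or 3)."""
    if enc in (1, 2):
        for i in range(0, len(raw) - 1, 2):
            if raw[i] == 0 and raw[i + 1] == 0:
                return raw[:i], raw[i + 2:]
        return raw, b""
    i = raw.find(b"\x00")
    return (raw, b"") if i < 0 else (raw[:i], raw[i + 1:])


def _decode(enc: int, raw: bytes) -> str:
    codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}.get(enc, "latin-1")
    return raw.decode(codec, errors="replace")


def id3v2_frames(data: bytes):
    """Yield (frame_id, payload) for every frame in a leading ID3v2.3/2.4 tag."""
    if data[:3] != b"ID3" or len(data) < 10:
        return
    major, flags = data[3], data[5]
    end = 10 + syncsafe_decode(data[6:10])
    pos = 10
    if flags & 0x40:  # extended header present: skip it
        if major == 4:
            pos += syncsafe_decode(data[10:14])            # v2.4 size includes itself
        else:
            pos += struct.unpack(">I", data[10:14])[0] + 4  # v2.3 size excludes itself
    while pos + 10 <= min(end, len(data)):
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":  # padding: no more frames
            break
        size_bytes = data[pos + 4:pos + 8]
        size = syncsafe_decode(size_bytes) if major == 4 else struct.unpack(">I", size_bytes)[0]
        pos += 10
        yield fid.decode("latin-1"), data[pos:pos + size]
        pos += size


def frame_text(fid: str, payload: bytes) -> str:
    """Return the human-readable text of a COMM or T*** frame, else ''."""
    if not payload:
        return ""
    enc = payload[0]
    if fid == "COMM":
        desc, text = _split_terminated(payload[4:], enc)  # skip enc byte + 3-byte language
        return _decode(enc, desc) + " " + _decode(enc, text)
    if fid.startswith("T"):
        return _decode(enc, payload[1:])
    return ""


def scan_mp3(data: bytes):
    """Return a list of (frame_id, matched_pattern) for text frames containing
    markup or script-like content. An empty list means nothing suspicious."""
    findings = []
    for fid, payload in id3v2_frames(data):
        match = SUSPICIOUS.search(frame_text(fid, payload))
        if match:
            findings.append((fid, match.group(0)))
    return findings


if __name__ == "__main__":
    print(scan_mp3(build_sample_mp3("<script>/* constructed sample */</script>")))
    print(scan_mp3(build_sample_mp3("Ripped from CD, 2011")))
```

Scanning is a compensating control, not the fix. The root problem the article describes is that tag text is rendered as HTML inside a page that can reach a native hook able to run shell commands as root; a player that treated tag text strictly as data (escaping it before rendering) and a bridge that did not expose arbitrary command execution to page content would close the path regardless of what a tag contains.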

Lu also found two functions Amazon built into the Kindle but didn't advertise: an accelerometer and a proximity sensor. Both are functional, though no available Kindle apps use them; code written by other developers running on jailbroken systems should be able to access both, however, Lu wrote.

So how do you jailbreak your own Kindle Touch?

Lu packaged the Kindle Touch jailbreak along with instructions for using it and for recovering if you accidentally brick the device.

The jailbreak code lives in the metadata of an MP3 file and includes "very basic" USB networking code that gives the user SSH access to the Kindle over USB.

The jailbreak doesn't change any files on the Kindle unnecessarily and doesn't add new functionality of its own. It only provides an entry point for other developers or owners to make modifications using code they write themselves.

So far there are few, if any, rogue Kindle apps. As with iOS and Android, however, once an OS is jailbroken it's only a matter of (a very short) time before ports of existing apps or entirely new ones start circulating.

Where rogue developers go, malware writers quickly follow, though. As always, be careful what you download.

