On 12/23/2011 I released a new Root Exploit for the Kindle Fire. I found and used what seemed to be either an Easter Egg or left over debug code – either way its more of a freebie then an exploit.VashyPooh had asked me to look into it the day before, as the 6.2.1 update from Amazon had patched the ZergRush exploit that was in use.
I began an audit of the Kindle Fire firmware and quickly found a rather odd property in its /sbin/adb file, “service.root.amazon.allow“. This property would allow adbD to run as root if we could find a way to set it. Considering that we needed a system process to set it, I was not too hopeful. My next step was to disassemble and search through the rest of the firmware, for anything else using that property.
We hit the jack pot with /system/framework/services.jar, the class “com.lab126.services.EasterEggReceiver”. This receiver has no purpose but to listen for an intent, and to set the above property. No protection, no authentication of any kind! Bingo.
> sendBroadcast(new Intent(“com.amazon.internal.E_COMMAND”).putExtra(“cmd”, “adbd_start”));
Now we can issue the adb root command, and adbD will restart as root.
Why did I name it BurritoRoot? I wanted to see how stupid of a name I could get the big blogs to publish.
Source Code: https://github.com/CunningLogic/BurritoRoot
Original Announcement: Android Police
This is a “back” post,of work I have done before starting this blog.