On 12/23/2011 I released a new root exploit for the Kindle Fire. I found and used what seemed to be either an Easter egg or leftover debug code; either way, it's more of a freebie than an exploit. VashyPooh had asked me to look into it the day before, as the 6.2.1 update from Amazon had patched the ZergRush exploit that was in use.

I began an audit of the Kindle Fire firmware and quickly found a rather odd property in its /sbin/adb file, "service.root.amazon.allow". This property would allow adbd to run as root if we could find a way to set it. Considering that we needed a system process to set it, I was not too hopeful. My next step was to disassemble and search through the rest of the firmware for anything else using that property.

We hit the jackpot with /system/framework/services.jar, the class "com.lab126.services.EasterEggReceiver". This receiver has no purpose but to listen for an intent and to set the above property. No protection, no authentication of any kind! Bingo.

> sendBroadcast(new Intent("com.amazon.internal.E_COMMAND").putExtra("cmd", "adbd_start"));

Now we can issue the adb root command, and adbd will restart as root.
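As an added example (not BurritoRoot's code and not Amazon's EasterEggReceiver), this is what a framework-side debug receiver of this kind looks like when it is locked down: the manifest restricts senders to a signature-level permission, and the receiver refuses to act at all on user builds. The package, class, permission and property names are assumptions.

```java
// Added example: a debug-command receiver that cannot be driven by arbitrary apps.
// Hypothetical names throughout; not the Kindle Fire's receiver.
//
// AndroidManifest.xml of the system component that hosts the receiver:
//   <permission android:name="com.example.permission.DEBUG_COMMAND"
//               android:protectionLevel="signature" />
//   <receiver android:name=".DebugCommandReceiver"
//             android:permission="com.example.permission.DEBUG_COMMAND">
//     <intent-filter>
//       <action android:name="com.example.internal.E_COMMAND" />
//     </intent-filter>
//   </receiver>
//
// The sender's permission must be enforced in the manifest (or via
// registerReceiver(receiver, filter, PERMISSION, null)); inside onReceive()
// the calling identity is the receiver's own process, so a
// checkCallingPermission() there would not reflect who sent the broadcast.

package com.example.debug;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.SystemProperties; // hidden API, reachable only from framework code
import android.util.Log;

public class DebugCommandReceiver extends BroadcastReceiver {
    private static final String TAG = "DebugCommandReceiver";
    private static final String ACTION = "com.example.internal.E_COMMAND";
    // Hypothetical property that adbd would consult; never a shipped one.
    private static final String ADB_ALLOW_PROP = "service.debug.adb.allow";

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ACTION.equals(intent.getAction())) return;

        // Debug-only hooks must be inert on production ("user") builds, so a
        // leftover receiver cannot become a root path on shipped devices.
        if (!"eng".equals(Build.TYPE) && !"userdebug".equals(Build.TYPE)) {
            Log.w(TAG, "ignoring E_COMMAND on " + Build.TYPE + " build");
            return;
        }
        if ("adbd_start".equals(intent.getStringExtra("cmd"))) {
            SystemProperties.set(ADB_ALLOW_PROP, "1");
        }
    }
}
```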

Why did I name it BurritoRoot? I wanted to see how stupid of a name I could get the big blogs to publish.

Source Code: https://github.com/CunningLogic/BurritoRoot

Original Announcement: Android Police

This is a "back" post, of work I had done before starting this blog.