Lanchon / REPIT

A Device-Only Data-Sparing Repartitioning Tool For Android

Amazon Kindle Fire HDX 7 (3rd Gen) (thor) #62

Closed ghost closed 7 years ago

ghost commented 7 years ago

Device: Kindle Fire HDX 7" (2013/3rd gen), codename "thor"
Recovery: TWRP unofficial 3.0.2-0, from here
Kernel: Kernel Source
ROM: CM 13.0 for thor
stock partition layout: I guess? I haven't messed with the layout.

log: repit-dump.txt

Lanchon commented 7 years ago

CM labels: thor

Lanchon commented 7 years ago

EDIT: THIS IS NO LONGER NEEDED !!!

hi, thanks!

with the device booted to TWRP, please connect it to the PC and run this command on the PC:

adb pull /dev/block/platform/msm_sdcc.1/by-name/aboot

then zip and post the resulting aboot file here

Lanchon commented 7 years ago

taken from factory image mod-update-kindle-thor-13.3.2.8_user_713328020.bin:

$ strings emmc_appsboot.mbn | grep -i gpt | grep -i sign

GPT: (WARNING) Primary signature invalid
GPT: Primary and backup signatures invalid
GPT: Primary signature invalid cannot write GPT
GPT: Backup signature invalid cannot write GPT

i'm sad to inform that there are strings in the bootloader that hint to a signed GPT. your bootloader might or might not enforce GPT signatures.

in case it does, altering the GPT might brick the device. the expectation is that not even fastboot would work, and the device would drop to one of the qualcomm bulk interfaces.

to recover from that situation requires qualcomm's tools and leaked factory firmware files for your device. leaked firmware files for your device seem to exist, but only if you were running firmware <= 1314.3.2.6 when you bricked. and you might also need a "factory cable". more info: http://forum.xda-developers.com/kindle-fire-hdx/general/how-to-unbrick-kindle-fire-hdx-firmware-t3277197

there are several threads devoted to downgrading firmware and it seems possible, but you might need to wipe your device and downgrade CM too.

there's a real hard-bricking possibility here. i can't really recommend going forward unless you are certain that you can unbrick your device. and... i won't be able to help you with that. so what do you think?

ghost commented 7 years ago

Wait... isn't that already saying that the GPT isn't signed, those 4 lines? Is there a way to verify that it's truly verified? (I downgraded to the <3.2.4 bootloader during the unlocking process)

IIRC, the 3.x.x bootloaders have an EXPLOIT relating to signatures, that's how it was unlocked in the first place. I think this also applies to the 8.9" version of the device (apollo)

ghost commented 7 years ago

http://forum.xda-developers.com/kindle-fire-hdx/orig-development/tool-signing-tool-pre-3-2-4-booloaders-t2992435

here's what it says about the exploit:

The bootloader is not properly checking the number of bytes decrypted from the signature. This allows us to insert garbage bytes and create a forged signature. A decrypted (cubed) PKCS#1 v1.5 padded signature starts with 00 01 PS 00. PS is the padding string and consists of at least 8 FF bytes. After the start of the signature comes the 32 byte long SHA256 image hash.

also, pure C version of that tool using bignum: http://forum.xda-developers.com/kindle-fire-hdx/development/pure-c-implementation-cuber-using-t3241011
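
The padding check the quoted post describes, written out as an added example in Python (not code from this thread, from REPIT, or from the XDA tool): a lenient parser that stops reading once it has found the hash, as the post says the bootloader does, beside a strict one that compares the whole decrypted block against its modulus-width encoding. The block layout (no DigestInfo before the SHA-256 hash), the `lenient_check` logic and the sample bytes are assumptions modelled on the post; the code covers the verification side only.

```python
import hashlib

HASH_LEN = 32  # SHA-256 digest length, per the thread's description


def lenient_check(em: bytes, image: bytes) -> bool:
    """Check modelled on the flaw quoted above (an assumption about the
    bootloader's logic): accept 00 01, at least eight FF bytes, 00, then
    the hash, and never compare the decrypted length with the modulus
    length, so whatever trails the hash is ignored."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    digest = em[i + 1:i + 1 + HASH_LEN]
    return digest == hashlib.sha256(image).digest()


def strict_check(em: bytes, image: bytes, k: int) -> bool:
    """Hardened check: rebuild the whole expected block for a k-byte
    modulus and require an exact, full-length match, so the padding must
    span the block and nothing can follow the hash. (Layout follows the
    thread: no DigestInfo prefix before the hash.)"""
    ps_len = k - 3 - HASH_LEN
    if ps_len < 8:
        raise ValueError("modulus too small for this encoding")
    expected = hashlib.sha256(image).digest()
    reference = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + expected
    return len(em) == k and em == reference


def demo(k: int = 256) -> dict:
    """Constructed sample blocks for a 2048-bit modulus (k = 256 bytes)."""
    image = b"constructed boot image payload"
    digest = hashlib.sha256(image).digest()
    # Well-formed block: padding fills the whole modulus width.
    good = b"\x00\x01" + b"\xff" * (k - 3 - HASH_LEN) + b"\x00" + digest
    # Malformed block: minimal padding, the hash, then filler bytes.
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest
    bad += b"\x00" * (k - len(bad))
    return {
        "lenient_good": lenient_check(good, image),
        "lenient_bad": lenient_check(bad, image),
        "strict_good": strict_check(good, image, k),
        "strict_bad": strict_check(bad, image, k),
    }
```

The lenient parser accepts both blocks; only the strict comparison rejects the block whose padding does not span the full modulus width.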

ghost commented 7 years ago

just in case the exploit actually works for this and you need aboot:
aboot.zip

Lanchon commented 7 years ago

Wait... isn't that already saying that the GPT isn't signed, those 4 lines?

why would those 4 lines imply the GPT isn't signed? if anything it implies the contrary.

Is there a way to verify that it's truly verified?

only reasonable way is to try it out. sometimes the code is there in the bootloader but is not run. for instance, unsigned GPTs might be accepted by the bootloader if a certain Qfuse is not yet blown. (moto's engineering fuse does this. the blowing of the fuse can't be reversed, of course.)

the 3.x.x bootloaders have an EXPLOIT relating to signatures

it might be possible to craft a GPT with a spoofed signature and flash it via fastboot. but that's absolutely not how repit works: repit uses standard linux userland GPT editing tools to do its dirty deeds. exploiting signatures totally exceeds the scope of repit.

ghost commented 7 years ago

only reasonable way is to try it out.

any way to safely see if it truly is signed?

Lanchon commented 7 years ago

no. if it trips, it's recovery time. maybe someone has experience unbricking their device and wants to take a shot at it.

my advice to you? don't.

ghost commented 7 years ago

Maybe just leave this as an issue with a "needs brave soul" label

ghost commented 7 years ago

My love of tinkering with android devices is screaming... no working CM13 nightly for thor/apollo since 11-07...

Lanchon commented 7 years ago

lol it needs more than a brave soul. it needs higher expectation of being useful. because if you ask me, it's not just the risk; most likely the GPT will not be modifiable in the end.

anyway, i'll close the issue but if Mr. Right Brave Soul shows up they can still post.

thanks, later!!

ghost commented 7 years ago

ooh i know what i'll do...

I'll make an OS with C and Lua!

Lanchon commented 7 years ago

i'll join and provide the empty initial commits!

ghost commented 7 years ago

ha ha

ghost commented 7 years ago

@Lanchon I invited you :P

Lanchon commented 7 years ago

there has been a new development regarding detection of GPT signatures via strings in the bootloader. it is now known that this method can result in false positives.

please see the details here.

ghost commented 7 years ago

Are the strings similar?

ghost commented 7 years ago

yep they are

KFHDX:

GPT: (WARNING) Primary signature invalid
GPT: Primary and backup signatures invalid
GPT: Primary signature invalid cannot write GPT
GPT: Backup signature invalid cannot write GPT

that:

GPT: Primary signature invalid cannot write GPT
GPT: Backup signature invalid cannot write GPT

Lanchon commented 7 years ago

well we already knew that strings didn't imply the signatures were being enforced, so nothing new here actually.

ghost commented 7 years ago

So, possible REPIT for thor?

Lanchon commented 7 years ago

nothing has changed. trying it out might brick your device.

ghost commented 7 years ago

ohk