A reverse engineer finds Kindle's hidden features

Amazons Kindle e-book reader.(Credit: Amazon.com)

A significant amount of skill with a soldering iron and some custom firmware has revealed a number of interesting features Amazon.com hid within its Kindle e-book reader.

Among the ones that hardware hacker Igor Skochinsky uncovered and described on his blog are a basic photo viewer, a minesweeper game, and most interesting, location technology that uses the Kindle's CDMA networking to pinpoint its position. There also are some basic location-based services that call up a Google Maps view to show where you are and nearby gas stations and restaurants. I confess I was as interested in the reverse-engineering process, documented in three blog postings (first, second, and third).

Skochinsky started by scrutinizing the Kindle source code Amazon publishes. (Some open-source licenses, including the General Public License (GPL) that governs Linux that the Kindle also uses, require source code to be published when a product ships that uses it.) From the source he inferred the Kindle employed console software, which displays text output.

Through methodically testing electrical pins on an external port he eventually found the text output from the Kindle boot process. That showed the machine was using das U-Boot software to handle booting, during which stored software is loaded into memory. U-Boot offers an interactive shell with a command-line interface, and Skochinsky used that to laboriously piece together the Kindle operating system kernel used during its firmware update recovery process. From that he deduced the file format of firmware updates.

Getting a real Linux command line took more work. By looking at the file system, Skochinsky found a root password of "Fiona"--but also found that password had been changed before shipping. Using the firmware update process, he was able to swap in a new shadow file, which stores a garbled byproduct of passwords called a hash, that enabled him to use the hash from the original root password.

On reboot, he was able to control the system and see what processes it runs, what file systems it mounts, and what files are stored in its directories.

He also found that the interface is written in Java. Using the Jad decompiler software, he uncovered the hidden features and a number of keyboard shortcuts.