
Researching the Kindle Fire's 'no Amazon Video with root' lock

6 posts in this topic

Posted · Report post

So it's a bit rubbish that you can't use Amazon Video on your Kindle Fire if it's rooted. I don't want to steal movies, crack DRM or anything else, I just want to have a rooted device to use with my Amazon Prime VOD feature. Bit harsh imho. Sooooo.... I thought I'd have a poke around and see what I could find out.

What I found was a very complex web of protection on a scale above anything I've seen in an Android app before. Not only does the application check for root in more than one location (in the application itself and in the native library), it also performs tamper detection on the APK. Not only that, but it also checks the signature on the APK to check that no code has changed (if you change the code in classes.dex and drop it in, this is usually OK on a /system/app file, but not in this case). The code itself doesn't have a single, uniform tamper / root check function, it does it all over the place. Finally, just to make things even more difficult, key parts of the code are pretty heavily obfuscated to make the code hard to analyse / modify.

Despite this, I thought I'd see what I could achieve by patching it piece by piece with the goal of allowing video with root.

The first step was to work out how to get around the signature check. Without sorting this out, the app would immediately flag up as being tampered if I made ANY change to the code. The answer to this was to re-sign the Amazon Video APK, ATVAndroidClient.apk. Of course we don't have the Amazon certificates, so we can sign them with our own, or with SDK certificates. Since Amazon Video uses a shared user id, other APKs need to be signed too. The full list is ATVAndroidClient.apk, KindleForOtter.apk, OtterTutorial.apk, AmazonVenezia.apk, Launcher.apk, Windowshop.apk, CSApp-unsigned.apk, MyAccount-unsigned.apk, amazonmp3-unsigned.apk, Cloud9-unsigned.apk, OOBE-unsigned.apk, com.amazon.dcp.apk, Cloud9SystemBrowserProvider-unsigned.apk, OTASilentInstall.apk, Facebook.apk and OtterAppManager.apk.

After doing this, the next step is to patch out the tamper checks. This can really only be achieved by tracing where the app goes and how it works and by carefully analysing logcat to get clues as to where the errors are happening. Since I'm in the UK I also had to use a DNS proxy with a static IP... I used unblock-us which works a treat. Eventually I got to a stage where I got the application to ignore any tamper detections, thereby enabling the various 'Watch' buttons.

In the next step I could see that something was triggering another problem, and it turned out to be detection of root. This was happening in one of the more obfuscated bits of code, but again with careful tracing I managed to find this and patch it out.

At this point the application was loading, passing tamper checks, giving me the watch buttons, requesting the stream from Amazon and giving me the loading progress bar etc... BUT... the licence request to Amazon continually failed. This is the point where I came to something of a brick wall. It appears that there is some additional root checking going on in the native library, and unfortunately, reverse engineering this is beyond both my abilities and, more importantly, the time I have available, so we don't have a fully working solution. :(

The positive things though are that we now have a patchable Amazon Video APK, which means we can implement the functionality of the 'root keepers' within the app itself. We can effectively make the Amazon Video APK hide the su binary from itself on launch and put it back after it's run its checks. Not ideal, but might be the best way to go. Note that the root check doesn't care about the Superuser APK, it only checks for 'su'. It checks in all the locations in the PATH variable, so moving it to, say, /system/root and adding that to the path won't help. Unfortunately.

For now, I have to put this on the back burner, but I'm posting my patched APK below so that if anyone wants to pick up the work of reversing the native binary they can do so, simply by using this APK and re-signing it and the other APKs mentioned above.

Any questions, feel free to ask them here. Obviously I have no interest in saving streams, downloading movies or any stupid stuff like that, so don't even ask.

P

  • DOWNLOAD (ROMraid) - MD5: f6044dbeffa4eb3f8361c71a96683150

1
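The PATH walk described in the post above, sketched in C as an added example (this is not code from the Amazon app or from the post's author). `found_in_path` and `demo_relocated_su` are hypothetical names, and the dummy `su` file and directories are constructed for the demonstration; it shows why a check that follows the search path is not tied to a fixed list of locations.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if an executable regular file `name` exists in any directory of
 * the colon-separated `path_list` (same format as $PATH), otherwise 0. */
int found_in_path(const char *path_list, const char *name)
{
    if (!path_list || !name) return 0;
    for (const char *p = path_list;;) {
        size_t n = strcspn(p, ":");
        char cand[4096];
        /* An empty PATH entry means the current directory. */
        int w = n ? snprintf(cand, sizeof cand, "%.*s/%s", (int)n, p, name)
                  : snprintf(cand, sizeof cand, "./%s", name);
        struct stat st;
        if (w > 0 && (size_t)w < sizeof cand && stat(cand, &st) == 0 &&
            S_ISREG(st.st_mode) && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
            return 1;
        if (p[n] == '\0') return 0;
        p += n + 1;
    }
}

/* Constructed scenario: a dummy "su" file in a non-standard directory that
 * has been appended to the search path. Returns 1 if the check behaves as
 * the post describes, 0 if not, -1 if the temp files cannot be created. */
int demo_relocated_su(void)
{
    char dir[] = "/tmp/rootchk.XXXXXX", file[64], path[128];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/su", dir);
    FILE *f = fopen(file, "w");
    if (!f) { rmdir(dir); return -1; }
    fclose(f);
    chmod(file, 0755);
    snprintf(path, sizeof path, "/nonexistent/bin:%s", dir);
    int stock = found_in_path("/nonexistent/bin", "su");   /* 0: not there */
    int moved = found_in_path(path, "su");                 /* 1: found     */
    unlink(file);
    rmdir(dir);
    return stock == 0 && moved == 1;
}

int main(void) { return demo_relocated_su() == 1 ? 0 : 1; }
```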


Posted · Report post

Widevine is the same thing that is used in the Google Videos app and others. The company that created it was bought by Google, and it does seem to go pretty deep in detecting any changes to the system. When I emailed Google support to ask why it detected roms without superuser as being rooted, they said that using any custom rom, even one without superuser will be detected and blocked.

0


Posted · Report post

I have a Chinese tablet. I mean a cheap one, although there is a lot of risk in experimenting on them, and its brand is generic, so I want a custom ROM on it as it cannot be officially upgraded. What are the things needed to cook a custom ROM?

Thank you!


0


Posted · Report post

Do you deal with busybox at all? For example, I can get it working if I use OTA Rootkeeper AND rename xbin to kbin (so that the video app can't see busybox). I'm not sure if that will help at all.

0


Posted · Report post

Strange that it should look for busybox... :blink:

P

0


Posted · Report post

Paul,

Have you had a chance to work on this issue any more? I really want to get this app into ICS on the Kindle. If you are ever to build an ICS ROM for the Fire, please let me know if you get this working.

0


MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2015. MoDaCo uses IntelliTxt technology.