What I found was a very complex web of protection on a scale above anything I've seen in an Android app before. Not only does the application check for root in more than one location (in the application itself and in the native library), it also performs tamper detection on the APK. Not only that, but it also checks the signature on the APK to verify that no code has changed (if you change the code in classes.dex and drop it in, this is usually OK on a /system/app file, but not in this case). The code itself doesn't have a single, uniform tamper / root check function; it does it all over the place. Finally, just to make things even more difficult, key parts of the code are pretty heavily obfuscated to make the code hard to analyse / modify.
Despite this, I thought I'd see what I could achieve by patching it piece by piece with the goal of allowing video with root.
The first step was to work out how to get around the signature check. Without sorting this out, the app would immediately flag up as being tampered if I made ANY change to the code. The answer to this was to re-sign the Amazon Video APK, ATVAndroidClient.apk. Of course we don't have the Amazon certificates, so we can sign them with our own, or with SDK certificates. Since Amazon Video uses a shared user id, other APKs need to be signed too. The full list is ATVAndroidClient.apk, KindleForOtter.apk, OtterTutorial.apk, AmazonVenezia.apk, Launcher.apk, Windowshop.apk, CSApp-unsigned.apk, MyAccount-unsigned.apk, amazonmp3-unsigned.apk, Cloud9-unsigned.apk, OOBE-unsigned.apk, com.amazon.dcp.apk, Cloud9SystemBrowserProvider-unsigned.apk, OTASilentInstall.apk, Facebook.apk and OtterAppManager.apk.
After doing this, the next step is to patch out the tamper checks. This can really only be achieved by tracing where the app goes and how it works and by carefully analysing logcat to get clues as to where the errors are happening. Since I'm in the UK I also had to use a DNS proxy with a static IP... I used unblock-us which works a treat. Eventually I got to a stage where I got the application to ignore any tamper detections, thereby enabling the various 'Watch' buttons.
In the next step I could see that something was triggering another problem, and it turned out to be detection of root. This was happening in one of the more obfuscated bits of code, but again with careful tracing I managed to find this and patch it out.
At this point the application was loading, passing tamper checks, giving me the watch buttons, requesting the stream from Amazon and giving me the loading progress bar etc... BUT... the licence request to Amazon continually failed. This is the point where I came to something of a brick wall. It appears that there is some additional root checking going on in the native library, and unfortunately, reverse engineering this is beyond both my abilities and, more importantly, the time I have available, so we don't have a fully working solution.
The positive thing, though, is that we now have a patchable Amazon Video APK, which means we can implement the functionality of the 'root keepers' within the app itself. We can effectively make the Amazon Video APK hide the su binary from itself on launch and put it back after it's run its checks. Not ideal, but might be the best way to go. Note that the root check doesn't care about the Superuser APK, it only checks for 'su'. It checks in all the locations in the PATH variable, so moving it to, say, /system/root and adding that to the path won't help. Unfortunately.
For now, I have to put this on the back burner, but I'm posting my patched APK below so that if anyone wants to pick up the work of reversing the native binary they can do so, simply by using this APK and re-signing it and the other APKs mentioned above.
Any questions, feel free to ask them here. Obviously I have no interest in saving streams, downloading movies or any stupid stuff like that, so don't even ask.
- DOWNLOAD (ROMraid) - MD5: f6044dbeffa4eb3f8361c71a96683150
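Two parts of the post above lend themselves to a worked script: re-signing every APK in the shared-uid set with one self-generated key, and the 'hide su during the check, put it back afterwards' idea. The following is an added shell example written for this thread; it is not code from the original post, from Amazon, or from the patched APK. It assumes a host with the JDK `keytool` and `jarsigner` plus `zipalign` from the Android SDK on PATH, a hypothetical keystore path `~/otter-resign.keystore`, and that the `su_in_path` function is a reconstruction of the PATH-walking check the post describes, not the app's actual code. The hide/restore function is the same idea done from a shell (which on the device needs /system remounted read-write) rather than from inside the app as the post proposes.

```sh
#!/bin/sh
# Added example for the Amazon Video / Kindle Fire thread. Not the original
# post's code. Tool names (keytool, jarsigner, zipalign) are real; the
# keystore path, alias and password are hypothetical placeholders.

# The shared-uid APK set listed in the post. Every one must be re-signed
# with the same key or Android refuses to install them together.
OTTER_APKS="ATVAndroidClient.apk KindleForOtter.apk OtterTutorial.apk
AmazonVenezia.apk Launcher.apk Windowshop.apk CSApp-unsigned.apk
MyAccount-unsigned.apk amazonmp3-unsigned.apk Cloud9-unsigned.apk
OOBE-unsigned.apk com.amazon.dcp.apk Cloud9SystemBrowserProvider-unsigned.apk
OTASilentInstall.apk Facebook.apk OtterAppManager.apk"

KEYSTORE=${KEYSTORE:-$HOME/otter-resign.keystore}   # hypothetical path
KEYALIAS=${KEYALIAS:-otter}                          # hypothetical alias
KEYPASS=${KEYPASS:-changeit}                         # hypothetical password

# Generate a throwaway signing key once (2012-era Android only checks v1 /
# JAR signatures, so SHA1withRSA via jarsigner is sufficient).
make_signing_key() {
  [ -f "$KEYSTORE" ] && return 0
  keytool -genkeypair -keystore "$KEYSTORE" -alias "$KEYALIAS" \
    -keyalg RSA -keysize 2048 -validity 10000 \
    -storepass "$KEYPASS" -keypass "$KEYPASS" -dname "CN=otter-resign"
}

# Strip the vendor signature block, re-sign with our key, then zipalign.
resign_apk() {
  _apk=$1
  zip -d "$_apk" 'META-INF/*' >/dev/null 2>&1 || true   # no META-INF is fine
  jarsigner -sigalg SHA1withRSA -digestalg SHA1 \
    -keystore "$KEYSTORE" -storepass "$KEYPASS" "$_apk" "$KEYALIAS"
  zipalign -f 4 "$_apk" "$_apk.aligned" && mv "$_apk.aligned" "$_apk"
}

# Re-sign the whole shared-uid set found in directory $1.
resign_otter_set() {
  make_signing_key
  for _name in $OTTER_APKS; do
    [ -f "$1/$_name" ] || { echo "missing: $1/$_name" >&2; continue; }
    resign_apk "$1/$_name"
  done
}

# Reconstruction of the check the post describes: walk every directory in
# a PATH-style string ($1, defaults to $PATH) and report each 'su' found.
# Returns 0 if at least one su exists, 1 otherwise. This shows why parking
# su in /system/root and adding that to PATH does not help.
su_in_path() {
  _search=${1:-$PATH}
  _found=1
  _old_ifs=$IFS
  IFS=:
  for _d in $_search; do
    [ -n "$_d" ] || _d=.
    if [ -e "$_d/su" ]; then
      echo "$_d/su"
      _found=0
    fi
  done
  IFS=$_old_ifs
  return $_found
}

# 'Root keeper' in miniature: move every su on the search path ($1) aside,
# run the remaining arguments as a command (e.g. am start for the app),
# then put su back whether or not the command succeeded.
with_su_hidden() {
  _search=$1; shift
  _stash=$(mktemp -d)
  _n=0
  for _su in $(su_in_path "$_search" || true); do
    mv "$_su" "$_stash/$_n"
    printf '%s\n' "$_su" > "$_stash/$_n.orig"
    _n=$((_n + 1))
  done
  _rc=0
  "$@" || _rc=$?
  for _f in "$_stash"/*.orig; do
    [ -e "$_f" ] || continue
    mv "${_f%.orig}" "$(cat "$_f")"
  done
  rm -rf "$_stash"
  return $_rc
}
```

Typical use on the host would be `resign_otter_set ./system/app` before pushing the files back, and on a rooted device (with /system mounted rw) something like `with_su_hidden "$PATH" am start -n <component>`; the post's point stands that the native library's own check still has to be dealt with for playback to actually work.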