Researching the Kindle Fire's 'no Amazon Video with root' lock

5 replies to this topic

#1
PaulOBrien

So it's a bit rubbish that you can't use Amazon Video on your Kindle Fire if it's rooted. I don't want to steal movies, crack DRM or anything else, I just want to have a rooted device to use with my Amazon Prime VOD feature. Bit harsh imho. Sooooo.... I thought I'd have a poke around and see what I could find out.

What I found was a very complex web of protection on a scale above anything I've seen in an Android app before. Not only does the application check for root in more than one location (in the application itself and in the native library), it also performs tamper detection on the APK. Not only that, but it also checks the signature on the APK to check that no code has changed (if you change the code in classes.dex and drop it in, this is usually OK on a /system/app file, but not in this case). The code itself doesn't have a single, uniform tamper / root check function, it does it all over the place. Finally, just to make things even more difficult, key parts of the code are pretty heavily obfuscated to make the code hard to analyse / modify.

Despite this, I thought I'd see what I could achieve by patching it piece by piece with the goal of allowing video with root.

The first step was to work out how to get around the signature check. Without sorting this out, the app would immediately flag up as being tampered if I made ANY change to the code. The answer to this was to re-sign the Amazon Video APK, ATVAndroidClient.apk. Of course we don't have the Amazon certificates, so we can sign them with our own, or with SDK certificates. Since Amazon Video uses a shared user id, other APKs need to be signed too. The full list is ATVAndroidClient.apk, KindleForOtter.apk, OtterTutorial.apk, AmazonVenezia.apk, Launcher.apk, Windowshop.apk, CSApp-unsigned.apk, MyAccount-unsigned.apk, amazonmp3-unsigned.apk, Cloud9-unsigned.apk, OOBE-unsigned.apk, com.amazon.dcp.apk, Cloud9SystemBrowserProvider-unsigned.apk, OTASilentInstall.apk, Facebook.apk and OtterAppManager.apk.

After doing this, the next step is to patch out the tamper checks. This can really only be achieved by tracing where the app goes and how it works and by carefully analysing logcat to get clues as to where the errors are happening. Since I'm in the UK I also had to use a DNS proxy with a static IP... I used unblock-us which works a treat. Eventually I got to a stage where I got the application to ignore any tamper detections, thereby enabling the various 'Watch' buttons.

In the next step I could see that something was triggering another problem, and it turned out to be detection of root. This was happening in one of the more obfuscated bits of code, but again with careful tracing I managed to find this and patch it out.

At this point the application was loading, passing tamper checks, giving me the watch buttons, requesting the stream from Amazon and giving me the loading progress bar etc... BUT... the licence request to Amazon continually failed. This is the point where I came to something of a brick wall. It appears that there is some additional root checking going on in the native library, and unfortunately, reverse engineering this is beyond both my abilities and, more importantly, the time I have available, so we don't have a fully working solution. :(

The positive things though are that we now have a patchable Amazon Video APK, which means we can implement the functionality of the 'root keepers' within the app itself. We can effectively make the Amazon Video APK hide the su binary from itself on launch and put it back after it's run its checks. Not ideal, but might be the best way to go. Note that the root check doesn't care about the Superuser APK, it only checks for 'su'. It checks in all the locations in the PATH variable, so moving it to, say, /system/root and adding that to the path won't help. Unfortunately.

For now, I have to put this on the back burner, but I'm posting my patched APK below so that if anyone wants to pick up the work of reversing the native binary they can do so, simply by using this APK and re-signing it and the other APKs mentioned above.

Any questions, feel free to ask them here. Obviously I have no interest in saving streams, downloading movies or any stupid stuff like that, so don't even ask.

P

  • DOWNLOAD (ROMraid) - MD5: f6044dbeffa4eb3f8361c71a96683150


You can follow me on Twitter - http://twitter.com/paulobrien / Follow MoDaCo on Twitter - http://twitter.com/modaco

Want to donate? MoDaCo is raising money for the Multiple Sclerosis society.
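
The PATH-based `su` lookup described in post #1, sketched from the detection side as an added example; it is not Amazon's code and not part of the original thread. The names `find_in_path` and `demo` and the scratch directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not Amazon's code: walk a PATH string looking for an
# executable with a given name (the post says the check looks only for 'su').

# find_in_path NAME [PATH_STRING]   (hypothetical helper name)
# Prints each match; returns 0 if any PATH entry holds an executable NAME.
find_in_path() {
    name=$1
    search=${2-$PATH}
    rc=1
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for dir in $search; do
        [ -n "$dir" ] || dir=.  # empty PATH element means current directory
        # -f and -x follow symlinks, so a link to the real binary still counts
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            rc=0
        fi
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed demo tree standing in for a device's /system directories.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/system/bin" "$t/system/xbin" "$t/system/root"
    p="$t/system/bin:$t/system/xbin"

    find_in_path su "$p" >/dev/null || echo "stock layout: no su on PATH"

    printf '#!/bin/sh\n' > "$t/system/xbin/su"
    chmod 755 "$t/system/xbin/su"
    find_in_path su "$p" >/dev/null && echo "su in xbin: detected"

    # Relocating su and extending PATH changes nothing, as the post notes.
    mv "$t/system/xbin/su" "$t/system/root/su"
    find_in_path su "$p:$t/system/root" >/dev/null && echo "su in /system/root on PATH: detected"

    rm -rf "$t"
}

demo
```
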



#2
Amphoras

Widevine is the same thing that is used in the Google Videos app and others. The company that created it was bought by Google, and it does seem to go pretty deep in detecting any changes to the system. When I emailed Google support to ask why it detected roms without superuser as being rooted, they said that using any custom rom, even one without superuser will be detected and blocked.

TPT Helper lets you easily repartition your ZTE phone, install a new ROM and for the Blade, convert to/from Gen 2. Available for Orange San Francisco/ZTE Blade, Orange Monte Carlo/ZTE Skate and Orange San Francisco II/T-Mobile Vivacity. https://market.andro...horas.tpthelper

TPTs and other apps


#3
elixir.amrit

I have a Chinese tablet. I mean a cheapy one, although there is a lot of risk in experimenting on them, and its brand is generic, so I want a custom rom on it as it cannot be officially upgraded. What are the things needed to cook a custom rom?
Thank you!


#4
sleewok

Do you deal with busybox at all? For example, I can get it working if I use OTA Rootkeeper AND rename xbin to kbin (so that the video app can't see busybox). I'm not sure if that will help at all.


#5
PaulOBrien

Strange that it should look for busybox... :blink:

P



#6
gman529

Paul,

Have you had a chance to work on this issue anymore? I really want to get this app into ICS on the Kindle. If you are ever to build an ICS rom for the Fire please let me know if you get this working.
