Researching the Kindle Fire's 'no Amazon Video with root' lock

[Guest Paul]

So it's a bit rubbish that you can't use Amazon Video on your Kindle Fire if it's rooted. I don't want to steal movies, crack DRM or anything else, I just want to have a rooted device to use with my Amazon Prime VOD feature. Bit harsh imho. Sooooo.... I thought i'd have a poke around and see what I could find out.

What I found was a very complex web of protection on a scale above anything i've seen an Android app before. Not only does the application check for root in more that one location (in the application itself and in the native library), it also performs tamper detection on the APK. Not only that but it also checks that the signature on the APK to check that no code has changed (if you change the code in classes.dex and drop it in, this is usually OK on a /system/app file, but not in this case). The code itself doesn't have a single, uniform tamper / root check function, it does it all over the place. Finally, just to make things even more difficult, key parts of the code are pretty heavily obfuscated to make the code hard to analyse / modify.

Despite this, I thought i'd see what I could achieve by patching it piece by piece with the goal of allowing video with root.

The first step was to work out how to get around the signature check. Without sorting this out, the app would immediately flag up as being tampered if I made ANY change to the code. The answer to this was to re-sign the Amazon Video APK, ATVAndroidClient.apk. Of course we don't have the Amazon certificates, so we can sign them with our own, or with SDK certificates. Since Amazon Video uses a shared user id, other APKs need to be signed too. The full list is ATVAndroidClient.apk, KindleForOtter.apk, OtterTutorial.apk, AmazonVenezia.apk, Launcher.apk, Windowshop.apk, CSApp-unsigned.apk, MyAccount-unsigned.apk, amazonmp3-unsigned.apk, Cloud9-unsigned.apk, OOBE-unsigned.apk, com.amazon.dcp.apk, Cloud9SystemBrowserProvider-unsigned.apk, OTASilentInstall.apk, Facebook.apk and OtterAppManager.apk.

After doing this, the next step is to patch out the tamper checks. This can really only be achieved by tracing where the app goes and how it works and by carefully analysing logcat to get clues as to where the errors are happening. Since i'm in the UK I also had to use a DNS proxy with a static IP... I used unblock-us which works a treat. Eventually I got to a stage where I got the application to ignore any tamper detections, thereby enabling the various 'Watch' buttons.

In the next step I could see what something was triggering another problem, and it turned out to be detection of root. This was happening in one of the more obfuscated bits of code, but again with careful tracing I managed to find this and patch it out.

At this point the application was loading, passing tamper checks, giving me the watch buttons, requesting the stream from Amazon and giving me the loading progress bar etc... BUT... the licence request to Amazon continually failed. This is the point where I came to something of a brick wall. It appears that there is some additional root checking going on in the native library, and unfortunately, reverse engineering this is beyond both my abilities and more important the time I have available, so we don't have a fully working solution. :(

The positive things though are that we now have a patchable Amazon Video APK, which means we can implement the functionality of the 'root keepers' within the app itself. We can effectively make the Amazon Video APK hide the su binary from itself on launch and put it back after it's run it's checks. Not ideal, but might be the best way to go. Note that the root check doesn't care about the Superuser APK, it only checks for 'su'. It checks in all the locations in the PATH variable, so moving it to, say. /system/root and adding that to the path won't help. Unfortunately.

For now, I have to put this on the back burner, but i'm posting my patched APK below so that if anyone wants to pick up the work of reversing the native binary they can do so, simply by using this APK and re-signing it and the other APKs mentioned above.

Any questions, feel free to ask them here. Obviously I have no interest in saving streams, downloading movies or any stupid stuff like that, so don't even ask.

P

• DOWNLOAD (ROMraid) - MD5: f6044dbeffa4eb3f8361c71a96683150

[Guest Amphoras]

Widevine is the same thing that is used in the Google Videos app and others. The company that created it was bought by Google, and it does seem to go pretty deep in detecting any changes to the system. When I emailed Google support to ask why it detected roms without superuser as being rooted, they said that using any custom rom, even one without superuser will be detected and blocked.

[Guest elixir.amrit]

I have a Chinese tablet.I mean a cheapy one although there is a lot of risk in experimenting on them and its brand is generic so I want a custom rom on as it can not be officially upgraded . What are the things needed to cook a custom rom?

Thank. U!

Sent from my Liquid using Tapatalk

[Guest sleewok]

Do you deal with busybox at all? For example. I can get it working if I use OTA Rootkeeper AND rename xbin to kbin (so that the video app can't see busybox). I'm not sure if that will help at all.

[Guest PaulOBrien]

Strange that it should look for busybox... :blink:

P

[Guest gman529]

Paul,

Have you had a chance to work on this issue anymore. I really want to get this app in to ICS on the kindle. If you are ever to build an ICS rom for the fire please let me know if you get this working.

[Guest mauramclark]

I always had problems with books. So I prefer books that consist from a paper. Actually, since I started writing my own book, and even using a book editing at https://help.plagtracker.com/book-editing.html, I realized the big process of book creation. Thanks to all guys that made our reading easy with kindle.