Playing with fire: Kindle combustion

Features Mark Pickavance Jan 11, 2013

Mark Pickavance exposes the Kindle Fire to the white-hot heat of hacking

For those who aren’t long term subscribers of this magazine, it’s worth me revealing that I wasn’t a fan of the original Amazon Kindle. I found it remarkably poorly designed, even if the technology in it had some promise.

Subsequently, we’ve seen numerous variants on that original e-book design, each of which has improved on the original concept. Then in 2011, Amazon released the Kindle Fire, a full colour 7” tablet with an Android (Gingerbread version) soft underbelly. Inside was a 1GHz Texas Instruments OMAP 4430 dual-core processor, 512MB of RAM, 8GB of Flash storage (6.5GB available to use) and a 600 x 1024 pixel display.

At the time it seemed a pretty powerful device, and one that in terms of tablet sales was only outsold by the iPad in the USA, but there were a few less desirable parts. It had no camera, SD card slot or GPS for example, all problems that can be overlooked by many users. Harder to ignore, however, was that Amazon took Android and butchered it to their own ends, removing many of the features that you’d expect, and slotting in marketing opportunities of their own in their place.

Warnings etc

Originally, my intention was to provide this feature as a step-by-step approach to peeling Amazon’s sticky fingers off a Kindle Fire. It wasn’t a pleasant experience, though, and frankly I’d suggest you DON’T follow my example. To those that choose to ignore my caps lock advice: be warned, it is entirely possible to ‘brick’ the device using the approach I tried, turning it into something entirely useless without a warranty. These are things I’m willing to try for Micro Mart, but they’re just not worth experimenting with in general.
You’ve been warned! I really don’t want to see any sob-stories in my inbox about how wrong it went for anyone else.

Hunt your Kindle Fire

The basis of this piece was a conversation with the publisher (and former editor) of Micro Mart, Simon Brew. He rang me on ‘Black Friday’, which in America is the Friday before the American national holiday of Thanksgiving. Amazon apparently doesn’t realise that the rest of the world doesn’t celebrate that holiday, and therefore holds a ‘Black Friday’ sale here in the UK, too.

Simon mentioned that it was selling the Kindle Fire for just £99 (they’re usually £129, and have returned to that price now, I’m sorry to say), and enquired as to whether I would like to buy one with the intention of doing something “interesting” with it. I ordered one, and by agreeing to a one month trial of Amazon Prime was able to get next day delivery. By which time I’d cancelled Amazon Prime.

My first inspection of the Kindle Fire revealed some interesting diversions from the specification as defined for this device. It turns out that what I’d bought was a Kindle Fire Gen 2, also referred to in Android hacking circles as the KF2. The upshot is that this Kindle Fire is about 20% quicker, with double the RAM and better battery life than the original.

As Android devices go, it also had a number of significant drawbacks, not least that it couldn’t access the Google Play Store, but perhaps I could fix those deficiencies.

First assault

It might seem coy of me to complain about how unhelpful the Internet can be on occasion, but there are times when it leads you down frustrating blind alleys. Like those commercial websites that like to claim they have every file anyone ever asked for, but in fact have nothing - apart from a varied selection of malware to dispense. If that isn’t enough to put you off track, then you’ll run into the idiots who frequent technical forums, claiming they’ve done the impossible, or speaking ‘knowledgeably’ about things they don’t remotely understand.

I mention these things because trying to find concrete facts with which to realise ideas such as this isn’t easy, and I must have spent the best part of two days reading all manner of documents under the general search criteria of ‘hacking the Kindle Fire’. Initially this seemed remarkably easy, as a lovely piece of software exists called the KFU, or Kindle Fire Utility, which is designed to hack the device and allow you to install a Recovery tool like ClockworkMod, so you can then install your own custom ROM.

To do any of this you first need to prepare the ground by installing a number of things on to your PC: Java JDK and Android SDK. You need both of these because one is dependent on the other, and the Android SDK includes the ADB (Android Debugging) tool that we need if we want to open a command line to the Kindle Fire.

Once they’re installed, you need to make some minor tweaks to the Android ADB drivers before you install them. You can do this manually to add the Kindle Fire into the files, but it’s much easier to download another tool that includes pre-fixed versions. That tool is called KFU, or Kindle Fire Utility, which initially looked like the complete solution to hack the Fire. It’s worth getting for those driver files, but as I discovered it doesn’t work on the Kindle Fire I’ve got. What it does do, however, is confirm that ADB is working. I won’t give a specific location for KFU, but putting ‘Kindle Fire Utility’ into a search engine should get it pretty easily.

You also need to set two things on the Kindle itself. One is to activate ADB, which you’ll find in the Security section of Settings. The other is to set ‘Allow Installation of Applications from Unknown Sources’ to On in Settings > Device. I’ll admit that I had some real ‘fun’ getting the drivers properly installed, possibly due to previous Android adventures on my PC. In the end I forced them on by attaching the Kindle Fire to the PC, finding the ‘pling’ (the exclamation-marked unrecognised device) in the Device Manager, and then telling the system that I had my own drivers, which I would select. It says that they’re the wrong drivers for this hardware, but installs them anyway. Once I’d got ‘ADB Status’ on KFU to say ‘Online’, my confidence began to rise.

Failure is always an option

What I didn’t know at this point was that, as nicely scripted as KFU is, the Gen 2 of the Kindle Fire doesn’t allow you to alter the Bootmode (yet), and as such you can’t install Clockwork Recovery, or the recovery control code called FireFireFire. This was something of a shock, because it had looked very promising up to this point, and I was now facing defeat at the very first hurdle. I went away and researched harder; surely some means to get inside the Kindle Fire existed?

The more I researched the Kindle Fire, or specifically the Gen 2 versions, the more I realised that it was much closer to the Kindle Fire HD than the original design. Logically I realised that if superuser could be installed onto a Fire HD, then it could possibly fix my device, too. As I didn’t have a plan ‘B’, I decided to take this path.

The tool you need for that job is called Qemu, which is actually a batch file that works an exploit in the ICS release of Android found by a developer called sparkym3. To be accurate the exploit isn’t in the current code for ICS, but Amazon failed to fix their version when they built the Kindle Fire and Fire HD.

If you want to do this without Qemu, you can get the files you’ll need for this exercise at tinyurl.com/KFICSExploit. Once you have those you can execute the following sequence via ADB. In outline: the symlink makes /data writable to the shell user after a reboot, which is what allows /data/local.prop to be created; setting ro.kernel.qemu=1 there makes the ADB daemon come up with root privileges on the next boot, long enough to copy the su binary into place and set its permissions, after which the property file is removed.

adb shell
rm -r /data/local/tmp
ln -s /data/ /data/local/tmp
exit
adb reboot

adb shell
echo 'ro.kernel.qemu=1' > /data/local.prop
exit

adb reboot

adb shell mount -o remount,rw /system
adb push su /system/xbin/su
adb shell
chown 0.0 /system/xbin/su
chmod 06755 /system/xbin/su
rm /data/local.prop
exit

adb reboot

adb install Superuser.apk

This works, after a fashion - and after doing this (or simply running Qemu) and making ourselves Superusers on the Kindle Fire, we’ve got our foot, or maybe a toe, in Amazon’s technological door.

Superuser power!

Once I’d got Superuser powers, then I was able to start addressing some of the more irritating aspects that Amazon saddled the Kindle Fire with, namely the lack of Google Play access and the annoying Carousel interface. However, I quickly began to realise that the Superuser power wasn’t the whole story; for some reason, the permissions on this device aren’t perfect. What I’ve since worked out is that apps that are installed from the Play Store don’t always work, because they’ve not been given the permissions they need to make changes to the settings.

The trick is to do what I did with vending.apk: moving it to the /system/app folder and changing its permissions works in many cases. It’s not exactly convenient, but it’s a solution. The real donkey work with that is getting the apk versions of these files, because the internet doesn’t just direct you to them without wanting something in return, it seems. You can save the time I spent surfing by using Android Drawer instead. Thank me later.

Getting software from the accessible parts of the Kindle Fire to those important folders where it works was challenging. My first attempt involved loading ES File Explorer - which, oddly, the Amazon app store allows - and then trying to activate ‘Root’ mode so I had authority to copy files to the /system/app folder. That didn’t work, because each time I tried to mount the system partition as root it errored. In the end I used a tool called ‘Root Explorer’, which I got on to the tablet by physically copying it over, and then executing the apk using ES File Explorer. Got that? Good.

But here’s the kicker... Initially that didn’t work either, but eventually I found a means to make it work by using the ADB shell. The first step was to get the Kindle Fire to the stage in the process where I was about to press the button in Root Explorer to “Mount as R/W” and then ‘paste’ the file. At that point, in a command window on the PC in the directory where ADB lives, I opened a shell and typed the following:

adb shell
su
mount -o remount,rw /system

Then, back on the Kindle Fire, I clicked the button to Mount as R/W, and pasted! After that was successful, I changed the file permissions on the apk accordingly to Read on User, Group and Others, and Write on User (rw-r--r--, or 644). Once that technique was defined, I could start loading a great many things that the Kindle really needed, like the Google Play Store, and then other critical apps.

To load the Google Play store you’ll need three apk files: GoogleServicesFramework.apk, vending.apk and Gplay3.8.17.apk. First load the GoogleServicesFramework.apk file by copying it onto the device from the PC and running the file from ES File Explorer (or Root Explorer). Then do the same trick as I previously described to copy vending.apk from where you put it on the device into the /system/app folder, changing permissions as before. And, finally, load the Gplay apk just by launching it.

If all goes to plan, you’ll have Google Play, though you might need to reboot the Kindle Fire to get it working perfectly. It will ask for Google credentials when you run it for the first time, and then you’ll have access to the whole Google Play library, and not the limited selection Amazon offered you.
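As an added example (my own code, not from the article or from KFU, Qemu or any other tool mentioned here), this Python script audits a device for the traces the procedure above leaves behind: the ro.kernel.qemu property, a leftover /data/local.prop, the /data/local/tmp symlink, a setuid su binary and a read-write /system, plus any apk dropped into /system/app whose mode isn’t the rw-r--r-- (644) set above. It works offline on constructed captures of what `adb shell getprop`, `adb shell ls -l <paths>` and `adb shell mount` print; the column layout of the Android toolbox `ls -l` is assumed, and the sample lines are made up rather than taken from a real tablet. On a real device you would feed it the output of those three commands instead, either to confirm the cleanup step (removing /data/local.prop) actually happened, or to check whether a build you look after still honours the qemu property at all.

```python
"""Offline audit of the traces a Kindle Fire rooting walkthrough leaves behind.

Added example, not from the article.  Parses constructed captures of
`adb shell getprop`, `adb shell ls -l <paths>` and `adb shell mount`.
"""
import re
import stat

# Constructed sample captures (not real device output).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.0.3]
[ro.debuggable]: [0]
[ro.kernel.qemu]: [1]
"""

SAMPLE_LS = """\
-rwsr-sr-x root     root        22364 2012-12-01 10:14 /system/xbin/su
-rw-r--r-- root     root       748531 2012-12-01 10:20 /system/app/vending.apk
-rwxrwxrwx root     root       120034 2012-12-01 10:22 /system/app/GoogleServicesFramework.apk
-rw-rw-rw- root     root           18 2012-12-01 10:10 /data/local.prop
lrwxrwxrwx root     root             6 2012-12-01 10:05 /data/local/tmp -> /data/
"""

SAMPLE_MOUNT = """\
/dev/block/mmcblk0p9 /system ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p11 /data ext4 rw,nosuid,nodev,noatime,barrier=1 0 0
"""

APK_MODE = 0o644  # rw-r--r--: the permission the article sets on apks in /system/app

# rwx character -> (permission bit, carries a special bit?)
_PERM_BITS = {'r': (4, False), 'w': (2, False), 'x': (1, False), '-': (0, False),
              's': (1, True), 'S': (0, True), 't': (1, True), 'T': (0, True)}
_SPECIAL_AT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
_PROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")
# assumed toolbox `ls -l` layout: type+perms owner group size date time name[ -> target]
_LS_RE = re.compile(r"^([-dl])([rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$")


def parse_mode(perm):
    """Convert a 9-character rwx string such as 'rwsr-sr-x' to an int mode (0o6755)."""
    if len(perm) != 9:
        raise ValueError(f"expected 9 permission characters, got {perm!r}")
    mode = 0
    for i, ch in enumerate(perm):
        bit, special = _PERM_BITS[ch]
        mode |= bit << (3 * (2 - i // 3))      # user, group, other triplets
        if special:
            if i not in _SPECIAL_AT:
                raise ValueError(f"special bit in wrong column: {perm!r}")
            mode |= _SPECIAL_AT[i]             # setuid / setgid / sticky
    return mode


def parse_getprop(text):
    """Map property name -> value from `getprop` output."""
    matches = (_PROP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def parse_ls(text):
    """Map path -> {type, mode, owner, group, target} from `ls -l` output."""
    entries = {}
    for line in text.splitlines():
        m = _LS_RE.match(line.rstrip())
        if not m:
            continue
        ftype, perm, owner, group, _size, name = m.groups()
        target = None
        if ftype == 'l' and ' -> ' in name:
            name, target = name.split(' -> ', 1)
        entries[name] = {'type': ftype, 'mode': parse_mode(perm),
                         'owner': owner, 'group': group, 'target': target}
    return entries


def parse_mount(text):
    """Map mount point -> set of options from `mount` output (device point fstype opts ...)."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[parts[1]] = set(parts[3].split(','))
    return mounts


def audit(props, files, mounts):
    """Return (code, detail) findings; an empty list means no trace was found."""
    findings = []
    if props.get('ro.kernel.qemu') == '1':
        findings.append(('QEMU_FLAG', 'ro.kernel.qemu=1: adbd starts as root on this boot'))
    if '/data/local.prop' in files:
        findings.append(('LOCAL_PROP', '/data/local.prop present: overrides properties at boot'))
    tmp = files.get('/data/local/tmp')
    if tmp and tmp['type'] == 'l':
        findings.append(('TMP_SYMLINK', f"/data/local/tmp is a symlink to {tmp['target']}"))
    for path, info in files.items():
        if path.endswith('/su') and info['mode'] & stat.S_ISUID and info['owner'] == 'root':
            findings.append(('SETUID_SU', f"{path} is setuid root, mode {oct(info['mode'])}"))
        if (path.startswith('/system/app/') and path.endswith('.apk')
                and stat.S_IMODE(info['mode']) != APK_MODE):
            findings.append(('APK_MODE', f"{path} has mode {oct(info['mode'])}, "
                                         f"expected {oct(APK_MODE)}"))
    if 'rw' in mounts.get('/system', set()):
        findings.append(('SYSTEM_RW', '/system mounted read-write; stock leaves it read-only'))
    return findings


def run_sample():
    """Audit the constructed captures above."""
    return audit(parse_getprop(SAMPLE_GETPROP), parse_ls(SAMPLE_LS), parse_mount(SAMPLE_MOUNT))


if __name__ == '__main__':
    for code, detail in run_sample():
        print(f"{code:12} {detail}")
```

Run as a script it lists six findings for the sample: the qemu flag, the leftover property file, the symlink, the setuid su, the apk at 777 instead of 644, and /system still mounted read-write. A device where the cleanup steps were carried out and /system was remounted read-only afterwards produces only the setuid su finding, which is the one trace a rooted device will always show.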

Buoyed by this success, I began to install all manner of useful tools - some of which worked, and some that needed the source apk, and the hand cranking that I’ve just described. However, the big breakthrough came when I got Go Launcher EX up and running, using the same technique as I used on vending.apk. Rebooting after that was done, Android asked which interface I wanted, allowing me to ditch Carousel. Those that like Carousel can actually find some tools that reassemble the apps they’ve got with high-resolution icons, but I decided to be done with it completely instead.

Incidentally, if you want to kill the advertising that you get when you power the Kindle Fire up, just remove all the permissions on the file dtcp_apk.apk, which you will find in the /system/app folder. You can delete it instead, but it magically returns, so removing its permissions is the more durable approach.

Soon my Kindle Fire looked much like any typical ICS installation, and less like a marketing opportunity for Amazon. I was really thrilled I’d got this far, but I’ll admit it wasn’t the complete success I was looking for.

Superuser limitations

My previous experience of hacking Android devices usually tells me that once you’ve got Superuser powers, you’re unstoppable, but that’s a bit of a false dawn here I’m afraid. The problem is that while it allowed me to make all sorts of modifications to the ICS installation that Amazon crafted, what it didn’t do was remove the locked bootloader. I tried to do this by installing the likes of ROM Manager, as this can install ClockworkMod, a bootloader recovery tool you can use to write entirely new operating systems to the device.

I was understandably nervous about this, because the Kindle Fire has no selection button or volume rocker, which are vital to operating ClockworkMod on every phone or tablet I’ve previously used it on. There is a touch-based recovery tool called TWRP, included in the KFU installation, but I found no way to get this written into position on this device.

After going round in circles I decided to force the issue by attempting to run a recovery boot, and got a rather disturbing message. Luckily after holding the power button in for four seconds the Kindle Fire rebooted correctly, and I was able to use it again. Phew.
It was this event that convinced me to stop entirely, because I could see that I’d pushed the envelope too far, and was in danger of ending up with a dead Kindle Fire. I’ll probably discover soon that I was taking entirely the wrong approach, and some bright spark elsewhere had written a tool to accomplish what I’d gloriously failed to do.

Hacking ethics

Before I wrap up, I feel duty-bound to speak about how I rather bent Amazon’s business model here. Amazon offer the Fire in both ad-free and promotionally subsidised versions, and it was the cheap one with inbuilt commercials that I bought. And, when I’d finished, I’d wiped that facility off the tablet. Bad Mark.

But hang on, that’s a business agreement that Amazon had with other companies, and as such I don’t actually feel obliged to support it - in the same way that I’m happy to watch TV without paying attention during the adverts. It could be argued that the Kindle Fire costs more than I paid for it, and Amazon sell it at this price based on the income they’ll get from e-books and movie rentals. I don’t use either of these services, so even if I’d not hacked it, then they weren’t going to cash in there.

What’s more, it’s worth noting that Google sells the Nexus 7 for exactly the same price as the Kindle Fire HD, and doesn’t argue this point. If we’re forced to talk about ethics, I could also point out that my business pays UK taxes, isn’t registered in Luxembourg, which Amazon is (thus avoiding paying any UK corporation tax on £7bn or so worth of sales). So, they hardly need my specific help with their business model, do they?

In the end, it’s hard economics. If everyone hacked their Kindle Fire and didn’t pay inflated e-book prices then Amazon would need to find another business. But realistically most people don’t hack their devices, and live with them restricted until they stop working. That’s because it’s often not very straightforward (and on this occasion rather complicated), not because they wouldn’t prefer it that way.

I have hacked mine, because it is ‘mine’, and in doing so I’ve most certainly invalidated the warranty, so it’s not without some cost implication to me. Those that think I’m giving a big company a hard time by doing this don’t have to copy me, and those who think otherwise can make their own minds up.

Final thoughts

This wasn’t as entirely successful as I’d anticipated, because the Kindle Fire Generation 2 isn’t a walk in the park to hack. The protected boot loader is a major problem, even if you’ve got root authority, though I don’t think it’s an insurmountable one. Given how close this is to the Kindle Fire HD, I’m confident that, in a couple of months, the means to get a pure version of Android 4.2 on here will materialise. At which point we can wave a skyward finger at the Kindle side of the Fire for good. Those that have an original Fire can do that already, and it’s an exercise that’s well worth considering if you’ve got one.

From my own perspective the goal of making the Fire a big Android Phone (without the ability to make calls) is 90% there, and the device is singularly more useful than when I first unpacked it. The screen is exceptionally nice, and playing streamed TV is a delight on it.

If I didn’t think that the bootloader issue can be overcome with a little bit of advanced know-how, I’d probably work a little more on tweaking the systems to address some of the annoying aspects. The top of that list would have to be the Kindle ‘People’ application, which isn’t one that Google supports. That means when you use Gmail you don’t have a contacts database to call on for addresses. I’m confident that’s fixable, and I’ve almost got the proper Google calendar working perfectly too. Other issues are that neither Firefox nor Chrome works, so I’m forced to use the ‘Silk’ browser that Amazon included. Chrome won’t install; Firefox will, but won’t run. Again, these are easily addressable, I’m sure.

It’s all about how much time I’m willing to work on it, remembering that I wouldn’t have had any of these issues if I’d spent another £60 and bought a Google Nexus 7. That’s the killer issue here, really: the economics of my effort don’t work, it’s cheaper to just get the full solution.

The Kindle Fire (Gen 2) is a rather nice Android device somewhat kneecapped by the commercial ambitions of Amazon. This is frustrating, but it doesn’t need to always be that way, does it? Here I’ve taken the first step to making it a more open device, and I’d be surprised if, by 2013, it hasn’t shrugged off its Ice Cream Sandwich roots and taken up with the Jellybean gang, despite Amazon’s aspirations.