Full Report
The author of this post bought an e-book on Amazon that required the Kindle app on their Android phone. As soon as they opened the book, the app crashed. They tried downloading it again and backing it up, but none of this worked: they had bought the book but couldn't read it. So they decided to reverse engineer the app to get the book into a usable format for themselves.

The web API downloads a TAR file containing several JSON blobs. On trying to read this information, they realized that the API was heavily obfuscating the data. There was a mapping of glyphs to character IDs, a simple substitution cipher that changed on every API request. Interestingly enough, browsers handled the data fine because of native Path2D support, but a custom SVG parser didn't work: SVG libraries drew spurious lines everywhere. They even had four font variants! After a large amount of effort, they figured out how to render the book. It required a lot of visual mapping code that I'm sure was a pain to write. Although it wasn't perfectly precise, it was good enough to get the job done. The end of the post makes a great point: "Was it worth it? To read one book? No. To prove a point? Absolutely."
Analysis Summary
# Research: How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked
## Metadata
- **Authors:** Pixelmelt
- **Institution:** Independent Researcher (Pixelmelt.dev)
- **Publication:** Pixelmelt’s Blog
- **Date:** October 15, 2025
## Abstract
This technical analysis details the reverse engineering of Amazon’s Kindle Cloud Reader DRM and obfuscation mechanisms. Driven by the failure of the official Android application, the researcher bypassed web-based protections that utilize randomized glyph mapping, SVG path corruption, and multi-variant font obfuscation. The research culminates in the successful extraction of a purchased ebook into a standard EPUB format by employing perceptual hashing and font matching algorithms.
## Research Objective
The study addresses the challenge of interoperability and digital ownership in the face of aggressive Digital Rights Management (DRM). Specifically, it investigates how to programmatically reconstruct text from a web-based e-reader that deliberately obfuscates its data stream to prevent scraping or conversion.
## Methodology
### Approach
1. **Traffic Analysis:** Intercepted web API calls to the Kindle renderer to identify data structures (TAR files containing JSON blobs).
2. **Structural Deconstruction:** Analyzed the relationship between `glyph IDs` in text runs and their corresponding SVG definitions.
3. **Cryptographic Analysis:** Identified the use of a rotating substitution cipher where character mappings are randomized per API request.
4. **Feature Engineering:** Developed a "normalization" phase to handle corrupted SVG paths and a "matching" phase using computer vision techniques.
### Dataset/Environment
- **Target:** Amazon Kindle Cloud Reader Web API.
- **Sample:** A 920-page ebook consisting of approximately 1.05 million total glyphs.
- **Variables:** Four font variants (Bookerly Regular, Italic, Bold, Bold-Italic).
### Tools & Technologies
- **Python:** For the primary parser and reconstruction logic.
- **SVG Parsers:** Custom-tuned to handle malicious "micro MoveTo" commands.
- **SSIM (Structural Similarity Index):** For perceptual hashing and character matching.
- **Standard Web DevTools:** For initial session token and cookie extraction.
## Key Findings
### Primary Results
1. **Dynamic Obfuscation:** Amazon rotates the character-to-glyph mapping every 5 pages (the API limit), requiring 184 unique decryption tables for a single book.
2. **Path Corruption:** The SVG data contains "micro-path" artifacts—unnecessary MoveTo commands—designed to break standard SVG rendering libraries while remaining invisible in native browser Path2D implementations.
3. **Perfect Reconstruction:** By using perceptual hashing (SSIM), the researcher achieved a **100% match rate** across 361 unique glyphs, enabling a perfect conversion to EPUB.
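As an added illustration of the "normalization" phase and the micro-MoveTo artefacts described above (example code written for this summary, not the original post's parser), the normalizer below drops subpaths that draw nothing or whose whole extent is below an epsilon. It assumes absolute-coordinate path data without arc commands; the sample path is constructed.

```python
import re

# Tokenise SVG path data into (command, [numbers]) pairs; arcs ('A') not supported.
_TOKEN = re.compile(r"([MmLlHhVvCcSsQqTtZz])|(-?\d*\.?\d+(?:[eE][-+]?\d+)?)")

def parse_path(d):
    cmds = []
    for cmd, num in _TOKEN.findall(d):
        if cmd:
            cmds.append((cmd, []))
        else:
            cmds[-1][1].append(float(num))
    return cmds

def split_subpaths(cmds):
    # Every MoveTo opens a new subpath.
    subpaths = []
    for cmd, nums in cmds:
        if cmd in "Mm" or not subpaths:
            subpaths.append([])
        subpaths[-1].append((cmd, nums))
    return subpaths

def is_micro(subpath, eps):
    # Assumed artefact: a subpath that draws nothing, or whose bounding box
    # is below eps in both axes (absolute coordinates assumed).
    xs, ys, draws = [], [], 0
    for cmd, nums in subpath:
        if cmd in "Zz":
            continue
        draws += cmd not in "Mm"
        if cmd in "Hh":
            xs += nums
        elif cmd in "Vv":
            ys += nums
        else:
            xs += nums[0::2]
            ys += nums[1::2]
    return draws == 0 or (max(xs) - min(xs) < eps and max(ys) - min(ys) < eps)

def normalize_path(d, eps=0.05):
    # Drop micro subpaths and re-serialise what remains.
    kept = [sp for sp in split_subpaths(parse_path(d)) if not is_micro(sp, eps)]
    return " ".join((cmd + " ".join(f"{n:g}" for n in nums)).strip()
                    for sp in kept for cmd, nums in sp)

# Constructed sample: a square, two micro subpaths, then a second square.
CORRUPTED = ("M10 10 L20 10 L20 20 Z M15.001 15.002 "
             "M15.003 15.001 L15.0035 15.0015 M30 30 L40 30 L40 40 Z")
```

`normalize_path(CORRUPTED)` keeps only the two squares; a renderer that treats each stray MoveTo as a drawn point or line would otherwise show the spurious marks the post describes.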
### Supporting Evidence
- **Data Volume:** 184 API requests processed.
- **Accuracy:** Average SSIM score of 0.9527 (high confidence for visual matching).
- **Output:** Successfully decoded 5,623,847 characters.
### Novel Contributions
- Identification of "visual-only" font obfuscation where text ceases to exist as character codes and exists only as coordinates of vector shapes.
- A methodology for defeating randomized substitution ciphers by mapping vector shapes back to a known font library (Bookerly) using image comparison rather than OCR.
## Technical Details
The core of the obfuscation lies in the `TextRun` JSON. Instead of ASCII/Unicode, it provides an array of integers (Glyph IDs). Because the IDs change every request, traditional mapping is impossible. The researcher bypassed this by:
1. Rendering the SVG path of a Glyph ID into a bitmap.
2. Comparing that bitmap against a pre-rendered reference library of the "Bookerly" font.
3. Using SSIM to find the highest probability match (e.g., "This vector shape is 99% likely to be the letter 'a'").
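The three-step matching above, together with the per-request rotation of glyph IDs, as an added example (not the researcher's code): a pure-Python global SSIM compares each served glyph bitmap against a reference set and builds a fresh decryption table for every request. The 5x5 bitmaps, the glyph IDs and the `simulate_request` stand-in for the API are all constructed here, not Bookerly or Amazon data.

```python
import random

# Constructed 5x5 toy reference glyphs; stand-ins for bitmaps rendered from Bookerly.
REFERENCE = {
    "l": ["..#..", "..#..", "..#..", "..#..", "..#.."],
    "o": [".###.", "#...#", "#...#", "#...#", ".###."],
    "x": ["#...#", ".#.#.", "..#..", ".#.#.", "#...#"],
}

def to_pixels(rows):
    return [1.0 if ch == "#" else 0.0 for row in rows for ch in row]

def ssim(a, b, dyn_range=1.0):
    # Global SSIM over two equal-length flat grayscale arrays in [0, dyn_range].
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = sum((p - mu_a) ** 2 for p in a) / n
    var_b = sum((q - mu_b) ** 2 for q in b) / n
    cov = sum((p - mu_a) * (q - mu_b) for p, q in zip(a, b)) / n
    c1, c2 = (0.01 * dyn_range) ** 2, (0.03 * dyn_range) ** 2
    return ((2 * mu_a * mu_b + c1) * (2 * cov + c2)) / (
        (mu_a ** 2 + mu_b ** 2 + c1) * (var_a + var_b + c2))

def build_table(glyph_defs, reference=REFERENCE):
    # One decryption table per request: glyph ID -> (best matching char, SSIM).
    ref_px = {ch: to_pixels(rows) for ch, rows in reference.items()}
    table = {}
    for gid, rows in glyph_defs.items():
        px = to_pixels(rows)
        table[gid] = max(((ch, ssim(px, r)) for ch, r in ref_px.items()),
                         key=lambda t: t[1])
    return table

def decode_request(glyph_defs, text_runs, reference=REFERENCE):
    # Text runs are lists of glyph IDs; resolve them through this request's table.
    table = build_table(glyph_defs, reference)
    return ["".join(table[g][0] for g in run) for run in text_runs], table

def simulate_request(text, seed):
    # Constructed stand-in for the API: the seed plays the request number, and
    # each request hands out fresh random IDs for the same glyph shapes.
    rng = random.Random(seed)
    mapping = dict(zip(REFERENCE, rng.sample(range(100, 1000), len(REFERENCE))))
    return {mapping[ch]: REFERENCE[ch] for ch in REFERENCE}, [[mapping[ch] for ch in text]]

# Constructed request whose 'o' glyph carries one stray pixel (a rendering artefact):
# SSIM still ranks it as 'o', far above the other references.
NOISY_DEFS = {7: ["####.", "#...#", "#...#", "#...#", ".###."],
              3: ["#...#", ".#.#.", "..#..", ".#.#.", "#...#"]}
NOISY_RUNS = [[3, 7], [7, 3]]
```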
## Practical Implications
### For Security Practitioners
- This demonstrates that "security through obscurity" (obfuscation) is a significant deterrent but not a permanent barrier against a determined adversary.
### For Defenders
- Obfuscation techniques should include server-side rate-limiting and behavior analysis to detect the rapid, sequential fetching of data batches required for this type of reconstruction.
### For Researchers
- This highlights a trend in "Browser-Native Obfuscation," where developers exploit subtle differences between browser rendering engines and headless scraping libraries to detect or break automated tools.
## Limitations
- **Manual Setup:** Requires valid session cookies and tokens from a legitimate login.
- **Compute Intensive:** Requires rendering and comparing thousands of image samples, making it slower than traditional text scraping.
- **Font Dependency:** The method relies on identifying the underlying font family used by the reader.
## Comparison to Prior Work
Unlike typical DRM removal (which often targets the decryption keys of the Kindle desktop app), this approach ignores the encryption layer entirely and focuses on the **Presentation Layer**, effectively "scraping" the rendered intent of the application rather than the source files.
## Real-world Applications
- **Interoperability:** Moving purchased content between siloed ecosystems (e.g., Kindle to Calibre).
- **Archival:** Ensuring long-term access to digital goods in the event of platform transition or service shutdown.
## Future Work
- Automating the identification of font families to make the tool font-agnostic.
- Exploring the use of machine learning classifiers (CNNs) to replace SSIM for even faster glyph identification.
## References
- [https://blog.pixelmelt.dev/kindle-web-drm/](https://blog.pixelmelt.dev/kindle-web-drm/)
- [https://news.ycombinator.com/item?id=45610226](https://news.ycombinator.com/item?id=45610226)