Ok, here's a possibly unrelated thing I found while looking through the bootloader code. On the Kindle 3/2, if you wanted to flash the serial number, MAC address, etc., all you had to do was call "idme --serial XXX" or something like that. I'm guessing this is blocked on the Kindle 4 because Amazon doesn't want people spoofing serial numbers. I think they're achieving this by write-protecting that section of the MMC after bootup. Anyways, to flash the idme vars (serial, mac, boardid, etc.), you flash a binary file with the magic number (header) "abcdefghhgfedcba" to 0x3f000 in the NAND. I haven't looked into what the format for this file should be, but I'm guessing it's just a byte-aligned file containing all the idme variables. At bootup, when the Kindle detects this (the magic header at 0x3f000), it flashes the variables. Now, I don't know how much use this information is, as I would think you have to have root access before you can start flashing the NAND, but just throwing ideas out there.
But yea, I advise everyone who's interested to read the bootloader code. It's pretty interesting, and has the most potential for a permanent jailbreaking solution (aka, not patched in updates). In the source code release, it's the archive named "u-boot-2009.08.tar.bz2". The folders of interest are "/board/imx50_yoshi" (Kindle 4/touch) and "/board/imx51_banjo" (99% sure it's the Kindle Fire because it talks about a "system" partition, which we find on Android). Also, in "/includes/configs" you'll see "imx35_luigi.h" and "imx51_banjo.h".
Last edited by yifanlu; 10-05-2011 at 01:01 AM.