View Single Post
Old 02-26-2012, 09:43 PM   #87
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
Talking Another one (un)bites the dust!

Here is the IRC session (with permission) from another successfully debricked kindle touch:
Code:
14:51 <dasmoover> so i can repair the dead kindle touch?
14:53 <geekmstr> A lot of people did. I provided a "demo" payload, that does
                 nothing but put something on the display, but my "universal" 
                 mntus.params works on all kindles by computing the values,
                 even with no payload, fixes kindles that were bricked when
                 they used a data.tar.gz for a different kindle model.
14:53 <geekmstr> In that thread, cscat added a command to call the
                 factory_reset script (not included in my download yet),
                 that unbricked a lot more kindles...
14:54 <geekmstr> My KindleSelectBoot tool (custom u-boot images and
                 custom MfgTool profiles) lets you boot a bricked kindle to main,
                 diags, or fastboot with no changes to mmc...
14:55 <dasmoover> link!
14:55 <dasmoover> i need to restore my old ktouch
14:55 <dasmoover> remember the one i bricked?
14:55 <geekmstr> http://www.mobileread.com/forums/showthread.php?t=169645
14:56 <geekmstr> http://www.mobileread.com/forums/showthread.php?t=170241
14:57 <dasmoover> well wheres the tool dude/
14:58 <geekmstr> downloads in first post:
                 http://www.mobileread.com/forums/showthread.php?t=169645
14:58 <geekmstr> screenshots this post:
                 http://www.mobileread.com/forums/showthread.php?p=1972836
15:01 <geekmstr> you can write a RUNME.sh to copy all the dropbear files
                 from main to diags (if you mount them), if you installed yifanlu's
                 SSH package. Or you could put his .tar.gz on /mnt/mmc and
                 make RUNME.sh extract it to diags root if you make it writable...
15:02 <geekmstr> With the dropbear files in place, the USBnet diags menu
                 starts SSH (which takes about 20 secs for dropbear to init before
                 you can connect). diags menus N) U) Z) then exit to start dropbear...
15:03 <geekmstr> Either use SSH to mount and fix main, or use some custom
                 RUNME.sh scripts. Later in the thread I posted (in "code" tags)
                 that dumps a LOT of diags info into /mnt/us/gmlogs.txt (or
                 something like that)...
15:04 <geekmstr> Anyway, my tools have unbricked a lot of touches lately,
                 but they work on k4 as well...
15:04 <geekmstr> k4 is easier because booting to diags gives you ssh.
                 The dropbear files are already on the diags partition...
15:05 <geekmstr> Read the threads....
15:07 <geekmstr> But especially post#4 for screenshots, and bottom of #1
                 for downloads. And post #11 for the factory reset option...
15:08 <geekmstr> here you can read the code before installing it:
                 http://www.mobileread.com/forums/showthread.php?p=1978973
15:09 <dasmoover> cant seem to get into the special mode
15:10 <geekmstr> maybe your battery needs charging. use a usb power
                 adapter for a few hours. The battery completely drains when
                 bricked...
15:11 <geekmstr> you need to charge it enough (maybe overnight) to boot to
                 fastboot mode. In fastboot it charges quickly...
15:11 <dasmoover> ah
15:12 <dasmoover> yeah
15:12 <dasmoover> dead battery icon
15:12 <dasmoover> lol
15:12 <geekmstr> Anyway, try this: Plug into computer USB. Press and hold
                 power until LED off. Press Home button. Release power. Release
                 Home. New device with VID/PID 0x15a2/0x0052. Windows USB
                 HID drivers should install automagically... Then run MfgTool,
                 which talks to it...
15:13 <geekmstr> Charge it two or 3 hrs, then go to fastboot and fast-charge
                 it another hour...
15:13 <geekmstr> bricked only charges EXTREMELY slowly and only with a
                 power adapter...
15:13 <geekmstr> fastboot charges rapidly.
15:14 <geekmstr> Got it?
15:19 <dasmoover> jst gonna charge it a bit
15:22 <geekmstr> My "diags" RUNME.sh is here:
                 http://mobileread.com/forums/showthread.php?p=1979042
15:24 <dasmoover> beautiful man very good shit here
15:24 <geekmstr> thanks.
15:25 <geekmstr> I post all the steps of the evolution of my learning, in
                 stream-of-consciousness format, in hopes that others will learn
                 to learn like I do...
15:26 <geekmstr> Not just the end result, but the PROCESS of getting there
                 is what is the REAL goldmine...
15:26 <geekmstr> IMHO
15:28 <geekmstr> Of course my epiphany was obvious to people who
                 came from the android community, but it was new to me...
15:31 <geekmstr> Much of what I learned came from the GPL source code
                 and the freescale iMX50 Reference (and other) Manuals, and
                 using the tools you can download at freescale.com
15:33 <geekmstr> And from sbloader code for RockBox and other linux project
                 that use sbloader, and from yifanlu's fastboot tool (I cleaned the 
                 source code so no warnings with gcc -Wall and -Wextra).
15:34 <dasmoover> awh yeah i'm in diags 
15:35 <geekmstr> warning: I successfully flashed images to my k4, but others
                 say fastboot image flashing on touch reports "success" way to soon 
                 and cannot have worked...
15:36 <geekmstr> Do not erase main system or diags with fastboot. Some dude
                 in my thread says he erased his before trying to flash it. It is not 
                 eeprom, so why erase flash when you are going to completely fill
                 that range anyway?
15:36 <dasmoover> okay so i have usb mounted
15:36 <dasmoover> i remember
15:36 <dasmoover> i broke i by loading tun.ko 
15:37 <dasmoover> so i'vw got to chang /lib 
15:37 <dasmoover> i need to restore /lib 
15:37 <geekmstr> in low power mode it loads a 0-byte fake storage device to
                 keep host PC "green" crap from turning off USB power...
15:38 <geekmstr> In the source code it is called "fstor" mode (fake storage).
                 It is part of the battery charging process...
15:39 <geekmstr> That is a problem with running scripts from mntus.params,
                 because "fdisk -l" can return bad values from the fstor device...
15:39 <dasmoover> so i need to create a data.tar.gz with original /lib
15:40 <geekmstr> do not use data.tar.gz -- root partition may not be
                 writeable. boot diags. export USB. Add MY data.tar.gz to launch
                 your RUNME.sh at next reboot to diags. 
15:41 <dasmoover> okay
15:41 <geekmstr> Put your stuff in a .tar.gz, and have RUNME do "mount
                 /dev/mmcblk0p1 /mnt/mmc" then extract your package there...
15:42 <dasmoover> so no fastboot?
15:42 <geekmstr> Or --- make a runme and ssh.tar.gz and extract those
                 dropbear files to diags, so menu N) U) Z) X) will start dropbear.
15:43 <geekmstr> MfgTool with my profiles does NOT need fastboot (except
                 to recharge the battery).
15:44 <dasmoover> okay so i have /lib in .zip
15:44 <geekmstr> In my case, I did a BAD mntus.params that bricks main
                 and diags. If fastboot could erase mmcblk0p3 that would fix it, but its 
                 partition names do not indicate which partition, and I already erased
                 the safe ones.
15:44 <dasmoover> on root 
15:44 <dasmoover> usb
15:44 <geekmstr> I can ONLY use fastboot in my case. But you can boot to
                 diags to export usb drive.
15:44 <dasmoover> yeah
15:44 <dasmoover> i have lib.zip on usb 
15:45 <dasmoover> now write a script to mount root and extract?
15:45 <geekmstr> yes...
15:45 <dasmoover> mount /dev/mmcblk0p1 /mnt/mmc 
15:46 <dasmoover> unzip /mnt/us/lib.tar /mnt/mmc/
15:46 <dasmoover> does kindle have unzip?
15:46 <geekmstr> you can model it after scripts in my thread. Use the logger
                 one that pipes ALL output ( all code here ) 2>&1 >>/mnt/us/gmlogs.txt
15:47 <geekmstr> I believe it has unzip. It runs from startup scripts and they
                 use full path. You could add PATH= at top of script...
15:47 <geekmstr> then do not need full prefix path on all commands like
                 startup scripts use.
15:48 <geekmstr> mntusb is sourced, and kindle bricks easily from it, so
                 just use my published on in my data.tar.gz. Look at it though. Good 
                 learning there...
15:48 <dasmoover> okay so now how to run?
15:48 <dasmoover> just rebboot?
15:48 <geekmstr> I like code to fit one screen full. Old school. My scripts
                 are compact.
15:49 <geekmstr> reboot from menu. Hard reset often does not run payload...
15:49 <dasmoover> D?
15:49 <geekmstr> in diags. reboot from menu.
15:50 <geekmstr> first menu item has a reboot in it. easier than the reboot
                 buried in the bottom exit menu...
15:50 <geekmstr> touch the first menu item in main screen, then restart there...
15:51 <dasmoover> its restarting
15:51 <geekmstr> I did not publish that yet. I will do screenshots of all the
                 steps later...
15:51 <dasmoover> still amazon thing
15:51 <dasmoover> happen to have ssh package handy
15:52 <geekmstr> You may need to add a reset for the boot counter if "repair
                 needed" screen. see the thread. SSH was already installed in main 
                 using yifanlus package. I just copied from main to diags. 
15:53 <dasmoover> is that info there 
15:54 <geekmstr> https://github.com/downloads/yifanlu/KindleTool/simple_usbnet_1.1.zip
16:13 <dasmoover> how to write back img file in fastboot?
16:13 <dasmoover> i have .img file
16:13 <geekmstr> dd if=/mnt/us/mmcblk0p1.img of=/dev/mmcblk0p1 bs=1024
16:14 <geekmstr> That is probably in 100 posts in the forums. Basic linux.
16:20 <dasmoover> just rebooted.. waiting to see result
16:20 <dasmoover> dunno it still seems bricked
16:20 <dasmoover> i didnt use fastboot
16:20 <dasmoover> i used diags
16:20 <dasmoover> but i wanted to know fastboot
16:21 <dasmoover> i mean i just replaced pl01 and its still not booting up
16:21 <dasmoover> dunno what else could have corrupted
16:22 <geekmstr> did you boot diags (either with ENABLE_DIAGS or with my
                 boot tool) before writing your p1 image?)
16:22 <dasmoover> boot tool
16:22 <dasmoover> boot tool all times
16:23 <dasmoover> well f--- it wont go into diags now 
16:23 <geekmstr> Each reboot goes back to whatever the bootmode var was.
                 If bootmode = main and no ENABLE_DIAGS, exting diags booted
                 to main before running payload.
16:23 <geekmstr> Maybe you need to charge the battery more...
16:24 <geekmstr> charge in fastboot mode.
16:24 <geekmstr> next time in diags, add ENABLE_DIAGS with the payload,
                 before rebooting.
16:25 <geekmstr> Or... do a hard reset with magic key to use my tool.
16:25 <dasmoover> says
16:25 <dasmoover> runmme.done
16:25 <dasmoover> and runme.out 
16:25 <dasmoover> so it mustve run 
16:25 <geekmstr> It ran from main. writing an image with files open corrupts it.
16:25 <geekmstr> Do it again with ENABLE_DIAGS.
16:26 <geekmstr> And you are using a low battery, so complications there too...
16:26 <dasmoover> so ENABLE_DIAGS on root righ
16:26 <geekmstr> Erase RUNEM.done first or script does not run.
16:26 <geekmstr> ENABLE_DIAGS on usb drive.
16:27 <dasmoover> yah did thatrebooting now
16:27 <geekmstr> Need to update first post. Info in later posts says add
                 ENABLE_DIAGS and erase RUNME.done and add data.tar.gz
                 while exporting USB drive in diags.
16:27 <dasmoover> ywah i did all that 
16:28 <geekmstr> data.tar.gz erases itself. RUNME.done disables the script.
16:28 <dasmoover> so when its done writing it should boot to diags/
16:29 <geekmstr> It runs ONESHOT mode so a bug does not brick the kindle.
                 You do NOT need a new data.tar.gz each time -- only if the payload in 
                 /var/local gets deleted (factory restore).
16:30 <geekmstr> The kindle rebuilds /var/local if you dd /dev/zero to
                 /dev/mmcblk0p3
16:30 <dasmoover> yah i'm wrrwring p1
16:30 <geekmstr> you have ENABLE_DIAGS so it should boot to diags.
16:31 <geekmstr> You may have problems if your battery is too low...
16:31 <dasmoover> its plugged i tho
16:32 <dasmoover> its jut doing the tree stuff
16:32 <geekmstr> It takes a long time to write a 350MB image. If battery low
                 it will reboot before it completes.
16:32 <geekmstr> Others reported success only after a full recharge in
                 fastboot mode.
16:34 <geekmstr> You can run the factory_restore script. If you kill
                 mmcblk0p3 it will rebuild on reboot. If you kill mmcblk0p4 it will
                 rebuild on reboot. At least that is what the startup scripts say.
16:35 <geekmstr> If it cannot mount p3 or p4 it formats them and copies files
                 there from /opt
16:38 <geekmstr> It sits at the tree while copying p1.
16:39 <geekmstr> You can use eips to display text on the kindle tree screen.
                 See my sample RUNME.sh on the first post.
16:39 <geekmstr> You can display progress messages on eink while it runs.
16:40 <geekmstr> But during the dd you can only wait.
16:41 <geekmstr> It can take like 15 minutes or something to copy. Low battery
                 is a big problem. Not charging during payload. Only draining the 
                 battery (and faster while writing flash).
16:41 <geekmstr> If no luck, charge overnight, and read the thread while it charges...
16:42 <geekmstr> Adding usbnet from the link I posted above allows SSH
                 from diags and interactive exporation and repair.
17:26 <dasmoover> it is just frozen still
17:26 <dasmoover> unplugged it from computer
17:26 <dasmoover> led died
17:26 <dasmoover> then plugged it into wall
17:26 <dasmoover> waiting now
17:26 <dasmoover> guessing it ran, died
17:27 <dasmoover> so waiting on full charge
17:27 <dasmoover> can get to diags no problem
18:04 <dasmoover> i have all p*
18:30 <dasmoover> all the image blocks
18:31 <dasmoover> anyways i want to use fastboot...
18:31 <geekmstr> You could have mounted it and deleted that tun.ko file and
                 fixed any script that started it...
18:33 <dasmoover> i f---ed with /lib
18:51 <geekmstr> I had to install libusb-1.0 with apt-get (needed for compile).
18:52 <geekmstr> So you really only need the binary, but I will send all...
18:53 <dasmoover> installed libusb-1.0
18:54 <geekmstr> need to run fastboot with "sudo ./fastboot" or it runs but
                 only partly works. Usb writing needs sudo...
18:54 <dasmoover> rgr
19:01 <dasmoover> so what command to compile
19:01 <geekmstr> make
19:01 <geekmstr> or make -j5 on a quadcore...
19:02 <dasmoover> gcc -ofastboot fastboot.o protocol.o engine.o
                 usb_linux.o&&strip fastboot&&upx fastboot>/dev/null
19:02 <dasmoover> /bin/sh: upx: not found
19:02 <dasmoover> make: *** [fastboot] Error 127
19:02 <dasmoover> mb, g
19:02 <dasmoover> nvm fixed
19:02 <geekmstr> I compress my exes with upx. either install upx, or remove
                 that step from makefile
19:02 <dasmoover> yay it works
19:02 <dasmoover> plugging in kindle now
19:02 <dasmoover> err
19:02 <dasmoover> booting fastboot mode
19:03 <dasmoover> then unplugging and jacking into my linux machine
19:03 <geekmstr> sudo ./fastboot getvar bootmode
19:03 <dasmoover> do i set it via mfg or this tool
19:03 <geekmstr> you can read or write all idme vars with fastboot
19:03 <geekmstr> to get to fastboot mode, need mfgtool.
19:03 <dasmoover> okay
19:03 <dasmoover> brb setting it in
19:04 <geekmstr> In fastboot mode, fastboot tool will see it.
19:04 <geekmstr> usb in, power press, led off, home press, power release.
19:04 <dasmoover> okay sent to fastboot
19:04 <dasmoover> can i unplugand plug into linux now
19:05 <dasmoover> i got fastboot woking
19:05 <geekmstr> try sudo ./fastboot getvar bootmode
19:06 <dasmoover> its running down a bunch of stuff
19:06 <geekmstr> It is normal for "check main" or whatever to fail. The flash
                 CRC is set at first flash, but mounting a partition from mmc changes 
                 it to not match flash header crc.
19:06 <dasmoover> so now what
19:10 <dasmoover> thats all the command sees 
19:10 <geekmstr> But vid/pid is for a different usb device
19:10 <dasmoover> ill unplug em ll
19:10 <dasmoover> ill unplug em all
19:10 <geekmstr> leave kindle plugged in. Put it in USB HID mode. Tell
                 MfgTool to use fastboot profile. Click start.
19:10 <dasmoover> thats what i did
19:10 <geekmstr> Other devices do not matter.
19:10 <dasmoover> then i unplugged it and put it on my linux box
19:10 <dasmoover> now we are here
19:11 <geekmstr> Did you do sudo?
19:11 <dasmoover> trying to use fastboot
19:11 <dasmoover> yes..
19:11 <geekmstr> It cannot send commands unless root.
19:11 <geekmstr> It must see vendor 0x1949,product 0xd0d0
19:12 <geekmstr> dev(vendor:0x1949,product:0xd0d0,...
19:13 <dasmoover> it still shows same values when kindle is not plugged in
19:13 <geekmstr> The kindle SHOULD go into fastboot mode if you tool can
                 write usb (needs to be root for usb write access)
19:13 <dasmoover> just sent into fastboot via mfg..
19:14 <dasmoover> unplugging and putting onto linux box now
19:14 <geekmstr> 0x1948 belongs to lab126.
19:14 <dasmoover> LED died on unplug
19:14 <geekmstr> Do not unplug.
19:14 <dasmoover> dude i have to
19:14 <dasmoover> in order to put my windows machine
19:14 <dasmoover> with mfg
19:14 <dasmoover> tolinux box
19:15 <dasmoover> with fastboot
19:15 <dasmoover> how2set fastboot mode in linux then 
19:16 <geekmstr> Yifanlu said that the "install fastboot bundle" item in diags
                 sets fastboot mode. Did not try that myself...
19:16 <dasmoover> ill try to do that
19:16 <geekmstr> mfgtool boot diags. fastboot bundle while plugged into linux
                 and fastboot running.
19:23 <dasmoover> got it in fastboot mode
19:24 <geekmstr> try sudo ./fastboot getvar bootmode
19:25 <dasmoover> dev(vendor:0x1949,product:0xd0d0,class:0,subclass:0,
                 protocol:0),writable:1,ifc(class:255,subclass:66,protocol:3),
                 has_bulk(in:1,out:1),serial_number:0061XXXXXXXXXXXX
19:25 <dasmoover> bootmode: fastboot
19:25 <dasmoover> dev(vendor:0x1949,product:0xd0d0,class:0,subclass:0,
                 protocol:0),writable:1,ifc(class:255,subclass:66,protocol:3),
                 has_bulk(in:1,out:1),serial_number:0061XXXXXXXXXXXX
19:26 <dasmoover> finished. total time: 0.001s
19:26 <dasmoover> bootmode: fastboot
19:26 <dasmoover> finished. total time: 0.001s
19:26 <dasmoover> sudo ./fastboot flash system mmcblk0p1.img
19:26 <dasmoover> right
19:26 <geekmstr> that looks good.
19:26 <geekmstr> flash should take many minutes
19:26 <dasmoover> downloading 'system'...
19:26 <dasmoover> OKAY [  3.764s]
19:26 <dasmoover> writing 'system'...
19:26 <geekmstr> a user on mobileread said it completes in 4 seconds.
                 Too fast...
19:26 <dasmoover> writing 'system'...
19:26 <dasmoover> OKAY [  8.991s]
19:26 <dasmoover> finished. total time: 12.756s
19:26 <dasmoover> uhhh
19:27 <geekmstr> It took many minutes on my k4nt...
19:27 <dasmoover> should i erase then put back on? or test first
19:27 <geekmstr> maybe the touch has a fastboot bug?
19:27 <geekmstr> NO do not erase.
19:27 <geekmstr> Flash memory does not need that.
19:27 <geekmstr> that will make it worse.
19:28 <dasmoover> okay
19:28 <dasmoover> guess a reboot
19:28 <geekmstr> You could still to dd to write it from a RUNME.sh instead
                 of fastboot.
19:28 <dasmoover> or another flash 
19:28 <geekmstr> apparently touch fastboot does not flash good, with false
                 success report.
19:28 <geekmstr> It cannot be that fast.
19:29 <geekmstr> USB is not that fast.
19:29 <geekmstr> I think it is a bug
19:29 <geekmstr> do this:
19:29 <geekmstr> sudo ./fastboot setvar bootmode diags
19:30 <geekmstr> that will boot to diags next time you boot. If not, boot there
                 with MfgTool.
19:30 <dasmoover> okay how2reboot
19:31 <geekmstr> hold power button 20 seconds.
19:31 <geekmstr> the fastboot reboot command does not work.
19:31 <geekmstr> You can repair it with RUNME.sh. fastboot is buggy on
                 the touch...
19:32 <dasmoover> ive tried runme.sh
19:32 <dasmoover> it has not worked for me writing the .img
19:32 <geekmstr> You booted main that time...
19:32 <dasmoover> okay will retry
19:32 <dasmoover> have usb up
19:33 <geekmstr> boot diags, export usb, add ENABLE_DIAGS and remove
                 RUNME.done. reboot. payload will run in diags this time...
19:33 <dasmoover> do i need to redrop data.tar.gz no right?
19:33 <geekmstr> You did not have ENABLE_DIAGS last time. It ran in main...
19:33 <geekmstr> No tar file needed. already dropped expoit that runs
                 RUNME.sh...
19:34 <dasmoover> okay
19:34 <dasmoover> hard reboot?
19:34 <geekmstr> yes.
19:34 <geekmstr> I think I should change my payload to detect main, set
                 bootmode=diags, and reboot...
19:34 <geekmstr> and only call RUNME.sh when in diags boot.
19:35 <geekmstr> writing to the partition you booted from will corrupt it...
19:35 <dasmoover> okay hard rebooting wall plugged in
19:32 <dasmoover> fixed :)
20:32 <dasmoover> thank you very much
I posted this IRC session here (with permission), during which a bricked kindle was explored and successful restored to full operation, in hopes that others can learn from it to help them debrick their kindle touch (or k4nt).

As this and other posts show, it is not a good idea to erase or flash partitions with fastboot for touch yet, even though it worked well for my k4nt. But you can flash partitions with the "dd" command just fine.

Be sure to boot diags to flash main from RUNME.sh, and boot main to flash diags from RUNME.sh. It is not good to change a partition that contains open files because you booted from it. Also be sure to have ENABLE_DIAGS set accordingly, because you need to reboot to run the RUNME.sh. It has been reported in various threads that RUNME.sh does not reliably run during a hard reset (long power button hold) so be sure to reboot using a menu item.

Good luck, and good learning! This is not easy (yet). I want a GUI that lets you choose what steps you want to do, and which makes a custom RUNME.sh for you. I want a GUI that runs fastboot for you, and avoids all the command-line stuff, and runs in Windows and Linux and Mac. Now, who is going to write that for me...

P.S. I want to thank yifanlu who helped me learn this stuff by guiding me through an IRC recovery session similar to the one shown above, but which was spread over a period of about one week, interrupted by studying manuals and code, which helped me debrick my k4nt, when we were first learning about what USB Downloader mode was and how we could use it. I also want to thank all the others who provided feedback and useful pointers that contributed to my learning as much as I have (so far) about this stuff. Thanks guys (and ladies)!

Downloads: See the "simple debricking" sticky.



Last edited by geekmaster; 01-15-2013 at 08:30 PM.
geekmaster is offline   Reply With Quote