|
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
|
Another one (un)bites the dust!
Here is the IRC session (with permission) from another successfully debricked kindle touch:
Code:
14:51 <dasmoover> so i can repair the dead kindle touch?
14:53 <geekmstr> A lot of people did. I provided a "demo" payload, that does
nothing but put something on the display, but my "universal"
mntus.params works on all kindles by computing the values,
even with no payload, fixes kindles that were bricked when
they used a data.tar.gz for a different kindle model.
14:53 <geekmstr> In that thread, cscat added a command to call the
factory_reset script (not included in my download yet),
that unbricked a lot more kindles...
14:54 <geekmstr> My KindleSelectBoot tool (custom u-boot images and
custom MfgTool profiles) lets you boot a bricked kindle to main,
diags, or fastboot with no changes to mmc...
14:55 <dasmoover> link!
14:55 <dasmoover> i need to restore my old ktouch
14:55 <dasmoover> remember the one i bricked?
14:55 <geekmstr> https://www.mobileread.com/forums/showthread.php?t=169645
14:56 <geekmstr> https://www.mobileread.com/forums/showthread.php?t=170241
14:57 <dasmoover> well wheres the tool dude/
14:58 <geekmstr> downloads in first post:
https://www.mobileread.com/forums/showthread.php?t=169645
14:58 <geekmstr> screenshots this post:
https://www.mobileread.com/forums/showthread.php?p=1972836
15:01 <geekmstr> you can write a RUNME.sh to copy all the dropbear files
from main to diags (if you mount them), if you installed yifanlu's
SSH package. Or you could put his .tar.gz on /mnt/mmc and
make RUNME.sh extract it to diags root if you make it writable...
15:02 <geekmstr> With the dropbear files in place, the USBnet diags menu
starts SSH (which takes about 20 secs for dropbear to init before
you can connect). diags menus N) U) Z) then exit to start dropbear...
15:03 <geekmstr> Either use SSH to mount and fix main, or use some custom
RUNME.sh scripts. Later in the thread I posted (in "code" tags)
that dumps a LOT of diags info into /mnt/us/gmlogs.txt (or
something like that)...
15:04 <geekmstr> Anyway, my tools have unbricked a lot of touches lately,
but they work on k4 as well...
15:04 <geekmstr> k4 is easier because booting to diags gives you ssh.
The dropbear files are already on the diags partition...
15:05 <geekmstr> Read the threads....
15:07 <geekmstr> But especially post#4 for screenshots, and bottom of #1
for downloads. And post #11 for the factory reset option...
15:08 <geekmstr> here you can read the code before installing it:
https://www.mobileread.com/forums/showthread.php?p=1978973
15:09 <dasmoover> cant seem to get into the special mode
15:10 <geekmstr> maybe your battery needs charging. use a usb power
adapter for a few hours. The battery completely drains when
bricked...
15:11 <geekmstr> you need to charge it enough (maybe overnight) to boot to
fastboot mode. In fastboot it charges quickly...
15:11 <dasmoover> ah
15:12 <dasmoover> yeah
15:12 <dasmoover> dead battery icon
15:12 <dasmoover> lol
15:12 <geekmstr> Anyway, try this: Plug into computer USB. Press and hold
power until LED off. Press Home button. Release power. Release
Home. New device with VID/PID 0x15a2/0x0052. Windows USB
HID drivers should install automagically... Then run MfgTool,
which talks to it...
15:13 <geekmstr> Charge it two or 3 hrs, then go to fastboot and fast-charge
it another hour...
15:13 <geekmstr> bricked only charges EXTREMELY slowly and only with a
power adapter...
15:13 <geekmstr> fastboot charges rapidly.
15:14 <geekmstr> Got it?
15:19 <dasmoover> jst gonna charge it a bit
15:22 <geekmstr> My "diags" RUNME.sh is here:
http://mobileread.com/forums/showthread.php?p=1979042
15:24 <dasmoover> beautiful man very good shit here
15:24 <geekmstr> thanks.
15:25 <geekmstr> I post all the steps of the evolution of my learning, in
stream-of-consciousness format, in hopes that others will learn
to learn like I do...
15:26 <geekmstr> Not just the end result, but the PROCESS of getting there
is what is the REAL goldmine...
15:26 <geekmstr> IMHO
15:28 <geekmstr> Of course my epiphany was obvious to people who
came from the android community, but it was new to me...
15:31 <geekmstr> Much of what I learned came from the GPL source code
and the freescale iMX50 Reference (and other) Manuals, and
using the tools you can download at freescale.com
15:33 <geekmstr> And from sbloader code for RockBox and other linux project
that use sbloader, and from yifanlu's fastboot tool (I cleaned the
source code so no warnings with gcc -Wall and -Wextra).
15:34 <dasmoover> awh yeah i'm in diags
15:35 <geekmstr> warning: I successfully flashed images to my k4, but others
say fastboot image flashing on touch reports "success" way to soon
and cannot have worked...
15:36 <geekmstr> Do not erase main system or diags with fastboot. Some dude
in my thread says he erased his before trying to flash it. It is not
eeprom, so why erase flash when you are going to completely fill
that range anyway?
15:36 <dasmoover> okay so i have usb mounted
15:36 <dasmoover> i remember
15:36 <dasmoover> i broke i by loading tun.ko
15:37 <dasmoover> so i'vw got to chang /lib
15:37 <dasmoover> i need to restore /lib
15:37 <geekmstr> in low power mode it loads a 0-byte fake storage device to
keep host PC "green" crap from turning off USB power...
15:38 <geekmstr> In the source code it is called "fstor" mode (fake storage).
It is part of the battery charging process...
15:39 <geekmstr> That is a problem with running scripts from mntus.params,
because "fdisk -l" can return bad values from the fstor device...
15:39 <dasmoover> so i need to create a data.tar.gz with original /lib
15:40 <geekmstr> do not use data.tar.gz -- root partition may not be
writeable. boot diags. export USB. Add MY data.tar.gz to launch
your RUNME.sh at next reboot to diags.
15:41 <dasmoover> okay
15:41 <geekmstr> Put your stuff in a .tar.gz, and have RUNME do "mount
/dev/mmcblk0p1 /mnt/mmc" then extract your package there...
15:42 <dasmoover> so no fastboot?
15:42 <geekmstr> Or --- make a runme and ssh.tar.gz and extract those
dropbear files to diags, so menu N) U) Z) X) will start dropbear.
15:43 <geekmstr> MfgTool with my profiles does NOT need fastboot (except
to recharge the battery).
15:44 <dasmoover> okay so i have /lib in .zip
15:44 <geekmstr> In my case, I did a BAD mntus.params that bricks main
and diags. If fastboot could erase mmcblk0p3 that would fix it, but its
partition names do not indicate which partition, and I already erased
the safe ones.
15:44 <dasmoover> on root
15:44 <dasmoover> usb
15:44 <geekmstr> I can ONLY use fastboot in my case. But you can boot to
diags to export usb drive.
15:44 <dasmoover> yeah
15:44 <dasmoover> i have lib.zip on usb
15:45 <dasmoover> now write a script to mount root and extract?
15:45 <geekmstr> yes...
15:45 <dasmoover> mount /dev/mmcblk0p1 /mnt/mmc
15:46 <dasmoover> unzip /mnt/us/lib.tar /mnt/mmc/
15:46 <dasmoover> does kindle have unzip?
15:46 <geekmstr> you can model it after scripts in my thread. Use the logger
one that pipes ALL output ( all code here ) 2>&1 >>/mnt/us/gmlogs.txt
15:47 <geekmstr> I believe it has unzip. It runs from startup scripts and they
use full path. You could add PATH= at top of script...
15:47 <geekmstr> then do not need full prefix path on all commands like
startup scripts use.
15:48 <geekmstr> mntusb is sourced, and kindle bricks easily from it, so
just use my published on in my data.tar.gz. Look at it though. Good
learning there...
15:48 <dasmoover> okay so now how to run?
15:48 <dasmoover> just rebboot?
15:48 <geekmstr> I like code to fit one screen full. Old school. My scripts
are compact.
15:49 <geekmstr> reboot from menu. Hard reset often does not run payload...
15:49 <dasmoover> D?
15:49 <geekmstr> in diags. reboot from menu.
15:50 <geekmstr> first menu item has a reboot in it. easier than the reboot
buried in the bottom exit menu...
15:50 <geekmstr> touch the first menu item in main screen, then restart there...
15:51 <dasmoover> its restarting
15:51 <geekmstr> I did not publish that yet. I will do screenshots of all the
steps later...
15:51 <dasmoover> still amazon thing
15:51 <dasmoover> happen to have ssh package handy
15:52 <geekmstr> You may need to add a reset for the boot counter if "repair
needed" screen. see the thread. SSH was already installed in main
using yifanlus package. I just copied from main to diags.
15:53 <dasmoover> is that info there
15:54 <geekmstr> https://github.com/downloads/yifanlu/KindleTool/simple_usbnet_1.1.zip
16:13 <dasmoover> how to write back img file in fastboot?
16:13 <dasmoover> i have .img file
16:13 <geekmstr> dd if=/mnt/us/mmcblk0p1.img of=/dev/mmcblk0p1 bs=1024
16:14 <geekmstr> That is probably in 100 posts in the forums. Basic linux.
16:20 <dasmoover> just rebooted.. waiting to see result
16:20 <dasmoover> dunno it still seems bricked
16:20 <dasmoover> i didnt use fastboot
16:20 <dasmoover> i used diags
16:20 <dasmoover> but i wanted to know fastboot
16:21 <dasmoover> i mean i just replaced pl01 and its still not booting up
16:21 <dasmoover> dunno what else could have corrupted
16:22 <geekmstr> did you boot diags (either with ENABLE_DIAGS or with my
boot tool) before writing your p1 image?)
16:22 <dasmoover> boot tool
16:22 <dasmoover> boot tool all times
16:23 <dasmoover> well f--- it wont go into diags now
16:23 <geekmstr> Each reboot goes back to whatever the bootmode var was.
If bootmode = main and no ENABLE_DIAGS, exting diags booted
to main before running payload.
16:23 <geekmstr> Maybe you need to charge the battery more...
16:24 <geekmstr> charge in fastboot mode.
16:24 <geekmstr> next time in diags, add ENABLE_DIAGS with the payload,
before rebooting.
16:25 <geekmstr> Or... do a hard reset with magic key to use my tool.
16:25 <dasmoover> says
16:25 <dasmoover> runmme.done
16:25 <dasmoover> and runme.out
16:25 <dasmoover> so it mustve run
16:25 <geekmstr> It ran from main. writing an image with files open corrupts it.
16:25 <geekmstr> Do it again with ENABLE_DIAGS.
16:26 <geekmstr> And you are using a low battery, so complications there too...
16:26 <dasmoover> so ENABLE_DIAGS on root righ
16:26 <geekmstr> Erase RUNEM.done first or script does not run.
16:26 <geekmstr> ENABLE_DIAGS on usb drive.
16:27 <dasmoover> yah did thatrebooting now
16:27 <geekmstr> Need to update first post. Info in later posts says add
ENABLE_DIAGS and erase RUNME.done and add data.tar.gz
while exporting USB drive in diags.
16:27 <dasmoover> ywah i did all that
16:28 <geekmstr> data.tar.gz erases itself. RUNME.done disables the script.
16:28 <dasmoover> so when its done writing it should boot to diags/
16:29 <geekmstr> It runs ONESHOT mode so a bug does not brick the kindle.
You do NOT need a new data.tar.gz each time -- only if the payload in
/var/local gets deleted (factory restore).
16:30 <geekmstr> The kindle rebuilds /var/local if you dd /dev/zero to
/dev/mmcblk0p3
16:30 <dasmoover> yah i'm wrrwring p1
16:30 <geekmstr> you have ENABLE_DIAGS so it should boot to diags.
16:31 <geekmstr> You may have problems if your battery is too low...
16:31 <dasmoover> its plugged i tho
16:32 <dasmoover> its jut doing the tree stuff
16:32 <geekmstr> It takes a long time to write a 350MB image. If battery low
it will reboot before it completes.
16:32 <geekmstr> Others reported success only after a full recharge in
fastboot mode.
16:34 <geekmstr> You can run the factory_restore script. If you kill
mmcblk0p3 it will rebuild on reboot. If you kill mmcblk0p4 it will
rebuild on reboot. At least that is what the startup scripts say.
16:35 <geekmstr> If it cannot mount p3 or p4 it formats them and copies files
there from /opt
16:38 <geekmstr> It sits at the tree while copying p1.
16:39 <geekmstr> You can use eips to display text on the kindle tree screen.
See my sample RUNME.sh on the first post.
16:39 <geekmstr> You can display progress messages on eink while it runs.
16:40 <geekmstr> But during the dd you can only wait.
16:41 <geekmstr> It can take like 15 minutes or something to copy. Low battery
is a big problem. Not charging during payload. Only draining the
battery (and faster while writing flash).
16:41 <geekmstr> If no luck, charge overnight, and read the thread while it charges...
16:42 <geekmstr> Adding usbnet from the link I posted above allows SSH
from diags and interactive exporation and repair.
17:26 <dasmoover> it is just frozen still
17:26 <dasmoover> unplugged it from computer
17:26 <dasmoover> led died
17:26 <dasmoover> then plugged it into wall
17:26 <dasmoover> waiting now
17:26 <dasmoover> guessing it ran, died
17:27 <dasmoover> so waiting on full charge
17:27 <dasmoover> can get to diags no problem
18:04 <dasmoover> i have all p*
18:30 <dasmoover> all the image blocks
18:31 <dasmoover> anyways i want to use fastboot...
18:31 <geekmstr> You could have mounted it and deleted that tun.ko file and
fixed any script that started it...
18:33 <dasmoover> i f---ed with /lib
18:51 <geekmstr> I had to install libusb-1.0 with apt-get (needed for compile).
18:52 <geekmstr> So you really only need the binary, but I will send all...
18:53 <dasmoover> installed libusb-1.0
18:54 <geekmstr> need to run fastboot with "sudo ./fastboot" or it runs but
only partly works. Usb writing needs sudo...
18:54 <dasmoover> rgr
19:01 <dasmoover> so what command to compile
19:01 <geekmstr> make
19:01 <geekmstr> or make -j5 on a quadcore...
19:02 <dasmoover> gcc -ofastboot fastboot.o protocol.o engine.o
usb_linux.o&&strip fastboot&&upx fastboot>/dev/null
19:02 <dasmoover> /bin/sh: upx: not found
19:02 <dasmoover> make: *** [fastboot] Error 127
19:02 <dasmoover> mb, g
19:02 <dasmoover> nvm fixed
19:02 <geekmstr> I compress my exes with upx. either install upx, or remove
that step from makefile
19:02 <dasmoover> yay it works
19:02 <dasmoover> plugging in kindle now
19:02 <dasmoover> err
19:02 <dasmoover> booting fastboot mode
19:03 <dasmoover> then unplugging and jacking into my linux machine
19:03 <geekmstr> sudo ./fastboot getvar bootmode
19:03 <dasmoover> do i set it via mfg or this tool
19:03 <geekmstr> you can read or write all idme vars with fastboot
19:03 <geekmstr> to get to fastboot mode, need mfgtool.
19:03 <dasmoover> okay
19:03 <dasmoover> brb setting it in
19:04 <geekmstr> In fastboot mode, fastboot tool will see it.
19:04 <geekmstr> usb in, power press, led off, home press, power release.
19:04 <dasmoover> okay sent to fastboot
19:04 <dasmoover> can i unplugand plug into linux now
19:05 <dasmoover> i got fastboot woking
19:05 <geekmstr> try sudo ./fastboot getvar bootmode
19:06 <dasmoover> its running down a bunch of stuff
19:06 <geekmstr> It is normal for "check main" or whatever to fail. The flash
CRC is set at first flash, but mounting a partition from mmc changes
it to not match flash header crc.
19:06 <dasmoover> so now what
19:10 <dasmoover> thats all the command sees
19:10 <geekmstr> But vid/pid is for a different usb device
19:10 <dasmoover> ill unplug em ll
19:10 <dasmoover> ill unplug em all
19:10 <geekmstr> leave kindle plugged in. Put it in USB HID mode. Tell
MfgTool to use fastboot profile. Click start.
19:10 <dasmoover> thats what i did
19:10 <geekmstr> Other devices do not matter.
19:10 <dasmoover> then i unplugged it and put it on my linux box
19:10 <dasmoover> now we are here
19:11 <geekmstr> Did you do sudo?
19:11 <dasmoover> trying to use fastboot
19:11 <dasmoover> yes..
19:11 <geekmstr> It cannot send commands unless root.
19:11 <geekmstr> It must see vendor 0x1949,product 0xd0d0
19:12 <geekmstr> dev(vendor:0x1949,product:0xd0d0,...
19:13 <dasmoover> it still shows same values when kindle is not plugged in
19:13 <geekmstr> The kindle SHOULD go into fastboot mode if you tool can
write usb (needs to be root for usb write access)
19:13 <dasmoover> just sent into fastboot via mfg..
19:14 <dasmoover> unplugging and putting onto linux box now
19:14 <geekmstr> 0x1948 belongs to lab126.
19:14 <dasmoover> LED died on unplug
19:14 <geekmstr> Do not unplug.
19:14 <dasmoover> dude i have to
19:14 <dasmoover> in order to put my windows machine
19:14 <dasmoover> with mfg
19:14 <dasmoover> tolinux box
19:15 <dasmoover> with fastboot
19:15 <dasmoover> how2set fastboot mode in linux then
19:16 <geekmstr> Yifanlu said that the "install fastboot bundle" item in diags
sets fastboot mode. Did not try that myself...
19:16 <dasmoover> ill try to do that
19:16 <geekmstr> mfgtool boot diags. fastboot bundle while plugged into linux
and fastboot running.
19:23 <dasmoover> got it in fastboot mode
19:24 <geekmstr> try sudo ./fastboot getvar bootmode
19:25 <dasmoover> dev(vendor:0x1949,product:0xd0d0,class:0,subclass:0,
protocol:0),writable:1,ifc(class:255,subclass:66,protocol:3),
has_bulk(in:1,out:1),serial_number:0061XXXXXXXXXXXX
19:25 <dasmoover> bootmode: fastboot
19:25 <dasmoover> dev(vendor:0x1949,product:0xd0d0,class:0,subclass:0,
protocol:0),writable:1,ifc(class:255,subclass:66,protocol:3),
has_bulk(in:1,out:1),serial_number:0061XXXXXXXXXXXX
19:26 <dasmoover> finished. total time: 0.001s
19:26 <dasmoover> bootmode: fastboot
19:26 <dasmoover> finished. total time: 0.001s
19:26 <dasmoover> sudo ./fastboot flash system mmcblk0p1.img
19:26 <dasmoover> right
19:26 <geekmstr> that looks good.
19:26 <geekmstr> flash should take many minutes
19:26 <dasmoover> downloading 'system'...
19:26 <dasmoover> OKAY [ 3.764s]
19:26 <dasmoover> writing 'system'...
19:26 <geekmstr> a user on mobileread said it completes in 4 seconds.
Too fast...
19:26 <dasmoover> writing 'system'...
19:26 <dasmoover> OKAY [ 8.991s]
19:26 <dasmoover> finished. total time: 12.756s
19:26 <dasmoover> uhhh
19:27 <geekmstr> It took many minutes on my k4nt...
19:27 <dasmoover> should i erase then put back on? or test first
19:27 <geekmstr> maybe the touch has a fastboot bug?
19:27 <geekmstr> NO do not erase.
19:27 <geekmstr> Flash memory does not need that.
19:27 <geekmstr> that will make it worse.
19:28 <dasmoover> okay
19:28 <dasmoover> guess a reboot
19:28 <geekmstr> You could still to dd to write it from a RUNME.sh instead
of fastboot.
19:28 <dasmoover> or another flash
19:28 <geekmstr> apparently touch fastboot does not flash good, with false
success report.
19:28 <geekmstr> It cannot be that fast.
19:29 <geekmstr> USB is not that fast.
19:29 <geekmstr> I think it is a bug
19:29 <geekmstr> do this:
19:29 <geekmstr> sudo ./fastboot setvar bootmode diags
19:30 <geekmstr> that will boot to diags next time you boot. If not, boot there
with MfgTool.
19:30 <dasmoover> okay how2reboot
19:31 <geekmstr> hold power button 20 seconds.
19:31 <geekmstr> the fastboot reboot command does not work.
19:31 <geekmstr> You can repair it with RUNME.sh. fastboot is buggy on
the touch...
19:32 <dasmoover> ive tried runme.sh
19:32 <dasmoover> it has not worked for me writing the .img
19:32 <geekmstr> You booted main that time...
19:32 <dasmoover> okay will retry
19:32 <dasmoover> have usb up
19:33 <geekmstr> boot diags, export usb, add ENABLE_DIAGS and remove
RUNME.done. reboot. payload will run in diags this time...
19:33 <dasmoover> do i need to redrop data.tar.gz no right?
19:33 <geekmstr> You did not have ENABLE_DIAGS last time. It ran in main...
19:33 <geekmstr> No tar file needed. already dropped expoit that runs
RUNME.sh...
19:34 <dasmoover> okay
19:34 <dasmoover> hard reboot?
19:34 <geekmstr> yes.
19:34 <geekmstr> I think I should change my payload to detect main, set
bootmode=diags, and reboot...
19:34 <geekmstr> and only call RUNME.sh when in diags boot.
19:35 <geekmstr> writing to the partition you booted from will corrupt it...
19:35 <dasmoover> okay hard rebooting wall plugged in
19:32 <dasmoover> fixed :)
20:32 <dasmoover> thank you very much
I posted this IRC session here (with permission), during which a bricked kindle was explored and successful restored to full operation, in hopes that others can learn from it to help them debrick their kindle touch (or k4nt).
As this and other posts show, it is not a good idea to erase or flash partitions with fastboot for touch yet, even though it worked well for my k4nt. But you can flash partitions with the "dd" command just fine.
Be sure to boot diags to flash main from RUNME.sh, and boot main to flash diags from RUNME.sh. It is not good to change a partition that contains open files because you booted from it. Also be sure to have ENABLE_DIAGS set accordingly, because you need to reboot to run the RUNME.sh. It has been reported in various threads that RUNME.sh does not reliably run during a hard reset (long power button hold) so be sure to reboot using a menu item.
Good luck, and good learning! This is not easy (yet). I want a GUI that lets you choose what steps you want to do, and which makes a custom RUNME.sh for you. I want a GUI that runs fastboot for you, and avoids all the command-line stuff, and runs in Windows and Linux and Mac. Now, who is going to write that for me...  EDIT: It seems that ixtab wrote that "GUI" for me (Kubrick)! 
P.S. I want to thank yifanlu who helped me learn this stuff by guiding me through an IRC recovery session similar to the one shown above, but which was spread over a period of about one week, interrupted by studying manuals and code, which helped me debrick my k4nt, when we were first learning about what USB Downloader mode was and how we could use it. I also want to thank all the others who provided feedback and useful pointers that contributed to my learning as much as I have (so far) about this stuff. Thanks guys (and ladies)!
Downloads: See the "simple debricking" sticky.
Last edited by geekmaster; 03-12-2016 at 06:20 PM.
|