Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > Amazon Kindle > Kindle Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 01-22-2012, 12:17 PM   #46
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
Quote:
Originally Posted by yifanlu View Post
Uboot is on the mmc along with the kernel, serial/Mac address, and root partition. They can all be flashed from within Uboot and USB download mode.
I want to understand the kindle boot process so I can execute some code in RAM from USB/HID mode in my bricked K4NT.

The CPU in the new kindles contains a 96KB internal boot ROM (more info here): http://cache.freescale.com/files/32b...t/IMX50CEC.pdf

The boot code in this internal boot ROM is what initializes and mounts the external MMC, from which the linux kernel is loaded. This internal ROM is the same size as u-boot, as shown in this typical example taken from the "Das U-Boot" web page:
Code:
u-boot # tftp 8000 u-boot.bin
From server 10.0.0.1; our IP address is 10.0.0.11
Filename 'u-boot.bin'.
Load address: 0x8000
Loading: ###################
done
Bytes transferred = 95032 (17338 hex)
U-boot knows how to flash this internal flash boot ROM, as well as multiple kinds of external flash memory, including MMC. The MMC in the kindle begins with a partition table, and all four partitions are dedicated to other uses.

If u-boot were in the MMC, where would it go, and what code would then be in the "u-boot sized" Rflash ROM inside the CPU chip? The internal boot loader would have to include much of u-boots functionality just to initialize MMC and "boot" u-boot from MMC, so it might just as well boot the linux kernel directly.

If u-boot is in MMC as you say, could you please point me to some documentation that shows how and where u-boot *can* be loaded from MMC? Thanks.

Last edited by geekmaster; 01-22-2012 at 01:22 PM.
geekmaster is offline   Reply With Quote
Old 01-22-2012, 01:46 PM   #47
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 715
Karma: 2290994
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
I suppose that in Kindle Touch u-boot is in serial flash chip shown by "Cracking open ..." article. I've made full dump of MMC (/dev/mmcblk0) and didn't found any traces of u-boot. But dump file is of 3959422976 bytes long, so it isn't exactly 4G, so it leaves Yifan Lu's theory possibly valid (maybe part of MMC where u-boot is located is hidden from Linux kernel). But, on other side, there is low-level eMMC initialization code in u-boot sources of KT, so it looks like u-boot is loaded not from eMMC...
eureka is offline   Reply With Quote
Old 01-22-2012, 02:10 PM   #48
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
Quote:
Originally Posted by eureka View Post
I suppose that in Kindle Touch u-boot is in serial flash chip shown by "Cracking open ..." article..
...
That flash chip is on the eInk display flex cable. On the k4nt teardown, it was dumped and contained no code. It was speculated that because is contains only "numbers" and it is attached to the replaceable display, it contains eInk calibration data.

Because the Freescale iMX50 CPU chip contains in internal flash boot ROM that is the same size as a typical uboot.bin file, it makes much more sense that u-boot is in the internal flash ROM in the CPU package.

Thanks for confirming that u-boot is not in MMC. This provides one more step on my path of discovery to writing some raw code to inject into kindle RAM and execute with USB/HID mode.

Last edited by geekmaster; 01-22-2012 at 02:37 PM.
geekmaster is offline   Reply With Quote
Old 01-22-2012, 02:36 PM   #49
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 715
Karma: 2290994
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
Quote:
Originally Posted by geekmaster View Post
Because the Freescale iMX50 CPU chip contains in internal flash boot ROM that is the same size as a typical uboot.bin file, it makes much more sense that u-boot is in the internal flash ROM in the CPU package.

Thanks for confirming that u-boot is not in MMC. This provides one more step on my path of discovery to writing some raw code to inject into kindle RAM and execute with USB/HID mode.
Well, I didn't confirmed that u-boot isn't at MMC. And I'm not confirming it now. I've just provided one relevant fact.

Also, I think that i.MX50 boot ROM couldn't be reprogrammed. It's a ROM. And I didn't found anything about boot ROM reprogramming at i.MX50 Reference Manual. Boot ROM supports ROM patching, but it's a runtime mechanism, not one-time reprogramming.

Besides, Kindle u-boot size could be not the same as typical u-boot size.

Last edited by eureka; 01-22-2012 at 05:33 PM. Reason: typo
eureka is offline   Reply With Quote
Old 01-22-2012, 04:00 PM   #50
PoP
Fᵘᶻᶻʸ⅓⋚¹¹⫽₃₃⪓¹¹¹⫻₃₃₃ Mᵃᵗʰ
PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.PoP ought to be getting tired of karma fortunes by now.
 
PoP's Avatar
 
Posts: 494
Karma: 4504893
Join Date: Dec 2010
Location: ♁ ᴺ₄₅°₃₀' ᵂ₇₃°₃₇' ±₆₀"
Device: K3.₄, PRS-350, SGS3, Rπ, iPad Air
Quote:
Originally Posted by yifanlu View Post
Uboot is on the mmc along with the kernel, serial/Mac address, and root partition. They can all be flashed from within Uboot and USB download mode.
I concurr.

I don't have a KTouch or KindleNonTouch which might be different, but in this old Kindle3 post http://www.mobileread.com/forums/sho...7&postcount=10

You can see that the first partition on my Kindle3 starts at block 7688 of the mmc.
Inspecting the blocks prior to the first partition with a hex editor also showed interesting pieces of information, including what appears to be the bootloader.

Offset:
00012F20 U-BOOT 1.3.0-rc3-lab126 [Boot Loader Id]
00040C00 B0A8XXXXXXXXXXXX [Serial Number]
00040C58 28EF01XXXXXX [MAC Address]
00040C64 A0036XXXXXXXX [PCB ID]
00040C80 OH40TWXXXXXXXXXXXXXX [Manufacturer Code]
00041040 Linux-2.6.26-rt-lab126 [Kernel Id]
PoP is offline   Reply With Quote
Old 01-22-2012, 04:08 PM   #51
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
How is ROM patching different from flashing?

What size is the Kindle U-Boot image (after stripping)?

Wherever U-Boot loads from, it is running when USB/HID mode is active. It also has initialized serial I/O and MMC. I would like to be able to call it to output to the serial port, and to access wherever idme stores the board ID and serial number.

So perhaps u-boot lives in the boot record in the partition table then, just like a bootable hard drive contains a boot loader starting on sector zero that interprets the partition table (if it finds one) and loads and executes another boot loader from the primary bootable partition.

Then the code in the CPU must just be to find and load u-boot on whichever supported device contains it, including MMC.

If u-boot lives in sector zero of the partition table, it would start at address zero of the MMC.

I thought eureka examined all of mmc0 and did not see the u-boot information given by PoP.

Still confused, more or less...

Last edited by geekmaster; 01-22-2012 at 04:14 PM.
geekmaster is offline   Reply With Quote
Old 01-22-2012, 04:46 PM   #52
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 715
Karma: 2290994
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
Quote:
Originally Posted by PoP View Post
I don't have a KTouch or KindleNonTouch which might be different, but in this old Kindle3 post http://www.mobileread.com/forums/sho...7&postcount=10

You can see that the first partition on my Kindle3 starts at block 7688 of the mmc.
Inspecting the blocks prior to the first partition with a hex editor also showed interesting pieces of information, including what appears to be the bootloader.

Offset:
00012F20 U-BOOT 1.3.0-rc3-lab126 [Boot Loader Id]
00040C00 B0A8XXXXXXXXXXXX [Serial Number]
00040C58 28EF01XXXXXX [MAC Address]
00040C64 A0036XXXXXXXX [PCB ID]
00040C80 OH40TWXXXXXXXXXXXXXX [Manufacturer Code]
00041040 Linux-2.6.26-rt-lab126 [Kernel Id]
Data from Kindle Touch:
Code:
[root@kindle root]# fdisk -l -u /dev/mmcblk0

Disk /dev/mmcblk0: 3959 MB, 3959422976 bytes
4 heads, 16 sectors/track, 120832 cylinders, total 7733248 sectors
Units = sectors of 1 * 512 = 512 bytes

        Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p1   *       65536      782335      358400  83 Linux
/dev/mmcblk0p2          782336      913407       65536  83 Linux
/dev/mmcblk0p3          913408      978943       32768  83 Linux
/dev/mmcblk0p4          978944     7733247     3377152   b Win95 FAT32
Still, I can't find any traces of u-boot code in dump of /dev/mmcblk0. (Though, kernel is definitely there, Kernel Id is somewhere near address given by you). I've searched for 'u-boot' and didn't found any Boot Loader Id.
eureka is offline   Reply With Quote
Old 01-22-2012, 04:59 PM   #53
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 715
Karma: 2290994
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
Quote:
Originally Posted by geekmaster View Post
How is ROM patching different from flashing?
ROM patching intercepts access to given memory address in runtime. And, I believe, it should be setup in runtime too. Is it different from flashing? If you are curious, you should look into i.MX50 Reference Manual for further information.

Quote:
Originally Posted by geekmaster View Post
What size is the Kindle U-Boot image (after stripping)?
I don't know. Did you measured it's size? If not, why it couldn't be more than 96KB? I think it's possible. So, I've said it without rhethorical questions.
eureka is offline   Reply With Quote
Old 01-22-2012, 05:34 PM   #54
yifanlu
Kindle Dissector
yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.
 
Posts: 662
Karma: 170717
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
Originally Posted by eureka View Post
Data from Kindle Touch:
Code:
[root@kindle root]# fdisk -l -u /dev/mmcblk0

Disk /dev/mmcblk0: 3959 MB, 3959422976 bytes
4 heads, 16 sectors/track, 120832 cylinders, total 7733248 sectors
Units = sectors of 1 * 512 = 512 bytes

        Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p1   *       65536      782335      358400  83 Linux
/dev/mmcblk0p2          782336      913407       65536  83 Linux
/dev/mmcblk0p3          913408      978943       32768  83 Linux
/dev/mmcblk0p4          978944     7733247     3377152   b Win95 FAT32
Still, I can't find any traces of u-boot code in dump of /dev/mmcblk0. (Though, kernel is definitely there, Kernel Id is somewhere near address given by you). I've searched for 'u-boot' and didn't found any Boot Loader Id.
This is just my prediction, but it may be that in Linux, there is no read (and maybe no write) access to some parts of the mmc. For example, I took the Uboot offset for the kernel and dumped that part of /dev/mmcblk0 and got the kernel. System too. But when attempting to dump the serial & boardid information as defined by the offsets in Uboot source, I get all zeros. Maybe it's to protect the device from a virus or something?

I also do know that by dumping the mmc from Uboot on my kindle 2, I get the serial number information, Uboot, and other stuff (eink calibration data). That's where my information came from. I have yet confirmed if it is the same on k4/kt.
yifanlu is offline   Reply With Quote
Old 01-22-2012, 07:49 PM   #55
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 715
Karma: 2290994
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
I've found that eMMC could have "hardware" boot partitions. Which aren't overlapped with user accessible area. (some info)

I've also found path /sys/block/mmcblk0/device/boot_config somewhere in MMC dump, before even start of first partition. Near of this path are strings about update etc., so it should be used by the code from kernel that handles "recovery" updates.

Now, looking at drivers/mmc/core/mmc.c at KT kernel sources, this boot_config file is write-only. And writing to it configures boot partitions. Don't mess with it by writing random values. It could be dangerous.

There is also /sys/block/mmcblk0/device/boot_info which is safe to read. Information from it could be interpreted somehow through reading of mmc.c.

Linux eMMC driver, used in KT, doesn't see boot paritions. So it's possible that u-boot is stored on it. (BTW, recent eMMC drivers could see these partitions as separate /dev/mmcblk0bootX, as patch has been provided.)

EDIT: there are some suspicious comments in mmc.c:
Code:
	/* switch the partitions that used to be accessed in OS layer */
	/* partition must be -
	 * 0 - user area
	 * 1 - boot partition 1
	 * 2 - boot partition 2
	 */
Code:
	/* Send SWITCH command to change partition for access */
UPD: and according to i.MX50 MCU Reference Manual, it can boot from such the boot partition.

Last edited by eureka; 01-22-2012 at 08:11 PM.
eureka is offline   Reply With Quote
Old 01-22-2012, 08:04 PM   #56
geekmaster
Всё гениальное просто.
geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.geekmaster ought to be getting tired of karma fortunes by now.
 
geekmaster's Avatar
 
Posts: 5,070
Karma: 6789001
Join Date: Nov 2011
Location: Щедрость не имеет пределов.
Device: *.*
I wonder how idme is able to read and write that information if it is hidden.
geekmaster is offline   Reply With Quote
Old 01-22-2012, 08:11 PM   #57
yifanlu
Kindle Dissector
yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.yifanlu can program the VCR without an owner's manual.
 
Posts: 662
Karma: 170717
Join Date: Jul 2010
Device: Amazon Kindle 3
Quote:
Originally Posted by geekmaster View Post
I wonder how idme is able to read and write that information if it is hidden.
That's why I believe it may be write only. Because idme's code uses /proc/serial and stuff to read and fwrite() to write vars to the mmc. The /proc entries could be exported by the kernel, because otherwise, why not just fread() the mmc.
yifanlu is offline   Reply With Quote
Old 01-22-2012, 08:32 PM   #58
eureka
but forgot what it's like
eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.eureka ought to be getting tired of karma fortunes by now.
 
Posts: 715
Karma: 2290994
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
Just a note: /proc entries used by idme are set by kernel at arch/arm/mach-mx5/boardid.c. There is a comment for init procedure: "copy the serial numbers from the special area of memory into the kernel". And these /proc files are read-only.
eureka is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
[Kindle Touch] Boot over USB HID serial / "USB downloader" mode eureka Kindle Developer's Corner 16 02-25-2012 10:21 PM
Kindle Touch bricked? LittleLui Kindle Developer's Corner 4 12-30-2011 03:18 PM
Abusing the internal USB-port of a kindle touch WiFi Crackpot Kindle Developer's Corner 12 12-27-2011 05:04 PM
Kindle apps...iPod touch...can I use usb to download to an iPod touch? aznativegirl Amazon Kindle 1 09-20-2009 11:21 AM
completely bricked, tried all the tricks, but still have USB access Magnum6 Sony Reader 3 08-08-2007 03:03 PM


All times are GMT -4. The time now is 10:51 AM.


MobileRead.com is a privately owned, operated and funded community.