Old 11-09-2012, 07:03 PM   #1
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Unlocking the Kindle Paperwhite

The location of the Kindle Paperwhite's serial port has been confirmed:
https://www.mobileread.com/forums/sho...40&postcount=4

(And prefixed and indexed)
This should open the door to unlocking the Kpw machines that have firmware 5.3.0 installed without a jailbreak or pre-installed.

Multiple ways should be possible, from manual command line access to setting u-boot to either network boot or to run an autoscript.

Just stick your solutions in this thread, I'll keep the prefix index updated.
knc1 is offline   Reply With Quote
Old 11-17-2012, 06:24 PM   #2
awh_tokyo
Enthusiast
Posts: 33
Karma: 10
Join Date: Jun 2007
Location: Tokyo, Japan
Device: PRS-505
It's 1.8V, right?
awh_tokyo is offline   Reply With Quote
Old 11-17-2012, 06:39 PM   #3
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by awh_tokyo View Post
It's 1.8V, right?
Correct.
knc1 is offline   Reply With Quote
Old 11-18-2012, 09:14 AM   #4
h1uke
Zealot
Posts: 121
Karma: 82565
Join Date: Aug 2010
Location: Maryland, USA
Device: dxg, k3w,k4nt,kpw
Quote:
Originally Posted by knc1 View Post
Just stick your solutions in this thread, I'll keep the prefix index updated.
sorry, this is not a solution yet, but I'm pretty sure that by using a proper factory cable
one can put their KPW directly into a Diag Mode.
Analyzing the u-boot source code and 34708 PMIC datasheet almost confirmed that.
I already made a cable, but couldn't find a proper resistor around.. later.
h1uke is offline   Reply With Quote
Old 11-18-2012, 09:34 AM   #5
NiLuJe
BLAM!
Posts: 13,477
Karma: 26012492
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
@h1uke: Huh, that reminds me of what could be done on the Samsung Galaxy SI on the models where the 'magic keys' to boot into recovery were borked...

Last edited by NiLuJe; 11-18-2012 at 10:13 AM.
NiLuJe is offline   Reply With Quote
Old 11-18-2012, 09:43 AM   #6
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Originally Posted by h1uke View Post
sorry, this is not a solution yet, but I'm pretty sure that by using a proper factory cable
one can put their KPW directly into a Diag Mode.
Analyzing the u-boot source code and 34708 PMIC datasheet almost confirmed that.
I already made a cable, but couldn't find a proper resistor around.. later.
That "factory cable" at your first link is just a homebrew microUSB cable, with the addition of a 1K resistor on the ID pin. Does the PW support that? It would be great if this can be done with such a cable.

Some "host mode" adapter cables already have such a jumper. It could be interesting to see if one of those can be used. EDIT: No, the ID pin connects to GND on an OTG host mode cable, but in a factory cable it connects to +5v.

Last edited by geekmaster; 11-18-2012 at 10:19 AM.
geekmaster is offline   Reply With Quote
Old 11-18-2012, 09:55 AM   #7
h1uke
Zealot
Posts: 121
Karma: 82565
Join Date: Aug 2010
Location: Maryland, USA
Device: dxg, k3w,k4nt,kpw
Quote:
Originally Posted by NiLuJe View Post
@h1uke: Huh, that reminds me of what could be done on the Samsung Galaxy SI
as we can see, exactly the same cable is used for Kindle Fire...
h1uke is offline   Reply With Quote
Old 11-18-2012, 10:11 AM   #8
h1uke
Zealot
Posts: 121
Karma: 82565
Join Date: Aug 2010
Location: Maryland, USA
Device: dxg, k3w,k4nt,kpw
Quote:
Originally Posted by geekmaster View Post
That "factory cable" at your first link is just a homebrew microUSB cable, with the addition of a 1K resistor on the ID pin. Does the PW support that? It would be great if this can be done with such a cable.
u-boot/ imx50_yoshi.c says (CONFIG_BIST, CONFIG_CMD_PMIC and CONFIG_CMD_IDME are defined):

Code:
inline int check_boot_mode(void) 
{
	char boot_mode[20];
	char boot_cmd[20];

#ifdef CONFIG_BIST
	setenv("bootdelay", "-1");
#endif

#if defined(CONFIG_CMD_IDME)
	if (idme_get_var("bootmode", boot_mode, 20)) 
#endif
	{
	    return -1;
	}

	boot_cmd[0] = 0;

	if (!strncmp(boot_mode, "diags", 5)) {
	    printf ("BOOTMODE OVERRIDE: DIAGS\n");
	    strcpy(boot_cmd, "run bootcmd_diags");
	} else if (!strncmp(boot_mode, "fastboot", 8)) {
	    printf ("BOOTMODE OVERRIDE: FASTBOOT\n");
	    strcpy(boot_cmd, "run bootcmd_fastboot");
	} else if (!strncmp(boot_mode, "factory", 7)) {
#if defined(CONFIG_PMIC)
	    if (pmic_charging()) {
		char *cmd = (char *) CONFIG_BISTCMD_LOCATION;		
		/* Ignore any bist commands */
		cmd[0] = 0;

		printf ("BOOTMODE OVERRIDE OVERRIDE: DIAGS\n");

#if defined(CONFIG_CMD_IDME)
		/* Update bootmode idme var */
		idme_update_var("bootmode", "diags");
#endif
		/* Set the bootcmd to diags and boot immediately */
		setenv("bootcmd", "run bootcmd_diags");
		setenv("bootdelay", "0");
		
		return 0;

	    }
#endif	//CONFIG_PMIC
	    printf ("BOOTMODE OVERRIDE: FACTORY\n");
	    strcpy(boot_cmd, "run bootcmd_factory");
	} else if (!strncmp(boot_mode, "reset", 7)) {
	    printf ("BOOTMODE OVERRIDE: RESET\n");
	    strcpy(boot_cmd, "bist reset");
	} else if (!strncmp(boot_mode, "main", 4)) {
	    /* clear bootargs */
	    setenv("bootargs", "\0");

	    /* set bootcmd back to default */
	    sprintf(boot_cmd, "bootm 0x%x", CONFIG_MMC_BOOTFLASH_ADDR);
	    return 0;
	} else {
	    return 0;
	}
	
	setenv("bootcmd", boot_cmd);

	return 0;
}


i.e. the diag mode is forced if pmic_charging() returns nonzero:

Code:
int pmic_charging(void)
{
    int ret;
    unsigned sense_0 = 0;

    /* Detect if a cable is inserted */
    ret = pmic_read_reg(MC34708_REG_INT_SENSE0, &sense_0);
    if (!ret)
	return 0;

    DBG("snse: 0x%x\n\n", sense_0);

    return ((sense_0 & INT0_USBDETS) != 0);
}


and this, in turn, is based on INT0_USBDETS which, according to the datasheet, reflects
the voltage applied to the ID pin (#4)

Quote:
Originally Posted by geekmaster View Post
Some "host mode" adapter cables already have such a jumper. It could be interesting to see if one of those can be used.
as far as I know, the host mode cables have this ID wire grounded.
h1uke is offline   Reply With Quote
Old 11-18-2012, 10:18 AM   #9
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Originally Posted by h1uke View Post
... as far as I know, the host mode cables have this ID wire grounded.
You are correct. I just tested an OTG host mode cable, which did not work. Then I looked up the pinout, and the ID pin is connected to GND. For the "factory cable" it needs to be pulled high, to the +5v pin.

EDIT: I see that you can buy a (fastboot) "factory cable" ready made if you lack soldering skills to make your own:
http://www.ebay.com/itm/251034207176

Last edited by geekmaster; 11-18-2012 at 10:38 AM.
geekmaster is offline   Reply With Quote
Old 11-18-2012, 10:44 AM   #10
eureka
but forgot what it's like
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
Quote:
Originally Posted by h1uke View Post
u-boot/ imx50_yoshi.c says (CONFIG_BIST, CONFIG_CMD_PMIC and CONFIG_CMD_IDME are defined):

Code:
inline int check_boot_mode(void) 
{
	char boot_mode[20];
	char boot_cmd[20];

#ifdef CONFIG_BIST
	setenv("bootdelay", "-1");
#endif

#if defined(CONFIG_CMD_IDME)
	if (idme_get_var("bootmode", boot_mode, 20)) 
#endif
	{
	    return -1;
	}

	boot_cmd[0] = 0;

	if (!strncmp(boot_mode, "diags", 5)) {
	    printf ("BOOTMODE OVERRIDE: DIAGS\n");
	    strcpy(boot_cmd, "run bootcmd_diags");
	} else if (!strncmp(boot_mode, "fastboot", 8)) {
	    printf ("BOOTMODE OVERRIDE: FASTBOOT\n");
	    strcpy(boot_cmd, "run bootcmd_fastboot");
	} else if (!strncmp(boot_mode, "factory", 7)) {
#if defined(CONFIG_PMIC)
	    if (pmic_charging()) {
		char *cmd = (char *) CONFIG_BISTCMD_LOCATION;		
		/* Ignore any bist commands */
		cmd[0] = 0;

		printf ("BOOTMODE OVERRIDE OVERRIDE: DIAGS\n");

#if defined(CONFIG_CMD_IDME)
		/* Update bootmode idme var */
		idme_update_var("bootmode", "diags");
#endif
		/* Set the bootcmd to diags and boot immediately */
		setenv("bootcmd", "run bootcmd_diags");
		setenv("bootdelay", "0");
		
		return 0;

	    }
#endif	//CONFIG_PMIC
	    printf ("BOOTMODE OVERRIDE: FACTORY\n");
	    strcpy(boot_cmd, "run bootcmd_factory");
	} else if (!strncmp(boot_mode, "reset", 7)) {
	    printf ("BOOTMODE OVERRIDE: RESET\n");
	    strcpy(boot_cmd, "bist reset");
	} else if (!strncmp(boot_mode, "main", 4)) {
	    /* clear bootargs */
	    setenv("bootargs", "\0");

	    /* set bootcmd back to default */
	    sprintf(boot_cmd, "bootm 0x%x", CONFIG_MMC_BOOTFLASH_ADDR);
	    return 0;
	} else {
	    return 0;
	}
	
	setenv("bootcmd", boot_cmd);

	return 0;
}
i.e. the diag mode is forced if pmic_charging() returns nonzero
It should work only if boot_mode is set to "factory", right? By default, boot_mode is set to "main". It's initialized from some configuration variable (idme variable), persistently stored at eMMC. You can change bootmode from U-Boot console (by idme command) or from root shell on device (by /usr/sbin/idme tool).
eureka is offline   Reply With Quote
Old 11-18-2012, 11:07 AM   #11
geekmaster
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Originally Posted by eureka View Post
It should work only if boot_mode is set to "factory", right? By default, boot_mode is set to "main". It's initialized from some configuration variable (idme variable), persistently stored at eMMC. You can change bootmode from U-Boot console (by idme command) or from root shell on device (by /usr/sbin/idme tool).
Another "catch-22" situation. The factory cable may only work if bootmode = factory, but you need root access to change that bootmode var. After you have root, you no longer need factory mode.
geekmaster is offline   Reply With Quote
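
The gating eureka and geekmaster describe, as an added example that is not part of the original posts or the U-Boot source: a host-side C model of the quoted check_boot_mode() branches, with the idme "bootmode" value and the pmic_charging() result passed in as parameters. The struct, enum and function names are hypothetical, and CONFIG_PMIC is assumed to be defined.

```c
/* Added example: host-side model of the check_boot_mode() decision quoted
 * above. Type and function names are hypothetical; the IDME variable and the
 * PMIC sense bit become plain parameters. Assumes CONFIG_PMIC is defined. */
#include <stdio.h>
#include <string.h>

enum boot_target { BOOT_DEFAULT, BOOT_DIAGS, BOOT_FASTBOOT, BOOT_FACTORY, BOOT_RESET };

struct boot_decision {
    enum boot_target target;   /* which bootcmd ends up selected */
    const char *next_bootmode; /* idme "bootmode" value after this boot */
};

/* bootmode: persistent idme "bootmode" value.
 * usb_detected: what pmic_charging() reports (INT0_USBDETS set). */
struct boot_decision model_check_boot_mode(const char *bootmode, int usb_detected)
{
    struct boot_decision d = { BOOT_DEFAULT, bootmode };

    if (!strncmp(bootmode, "diags", 5)) {
        d.target = BOOT_DIAGS;
    } else if (!strncmp(bootmode, "fastboot", 8)) {
        d.target = BOOT_FASTBOOT;
    } else if (!strncmp(bootmode, "factory", 7)) {
        if (usb_detected) {
            /* Only branch that reads the PMIC; it also rewrites bootmode. */
            d.target = BOOT_DIAGS;
            d.next_bootmode = "diags";
        } else {
            d.target = BOOT_FACTORY;
        }
    } else if (!strncmp(bootmode, "reset", 7)) {
        d.target = BOOT_RESET;
    }
    /* "main" and unknown values leave bootcmd at its default. */
    return d;
}

/* 1 if the cable state can change the outcome for this bootmode, else 0. */
int cable_matters(const char *bootmode)
{
    return model_check_boot_mode(bootmode, 0).target !=
           model_check_boot_mode(bootmode, 1).target;
}

int main(void)
{
    static const char *names[] = { "default", "diags", "fastboot", "factory", "reset" };
    static const char *modes[] = { "main", "factory", "diags", "fastboot", "reset" };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        struct boot_decision off = model_check_boot_mode(modes[i], 0);
        struct boot_decision on = model_check_boot_mode(modes[i], 1);
        printf("%-8s no cable -> %-8s cable -> %-8s cable matters: %d\n",
               modes[i], names[off.target], names[on.target], cable_matters(modes[i]));
    }
    return 0;
}
```

The table it prints shows the cable state changing the result only for bootmode "factory", and that this path also persists bootmode as "diags" for later boots.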
Old 11-18-2012, 11:27 AM   #12
h1uke
Zealot
Posts: 121
Karma: 82565
Join Date: Aug 2010
Location: Maryland, USA
Device: dxg, k3w,k4nt,kpw
Quote:
Originally Posted by eureka View Post
It should work only if boot_mode is set to "factory", right?
Thank you for pointing to that.
There's a great chance that the 'factory' mode can be entered from the Settings menu.
Will check.
h1uke is offline   Reply With Quote
Old 03-12-2013, 02:39 PM   #13
hawhill
Wizard
Posts: 1,379
Karma: 2155307
Join Date: Nov 2010
Location: Goettingen, Germany
Device: Kindle Paperwhite, Kobo Mini
Sorry to dig out such old stuff, but did you get any further with playing with the ID pin on the micro USB connector? I've just read PMIC datasheets - does the KPW really use the MC34708? I'm asking because the kernel on a running device reports a MC13892 instead. But the latter is not plausible on an i.MX50 device - maybe just re-used old code from the i.MX35 devices on the software side.

I'd be interested in whether the UART pass-through would work when it really is a MC34708 (and the cited uboot code seems to indicate that). The "factory mode" seems to be related to powering only (and the ID pin is pulled high for that, see ). The UART modes however seem to be triggered by pulling the ID pin low with a 150 kOhm resistor (table 95 in the MC34708 datasheet). For general circuit of UART operation, see figure 30. Then there are also the JIG UART cable resistance values.

Well, maybe I need to do a lab weekend myself.
hawhill is offline   Reply With Quote