Restore ;log command for 5.12.* firmware

[Junket]

Quote:

Originally Posted by knc1

it says "securecpu" (that SoC option blows a physical fuse, which results in '0' being the secure state).

This is news to me and I owe you an apology. Every OTP, SOC or fused eMMC that I've ever worked with has secure = 1 (logically denoted as "1", I know that a blown fuse for an old school masked chip is an electrical open). So news to me that secure = 0 for Kindle.

Thanks for explaining & I'll drink more coffee before posting next time.

takes a seat in the corner and looks around for a pointy hat. or a data sheet even

[MrTick]

I'm not 100% sure regarding this particular secureCpu mechanism, nor how trip-able is et here, however I can see following piece of code in the Amazon's published source:

uboot/board/lab126/mx6sll_rex/secure_boot_cfg.c:

Code:

static int is_secure_cpu(void)
{
    u32 val;
    int n = 0;

	if (!is_hab_enabled()) {
		printf("is_secure_cpu: SEC_CONFIG is not set\n");
		return 0;
	}

	for (n=0; n<SRK_HASH_BANK_SIZE; n++) {
		if (fuse_read(SRK_HASH_BANK, n, &val)) {
			printf("is_secure_cpu: fuse reading bank %d word %d failed\n", SRK_HASH_BANK, n);
			return 0;
		}
		if ( val != srk_hash[n] ) {
			printf("is_secure_cpu: bank %d word %d reading not matching (0x%x)\n", SRK_HASH_BANK, n, val);
			return 0;
		}
	}

    return 1;
}

So cpu is secure when secure_cpu returns 1.
This function is then used to prepare kernel boot command parameters:

Code:

secure_cpu = is_secure_cpu();
(...)
sprintf(secure_args, "secure_cpu=%d androidboot.secure_cpu=%d androidboot.prod=%d androidboot.unlocked_kernel=%s",
			secure_cpu, secure_cpu, production, unlocked ? "true" : "false");

I can be totally wrong here: SRK_HASH_BANK is a fuse bank, but not a tripable one.
They can probably be reset to 0 but that'll likely also purge the kernel verification keys/certificates (for some Snapdragon SoCs it was purging also the DRM partition, I'm not sure how it works here, I'm still searching for some docs)

After the system is already started the value of secureCpu, prodVersion and unlockedKernel is not taken from the fusebank anymore but from /proc/cmdline that is set during uboot and does not change in runtime.

Example content of /proc/cmdline from a locked and secured device:

Code:

"console=ttymxc0,115200 consoleblank=0 uart_at_4m root=/dev/mmcblk1p8 rootwait quiet secure_cpu=1 androidboot.secure_cpu=1 androidboot.prod=1 androidboot.unlocked_kernel=false"

As for the code:

Code:

if [ "$prodVersion" == "0" -o "$unlockedKernel" == "true" -o "$secureCpu" = "0" ]; then

This single equal sign is probably a typo, but a harmless one, as for bash == is same as =

[NiLuJe]

IIRC, there's a depgraph tool in the upstart distribution *itself* (except it's of course not shipped on Kindle).

I can't for the life of me remember its name, though (hell, I couldn't even remember the name "upstart" yesterday -_-").

[MrTick]

There was initctl2dot tool added to upstart ~2012. Unfortunately Kindle uses upstart build from 2010...
I tried to port it directly from the upstart package as it actually a python3 script, but kindle upstart implementation does not provide necessary interfaces for the script to work... (initctl show-config)

[Junket]

FWIW, sounds like initctl2dot hails from March 2011.

[MrTick]

Soooo... I've written a script that mimics initctl show-convig -e functionality on a given folder.

I've transferred whole /etc/upstart to PC:

Code:

> ./initctl_show_config.sh upstart/ > upstart.txt # this took many seconds :)
> python initctl2dot.py -f upstart.txt -o upstart.dot
> dot -Tjpg -o kindle_upstart.jpg upstart.dot

Result is attached: kindle_upstart_PW4_5.10.3.jpg

Quote:

Emits denoted by green lines.
Start on denoted by blue lines.
Stop on denoted by red lines.

This is a little modded system, so we can se i.e. following block:

[Hzj_jie]

I did not remember I have installed the hotfix, but it works perfectly fine for my voyage and pw4. Thank you.

[exile2]

Quote:

Originally Posted by MrTick

This will work if and only if recent jailbreak hotfix was installed before the update.

This script modifies debug_cmds.json file so it includes again ;log command.
It also adds ;mrpi command that launches mrpi (has to be installed in the default extensions location)

Code:

{
    ";log" : "/usr/bin/logThis.sh",
    ";mrpi" : "/mnt/us/extensions/MRInstaller/bin/mrinstaller.sh launch_installer",

This is most useful for people that have Kindle updated to >=5.12.2 with jailbreak only.
KUAL installation requires MRPI and MRPI requires ;log command to install KUAL (or maybe there's an easier method I've missed somewhere?...)

Installation:

1. copy emergency.sh to the root USB folder
2. restart your Kindle (Menu->Settings->Restart)
3. verify the script was executed: following files will apper:
   • done_emergency.sh
   • old_debug_cmds.json
   • new_debug_cmds.json
4. restart your Kindle again

If the files from 3. did not appear and you can still see emergency.sh file then try reinstalling the JB hotfix.

After successful execution you can unpack MRPI to USB root, add KUAL package to mrpackages folder and run ;mrpi command.

Note: if anything goes wrong, i.e new_debug_cmds.json looks malformed, copy emergency_revert.sh to USB root, rename it to emergency.sh and restart the Kindle.

EDIT: this debug-list fix can probably be included in JB hotfix, but quoting logThis.sh code:

Great, thanks a lot for that!! For my Voyage and FW 5.12.3 the actual hotfix didn't work. Your solution did.

[Lepri]

Thanks a lot! It restored access to the jb. I thought I lost my JB when updated with 1.15 hotfix.

[lucasrato]

I love you so so so so much!!!

It restored my JB as well, after updating to the 5.12.2. It's been a couple months since I wasn't turning the airplane mode off, awaiting for a solution. Today I found it!

Thanks!!!!!

[tannenba]

Thank you Mr Tick for sharing!

The steps you listed in your first post worked perfectly for me,
I now can play chess again on my Kindle PW 3 running 5.12.3.

FWIW, the new KUAL hotfix via UYK did not work for me, I got an error 7. But following the steps in the first post of this thread restored everything.

Happy new year everyone.

[rogerinnyc]

Another vote of "Thanks" to MrTick for this jailbreak restore technique. I had given up hope when my Kindle Voyage updated to 5.12.3 and lost the screensavers and font hacks. Following the steps in the first post completely restored them. As noted in the post immediately above, the Kual hotfix (from the coplate) archive does not install via Update Your Kindle. Since you've got ;log mrpi working again, you should just use the regular install bin (not the hotfix) from the coplate archive and drop it into mrpackages.

[NiLuJe]

Nope, don't use coplate's packages, the code is *horribly* outdated, and will *NOT* protect your JB on current FW versions.

When you've restored ;log like this, use the *bridge* install package from the JB instead.

[dayveeboi]

Hi, I'm trying to follow along here but I think I have hit a wall. I have a PW3 and lost my JB after an OTA. I'm not sure when exactly it happened, but I only noticed the other day.

The device has a G090 serial number, and has firmware version 5.12.3

I used the script from this thread to restore the ;log command but I am unable to install packages with mrpi (error 126), and if I use UYK I get Error 007.

I will include a pastebin to my MRPI log if anyone is interested and has the time to take a look and has any advice for me - https://pastebin.com/tHuJyUUC

Thanks.

[NiLuJe]

Same issue as https://www.mobileread.com/forums/sh...d.php?t=327855 (your bridge was too old, it suffers from the 5.10 bug, among potentially a host of other bugs).

I *think* at the time we fixed that via a JB hotfix, but if you've accumulated enough issues that make a hotfix unusable, you're now mostly screwed.