Old 03-10-2011, 04:45 PM   #4
yifanlu
Kindle Dissector
 
Posts: 662
Karma: 475607
Join Date: Jul 2010
Device: Amazon Kindle 3
I'm actually looking into the Kindle recovery process. My findings aren't complete, but I'm looking for a way to restore firmware without the recovery port. If anyone has more knowledge, please contribute.

The Kindle kernel (on two separate partitions (backup) from rootfs and fat32) contains a small initramfs that contains a recovery script. This script, unlike otaup, is hard-coded as an ARM binary, and all resources (binaries, images, strings) are found in the file. Basically, this script can run without almost any dependencies. Now, this script is very similar to otaup. First it looks for update*.bin. Then it checks the bin headers for FB01 (recovery update). Then it extracts from it and looks for:

rootfs.img.gz, rootfs.img.gz.sig
diagsfs.img.gz, diagsfs.img.gz.sig
imx35_luigi/u-boot.bin, imx35_luigi/u-boot.bin.sig
imx35_luigi/uImage, imx35_luigi/uImage.sig
imx31_mario/u-boot.bin, imx31_mario/u-boot.bin.sig
imx31_mario/uImage, imx31_mario/uImage.sig

Basically: compressed rootfs image, compressed diagsfs image (the script seems to ignore this though), bootloader and kernel. (imx35 = Kindle 3, imx31 = Kindle 2/DX.) Then it SHA256s the file to get the digest and encodes it with an RSA-1024 key and a different RSA-2048 key, comparing it to the .sig. If the signature passes, it will extract rootfs.img.gz into the root partition and flash the necessary kernel and bootloaders.

Now what I want to do is bypass signature checks. The public keys are stored in the binary as a hex sequence. They are the same public keys that are base64-encoded in /etc/uks. I got my script to run after decompressing the kernel (twice), extracting the recovery script, modifying it to use the jailbreak keys, and recompressing it into the kernel. However, this is useless if your Kindle is already bricked. Maybe the next jailbreak script will modify this recovery script? The upside is that so far, Amazon has never used this recovery script outside their factory. It is most likely used to upload the first rootfs. However, if Amazon ever releases a recovery image or a full update file, it would be unusable.

Another interesting thing is that if you make a diagsfs.img and place it along with ENABLE_DIAGS on the fat32 root, I THINK the recovery script will mount it. However, my ARM asm knowledge is flaky, and after an hour of reading the IDA Pro disassemblies, I still am not sure how that works.

Finally, it is really interesting what is in this recovery script. Tons of code. Maybe after Amazon gets aggressive with blocking jailbreaks, we can exploit this script to jailbreak or something.

Also: I wonder how often people brick their Kindles? I bricked my fair share of Kindles (thank god for TTL recovery port). Is it worth the effort to research and develop a recovery package?
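The check flow yifanlu describes above (FB01 header, the fixed file list, SHA-256 of each payload compared against its .sig under one of two trusted RSA public keys, and the "swap in the jailbreak key" bypass) modelled as an added example. This is not Amazon's recovery code nor yifanlu's patched script. Assumptions, labelled in the code: textbook RSA over the raw SHA-256 digest with no padding (the post does not say what padding the real script uses); toy 512-bit keys in place of the RSA-1024 and RSA-2048 keys; the update container is taken as already extracted into a path-to-bytes dict, with only its FB01 tag modelled; diagsfs.img.gz is treated as optional because the post says the script seems to ignore it. The key generation, sample payloads and file names used in demo() are constructed for the example.

```python
"""Toy model of the Kindle recovery-image signature check described in the post.

Added example, not Amazon's code. Assumptions: textbook RSA on the raw SHA-256
digest (no padding); toy 512-bit keys instead of the 1024/2048-bit keys in the
post; the update bundle is a pre-extracted dict and only its 'FB01' tag is modelled.
"""
import hashlib
import random

# File set the post says the recovery script looks for inside an FB01 update.
REQUIRED = [
    "rootfs.img.gz",
    "imx35_luigi/u-boot.bin", "imx35_luigi/uImage",   # imx35 = Kindle 3
    "imx31_mario/u-boot.bin", "imx31_mario/uImage",   # imx31 = Kindle 2 / DX
]
OPTIONAL = ["diagsfs.img.gz"]   # listed, but the post says the script seems to ignore it
RECOVERY_MAGIC = b"FB01"        # header tag the post says marks a recovery update


def _small_primes(limit=200):
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(limit) if sieve[i]]


SMALL_PRIMES = _small_primes()


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with trial division first (toy key generation only)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand, rng):
            return cand


def gen_keypair(bits, rng, e=65537):
    """Return (public, private) = ((n, e), (n, e, d)). Toy sizes: bits=512 here."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, e, pow(e, -1, phi))


def _digest_int(data):
    # n >= 2^510 for a 512-bit key, so the 256-bit digest is always < n (no padding: assumption).
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, _e, d = priv
    return pow(_digest_int(data), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify(pub, data, sig):
    n, e = pub
    s = int.from_bytes(sig, "big")
    return 0 < s < n and pow(s, e, n) == _digest_int(data)


def check_update(header, files, trusted_pubkeys):
    """Mimic the recovery script's decision. Returns (accepted, log lines)."""
    log = []
    if not header.startswith(RECOVERY_MAGIC):
        return False, ["header is not FB01 (not a recovery update)"]
    for name in REQUIRED + OPTIONAL:
        if name not in files:
            if name in OPTIONAL:
                log.append(f"{name}: absent, skipped")
                continue
            return False, log + [f"{name}: missing"]
        sig = files.get(name + ".sig")
        if sig is None:
            return False, log + [f"{name}: no .sig"]
        # Like the post's description: the .sig must verify under one of the embedded keys.
        if not any(verify(k, files[name], sig) for k in trusted_pubkeys):
            return False, log + [f"{name}: signature does not verify under any trusted key"]
        log.append(f"{name}: ok")
    return True, log


def build_bundle(signing_key):
    """Constructed sample bundle: placeholder payloads, each signed with signing_key."""
    files = {}
    for name in REQUIRED + OPTIONAL:
        payload = f"constructed placeholder for {name}".encode()
        files[name] = payload
        files[name + ".sig"] = sign(signing_key, payload)
    return files


def demo():
    """Stock keys reject a jailbreak-signed bundle; swapping the key in accepts it;
    a tampered payload is rejected again. Returns the three accept/reject verdicts."""
    rng = random.Random(2011)                       # seeded so the example is repeatable
    vendor_pub1, _ = gen_keypair(512, rng)          # stands in for the RSA-1024 key
    vendor_pub2, _ = gen_keypair(512, rng)          # stands in for the RSA-2048 key
    jb_pub, jb_priv = gen_keypair(512, rng)         # stands in for the jailbreak key
    bundle = build_bundle(jb_priv)
    stock, _ = check_update(b"FB01", bundle, [vendor_pub1, vendor_pub2])
    patched, _ = check_update(b"FB01", bundle, [jb_pub, vendor_pub2])
    tampered = dict(bundle)
    tampered["rootfs.img.gz"] += b"\x00"
    tampered_ok, _ = check_update(b"FB01", tampered, [jb_pub])
    return stock, patched, tampered_ok


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

The three verdicts from demo() are the whole point of the post's key-swap trick: nothing about the bundle changes between the first and second check, only which public keys the recovery code trusts. A real tool would use a proper RSA implementation with PKCS#1 padding rather than this textbook variant.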