MobileRead Forums - View Single Post

yifanlu · 03-29-2011, 11:29 PM

I'm not going to start a new thread because I'm not releasing anything yet, but currently, I'm looking into the Kindle recovery script. Why? Because I accidentally deleted the "lib" folder from one of my Kindles and it refuses to boot now. (Stupid, I know). The problem is that recovery scripts are signed AND the "export MMC" feature that allows USB access to the entire NAND is password protected. I already patched the recovery script signature check with the jailbreak keys. Currently I've disassembled the recovery script and am trying to find the logic of the password check for the export MMC. I'm hoping to find a place in the code to patch where there will be the least amount of side effects. For example, I tried patching the CMP R0, #0 (check if check_pass function returned 0) with CMP R0, R0 (always return true), however, it's doing something weird by setting the Kindle into diagnostics mode.

Basically, the script isn't completely finished yet, but IF you have a bricked Kindle AND have access to the recovery port AND you know your Kindle is unrecoverable by any other means (for example, you pressed Enter on startup and choose "I" to reformat partitions or "U" to try to update and it doesn't work anymore). You can help me test by PMing me with your Kindle model and the problem. Again, it's not finished yet, but I'll be taking beta testers.

Also, if you know of a easier way to recover a Kindle that has the root partition formatted, PLEASE tell me. Anything is easier then disassembling an ARM binary.

03-29-2011, 11:29 PM	#263
yifanlu Kindle Dissector Posts: 662 Karma: 475607 Join Date: Jul 2010 Device: Amazon Kindle 3	I'm not going to start a new thread because I'm not releasing anything yet, but currently, I'm looking into the Kindle recovery script. Why? Because I accidentally deleted the "lib" folder from one of my Kindles and it refuses to boot now. (Stupid, I know). The problem is that recovery scripts are signed AND the "export MMC" feature that allows USB access to the entire NAND is password protected. I already patched the recovery script signature check with the jailbreak keys. Currently I've disassembled the recovery script and am trying to find the logic of the password check for the export MMC. I'm hoping to find a place in the code to patch where there will be the least amount of side effects. For example, I tried patching the CMP R0, #0 (check if check_pass function returned 0) with CMP R0, R0 (always return true), however, it's doing something weird by setting the Kindle into diagnostics mode. Basically, the script isn't completely finished yet, but IF you have a bricked Kindle AND have access to the recovery port AND you know your Kindle is unrecoverable by any other means (for example, you pressed Enter on startup and choose "I" to reformat partitions or "U" to try to update and it doesn't work anymore). You can help me test by PMing me with your Kindle model and the problem. Again, it's not finished yet, but I'll be taking beta testers. Also, if you know of a easier way to recover a Kindle that has the root partition formatted, PLEASE tell me. Anything is easier then disassembling an ARM binary.