Quote:
Originally Posted by the-equinoxe
Hi yifanlu,
This is an interesting problem.
Am I correct when I think:
uboot -> initramfs -> rootfs?
and the nand-password and signature keys are hardcoded into the initramfs?
If so, how can I dump the initramfs of a K3w?
Is it possible to use uboot to load an altered initramfs?
Would it be possible for us (with a non-bricked device) to load a patched loader ourselves, giving us the ability to use our own dumped rootfs signed by ourselves?
Thanks for the info,
EqX
It IS possible to load an altered initramfs. However, the offsets between uboot and the kernel are different. It is much easier (but not easy) to edit the initramfs and recompile the kernel with the new initramfs and flash the new kernel (which is what I did).
Also, I'm happy to say that I have successfully recovered my Kindle, which was completely formatted and had the rootfs destroyed. What I did was extract the initramfs, open recovery-utils in IDA Pro, and find the logic of the password check. Luckily, it was easy, just a change from
Quote:
BL 000092DC // Jump to pass_check function
CMP R0, #0 // Compare return value with 0
...
BEQ loc_9604 // If previous instruction is true, jump to password failure
to
Quote:
NOP // no instruction
CMN R0, R0 // Negative compare a value with itself
...
BEQ loc_9604 // If previous instruction is true, jump to password failure
(I also patched the key for update packages to the jailbreak key just in case)
Then I placed my new recovery-utils into initramfs.cpio using a hex editor and compiled a kernel with it. Then I flashed the uImage through HyperTerminal (in uboot: run prg_kernel_serial) and ran it. I was able to export MMC0 without a password. Then I used Ubuntu to recreate the partitions and restore the files.
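For the "placed my new recovery-utils into initramfs.cpio using a hex editor" step, here is an added example (not code from the original post or from yifanlu) that walks the newc cpio format an initramfs uses, reports where each file's bytes sit, and swaps a file in place only when the replacement is exactly the same size, which is the constraint a hex-editor overwrite has. The archive contents are constructed sample data, not a real Kindle initramfs.

```python
HDR_LEN = 110  # "070701" magic + 13 fields of 8 ASCII hex chars (cpio "newc" format)

def _pad4(n):
    """newc aligns the end of each header+name and each file body to 4 bytes."""
    return (n + 3) & ~3

def build_newc(files):
    """Build a newc cpio archive from {name: bytes}; used here only for sample input."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        nlen = len(name) + 1  # namesize counts the terminating NUL
        # field order: ino mode uid gid nlink mtime filesize devmajor devminor
        #              rdevmajor rdevminor namesize check
        hdr = b"070701" + b"".join(b"%08X" % v for v in (
            ino, 0o100755, 0, 0, 1, 0, len(data), 0, 0, 0, 0, nlen, 0))
        out += hdr + name.encode() + b"\0"
        out += b"\0" * (_pad4(len(out)) - len(out))
        out += data
        out += b"\0" * (_pad4(len(out)) - len(out))
    return bytes(out)

def list_newc(buf):
    """Walk a newc archive; return [(name, data_offset, size)] up to the trailer."""
    entries, pos = [], 0
    while pos + HDR_LEN <= len(buf):
        if buf[pos:pos + 6] != b"070701":
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(buf[pos + 6 + 8 * i: pos + 14 + 8 * i], 16) for i in range(13)]
        size, nlen = f[6], f[11]
        name = buf[pos + HDR_LEN: pos + HDR_LEN + nlen - 1].decode()
        data_off = _pad4(pos + HDR_LEN + nlen)
        if name == "TRAILER!!!":
            break
        entries.append((name, data_off, size))
        pos = _pad4(data_off + size)
    return entries

def replace_same_size(buf, name, new_data):
    """Overwrite one file's bytes in place, hex-editor style: the size must not change,
    because every later header offset in the archive depends on it."""
    for n, off, size in list_newc(buf):
        if n == name:
            if len(new_data) != size:
                raise ValueError("need exactly %d bytes, got %d" % (size, len(new_data)))
            return buf[:off] + new_data + buf[off + size:]
    raise KeyError(name)
```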