I successfully debricked my k4nt that had a corrupted MMC, including the root partition, the Linux kernel and the idme vars (serial number, MAC address, etc.). I was able to rewrite the MMC with a backup copy from my other k4nt, and then I rewrote the idme vars from the original values I found in diagnostic log files.
I did not use the serial port. I only used the Freescale mfgtool to download and run a patched copy of u-boot in the kindle RAM, to rewrite my idme "pcbsn" var so it could continue the boot process, and to switch my kindle to "fastboot" mode. I added forcing of the pcbsn and fastboot mode to the u-boot source code in the Amazon GPL source code for my kindle, then I compiled it using the latest Debian ARM cross-compiler installed with apt-get on my Ubuntu host PC. Then I used yifanlu's fastboot tool to rewrite my backup images onto my kindle MMC. I extracted the main and diag Linux kernels from a backup image of the first 32MB of /dev/mmcblk0 on my other (good) k4nt, using a hex editor. The length of each kernel is stored in a flash header at the beginning of that kernel in the backup image.
The only caveat was that my kindle could not be registered until a tech specialist at Amazon manually associated my serial number and MAC address, which were not listed in their system as belonging together. I got them from an XML log file of diagnostic results originally from that damaged kindle, so either the report was not correct, or somehow trying to log in with damaged idme confused my kindle info at Amazon.
A side effect of Amazon reassociating my kindle serial number with its MAC address is that registering made my "Special Offer" k4 into a non-SO k4. The ads disappeared after registering, and they have not come back.
Anyway, I have a special u-boot.bin that will switch the kindle to fastboot mode, where you can erase the /var/local partition in case it got filled up, then use fastboot to switch to main or diag mode, where you can do more repair work. When the kindle boots, it automatically reformats and builds a new mmcblk0p3 (/var/local) if it is erased, and it will also reformat and rebuild the USB Drive if it is erased. I erased both user partitions on my damaged k4nt from fastboot, when I rewrote the kernels and main and diag partitions.
On the k4nt, from diags, you can start SSH. On the touch, you can push a netcat reverse shell from the ixtab jailbreak runme.sh script. A reverse shell lets you run commands on your kindle just like SSH or telnet (but with no command prompt).