Inside PW1-5.6.1.1
Also: PW3-5.6.1.1 see: https://www.mobileread.com/forums/sho...d.php?t=262279
The following was done on a Linux system. Mac OS X should be similar.
Windows users, you will have to translate the following to whatever works.
- Make a work place
The naming conventions of this pathname are just mine, they really don't matter.
Use whatever fits your own work habits.
Code:
core2quad ~ $ mkdir -p /var1/Kindle/kpw/pw-fw5.6
core2quad ~ $ cd /var1/Kindle/kpw/pw-fw5.6
core2quad pw-fw5.6 $
- Get update package
Official released pw1-5.6.1.1 is at:
https://s3.amazonaws.com/G7G_Firmwar...le_5.6.1.1.bin
- Get current KindleTool
Since the PW-1 at this point is running a firmware prior to the 5.6.x series, even an 'old' KindleTool should work just fine for unpacking the update.
But use the most recent version anyway, from:
https://www.mobileread.com/forums/sho...d.php?t=225030
- Starting workplace
core2quad pw-fw5.6 $ ls -l
total 212940
-rw-rw-r-- 1 mszick mszick 302561 2015-06-27 07:04 kindletool-v1.6.4-linux-i686.tar.gz
-rw-rw-r-- 1 mszick mszick 217523739 2015-06-27 06:51 update_kindle_5.6.1.1.bin
- Keep a copy
KindleTool's default is to delete the input file unless you specify --keep.
So make a copy of the update now, for when you fat-finger the KindleTool command later.
Code:
core2quad pw-fw5.6 $ cp -a update_kindle_5.6.1.1.bin update_kindle_5.6.1.1.bin-bk
- Unpack KindleTool
Note that I give the package its own sub-directory of the work place:
Code:
core2quad pw-fw5.6 $ mkdir kt
core2quad pw-fw5.6 $ tar -C kt --extract --gzip --file=kindletool-v1.6.4-linux-i686.tar.gz
core2quad pw-fw5.6 $ ls -l kt
total 832
-rw-r--r-- 1 mszick mszick 309303 2015-05-07 15:09 ChangeLog
-rw-r--r-- 1 mszick mszick 839 2015-05-07 15:09 CREDITS
-rwxr-xr-x 1 mszick mszick 502496 2015-05-07 15:09 kindletool
-rw-r--r-- 1 mszick mszick 8115 2015-05-07 15:09 kindletool.1
-rw-r--r-- 1 mszick mszick 10929 2015-05-07 15:09 README
-rw-r--r-- 1 mszick mszick 7 2015-05-07 15:09 VERSION
- Check KindleTool
If you have the one that matches your system, this should just display a help message:
Code:
core2quad pw-fw5.6 $ kt/kindletool
No command was specified!
usage:
--- a whole lot of output snipped ---
- List package info
Notice the use of option "--keep"
Code:
core2quad pw-fw5.6 $ kt/kindletool convert --info --keep update_kindle_5.6.1.1.bin
Checking update package 'update_kindle_5.6.1.1.bin'.
Bundle SP01 (Signing Envelope)
Cert number 2
Cert file pubprodkey02.pem (Official 2K)
Bundle FB03 (Fullbin [OTA?, fwo?])
Bundle Type Recovery V2
Target OTA 2689890035
MD5 Hash b7b666b5600a1c34a45d54eb523570f1
Magic 1 2048630901
Magic 2 1897089723
Minor 1
Platform Yoshime (Yoshime3)
Header Rev 0
Board Unspecified
Devices 6
Device Kindle PaperWhite Wifi
Device Kindle PaperWhite Wifi+3G Brazil
Device Kindle PaperWhite Wifi+3G Japan
Device Kindle PaperWhite Wifi+3G Europe
Device Kindle PaperWhite Wifi+3G Canada
Device Kindle PaperWhite Wifi+3G
Looks like it should work.
- Extract package
Make a sub-directory for the root of the package tree and extract.
Code:
core2quad pw-fw5.6 $ mkdir package
core2quad pw-fw5.6 $ kt/kindletool extract update_kindle_5.6.1.1.bin package
Extracting update package 'update_kindle_5.6.1.1.bin' to 'package'.
Bundle SP01 (Signing Envelope)
Cert number 2
Cert file pubprodkey02.pem (Official 2K)
Bundle FB03 (Fullbin [OTA?, fwo?])
Bundle Type Recovery V2
Target OTA 2689890035
MD5 Hash b7b666b5600a1c34a45d54eb523570f1
Magic 1 2048630901
Magic 2 1897089723
Minor 1
Platform Yoshime (Yoshime3)
Header Rev 0
Board Unspecified
Devices 6
Device Kindle PaperWhite Wifi
Device Kindle PaperWhite Wifi+3G Brazil
Device Kindle PaperWhite Wifi+3G Japan
Device Kindle PaperWhite Wifi+3G Europe
Device Kindle PaperWhite Wifi+3G Canada
Device Kindle PaperWhite Wifi+3G
x update-payload.dat
x imx50_yoshime/uImage
x imx50_yoshime/uImage.sig
x rootfs.img.gz
x rootfs.img.gz.sig
x update-payload.dat.sig
- See what that got us
Note: this is ls option -one, not -ell
Code:
core2quad pw-fw5.6 $ ls -1 package/*
package/rootfs.img.gz
package/rootfs.img.gz.sig
package/update-payload.dat
package/update-payload.dat.sig
package/imx50_yoshime:
uImage
uImage.sig
Note that each part is signed.
- Update Payload
Code:
core2quad pw-fw5.6 $ cd package
core2quad package $ cat update-payload.dat
1 898a5d0d2c0903643b1149c1f134be89 imx50_yoshime/uImage 37 main_kernel
128 fdbd14b1c79e12fba0ba2c9bb618955a rootfs.img.gz 1645 update_image_rootfs
core2quad package $ cd -
/var1/Kindle/kpw/pw-fw5.6
core2quad pw-fw5.6 $
- Uncompress the rootfs
Code:
core2quad pw-fw5.6 $ cd package
core2quad package $ gunzip rootfs.img.gz
core2quad package $ file rootfs.img
rootfs.img: Linux rev 1.0 ext3 filesystem data, UUID=380c7f4e-6e00-41a1-a03f-9af1686e2334
As expected.
- Make a mount point and mount
Code:
core2quad package $ sudo mkdir -p /mnt/kpw
core2quad package $ sudo mount rootfs.img /mnt/kpw
core2quad package $ ls /mnt/kpw
bin dev etc lib lost+found mnt opt proc sbin sys usr var
That is the tree **before** it is mounted and run by the Kindle.
That is, the various parts of the file system tree which live inside of cramfs files have not been mounted by the Kindle's start-up process.
Although you could do that here and now. Details should be in the mount point's etc/fstab.
- Check the logins
I'll spoiler the outputs for this section.
Code:
core2quad package $ cd /mnt/kpw/etc
core2quad etc $ cat inittab
So login will be running on the serial port.
Code:
core2quad etc $ cat passwd
root:x:0:0:root:/tmp/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
operator:x:37:37:Operator:/var:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
messagebus:x:92:92:messagebus:/bin/false
nobody:x:99:99:nobody:/tmp:/bin/sh
default:x:1000:1000:Default non-root user:/dev/null:/bin/sh
framework:x:9000:150:Framework User:/tmp/framework:/bin/sh
And password table references the shadow table.
Code:
core2quad etc $ cat shadow
Users root, default and framework do not accept passwords of any sort.
Other users are disabled.
Ref: http://www.tldp.org/LDP/lame/LAME/li...e-formats.html
- Return to package
Code:
core2quad etc $ cd /var1/Kindle/kpw/pw-fw5.6/
Then into the kernel part of the package.
Code:
core2quad pw-fw5.6 $ cd package/imx50_yoshime
- uImage file
The kernel in U-Boot bootable format.
- Remove kernel from header
Code:
core2quad imx50_yoshime $ dd if=uImage ibs=64 skip=1 of=raw_image
75775+0 records in
9471+1 records out
4849600 bytes (4.8 MB) copied, 0.0878131 s, 55.2 MB/s
core2quad imx50_yoshime $ ls -l
total 14252
-rw-rw-r-- 1 mszick mszick 4849600 2015-06-27 09:50 Image
-rw-rw-r-- 1 mszick mszick 4849600 2015-06-27 10:45 raw_image
-rw-r--r-- 1 mszick mszick 4849664 2015-06-23 06:29 uImage
-rw-rw-r-- 1 mszick mszick 256 2015-06-23 07:33 uImage.sig
Either way works for a Kindle uImage, since they don't use the 8 byte ARM specific header option.
- Kernel's InitRamFS
For more descriptive text on what I am doing here than anyone can stand, see the thread:
https://www.mobileread.com/forums/sho...d.php?t=206188
Lots of examples there of taking apart kernel images.
Code:
core2quad imx50_yoshime $ od -A d -t x1 raw_image | grep '30 37 30 37 30 31'
0102688 30 37 30 37 30 31 30 30 30 30 30 32 44 31 30 30
- - - lots of output snipped here - - -
core2quad imx50_yoshime $ dd if=raw_image bs=1 skip=102688 of=kpw-trim-00.cpio
4746912+0 records in
4746912+0 records out
4746912 bytes (4.7 MB) copied, 13.6347 s, 348 kB/s
core2quad imx50_yoshime $ file kpw-trim-00.cpio
kpw-trim-00.cpio: ASCII cpio archive (SVR4 with no CRC)
core2quad imx50_yoshime $ mkdir cpio
core2quad imx50_yoshime $ cd cpio
core2quad cpio $ sudo cpio -i -d -m --no-absolute-filenames -I ../kpw-trim-00.cpio
cpio: Removing leading `/' from member names
2017 blocks
core2quad cpio $ ls -l
total 28
drwxr-xr-x 2 root root 4096 2015-06-27 11:14 bin
drwxr-xr-x 7 root root 4096 2015-06-27 11:14 dev
lrwxrwxrwx 1 root root 18 2015-06-27 11:14 init -> /bin/recovery-util
drwxr-xr-x 3 root root 4096 2015-06-27 11:14 lib
drwxr-xr-x 3 root root 4096 2015-06-27 11:14 mnt
drwxr-xr-x 2 root root 4096 2015-06-23 06:28 proc
drwx------ 2 root root 4096 2015-06-23 06:28 root
drwxr-xr-x 2 root root 4096 2015-06-23 06:28 sys
- Looking a bit deeper
Code:
core2quad cpio $ cd bin
core2quad bin $ ls -l
total 800
-rwxr-xr-x 1 root root 24398 2015-06-23 06:27 hotplug
-rwxr-xr-x 1 root root 13240 2015-06-23 06:04 ipconfig
-rwxr-xr-x 1 root root 76392 2015-06-23 06:04 kinit
-rwxr-xr-x 1 root root 30707 2015-06-23 06:28 mkdosfs
-rwxr-xr-x 1 root root 7644 2015-06-23 06:04 nfsmount
-rwxr-xr-x 1 root root 571603 2015-06-23 06:27 recovery-util
-rwxr-xr-x 1 root root 2116 2015-06-23 06:04 run-init
-rwxr-xr-x 1 root root 66224 2015-06-23 06:04 sh
core2quad bin $ file *
hotplug: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
ipconfig: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
kinit: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped
mkdosfs: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), not stripped
nfsmount: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
recovery-util: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
run-init: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
sh: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
All compiled code, but they left us some of the symbol tables.
Note the really interesting one: nfsmount (in the initramfs system?).
That will make for some interesting night's work for someone.
- Misc. Strings
This is just a quick and dirty use of:
Code:
core2quad bin $ od --strings=16 recovery-util | less
Like I wrote, quick and dirty.
Code:
0332340 nfs_boot_default
0332370 Make sure the Ethernet interface is configured on your host machine.
0332477 ipconfig -d nfsaddrs=%s:%s:%s:%s:%s:%s
0332715 nfsmount -o v3,tcp %s:%s /root
Well, that sort of makes it look like nfsmount is there for a reason. 
Code:
0334360 /proc/sys/vm/drop_caches
0334760 /mnt-us/update-failed.log
0335643 /bin/mkdosfs -F 32 -s 16 -B 4 -P %llu -n Kindle -v %s
0336554 %s: (%u of %u MiB)
Parameters to rebuild your USB storage with.
Code:
0343154 /mnt-us/system/SKIP_BATTERY_CHECK_FOR_UPDATE
No comment.
Code:
0350112 /mnt-us/data.stgz

- BIG NOTE:
This initramfs is statically linked into the kernel binary (not dynamically loaded by the kernel) which makes it GPLv2 (same as the kernel).
So disassemble and post (somewhere other than MR) to your heart's content.
Last edited by knc1; 06-30-2015 at 08:01 AM.