This post is not complete or ready to use!
A note to anyone who might not do this all in one day:
The battery charger is off while running "Diags" - after 4 days, I just got a 'Battery Critical' screen and it rebooted to 'main' to run the charger.
- Abstract
This updated tutorial on serial jailbreaking illustrates the use of the newer Diag system menu.
The procedure has been slightly simplified.
Some of the materials have been repackaged and are used differently.
- tl;dr: The Cliff's Notes version
- log into diags
- (optional) run /mnt/us/mkbackup.sh
- run /mnt/us/unjail.sh
- reboot
(wait)
- in main searchbar, enter:
;log mrpi
(wait)
You're done - jail broken and everything you had in /my_packs is installed.
- Reference Materials
This tutorial is based on the earlier tutorial:
Serial Jailbreaking FW >= 5.6 for Dummys
Includes the setting up of PuTTY under Windows and making the connection to the serial port.
Also includes links to methods of connection other than the use of hot solder.
Installation and setup of the MiniCom terminal emulator under Linux (also available for MacOSx and *BSD).
MiniCom Setup
Additional information may be found in the Master Index, see:
Hardware Index
You will need to use the above reference materials to create the serial port connection and get a serial port terminal emulator working.
- Collecting Required Materials
- You will need some of the usual add-in packages, gathered from NiLuJe's snapshots thread:
- KindleTool
Scroll through the package listings to near the bottom, pick the build that will run on your PC.
- MR Package Installer
At the time of this writing it was in the: "KUAL and KUAL Extensions" section.
- KUAL
The text of that post above the package listing tells you how to deal with the *.xz compressed archives if you are using a Windows PC.
If you have a Linux/BSD/MacOSx based PC of relatively recent vintage, the system provided archive handler should 'just work'.
- You will need the actual jail break (signature certificate) from Branch Delay's post and a package from coplate's snapshots thread:
- Unlike prior directions, we only need the actual certificate, which I have compressed and attached below as a single file zip archive.
- coplate's Master Survival Code
This one does not require MrPI to install, it uses the UYK (Update Your Kindle) built-in function.
- Password Discovery
The next preparation step is to find out what the administrator's (root) password is when running the 'Diags' system.
Unpack the KindleTool package for your system.
If you put it in your current directory, you can check if it is working (and see its built-in help) by just entering:
Code:
knc1:PW3-Serial> ./kindletool
That should have produced a long list of instructions and no error messages.
Meaning you are ready to find the 'Diags' system password for root.
You will need the serial number of your Kindle, found:
- On the label of its box
- On its entry in your Amazon account "Manage Devices" web page
- In the "Device Info" panel of the Settings menu.
- From an entry in the 'Diags' system menu. (I know, we aren't that far along yet.)
Note: The serial number is UPPER CASE letters and Numbers (only - not the dots that I have obscured my serial number with).
Code:
knc1:PW3-Serial> ./kindletool info G090G1.....
Device uses the new device ID scheme
Platform is Wario or newer
Root PW fionaed4
Recovery PW fionaed48
The first password is for user: root in the 'Diags' system.
That is all we need KindleTool for in this exercise, but hang on to it, you may need it in the future.
- Entering u-boot
At this point, you need to have your Kindle talking to your PC over the serial port.
Are you ready? This next step can pass you by in a hurry if not prepared.
Serial port adapter is connected?
Terminal emulator window open, window is selected?
Finger is hovering near the 'enter' key of the keyboard?
All yes? Continue:
If the Kindle is off, turn it on by pressing the power button.
If the Kindle is on, press and hold the power button until you get a pop-up panel. On that panel, touch: "Restart".
Finger hovering over 'Enter' key, watch for:
Code:
U-Boot 2009.08-lab126 (Jan 16 2017 - 03:44:52)
CPU: Freescale i.MX6 family TO0.0 at 996 MHz
Temperature: 34 C, calibration data 0x59e5245f
* * * lots more * * *
Just as soon as you see that header, press and hold the 'Enter' key, until you see:
Code:
Hit any key to stop autoboot: 0
uboot >
uboot >
uboot >
* * * However many times your keyboard repeated 'Enter' while you held it. * * *
You can release the 'Enter' key now. 
That prompt is from u-boot, the system bootloader.
u-boot is fussy: it will only talk to you over the serial port, which is why we hooked up the serial port.
A question mark entered at the prompt will show a list of available commands.
The menus for this version and build of u-boot are here:
u-boot menus
- Safety Net
Just in case a re-boot is required, or happens accidentally and we fail to catch the u-boot prompt:
Code:
u-boot >idme bootmode diag
If things do get away from us, it will at least return to the diag system, not the main system.
- Booting the Alternate System
The Kindles (since the K4) are dual boot systems.
The 'Main' system (which is what you normally see) starts in memory at address: 0x041000
The 'Diag' system (which is what we want now) starts in memory at address: 0xE41000
And if those values ever change, you could persuade u-boot into telling you what they are at this point.
Boot up the alternate ('Diag') system from its memory location:
Code:
uboot > bootm 0xE41000
## Booting kernel from Legacy Image at 80800000 ...
Image Name: Linux-3.0.35-lab126
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2634732 Bytes = 2.5 MB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
* * * a whole lot of stuff output * * *
system: I mntroot:def:Making root filesystem writable
[ 9.981878] EXT3-fs (mmcblk0p2): using internal journal
[ 10.368287] g_ether gadget: high speed config #1: CDC Ethernet (ECM)
[ 10.591710] KERNEL: I pmic:charger chgina::charger disconnected
sock_init 1888
diag>
Note: You might have to press 'Enter' (once this time) to get the system to show its prompt (it's a Unix thing).
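The following is an added example, not part of the original post: a small Python check that reads a saved serial-console capture and confirms the session actually booted the Diag image (not Main), that u-boot verified the image checksum, and that the `diag>` prompt appeared. The function names are hypothetical, the sample capture is constructed from the output lines quoted above, and the two start addresses are the ones this post states (they may differ on other firmware).

```python
import re

# Constructed sample: lines taken from the serial output quoted in this post.
SAMPLE_CAPTURE = """\
U-Boot 2009.08-lab126 (Jan 16 2017 - 03:44:52)
Hit any key to stop autoboot: 0
uboot >
uboot > bootm 0xE41000
## Booting kernel from Legacy Image at 80800000 ...
Image Name: Linux-3.0.35-lab126
Verifying Checksum ... OK
Loading Kernel Image ... OK
Starting kernel ...
system: I mntroot:def:Making root filesystem writable
diag>
"""

# Start addresses as stated in the post; an assumption for any other firmware.
KNOWN_IMAGES = {0x041000: "main", 0xE41000: "diag"}

def summarize_boot(capture: str) -> dict:
    """Summarize which image was booted and whether the Diag prompt appeared."""
    summary = {"uboot_prompt": False, "bootm_addr": None, "image": None,
               "kernel": None, "checksum_ok": False, "diag_prompt": False}
    for raw in capture.splitlines():
        line = raw.strip()
        if m := re.match(r"u-?boot\s*>\s*(.*)$", line):
            summary["uboot_prompt"] = True
            # Only a bootm command typed at the u-boot prompt counts.
            if cmd := re.match(r"bootm\s+(0x[0-9A-Fa-f]+)$", m.group(1)):
                addr = int(cmd.group(1), 16)
                summary["bootm_addr"] = addr
                summary["image"] = KNOWN_IMAGES.get(addr, "unknown")
        elif m := re.match(r"Image Name:\s*(\S+)", line):
            summary["kernel"] = m.group(1)
        elif re.match(r"Verifying Checksum \.\.\. OK$", line):
            summary["checksum_ok"] = True
        elif line.startswith("diag>"):
            summary["diag_prompt"] = True
    return summary

def reached_diag(capture: str) -> bool:
    """True only if the Diag image was booted, verified, and gave a prompt."""
    s = summarize_boot(capture)
    return s["image"] == "diag" and s["checksum_ok"] and s["diag_prompt"]

if __name__ == "__main__":
    print(summarize_boot(SAMPLE_CAPTURE))
    print("Diag reached:", reached_diag(SAMPLE_CAPTURE))
```

Run it against the log file your terminal emulator saved before entering any commands as root, so you know which of the two systems you are in.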
- The Diag Menus
This 'Diag' system is menu driven. The menu can be operated from the touch screen or from the serial port.
What happened in the prior section is that when u-boot gave up control to the Linux kernel, it also handed over the serial port, which Linux is now using as the "Operator's Console Port". Another (mainframe) Unix thing.
We only need the top level of the menu system, entering: ? will list the choices:
Code:
diag>?
get_input_from_stdin Received [?]
diag> MUSCAT_WFO - System Diags - 94
~~~~ 1.1.30.291999 ~~~~
pcbId:0670309164410CQB
(DS INFO)-Device Setting
(TOUCH PLATE)-Touch Plate Test
(OTS)-Operator test suite
(o)-Misc individual diagnostics
(WIFI NART)-nART factory test
(USB EXPORT)-USB device mode
(o)-Reboot or Disable Diags
(POWER SUSPEND)-Lock screen
(X)-Exit
- Accessing USB Storage
Export the USB storage over the USB cable to your PC (similar to normal operation).
Put a known good USB cable between the Kindle and your PC and then enter:
Code:
diag>usb export
get_input_from_stdin Received [USB EXPORT]
* * * snip * * *
USB device exported
Once you are done
Eject the USB device from the PC then
Battery capacity 94
(C)-to continue
(X)-Exit
That 'exported' message will repeat at regular intervals.
- Populating USB Storage
Most of this section's context is in the pictures.
- At the top of visible USB storage, make two new directories (folders):

The directory added with the name of: "unjail" will be where we organize the files to be used.
The directory added with the name of: "update.bin.partial.tmp" should block any new update downloads.
- Add the new "Master HotFix" to the topmost level:

This will not have any effect until we re-boot the device into the 'Main' operating system.
- Populate the Kindle:/unjail directory.

I have added the KUAL and MrPI archives from NiLuJe's snapshots thread.
I have unarchived them into corresponding folders.
The highlighted packages are not required to be installed at this time, but they are recommended.
The actual jail-breaking script was still a WIP when this screenshot was taken.
- Install MrPI
- Enter the MrPI sub-directory and select the two directories contained there:

- Copy them and paste them in the top level of visible USB storage:

Which makes the top level now contain copies of those two directories (folders).
- Populate USB with KUAL
The next step has two, alternative, procedures.
Read carefully; you should only follow the pair which applies to your model of Kindle.
- For 8th. generation devices (KT3 and KOA):
The 8th. generation devices must use the booklet form of KUAL, which has to be installed by MrPI.
- From:

- To:

- For all older models:
All earlier Kindle models may still use the document form of KUAL.
- From:

- To:

- Place KUAL's configuration file.
Both the booklet and the document form of KUAL use the same configuration file.
- From:

- To:

- A work in progress