Is the problem with getting shell through serial TTL really that you don't have the password? I know people read the kernel partition through uBoot, why not do the same for the root partition (/dev/mmcblk0p1), then modify passwd file, and re-flash it onto the kindle? (or do this with the initramfs)?
Also, here's variables dumped from the uBoot source from Amazon:
Quote:
#define CONFIG_EXTRA_ENV_SETTINGS \
"uboot_net=tftpboot 0x84000000 u-boot.bin\0" \
"uboot_serial=loady 0x84000000\0" \
"uboot_ram=go 0x84000000\0" \
"bootargs_diag=setenv bootargs tests=all\0" \
"diags_net=tftpboot 0x84000000 diagmon.uimage; run bootargs_diag; bootm 0x84000000\0" \
"diags_serial=loady 0x84000000; run bootargs_diag; bootm 0x84000000\0" \
"bootargs_base=console=ttymxc0,115200 mem=256M panic=10\0" \
"bootcmd_root_nfs=setenv bootargs $(bootargs_base) root=/dev/nfs rw nfsroot=$(nfsrootfs),v3,tcp rw ip=$(ipaddr):$(serverip):$(serverip):$(netmask):ma rio1 rootdelay=3\0" \
"bootcmd_root_mmc=setenv bootargs $(bootargs_base) root=/dev/mmcblk1p1 rw ip=none\0" \
"bootcmd_root_mvn=setenv bootargs $(bootargs_base) root=/dev/mmcblk0p1 rw ip=none\0" \
"bootcmd_kernel_nfs=nfs 0x87f40400 $(nfsrootfs)/uImage; bootm\0" \
"bootcmd_kernel_tftp=tftp 0x87f40400 uImage; bootm\0" \
"bootcmd_nfs=run bootcmd_root_nfs; run bootcmd_kernel_nfs\0" \
"bootcmd_flash=run bootcmd_root_mvn; run bootcmd_kernel_nor\0" \
"bootcmd_card=run bootcmd_root_mmc; run bootcmd_kernel_nor\0" \
"bootcmd_recovery=run bootcmd_root_recovery; run bootcmd_kernel_nor\0" \
"bootcmd_defaultflash=setenv bootargs; run bootcmd_kernel_nor\0" \
"bootcmd=bootm 0x87f40400\0" \
"testmem=mtest 0x80000000 0x86ffffff\0" \
"nfsrootfs=/nfsboot\0" \
"ethaddr=00:22:33:44:55:66\0" \
"cfgreset=protect off all ; erase " TOSTRING(CFG_ENV_ADDR) " +" TOSTRING(CFG_ENV_SECT_SIZE) "\0" \
"bootretry=-1\0" \
|