The only issue is that there doesn't seem to be a simple way to access the main MMC partition from the provided u-boot - a custom initramfs solves that easily.
I've compiled an image to perform modifications quickly with a serial cable - available here
http://dl.free.fr/pN6Hu6beI (gpl'ed kernel + /dev prepared with the devices list from the preloaded u-boot image + klibc utils + dropbear)
How to use it :
- Connect 3 wires to rx/tx/gnd (if you only have a 3.3V Serial-TTL converter like me, my Kindle didn't explode with a /2 voltage divider on TX - just for information), interrupt u-boot
- Upload the image with loady 0x84000000 and an Y-Modem client (minicom, hyperterminal)
- Boot the image with bootm 0x84000000
- After a few seconds you'll end up on a minimalist shell with no prompt
- Create a mount point with mkdir /root
- Mount the main partition with mount -t ext3 /dev/mmcblk0p1 /root
- Chroot to a better shell with chroot /root /bin/sh
From now on, you can do whatever you want - for example edit /etc/shadow with vi, then sync, exit the shell, and reboot. Just do it quickly, or find a way to disable the power management, otherwise it'll kick in and serial communication doesn't seem to wake up the device
For quick & dirty tests without the cable, I've included a (statically compiled & ugly) dropbear binary in /drop of the initramfs - remember to tweak the firewall in /etc/sysconfig/iptables if you want to use it. It'll be better to properly compile your own version though.
There is an account without password too, named default.