Old 10-02-2013, 05:42 AM   #36
knc1
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by npoland
I have also gained root access to the diag partition. Which seems to be...
Code:
#!/usr/bin/env python
import hashlib
# Replace XXXYOURSERIALXXX with the device serial number.
# The trailing newline is part of the hashed input, so keep it.
serial = "XXXYOURSERIALXXX\n"
print("fiona%s" % hashlib.md5(serial.encode('utf-8')).hexdigest()[13:16])
This is for the diag partition.
Which is one step on the path.

Once you can log in as root on the 'diag' partition (/dev/mmcblk0p2), then you have permissions that allow you to mount the 'main' partition (/dev/mmcblk0p1).
(just make a mount point in /tmp of some name)

With the 'main' partition mounted (say, at: /tmp/main) you can then navigate to the passwd and shadow files of the main partition.

Then give the password cracker utility a go at root's password in the 'main' partition.

Then you will have access as 'root' in either 'diags' or 'main' mode.
You do need both, because you cannot reliably copy the contents of a partition that is in use.
I.E: You have to be in 'diags' to copy out /dev/mmcblk0p1 and you have to be in 'main' to copy out /dev/mmcblk0p2.

(And you have to be in the RAM-resident 'recovery mode' to copy out the hidden partitions of the flash chip.
That gets a bit technical; you have to diddle registers on the flash chip.
So for that, the pictures that show part numbers are required. You have to ID the flash chip part number and look up its datasheet.)

- - - well, back to the 'user' visible parts of the flash storage - - -

Flash storage is copied in units of an 'erase block' size.
Without knowing the flash chip part number, assume: 4096 bytes.

The eMMC flash chip will have a DOS format disk label at the start of the device.
You can read that using:
Code:
fdisk -l /dev/mmcblk0
That option is a lower-case ell.

You will find in that output that the partitioned portion of the flash does not start immediately after the disk label.
It starts some 'offset' amount into the raw device.

The area from the end of the disk label to the start of the first partition (outside of any file system) is in use.
That holds device and user specific data.
You will want a back-up copy of that, but DO NOT post it. (although one or more of the Kindle-Krackers may PM you for a copy of that - those people you can trust not to mis-use the information - you can tell who they are from their post history here)

With a post of the output of that fdisk -l command, we can tell you how many erase blocks to copy.

OK, that takes care of the storage area outside of the main partitioned, user-visible area.

While running in 'diags' mode, you can copy out the 'main' mode filesystem storage area (/dev/mmcblk0p1).

While running in 'main' mode, you can copy out the 'diags' mode filesystem storage area (/dev/mmcblk0p2).

There is a partition of persistent system data, known as the /var/local/* sub-tree in either 'diags' or 'main' mode.
The same partition is used by both modes.
That will be /dev/mmcblk0p3.
You will want to make a back-up copy of that for yourself, but no need to post that (again, one or more of the Kindle-Krackers may PM you for a copy of that).

And then there is the partition used for the "user storage" area, visible over the USB cable by the end user.

This one is a bit tricky - it is a DOS disk label partitioned storage area, located in the fourth partition for the primary DOS disk label.
(Yes - that is legal, although MS never used that, that I know of, although it is in their specs.)

So that disk label can also be read with the fdisk -l(ist) command.
Just tell it to read /dev/mmcblk0p4 as if that was the physical start of the storage device.

Here, you will find another "outside of the (second level) partitioned" area.
You will want a backup of that.
The file system within the (second level) disk label partition is already accessible when the kindle is in 'mass storage mode' using the usb cable.

That will be the destination of all the copies made above (so that those binary copies will end up as files in the user's usb storage area when the device is running normally).

pant, pant, pant - - -
Rather long, and I left out the copy commands in the above.
They aren't 'secret' by any means, but it would be better to work through this the first time interactively.
Mostly because the above is all from memory of prior Kindle system structure, and a new device may have hidden surprises.

See the sticky at the top of the forum index page about the IRC, kindle-dev channel.
Somebody (ixtab, NiLuJe, twobob, myself) will be there to meet you and walk you through all the commands and option numbers when you have some more free hobby time.
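Added example, not from knc1's or npoland's post: a dry-run shell script showing how the backup procedure described above could be scripted. It parses a fdisk -l listing to find where the first partition starts, rounds the gap before it up to whole erase blocks (4096 bytes, as the post says to assume), refuses to copy a partition that is mounted in the current mode, and only prints the dd commands instead of running them. The fdisk and /proc/mounts samples are constructed for the demo and are not a real Kindle layout; the 512-byte sector size, the "Device Boot Start ..." table format, and the /mnt/us mount point for user storage are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). DRY RUN: only prints commands.
#
# Assumptions not stated in the post:
#   - fdisk reports 512-byte sectors and a "Device Boot Start End ..." table
#     (busybox/util-linux style); adjust parse_first_start if yours differs
#   - user storage is mounted at /mnt/us when running in 'main' mode
#   - erase block size of 4096 bytes (the post's fallback when the chip is unknown)

SECTOR=512
ERASE=4096
DEST=/mnt/us   # assumed mount point of the user-visible storage

# Constructed sample of "fdisk -l /dev/mmcblk0" output; NOT a real Kindle layout.
SAMPLE_FDISK='Disk /dev/mmcblk0: 1024 MB, 1073741824 bytes
4 heads, 16 sectors/track, 32768 cylinders
Units = sectors of 1 * 512 = 512 bytes

     Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p1            2049      524287      261119+ 83 Linux
/dev/mmcblk0p2          524288      786431      131072  83 Linux
/dev/mmcblk0p3          786432      917503       65536  83 Linux
/dev/mmcblk0p4          917504     2097151      589824   b Win95 FAT32'

# Constructed sample of "fdisk -l /dev/mmcblk0p4" (the nested, second-level label).
SAMPLE_FDISK_P4='Disk /dev/mmcblk0p4: 603 MB, 603979776 bytes
Units = sectors of 1 * 512 = 512 bytes

     Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p4p1   *      8192     1179647      585728   b Win95 FAT32'

# Constructed sample of /proc/mounts while running in 'main' mode.
SAMPLE_MOUNTS='/dev/mmcblk0p1 / ext3 ro 0 0
/dev/mmcblk0p3 /var/local ext3 rw 0 0
/dev/mmcblk0p4 /mnt/us vfat rw 0 0'

# Start sector of the first partition in a fdisk -l listing ($1).
# A bootable partition has a "*" in the Boot column, which shifts the fields.
parse_first_start() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// { if ($2 == "*") print $3; else print $2; exit }'
}

# Erase blocks needed to cover everything before the first partition
# (disk label plus the device/user data area), rounded up to whole blocks.
gap_erase_blocks() {
    bytes=$(( $1 * SECTOR ))
    echo $(( (bytes + ERASE - 1) / ERASE ))
}

# True (exit 0) if device $1 appears as a mounted source in mounts text $2.
is_mounted() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# dd command copying the first $2 erase blocks of device $1 into user storage.
dd_head_cmd() {
    echo "dd if=$1 of=$DEST/$(basename "$1").head.bin bs=$ERASE count=$2"
}

# dd command for a whole partition $1, or a comment if it is in use per $2:
# the post warns that an in-use partition cannot be copied reliably, so it
# has to be copied from the other mode.
dd_part_cmd() {
    if is_mounted "$1" "$2"; then
        echo "# skip $1: mounted in this mode, copy it from the other mode"
    else
        echo "dd if=$1 of=$DEST/$(basename "$1").img bs=$ERASE"
    fi
}

# Dry run over the constructed samples.
start=$(parse_first_start "$SAMPLE_FDISK")
blocks=$(gap_erase_blocks "$start")
echo "# /dev/mmcblk0: first partition at sector $start, copy $blocks erase blocks"
dd_head_cmd /dev/mmcblk0 "$blocks"
for p in 1 2 3; do dd_part_cmd "/dev/mmcblk0p$p" "$SAMPLE_MOUNTS"; done
start4=$(parse_first_start "$SAMPLE_FDISK_P4")
echo "# /dev/mmcblk0p4: nested label, first partition at sector $start4"
dd_head_cmd /dev/mmcblk0p4 "$(gap_erase_blocks "$start4")"
```

To use it for real, replace the two SAMPLE_FDISK strings with the actual output of fdisk -l /dev/mmcblk0 and fdisk -l /dev/mmcblk0p4, feed the real /proc/mounts to dd_part_cmd, and run the printed commands only after checking them by hand; the in-use check is what enforces the post's rule that p1 is copied from 'diags' and p2 from 'main'.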