Unbrick a PW3 (Fastboot)

[knc1]

Primary kernel.

You want:

Code:

fastboot flash kernel uimage

Then re-boot the device.
I expect it to display the recovery menu and wait for your input.

- - - - -

I got sidetracked yesterday by reading the code to see if it was possible to eliminate the limit on transfer size so we could transfer the rootfs.img with fastboot.
Sorry, I didn't have time to find that in the code.

Lets see a capture file of the device booting into the recovery menu (we might have to tweak the kernel command line in the u-boot environment).

[MadMAXXX]

I were able to flash the kernel attached the Log File.
After Flashing the kernel I did a reboot via Fastboot so I get to a rapair screen. I did a reboot again and was able to get to the recovery menu by pressing ENTER at the right point.

Note:
I always have to restart PuTTY on reboot because of a reading error. So its hard to log from a beginning of a reboot.

Now I also remember that I brick it by erasing the MMC0 (Recovery Menu - 4. Erase MMC0)!

[knc1]

Super! (en_IBM)
The recovery menu has the 'simple way' to re-install the most recent u-boot, kernel, and 'main' file system image.

(We are still stuck with not having a 'diags' kernel and 'diags' file system image - but we can deal with that later.)

This should do the trick:
Edit: The start-up log of flashing uimage shows that the system has already done the I step. You can start with the export step (E).

• I - initialize partition table and format FAT
  It doesn't say anything about /var/local - but we know that a 'normal' start-up will re-format that if required.
• E - export FAT partition
• Connect Kindle to PC with the normal USB cable.
• Copy the Amazon update package (just as you downloaded it) to the root (highest level directory shown) of user storage.
• Safely remove
• Disconnect USB cable to PC
• U - update (main) system from file on user storage
• Reboot
  It should 'just work'.

Again, capture all that you can to a log file.
We are documenting this 'invented' recovery method for future readers.

The other OS - 'diags' - that we will deal with after the above works.

But before dealing with the missing 'diags' we will try to JB the just installed 'main' system over the serial port.

[knc1]

Re-read above - see the edit entry.

Edit and note to someone with time on their hands:
What we (the Kindle developer's corner) need is a "jail broken" uImage -
I.E: With our developer certificate installed in the initramfs of the uImage file.

I **think** all that fastboot checked above when flashing it was the crc32 of the file.
(Because 'secure boot' is hardcoded as set to "no".)

Then we could use fastboot to install a JB uImage - that could use its recovery menu to install a JB main image file.

[MadMAXXX]

Great success!

The first update package we saw (update_kindle_5.6.5.bin) was the wrong one. So i took a look again and found the german update_kindle_all_new_paperwhite_5.6.5.bin
http://www.amazon.de/gp/help/custome...deId=201756220

Attached the Log of the Recovery.

[knc1]

Quote:

Originally Posted by MadMAXXX

Great success!

The first update package we saw (update_kindle_5.6.5.bin) was the wrong one. So i took a look again and found the german update_kindle_all_new_paperwhite_5.6.5.bin
http://www.amazon.de/gp/help/customer/display.html/ref=hp_left_cn?nodeId=201756220

Attached the Log of the Recovery.

That probably explains that 27Mbyte difference in size.
And no harm done, the recovery log shows that it replaced the uImage file that we installed with the correct one.

Note that I had a moderator prefix this thread.

I have also PM someone I think may have a PW-3 'diags' kernel and system image.
Those are both small enough that we can 'fastboot' them into the device when we get them.

I have to get on with my life today - more tomorrow (but you are back to the point where you pushed the wrong button when doing the serial JB).

Edit: Maybe not.
I think that tutorial is written to require the use of 'diags' system.
Give me 24 to think on this problem.

[knc1]

Comparing GeekMaster's "getkernels" script with the log file information shows that it **should** still work with the PW-3.
https://www.mobileread.com/forums/sho...d.php?t=174674

The diags_kernel.img recovered with that script and a copy of /dev/mmcblk0p2 are the two parts that we still need to finish this job.

[MadMAXXX]

Quote:

Originally Posted by knc1

Comparing GeekMaster's "getkernels" script with the log file information shows that it **should** still work with the PW-3.
https://www.mobileread.com/forums/sho...d.php?t=174674

The diags_kernel.img recovered with that script and a copy of /dev/mmcblk0p2 are the two parts that we still need to finish this job.

But I cant use the script, because i erased the diags, right?

[knc1]

Quote:

Originally Posted by MadMAXXX

But I cant use the script, because i erased the diags, right?

Correct.
We have to find someone with a serial port PW-3 that has not (yet) erased all.

But for the future reader of this thread, that is what will be used.

= = = =

PS: I do have a PW-3, (currently) without a serial port.
If we do not find someone else, I guess I will have to open mine up.

Or

Use the 'diags' kernel and file system from a KT-2 (which I already have open).

Or

I could modify the 'main' uImage file to install the Jailbreak (and probably anything in mrpackages) into the 'main' filesystem.

Note: Such a modified uImage file **would not** be flashed (it would be too big) but it could be loaded into ram and run-once from there.
(u-boot can do that, and I think fastboot can also).

= = = =

Meanwhile, we are on our own.

All we need is a way to remove a single character from the password file (or replace it with a space).
The only 'trick' in that is the 'whatever' has to be able to mount an ext2/ext3 file system.
(A newer version of u-boot might be able to do that. Something else for me to check on.)

= = = = =

Another way -
In u-boot, modify the kernel command line (getenv/setenv) to include:
rdinit=/bin/sh
Then when the (installed) kernel boots, it will jump to the busybox command shell **before** doing any system initialization.

but if you have never initialized a Linux run-time system "by hand from the shell command line" - this probably isn't the time to learn.

= = = = =

Another way -
Since I am supposing we want to (temporarily) modify the kernel command line for a single start up -
Use u-boot getenv/setenv to change that ip=0 into a valid ip address on your home network of your pc -
Then when that kernel starts up, it will mount the file system image physically provided (by a server application) on your PC rather than the one in flash.
(called: netboot(ing) if you want to google that.)

= = = = =

Translation:
Your device isn't dead, this is just a speed bump in the recovery process.

[knc1]

Phooey.
I did want to own a Kindle that had never been torn open.

device_info.xml (reformatted for this post):

Code:

<!-- Info -->
<DeviceSettingInfo
    SOFTWARE_VERSION="1.1.23.266370"
    CHANGE_NUMBER="018-b5-diags_muscat_wario-266370"
    serialNumber="G090G1xxxxxxxx"
    pcbId="0670209152460FE5" 
    macAddress="747548D044AC"
    manufacturingCode="WS42BKBSQEP0P7FT34B8"
    EINK_PANEL_ID="EE3YBR401G060155GEN60F5051013234A"
    EINK_WAVEFORM="00_11_0028_00_503801_00_6a_000012e4_85"
    EMMC_NUM_BLOCK="7634944"
    EMMC_SIZE="4GB"
    BATTERY_CAPACITY="67"
    BATTERY_LMD="1408"
    Customer_Software_Version="033-juno_6011_muscat_wario-263413"
/>

Now, all I have to do is dig out the 'diags' kernel and system from it.

Edit:
One of the easiest Kindles to open yet.
Some double sided tape top and bottom edges holding the bezel -
Eleven screws and a couple of friction clips holding the MB/Screen assembly in the case -
And its apart.

Edit: (following day)
Darn but those serial port pads are tiny.
Six hours to solder one end of each of 4 wires.
And yes, these are not the first solder connections I have ever made in my life.

Edit: (another day passed)
but those connections work as if they where my first.
just love it when I have to troubleshoot my own handy work.

[knc1]

Here is the basic outline of what needs to happen:
http://www.isysop.com/unpacking-and-...-uimage-files/
There are some considerations to keep in mind while reading that:

• The directions are written for FreeBSD, not Linux
• The u-boot used by Amazon/Lab126 is probably too old to handle a mult-file uImage (at least the shipped uImages are single-file).
  Somewhere here I have posted the step-by-step of taking apart a recent Amazon uImage (fw-5.6.1.1 IIRC) and posted the initramfs as an attachment (its GPLv2).
• In addition to adding the MR signature certificate, we would want to re-code some of the scripting (which is compiled code).
  Drat! Why don't they make this system's stuff simple?
• The 'recovery menu' IS Linux, so no problem mounting /dev/mmcblk0p1 (or p2, p3, p4)

Anyway, there is a start towards a "Recovery Menu" with a "Jailbreak Main" selection.
(Yes, Virginia, there is a . It will fit, the current image is 2.8Mbyte in the 4.0Mbyte allocated space.)

Translation:
The Amazon/Lab126 kernel **SHOULD** be re-usable with a customized initramfs WITHOUT re-compiling.

[nigredo]

hi knc1,
I managed to extract the initramfs from the last uImage shipped in the 5.6.5 update (voyage).
Update: the uImage for the pw3 is the same...

P.S. I made a python script for it, it complains extracting the gzipped image and the cpio too seems not very good, but this uImage format is very old...

[knc1]

Thanks.
Maybe we can find some more people interested in helping.

[nigredo]

hi knc1,
I'll be in the fight if possible, somehow trashed the serial jailbreak chance (ripped off the tx line... ), so now only with software...

Already searched the main partition for some trick, and will continue. Discover how to get the usb downloader mode would be great too, perhaps I'll open the voyage again for this.

I think possible lab26 used the sense pin of the usb port, reading the datasheet it is clear that only a external device could tie the boot pin in the proper state at reset.

Or there is a retriggerable monostable multivibrator secured by a watchdog issued by software. If so a way to freeze the kindle could give way.

[knc1]

There is that pad outline of a non-supplied switch that is labeled: USB Boot.
I haven't had a chance to play with that.

Look at the photos in (I forget) either my KT2 or PW3 threads for the few details I know about that.
(Should be the same on the KV)

The other two switch outline pads have been tested and they do just as labeled.