10-02-2022, 01:43 PM   #1
trimen
Junior Member
Posts: 7
Karma: 10052
Join Date: Jul 2022
Location: Prague
Device: PW4,5
Getting UART and UART root shell on PW5

Hello,

I did a write-up about my progress with Kindle PW5.
So far, I've got working UART via USB C and I enabled root shell on it.

You can read about it here:
https://kb.taktpraha.cz/projects/kindlepw5
10-03-2022, 05:18 PM   #2
shamanNS
Wizard
Posts: 1,136
Karma: 12345678
Join Date: Feb 2010
Location: Serbia
Device: Kindle PW5, Kobo Libra 2, Kindle PW1
So, in summary: even that USB cable hardware mod couldn't restore a PW5 that was already bricked / bootlooped with storage not exported over USB?
10-04-2022, 02:30 AM   #3
Wolf-HRB
Enthusiast
Posts: 37
Karma: 18
Join Date: Feb 2022
Device: PW3, PW4 and PW5 Signature Edition
Could I use this method to downgrade my pw5 in order to jailbreak it?
10-04-2022, 12:12 PM   #4
trimen
By default, everything is disabled. You have no bootloader access, nor a Linux shell.

In the u-boot source, I found that u-boot determines the type of device by reading the state of some GPIOs, but I haven't looked into it properly yet.

I don't know what will happen if some partitions become broken. I'll try it, but first I need to acquire HW for reading eMMC so I can do a full backup before modifying its content.

My next plans are to reverse the u-boot binary to get some knowledge about functions that were removed from the released source but are present in the production u-boot binary.

Also, the datasheet for the used CPU is unobtainable. Currently, I don't know about any process to load empty eMMC, as I'm still waiting for HW.

The whole point of my efforts is to be able to unlock the bootloader, which should enable low-level access to internal storage.
10-04-2022, 03:58 PM   #5
Wolf-HRB
If I support you with a bootable PW5 full eMMC backup, could you do more work on it?
10-04-2022, 05:39 PM   #6
trimen
I've got full eMMC backup via dd and netcat already.
The problem is not a missing eMMC image, but my current inability to restore eMMC content if I mess it up. (Or to be able to write to eMMCs in general)

So when I receive my eMMC reader, I'll do a backup.
Then I'll place a new empty eMMC chip inside and observe what will happen. Maybe it will enter some kind of USB download mode?

If not, then I'll try to look for JTAG on test pins with something like JTAGenum/JTAGulator.

If this leads me nowhere, I'll make an automated test jig to periodically restart the CPU with different logic levels on test pads that are static during startup and run, and check the UART/USB output.

The datasheet for a different type of MediaTek CPU from the same MT8x family has information about bootloading, where you pull some GPIOs during start and the CPU then enters UART download mode. Unfortunately, I found no other information about the process.

I'm mostly a HW guy, but I've got some friends that are experienced with binary reverse engineering. With them, we'll look into the u-boot binary to find out more about the unlocking feature.

Missing the datasheet for the MT8113 is a problem, as I cannot find anything about it, and the only info that I can get is from other CPU type datasheets.
10-04-2022, 05:46 PM   #7
shamanNS
Quote:
Originally Posted by trimen
I don't know what will happen if some partitions become broken.
What I did to my first (jailbroken) PW5 was: I broke Upstart by introducing a syntax error (by commenting out the only line of code in an if/then block, a function call that calls the function that creates the "/PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC" flag file) while editing the (jailbreak) bridge.sh [I edited all 3 copies of that file: in the upstart services directory, in /var/local/mkk or wherever the first backup is, and in /mnt/us/mkk].

No idea if perhaps something bad happened to partitions and to eMMC chip while the device was stuck in bootloops for ~2 days until it drained the battery / until it displayed battery low screen.
Since then I charge the battery every couple of months and then unplug the battery to stop the bootloops. The behavior of that PW5 unit is still exactly the same as it was since that first reboot after botched bridge.sh edit.

Last edited by shamanNS; 10-04-2022 at 05:49 PM.
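The failure described in post #7, as an added example that is not part of the original thread: in POSIX shell, an if/then block whose only command has been commented out no longer parses, and `sh -n` reports that without executing the script. The script text and the function name `create_debug_flag` are constructed for illustration and are not taken from bridge.sh.

```shell
#!/bin/sh
# Added example (not from the thread): an empty then-block is a syntax error,
# and `sh -n` catches it before an edited boot script is copied into place.
# The script bodies and the name create_debug_flag are constructed.

# check_script FILE -> exit status 0 if FILE parses, non-zero otherwise.
# `sh -n` reads the whole script and reports syntax errors without running it.
check_script() {
    sh -n "$1" 2>/dev/null
}

# write_variant KIND FILE -> writes one of three constructed variants to FILE.
write_variant() {
    case "$1" in
        original) body='    create_debug_flag' ;;
        broken)   body='    # create_debug_flag' ;;    # then-block is now empty
        safe)     body='    : # create_debug_flag' ;;  # ":" is a no-op command
    esac
    printf 'if [ -f /tmp/example ]; then\n%s\nfi\n' "$body" > "$2"
}

# verdict KIND -> prints "ok" or "syntax-error" for that variant.
verdict() {
    tmp=$(mktemp) || return 2
    write_variant "$1" "$tmp"
    if check_script "$tmp"; then echo ok; else echo syntax-error; fi
    rm -f "$tmp"
}

for kind in original broken safe; do
    printf '%-8s %s\n' "$kind" "$(verdict "$kind")"
done
```

Running the same check against every copy of an edited script before rebooting catches this class of mistake while the device still has a working shell.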
10-04-2022, 06:03 PM   #8
j.p.s
Grand Sorcerer
Posts: 5,832
Karma: 104935873
Join Date: Apr 2011
Device: pb360
Quote:
Originally Posted by trimen
I've got full eMMC backup via dd and netcat already.
The problem is not a missing eMMC image, but my current inability to restore eMMC content if I mess it up. (Or to be able to write to eMMCs in general)
I think there is more in the eMMC than reachable by dd. I don't know anything about eMMC layout and contents, but member eddie.t.h does, including writing to eMMC. There are things like serial numbers and more whose values need to be present in the correct places.
10-04-2022, 10:24 PM   #9
Wolf-HRB
One of my friends took off the eMMC chip and made a mirror of the full disk, not the dd method
10-05-2022, 02:50 PM   #10
trimen
Quote:
Originally Posted by Wolf-HRB
One of my friends took off the eMMC chip and made a mirror of the full disk, not the dd method
In that case, I would like to get it. It'll be useful for comparison.
10-05-2022, 05:32 PM   #11
NiLuJe
BLAM!
Posts: 13,506
Karma: 26047202
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Quote:
Originally Posted by trimen
Missing the datasheet for the MT8113 is a problem, as I cannot find anything about it, and the only info that I can get is from other CPU type datasheets.
At a quick glance, it appears that the MT8110 is based on the MT8512... which is already a custom job for Amazon ;o). (But whose existence is at least acknowledged by MTK, which is more than can be said of its little brother ;p).

So, it's a custom job on top of a custom job, which doesn't really bode well for getting access to spec sheets :/.
10-06-2022, 12:10 AM   #12
Wolf-HRB
Cool

Here is the partition structure of the KPW5 8GB eMMC. If you need the real image file (which is a .bin file), I will upload it to my Google Drive after I get the share permission from my friend.

[Attached thumbnail: KPW5_Partitions.jpg]

Last edited by Wolf-HRB; 10-06-2022 at 12:12 AM. Reason: Missing core information
11-02-2022, 02:21 PM   #13
studynet
Enthusiast
Posts: 31
Karma: 10
Join Date: Oct 2019
Device: kindle 10th
I need help. I tried to install the latest KUAL (coplate), thinking that the jailbreak would be updated. It failed, I got an error and it restarted.
It got stuck and I had to force restart it.
Now I have a paperweight, which I can do.
It restarts all the time and I can't do anything, even by pressing the power button for 40 seconds, and the computer doesn't detect it.
I find it incredible what happened.
It's a Kindle Paperwhite 11th Signature Edition, I was delighted with everything.
What can I do??

My kindle is like this
https://www.youtube.com/watch?v=5QdSN8JQ0Ic
There is a moment when the pc detects a storage unit without access, but it disappears and I can't do anything.
In the end he will die and I understand that it is not good for the memory.
Can it be recovered?

I already had the kindle with a jailbreak done and the koreader working, the previous version.
I was very happy with how it worked and downloaded the new version and installed straight away.
It was supposed to update, but it didn't, it gave me an error and it crashed trying to install.

Update_KUALBooklet_hotfix_eb7e23d_install.bin

What I installed was this file: I put it in the MRPI folder and then started the installation with the KUAL package installer.
Something like that.
I'm surprised there's nothing to recover.
It's on an infinite reset and obviously this won't be good for memory I understand.
when I connect it to the computer it detects a drive and disconnects.
The device it detects is: Kindle Internal Storage USB Device
Any ideas?
11-08-2022, 11:44 PM   #14
eddie.t.h
Addict
Posts: 201
Karma: 123456
Join Date: Jan 2018
Device: Too Much Kindle :-)
Quote:
Originally Posted by Wolf-HRB
Here is the partition structure of the KPW5 8GB eMMC. If you need the real image file (which is a .bin file), I will upload it to my Google Drive after I get the share permission from my friend.
eMMC memories have other areas, such as the two bootloader areas and RPMB, i.e. the encrypted part. Older Kindle models kept all sensitive data (serial numbers, etc.) in this encrypted area. This area, as far as I know, cannot be copied to another memory using a programmer.
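The point raised in posts #8 and #14, as an added example that is not part of the original thread: a Linux kernel exposes the eMMC boot areas and RPMB separately from the main block device, so a dd of that device reads only the user area. Assumptions: the disk is named mmcblk0, the boot areas appear as mmcblk0boot0/mmcblk0boot1, the RPMB size is published in `device/raw_rpmb_size_mult`, and the sizes in the sample tree are constructed rather than read from a Kindle.

```shell
#!/bin/sh
# Added example (not from the thread). Lists the eMMC regions described by a
# sysfs tree and marks which ones a dd of the main block device would cover.
# Device names and the sample sizes below are assumptions / constructed values.

# emmc_regions SYSROOT DISK -> one line per region: "name bytes in-user-dd"
emmc_regions() {
    root=$1 disk=$2
    # User area: this is everything that `dd if=/dev/$disk` reads.
    sectors=$(cat "$root/block/$disk/size")       # size is in 512-byte sectors
    echo "user $((sectors * 512)) yes"
    # Boot areas are separate block devices, not part of /dev/$disk.
    for b in boot0 boot1; do
        f="$root/block/$disk$b/size"
        if [ -r "$f" ]; then echo "$b $(( $(cat "$f") * 512 )) no"; fi
    done
    # RPMB is accessed with dedicated RPMB command frames, not block reads.
    f="$root/block/$disk/device/raw_rpmb_size_mult"   # units of 128 KiB
    if [ -r "$f" ]; then echo "rpmb $(( $(cat "$f") * 131072 )) no"; fi
    return 0
}

# make_sample_sysfs -> prints the path of a constructed sysfs-like tree.
make_sample_sysfs() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/block/mmcblk0/device" "$d/block/mmcblk0boot0" "$d/block/mmcblk0boot1"
    echo 15269888 > "$d/block/mmcblk0/size"
    echo 8192 > "$d/block/mmcblk0boot0/size"
    echo 8192 > "$d/block/mmcblk0boot1/size"
    echo 0x20 > "$d/block/mmcblk0/device/raw_rpmb_size_mult"
    echo "$d"
}

sample=$(make_sample_sysfs)
emmc_regions "$sample" mmcblk0
rm -rf "$sample"
```

On a live device the same function can be pointed at `/sys` instead of the sample tree.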
11-09-2022, 04:51 AM   #15
Wolf-HRB
What about eMMC mirroring? Disregard the encryption, just a full mirror. My friend is a third-party Kindle repairman; he has fixed tonnes of KPW5s that were stuck at the Tree screen (stuck at booting).