Kindle Touch bricked without USB

[rastik]

After successful recovery from a brick-state of my Kindle Touch I got into a bigger trouble. I was installing additional tools by ipkg and the process has frozen. I was still able to work within SSH but was unable to access /mnt/us - every access attempt froze. So I decided to do a hard reboot.
I ended up with a device that keeps restarting and even though I can see USB drive for a while I cannot access it. After every restart my Windows host find a USB mass storage device, but I get "The device is not ready." error. After a while it restarts again. It seems that /mnt/us is corrupted and I lost the only known way how to communicate with Kindle apart from serial cable.

Now I'm searching for information how to build a serial cable and where to find required parts. Thankfully my soldering iron still works.

Is there any way to do a factory reset without GUI? With older Kindle it was possible.

In the meantime I left it restarting all over and I hope fsck would kick in and things will work out.

I'll keep you posted regarging my progress.

[geekmaster]

UPDATE: Great news! rastik has successfully debricked his kindle touch by using yifanlu's fastboot tool. You can read more about the details later in this thread.

Welcome to the Kindle Touch Brick Owner's Club! It has a rapidly growing membership. Fortunately, many of us have successfully debricked our Touch. I believe that I was the first, using the serial port method that I documented during my "adventure", but now there is a MUCH simpler way that does not require opening your kindle. See below for details.

You probably have a script that is loop mounting a file during boot. The touch has serious problems with having the GUI framework and a loop mount both running at the same time.

This has caused bricks.

The reason why the USB Drive disappears after 10 seconds that you booted unsuccessfully too many times and it halts in "repair needed" mode (even if you cannot see that screen) to prevent infinite reboot loops (ending only when the battery is severely depleted).
I fixed mine with a serial cable, but you can now repair it with the tar bug documented in the wiki.

You can make changes to the USB Drive during that 10 second window, including installing a tar bug payload. This payload can replace a damaged startup script with a good one. If you added a bad script (one that mounts a loop device), you can replace that script with a version that does NOT mount the loop device.

If you do not know what script to replace, the tar bug also looks for a script to run on the USB Drive (see the wiki). That script can put a directory listing of the startup directory on the USB Drive, and can copy scripts from the startup folder to the USB Drive, for later copying to the host PC during the 10 second reboot window. Use the startup script to gather information to create a tar payload to repair the damage. This payload can also enable SSH over wifi (iptables) and can reset the boot counter so it will not halt in 10 seconds.

If you cannot make this work, I have a jailbreak exploit that we have been saving, which has no shared dependencies with the published tar expoit, and which can run a repair script even if the root partition is severely damaged, on both the Touch and on the K4NT. Like the tar bug, it too can reset the boot counter, and can enable SSH over wifi. It can install the merged developer keystore as well (i.e. Touch jailbreak). It can also copy missing files from the diagnostics partition to enable SSH (i.e. K4NT jailbreak). Of course, you can do those things with the published tar exploit as well.

[rastik]

Thank you for a detailed explanation. How can I opt out from this club?

Last time I've bricked my KT your USB/tar/RUNME.sh method worked perfectly. But this time I never get the possibility to access USB drive. After a restart I can see the drive but not read/write, not even list contents of it. After cca. 30 seconds the drive disappears and KT reboots. This goes on and on without stop. I was only able to stop this loop by booting into USB download mode. But apparently the device was still on because today my battery was depleted. Once I charge it a bit I'll try it again.

EDIT: No luck with USB - I either get "The system cannot find the path specified." when drive is not mounted or "The device is not ready." when it is mounted.

[geekmaster]

Quote:

Originally Posted by rastik

Thank you for a detailed explanation. How can I opt out from this club?
...
EDIT: No luck with USB - I either get "The system cannot find the path specified." when drive is not mounted or "The device is not ready." when it is mounted.

You cannot leave the brick owners club. Once you own a brick, even after repairing it, you will always be known as a brick owner. Your only hope is to go far away where nobody knows you, and to change your identity.

If you have damaged your kindle deeply enough that there is no way to deliver a payload to the USB Drive, you either need a serial port cable, or you need to figure out how to build and use the tools you need to exploit USB HID mode.

@rastik: Read the PM I sent you.

[rastik]

I'm waiting for my converter cable (TTL-232RG-VREG1V8-WE), it should arrive on Tuesday. Until then I'm going to solder cable as you (geekmaster) mentioned in your earlier posts. I tried to order the connector (Molex 78172-0003), but I either have to pay $40 shipping or order 100 pieces.
I hope I'll be able to get to shell console, because everyone who tried it and wrote about it here mentioned the way via ENABLE_DIAGS. I cannot do it this way.

[rastik]

I'm still not a lucky boy. My cable arrived and I connected it to KT. Whatever I did, the terminal was numb.

I use PuTTY (Win) and 115200 8N1 with no hw and sw flow control. When I interconnect TxD and RxD lines I can see typed characters echoed in the terminal. When Kindle is laying on the desk screen down and the connector is away from me (device upside down) I connected lines GND, RXD, TXD in left-to-right order. Matching colors on my cable were black, yellow, orange. Cable is decribed here on page 8.

Code:

http://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_TTL-232RG_CABLES.pdf

Other three lines (CTS, RTS, VCC) I didn't connect.

EDIT: It works! It's just the other way around - pinout is TXD, RDX, GND from KT viewpoint. Cable lines are RXD, TXD, GND or yellow, orange, black.

[rastik]

To put it shortly - I made it even worse

Trying to find out what is wrong I got:

Code:

BOOTING DEFAULT.
  argc == 10
  argv[0]: "kinit"
  argv[1]: "consoleblank=0"
  argv[2]: "rootwait"
  argv[3]: "ro"
  argv[4]: "ip=off"
  argv[5]: "root=/dev/mmcblk0p1"
  argv[6]: "quiet"
  argv[7]: "eink=fslepdc"
  argv[8]: "video=mxcepdcfb:E60,bpp=8"
  argv[9]: "console=ttymxc0,115200"
  argc == 4
  argv[0]: "IP-Config"
  argv[1]: "-i"
  argv[2]: "Linux kinit"
  argv[3]: "ip=off"
IP-Config: no devices to configure
kinit: do_mounts
kinit: name_to_dev_t(/dev/mmcblk0p1) = dev(179,1)
kinit: root_dev = dev(179,1)
kinit: /dev/root appears to be a ext3 filesystem
kinit: trying to mount /dev/root on /root with type ext3
kinit: Mounted root (ext3 filesystem) readonly.
info firsttime:mount_rw:time=3880:Mounting root RW for first boot
info firsttime:mount_ro:time=4250:Mounting root RO
info modules:modprobe:loading module g_file_storage:
init.exe: system pre-start process (465) terminated with status 1
info modules:modprobe:loading module fuse:
crit system_monitor:job=system,sts=1,sig=:hard-reboot in 20 seconds:
info modules:modprobe:loading module ppp_async:
info modules:modprobe:loading module whitney_button:
info zforce:start:version=2.0b0r12:
/home/build/src/yoshi/juno/OFFICIAL/kernel/linux-2.6.31/dist/drivers/usb/gadget/file_storage.c, line 3394: kobject_uevent_atomic failed
Restarting system.
Restarting Yoshi

It seems that I had some problems with the rootfs.
Goind further and while in recovery menu:

Code:

Menu
====
3. Load MMC0 over USB storage
4. Erase MMC0
I. Initialize Partition Table (fdisk) and format FAT
O. Format and overwrite FAT partition
E. Export FAT partition
U. Update using update*.bin file on FAT partition
M. Update using update*.bin file on FAT partition of second MMC port
D. dmesg / kernel printk ring buffer.
Q. quit

I tried to enter 3 - but I always got

Code:

Unknown option '3'

While I was trying that again and again I accidentaly entered 4 and I lost all partitions. I'm soooo stupid. Now I cannot boot:

Code:

BOOTING DEFAULT.
  argc == 10
  argv[0]: "kinit"
  argv[1]: "consoleblank=0"
  argv[2]: "rootwait"
  argv[3]: "ro"
  argv[4]: "ip=off"
  argv[5]: "root=/dev/mmcblk0p1"
  argv[6]: "quiet"
  argv[7]: "eink=fslepdc"
  argv[8]: "video=mxcepdcfb:E60,bpp=8"
  argv[9]: "console=ttymxc0,115200"
  argc == 4
  argv[0]: "IP-Config"
  argv[1]: "-i"
  argv[2]: "Linux kinit"
  argv[3]: "ip=off"
IP-Config: no devices to configure
kinit: do_mounts
kinit: name_to_dev_t(/dev/mmcblk0p1) = dev(179,1)
kinit: root_dev = dev(179,1)
kinit: failed to identify filesystem /dev/root, trying all
kinit: trying to mount /dev/root on /root with type ext3
kinit: trying to mount /dev/root on /root with type ext2
kinit: trying to mount /dev/root on /root with type ext4
kinit: trying to mount /dev/root on /root with type cramfs
kinit: trying to mount /dev/root on /root with type vfat
kinit: trying to mount /dev/root on /root with type msdos
kinit: Unable to mount root fs on device dev(179,1)
kinit: init not found!
Kernel panic - not syncing: Attempted to kill init!

Nor can I boot from diag partition:

Code:

BOOTING DEFAULT.
  argc == 11
  argv[0]: "kinit"
  argv[1]: "consoleblank=0"
  argv[2]: "rootwait"
  argv[3]: "ro"
  argv[4]: "ip=off"
  argv[5]: "root=/dev/mmcblk0p2"
  argv[6]: "quiet"
  argv[7]: "user_debug=31"
  argv[8]: "eink=fslepdc"
  argv[9]: "video=mxcepdcfb:E60,bpp=8"
  argv[10]: "console=ttymxc0,115200"
  argc == 4
  argv[0]: "IP-Config"
  argv[1]: "-i"
  argv[2]: "Linux kinit"
  argv[3]: "ip=off"
IP-Config: no devices to configure
kinit: do_mounts
kinit: name_to_dev_t(/dev/mmcblk0p2) = dev(179,2)
kinit: root_dev = dev(179,2)
kinit: failed to identify filesystem /dev/root, trying all
kinit: trying to mount /dev/root on /root with type ext3
kinit: trying to mount /dev/root on /root with type ext2
kinit: trying to mount /dev/root on /root with type ext4
kinit: trying to mount /dev/root on /root with type cramfs
kinit: trying to mount /dev/root on /root with type vfat
kinit: trying to mount /dev/root on /root with type msdos
kinit: Unable to mount root fs on device dev(179,2)
kinit: init not found!
Kernel panic - not syncing: Attempted to kill init!

I can only access USB storage that was of course empty after my erase. I copied there my backups and now I'm going to try to boot using that. Either creating whole file structure on FAT or trying to boot from loop mount on FAT - if that's possible at all.

EDIT: It seems that I cannot alter boot args, I might still be able to apply updates. If I can create update bin file that overwrite partitions with dd, it should work.

[geekmaster]

Problem 1:
I do not know why your menu option 3 did not work. Is your serial cable putting out the correct voltage levels on its TxD line? Is it rated as a 1.8v cable? If not, the kindle could be receiving the wrong character codes. You might need to shift the voltage levels, which can be done with a resistor and two silicon diodes (refer to the "level shifter" thread).

Problem 2:
You erased device mmc0, which contains all partitions, including main@mmcblk0p1, diag@mmcblk0p2, /var/local@mmcblk0p3, and /mnt/us@mmcblk0p4.

Luckily, uboot is usually stored in a small i2c or spi memory device on embedded systems like this, and it is responsible for mounting and mapping an mmc device into memory (as either a block device or an xip* device), and then continuing the boot process from mmc. You should be able to boot to that uboot menu and try option 3 again after your serial adpater TxD is putting out the correct 1.8v ttl voltage levels.

If you have mmcblk0p1 backup up, you should be able to restore it so you can boot up main. Booting main will automatically format and populate the /var/local and /mnt/us partitions. From main, you can restore mmcblk0p2 (after jailbreak and usbnet).

If you are missing backups, you can use somebody elses, but you will need to use diagnostic tools to change the serial number and board ID to match what yours needs to register with amazon.

*xip = execute-in-place (not used by kindles).

[rastik]

Quote:

Originally Posted by geekmaster

If you have mmcblk0p1 backup up, you should be able to restore it so you can boot up main.

I have all backups. But how can I do that? Menu option 3 in recovery to export MMC0 via USB is somehow disabled. Even though it is listed, I always get Unknown option '3'. I've found a discussion of yifanlu and ichinomoto, wherethey weren't able to overcome that:

Code:

https://www.mobileread.com/forums/showpost.php?p=1802059&postcount=44

[geekmaster]

Quote:

Originally Posted by rastik

I've found a discussion of yifanlu and ichinomoto, wherethey weren't able to overcome that:

Code:

https://www.mobileread.com/forums/showpost.php?p=1802059&postcount=44

Nasty! You might have to order a JTAG cable now (and find the JTAG pads on the PCB).

Unless you wish to explore JTAG recovery for educational purposes, if you have better things to do with your time, I suggest buying a replacement and keeping this one for parts (eInk screen, battery, etc.).

Bummer...

[rastik]

Quote:

Originally Posted by geekmaster

Nasty! You might have to order a JTAG cable now (and find the JTAG pads on the PCB).

Unless you wish to explore JTAG recovery for educational purposes, if you have better things to do with your time, I suggest buying a replacement and keeping this one for parts (eInk screen, battery, etc.).

Thank you for the idea. Quick search didn't find anything useful regarding JTAG, I will have to dig deeper. I'm currently trying to build yifanlu's fastboot tool, that might help too.

I'm already thinking of buying a new one. It's just such a hassle to get it across the ocean - shipping within US, shipping to Europe, customs, VAT, etc. It can take up to a month.

[geekmaster]

Quote:

Originally Posted by rastik

I'm currently trying to build yifanlu's fastboot tool, that might help too.

Does uboot support USB HID mode? How do you get it into fastboot mode?

Another possibility would be to rebuild /mnt/us using uboot menu, then export it and stick an official amazon firmware image on it. Then use uboot menu to install the firmware package. You would need a full update (not differential) and signed with the amazon key (i.e. "official").

Unfortunately, you can only download firmware for every kindle model EXCEPT the touch:
http://www.amazon.com/gp/help/custom...deId=200324680

EDIT: After looking at the available firmware updates above, I see that my v4.0 K4NT can be updated to v4.0.1. Are there any benefits in NOT updating my firmware?

[dasmoover]

http://kindle.s3.amazonaws.com/Kindl...0280073.tar.gz

edit: nvm

[geekmaster]

Quote:

Originally Posted by dasmoover

http://kindle.s3.amazonaws.com/Kindl...0280073.tar.gz

edit: nvm

Source link ^^, but need a signed update package to install from uboot.

[p.s. what is "nvm"?]

Edit: nvm has 15 definitions here:
http://acronyms.thefreedictionary.com/NVM
(I strongly suspect that "nevermind" was the intended definition above.)

[rastik]

Quote:

Originally Posted by geekmaster

Does uboot support USB HID mode? How do you get it into fastboot mode?

I don't know about USB HID, I wasn't able to activate it from uboot. Only with pressing Home button during restart. But I wouldn't know what to with it anyway.

Quote:

Originally Posted by geekmaster

Another possibility would be to rebuild /mnt/us using uboot menu, then export it and stick an official amazon firmware image on it. Then use uboot menu to install the firmware package. You would need a full update (not differential) and signed with the amazon key (i.e. "official").

Unfortunately, you can only download firmware for every kindle model EXCEPT the touch:
http://www.amazon.com/gp/help/custom...deId=200324680

Amazon releases only incremental firmware updates. All of them at that web site are incremental ones.
I have /mnt/us working and I tried usbnet update, but it was rejected.

I have fastboot tool working. I am able to flash system and diags partitions - at least uboot and fastboot tools say so. But after reboot nothing is there.
I'm trying to export whole storage - in uboot I enter "bist" and there "fstor". I get the device (I see it as /dev/sdb), but accessing it I get "No medium found". But this way look promising. Best way would be fastboot, but somehow it does not do what I expect.