UnJailbreaking Kindle 4 NT - Page 2

knc1 · 06-27-2012, 03:45 PM

Quote:

Originally Posted by vitalidon

I am not "bricked". I just was not able to flash the new software update 4.1.0 (error code u006) so I used a main image for kindle 4NT (version 4.0.1) to restore it to brand new state. Then I was able to update the device to the new firmware 4.1.0. The only one problem is that I am not able to get root access because my old root password does not work anymore.

Translation: You did not change the "diags mode" software.

My answer, and your solution, remains the same. Use your "diags mode" access to fix the "main mode" software image contents of <mount-point>/etc/shadow.

geekmaster · 06-28-2012, 05:45 AM

Quote:

Originally Posted by vitalidon

I am not "bricked". I just was not able to flash the new software update 4.1.0 (error code u006) so I used a main image for kindle 4NT (version 4.0.1) to restore it to brand new state. Then I was able to update the device to the new firmware 4.1.0. The only one problem is that I am not able to get root access because my old root password does not work anymore. I also have tried root,mario. The only combination that works is framework,mario, but it does not give you the root rights to the device. And I am not sure when the root password has changed: when I flashed the main image file mmcblk0p1.img from http://pastebin.com/Wdw4L7yT or after I did the update to new firmware 4.1.0

You need hostar's root pw. You can use john the ripper with the fiona wordlist, or ask hostar for the pw...

When I added ssh to dasmoover's 5.0.0 diags, I replace HIS diags root password hash with the "mario" pw hash from my K4, in /etc/shadow (using a text editor). It would be a good idea for all uploaded main and diags partitions to have their passwords changed to DES mario (using a text editor to copy the hash), just to prevent people not knowing the root password (or serial number) of the original owner of that partition image.

From a framework:mario login, you can do "cat /etc/shadow", then copy paste that to a file on your host PC, then use john (the ripper) to crack it "instantly" using the fiona wordlist in the tools index. It would be helpful to publish that pw here for others who have this problem.

Aleyst · 06-28-2012, 08:13 AM

Root pw for hostar's img is mario

geekmaster · 06-28-2012, 08:26 AM

Quote:

Originally Posted by Aleyst

Root pw for hostar's img is mario

That is good news. I hope to keep using "mario" as the root password for all archived forensic images, so that people do not have password problems after debricking (or restoring unhacked firmware).

knc1 · 06-28-2012, 08:35 AM

Or use the character Fiona's last name: Glenanne

If there was ever any question of the truth to the saying that: "Too much TV rots the mind" - just look what it has done to the staff of lab126.

kirokko · 06-28-2012, 02:40 PM

Quote:

Originally Posted by geekmaster

That is good news. I hope to keep using "mario" as the root password for all archived forensic images, so that people do not have password problems after debricking (or restoring unhacked firmware).

After update to 4.1.0 password was changed. /etc/shadow file in diags partition was replaced (maybe it was done another way) with /etc/shadow- in main (mmcblk0p1) partition. Main partition also has /etc/shadow with mario password. What if somebody edit image file and replce /etc/shadow- with /etc/shadow? Will this hack work? It might break the firmware update if it will check the shadow file during update (not only 4.1.0 but future updates).

geekmaster · 06-28-2012, 11:18 PM

Quote:

Originally Posted by kirokko

After update to 4.1.0 password was changed. /etc/shadow file in diags partition was replaced (maybe it was done another way) with /etc/shadow- in main (mmcblk0p1) partition. Main partition also has /etc/shadow with mario password. What if somebody edit image file and replce /etc/shadow- with /etc/shadow? Will this hack work? It might break the firmware update if it will check the shadow file during update (not only 4.1.0 but future updates).

I think the firmware update uses a calculated (original serial-number based) password, not the one stored in /etc/shadow. Others had changed the root pw with no OTA update breakage.

vitalidon · 06-29-2012, 02:44 PM

Quote:

Originally Posted by geekmaster

From a framework:mario login, you can do "cat /etc/shadow", then copy paste that to a file on your host PC, then use john (the ripper) to crack it "instantly" using the fiona wordlist in the tools index. It would be helpful to publish that pw here for others who have this problem.

I did all this and the password that works is "fionaadc". Thank you.

geekmaster · 06-29-2012, 03:16 PM

Quote:

Originally Posted by vitalidon

I did all this and the password that works is "fionaadc". Thank you.

You are welcome. I am glad it worked for you. And thanks for posting that password. When I get pastebin access again, I will add the pw to the pastebin (until we get all images to be mario root pw).

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Can I walk my kindle 3 into the Jail? aka UnJailbreaking or restore to stock	beterhans	Kindle Developer's Corner	5	01-06-2012 11:29 AM
$0.01 in Kindle Store: Interactive Sudoku for Kindle 2 and Kindle DX - Volume 1	Xia	Deals and Resources (No Self-Promotion or Affiliate Links)	2	11-07-2009 10:06 AM

06-28-2012, 08:13 AM	#18
Aleyst Zealot Posts: 109 Karma: 2800 Join Date: Jul 2010 Location: Australia Device: PW (7th Gen), PW (10th Gen)	Root pw for hostar's img is mario

06-28-2012, 08:35 AM	#20
knc1 Going Viral Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA	Or use the character Fiona's last name: Glenanne If there was ever any question of the truth to the saying that: "Too much TV rots the mind" - just look what it has done to the staff of lab126.