[Progress] Jailbreaking Kindle 4.0 (Touch/No Keyboard)

[yifanlu]

I won't have free time for a while, so I'll dump some stuff I've learned so far here and hope someone can make some progress while I'm gone.

First of all: The Kindle 4 and Kindle Touch contains "fastboot". This is a program usually found in Android phones installed in the bootloader. It allows you to flash kernels, system images, and stuff. On Android phones, this is what most people mean by "rooting" or "unlocking the bootloader". It's to get fastboot access and flash custom images. We have known that the new kindles have fastboot for a while now since we have the bootloader source code from amazon. However, I found out two things 1) unlike what I previously though, you CAN access fastboot without serial access. 2) the bootloader is unlocked so you CAN flash custom images/kernels/etc (however I have not explored this so there may be other limitations that are currently unknown).

Firstly, accessing fastboot:
IMPORTANT!!! When you put the Kindle into fastboot mode, you CANNOT exit it until you run the fastboot tool on your computer and reset the bootmode (or use the serial console). This tool is very unfinished and has only been tested on my OSX computer so don't do this unless you know what you're doing!!!
1) Plug in the device into your computer and in the mounted USB drive, make a blank file named "ENABLE_DIAGS" (just like previous Kindles)
2) Remove the usb cable and restart the kindle through the settings menu.
3) Once you have booted into diags mode, choose "Exit, Reboot or Disable Diags" either by tapping on it (touch) or scrolling to it (kindle 4)
4) Choose "Fastboot Bundle Install" and confirm your choice
5) The screen will now freeze. It is in fastboot mode. You can plug in your device to your computer. I don't know if you need drivers on windows or not, if so try a fastboot driver from some phone. On osx/linux you do not need drivers.

Secondly, using fastboot:
I ported the fastboot tool from the android SDK to work with the Kindle (and removed support for other devices to make things easier): https://github.com/yifanlu/Fastboot-Kindle
It is highly alpha and I have not compiled it for any other platforms yet. Once you compile it, you can run it on your computer. I'll post the commands here:

Code:

usage: fastboot [ <option> ] <command>

commands:
  getvar <variable>                        display a bootloader or idme variable
  setvar <variable> <value>                sets an idme variable
  download <filename>                      download data to memory for use with 
                                             future commands
  verify <partition> [ <filename> ]        verify downloaded data. required if 
                                             bootloader is secure
  flash <partition> [ <filename> ]         flash downloaded data
  eraseall                                 wipe the entire flash memory
  erase <partition>                        erase a flash partition
  check <partition>                        crc32 hash test the flash memory
  boot [ <filename> ]                      boot downloaded data
  continue                                 exit fastboot and return to 
                                             bootloader
  reboot                                   reboot the device
  powerdown                                shuts down the device
  pass                                     sets LED to green
  fail                                     sets LED to red

variables:
  version-bootloader                       (read only) version string for the 
                                             bootloader
  version                                  (read only) version of fastboot 
                                             protocol supported
  product                                  (read only) name of the product
  serialno                                 (read only) fastboot serial number
  secure                                   (read only) if "yes" boot images 
                                             must be signed
  serial                                   (read write) serial number
  accel                                    (read write) accelerometer 
                                             calibration data
  mac                                      (read write) MAC address
  sec                                      (read write) manufacturing code
  pcbsn                                    (read write) PCB serial number
  bootmode                                 (read write) diags, fastboot, 
                                             factory, reset, or main (default)
  postmode                                 (read write) slow, factory, or 
                                             normal (default)

partitions:
  bootloader                               bootloader, 376KiB
  prod                                     overlaps bootloader, 120KiB
  bist                                     bist, 256KiB
  userdata                                 userdata, 5KiB
  userpartition                            userpartition
  mbr                                      master boot record
  kernel                                   primary kernel
  diags_kernel                             diags kernel
  system                                   main system (root) partition
  diags                                    secondary system (diags) partition
  data                                     user data

options:
  -s <serial number>                       specify device serial number
  -i <vendor id>                           specify a custom USB vendor id

(I know I don't have to say this if you're experienced enough to run the tool, but note that you WILL brick your device if you flash the wrong image or flash to the wrong partition, or if my tool is coded improperly and breaks so have your serial cable ready)

To get out of fastboot, run "fastboot setvar bootmode main" and you may need to delete the "ENABLE_DIAGS" file or it might go back to diags mode.

I wrote the commands list based on the Kindle bootloader source, so all commands might not work. You can also see that you can also see that you can write the serial number and MAC address. I hesitated to put those options in, but I figured that if you're smart enough to compile the tool and get everything working, you will find out yourself anyways. That being said, don't be naughty.

When I have the time, I might write an "autoroot" kernel that you can flash and it'll install SSH or something on startup. However, as you can see, it would be very complicated to install so if I do this, it will most likely be a "developer unlock" or something for experienced users so developers can get a head start writing Kindle Touch apps (I've already expressed my excitement at the extendibility of the operating system).

P.S: If anyone know anything about autorooting kernels, tell me, because I sure as hell don't.

[giorgio130]

Didn't you say there's a check on the kernel at startup? I remember you saying you wouldn't make a recovery kernel for k4 because of this.

[yifanlu]

Quote:

Originally Posted by giorgio130

Didn't you say there's a check on the kernel at startup? I remember you saying you wouldn't make a recovery kernel for k4 because of this.

Sorry, when did I say this? If I did, I was wrong. Also, I have not tried flashing a kernel yet, only know of its existence so it may not work completely.

[seaniko7]

How about dumping kernel and modifying initramfs init file to create temporary file system and load unionfs module ? Maybe using this we could replace/include some scripts with these from tempfs.

[giorgio130]

"-Kernel update are now delta! It reads the kernel, hashes it, if it matches, the kernel is patched and then reflashed. Custom kernels will prevent updates! (I think the only custom kernel is mine, so I won't make one for 4.0 anyways)."

Sorry, I didn't remember quite right However, if this works I'd say we're done. It'll be much simpler than rooting most android phones, I don't see the need for finding something simpler.

[yifanlu]

Quote:

Originally Posted by seaniko7

How about dumping kernel and modifying initramfs init file to create temporary file system and load unionfs module ? Maybe using this we could replace/include some scripts with these from tempfs.

I was thinking of something with the initramfs. It is really limited, aka no shell utils, but luckily, the included recovery-utils script has many great functions like mounting mmc and copying files so we can always import stuff from it. I was just hoping there's a easier way (and I guess that's already easy). More specifically, I want to know how those android auto-root kernels work. Or are they just auto-root startup scripts.

Quote:

Originally Posted by giorgio130

"-Kernel update are now delta! It reads the kernel, hashes it, if it matches, the kernel is patched and then reflashed. Custom kernels will prevent updates! (I think the only custom kernel is mine, so I won't make one for 4.0 anyways)."

Sorry, I didn't remember quite right However, if this works I'd say we're done. It'll be much simpler than rooting most android phones, I don't see the need for finding something simpler.

I was talking about the updater. The updater for Kindle 4 will only update "vanilla" kernels because it no longer includes the entire kernel in each update, so the patcher will fail.

[dionoea]

Hello,

I believe that I've found an easy to reproduce method to get an ssh root shell on the kindle 4 (no touch) in 3 easy steps:
1. Reboot into diag mode
2. Enable usbnetworking and configure the computer side of the link to 192.168.15.1 (or anything in that subnet)
3. ssh to 192.168.15.244 using "root" as login and "mario" as password.
That's it

A few items worth mentioning:
* My kindle answers "yes" to the question "is this a prototype board" in some init scripts. I'm lucky I guess. This might mean that the above instructions won't work on all the other kindles. For example yifanlu's kindle touch doesn't have the dropbear binary in the diag image so it doesn't work.
* I have a working serial port on the kindle which helped find the password for the diag image.
* usbnetworking can be found in the following menu in the diag menu: Misc individual diagnostics > Utilities > Enable USBnet.
* The "normal" 4.0 image used init.d while the diag image uses upstart.

I'll be putting information and pics on http://dionoea.chewa.net/kindle/

[yifanlu]

On my touch, the ssh binary is not included and the computer connects to it, but you can't do anything.

[geekmaster]

That is great news, dionoea!

EDIT: dionoea's results have been duplicated! amic successfully connected to his Kindle 4 (no Touch) over usbnet with ssh, following dionoea's instructions posted above. amic does not have a /test directory, so it appears that dionoea has a "special" kindle. UPDATE: amic reports that he DOES have a /test folder after mounting the first partition.

WARNING: when in diagnostic mode, yifanlu warns "don't choose random options". This is considered a "Developer Mode" (for experts), and a true jailbreak is still being sought.

[yifanlu]

Ok, I can confirm that the K4 dump I have does contain the SSH binary. I must have missed it before because I thought "no way they would have left it." My Touch still does not have the binary though, but I guess K4 users can now ssh! Thanks dionoea

[yifanlu]

Let's just add some more stuff into our kindle knowledgebase. Here's the "commands" you can type into the Kindle. Type them into the search bar. You can also pass arguments with a space, but no enabled commands take arguments.

Quote:

;dm - Dump messages to /documents
;dh - Dump cvm heap
;dt - Dump cvm stack
;shpm - set device to shipping mode
;urst - Reset user partition (aka delete all books) NO CONFIRMATION!
;debugOn - verbose logging
;debugPaint - log painting functions
;debugOff - non-verbose logging
;debugPerf - pref level logging
;dP - alias of ;debugPref
;311 - change carrier settings
;411 - server information
;611 - wan information
;711 - wifi information
;setTime - sets kindle time to unix clock
;st - alias of ;setTime
~ds - Never show screen saver

These commands are disabled:

Quote:

;dmcc - unknown
;wifipopup - show wifi dialog
;sandbox - unknown
;sbx - alias of ;sandbox
;usbnetwork - turn on usbnetwork
;un - alias of ;usbnetwork
;di - disable indexing
`stopIndexing - stop indexing
`startIndexing - start indexing
`disableIndexing - alias of ;di
`indexStatus - show index status
;ddc - dynconfig, unknown
;resetConfig - resets config? unknown
;rc - alias of ;resetConfig
;twoFingerChromeOn - unknown, something with browser?
;homeKeyChromeOn - unknown
;normalChrome - unknown

[geekmaster]

Quote:

Originally Posted by yifanlu

;611 - unknown, what is it on older kindles?

;611 - G3 information?

On older kindles, 611 from settings menu gives realtime G3 modem info, including signal strength, amazon proxy IP address, SIM card info for GSM, GPS location for US CDMA modems. Next> and <Prev buttons scroll through 6 pages of 611 info (some "packet dumps" changing so fast that it is not readable on eInk).

[seaniko7]

Actually "mario" password didn't seem to work for me, but by generating fionaXXXX from serial number I've successfully ssh'd to my Kindle 4 and played a little with rootfs ( screensavers, some init.d scripting etc. ). Thanks dionoea
Now I made myself nice nice screensaver and font "hacks".

[kkasmire]

Confirmed that Kindle Touch does NOT allow SSH login. According to yifanlu, the SSH binary is not onboard.

The following steps were taken (I was using a fresh laptop):

Code:

Install Windows Mobile Device Center Driver 6.1
Install puTTY
Adjust TCP/IP of laptop to 192.168.15.1
Connect Kindle USB cable
Create empty file ENABLE_DIAGS on Kindle
Disconnect Kindle USB cable
Reboot Kindle (menu > settings > menu > reset)
Diagnostics Mode
Select Enable USBnet
Connect Kindle USB cable
puTTY to 192.168.15.244
Successful port connection, but no SSH

I notice in the Diagnostics in the exit menu, there is an option to exit to console. Is it possible to exit to console and install SSH server, right there on the device from the console?

NOTE: Exiting Diagnostics Mode is tricky. In the exit menu, there is an option to Disable Diagnostics. It doesn't work. Neither does deleting ENABLE_DIAGS. After several reboots attempting to shake out of Diagnostics Mode, I finally discovered Device Settings has to be clicked at least once before Disable Diagnostics works. Before I found this workaround, the Disable Diagnostics gave me the following error:

Code:

device_info.xml not found

I guess that selecting the Device Settings menu creates the required XML file for the Disable Diagnostics to shutdown properly.

Can anyone confirm this?

[dionoea]

"exit to console" exits to a login prompt on the serial port. I'm afraid that it doesn't do anything on the kindle itself. (feel free to prove me wrong )

Have you tried running nmap on the kindle to see if it's listening on any other port once usbnet is enabled?