PW4 Help unbricking PW4 (Serial)

[SenorClean]

I have a PW4 here which won't boot past the 'boy under a tree' screen.

I have serial access now - and here is the output when booting normally:

https://pastebin.com/KeJhgY8R

Through the recovery menu - I can get the FAT32 partition to mount and have tried:

DO_FACTORY_RESTORE (didn't seem to do anything)
Copying the latest update to the device (applied the update, but didn't help at all)
Copying the factory image from the "Brand new PaperWhite 4 (2018) factory image JailBreaking" thread (update failed - but sounds like you can't 'downgrade' anyway).

Any more suggestions of things I can try?

[knc1]

Code:

Kernel command line: console=ttymxc0,115200  consoleblank=0 uart_at_4m root=/dev/mmcblk1p8 rootwait  quiet secure_cpu=1 androidboot.secure_cpu=1 androidboot.prod=1 androidboot.unlocked_kernel=false

That is going to make things a bit more difficult.

[SenorClean]

Quote:

Originally Posted by knc1

Code:

Kernel command line: console=ttymxc0,115200  consoleblank=0 uart_at_4m root=/dev/mmcblk1p8 rootwait  quiet secure_cpu=1 androidboot.secure_cpu=1 androidboot.prod=1 androidboot.unlocked_kernel=false

That is going to make things a bit more difficult.

... what does this mean? Is it possible to flash the factory image using fastboot?

[knc1]

Quote:

Originally Posted by SenorClean

... what does this mean? Is it possible to flash the factory image using fastboot?

Fastboot exists prior to execution of the kernel image.
Also, that was the kernel command line showing that the Android boot system is locked, at the time the kernel begins execution.
But perhaps not prior to the kernel execution.

Also in those messages you will note that they have started using encrypted signatures for the kernel and modules.
Lots of fun there also.

- - - -

Do not hold your breath for any chance I might try to break into what Amazon/lab126 has done.
Maybe younger minds, say half my age, will be better suited than myself.

[SenorClean]

It sounds like this is more of a mess than it was with the PW3..

This is the kindle that bricked when taken to PNG - something came over the cellular network and is preventing it from booting. It hadn't been flashed with anything wild - so I had hoped a factory reset would fix it. The PW3 I had which suffered the same fate is working fine after a 'fresh' flash.

DO_FACTORY_RESTORE doesn't seem to be doing anything - does this still work in the androidized models? Or is mine just crashing too early in the boot sequence?

Is there any other way I can factory reset? Nuke a particular partition from fastboot maybe?

There is also that mystery image from the PW3 thread - https://www.mobileread.com/forums/sh...3&postcount=10 - part of me wants to try flashing that, but I don't want to make things worse than they already are.

[knc1]

Quote:

Originally Posted by SenorClean

It sounds like this is more of a mess than it was with the PW3..

This is the kindle that bricked when taken to PNG - something came over the cellular network and is preventing it from booting. It hadn't been flashed with anything wild - so I had hoped a factory reset would fix it. The PW3 I had which suffered the same fate is working fine after a 'fresh' flash.

DO_FACTORY_RESTORE doesn't seem to be doing anything - does this still work in the androidized models? Or is mine just crashing too early in the boot sequence?

Is there any other way I can factory reset? Nuke a particular partition from fastboot maybe?

There is also that mystery image from the PW3 thread - https://www.mobileread.com/forums/sh...3&postcount=10 - part of me wants to try flashing that, but I don't want to make things worse than they already are.

You do have access to a Linux box (other than just Kindles), don't you?

Mystery image:
*) Use Kindletool to convert (just kindletool on command line gives help file).
*) Remove the rootfs.img file from the converted *.tar.gz compressed archive.
*) Create a new mount point (/mnt/pw4 would do nicely)
*) Mount that image (mount rootfs.img /mnt/pw4 <- all that is required of a modern Linux)
*) Make /mnt/pw4 the current directory (cd /mnt/pw4)
Everything in the file system below that new mount point is the Kindle's root file system image - enjoy.

If you want to actually RUN binaries of that file system image - -
Pick your favorite Linux distribution -
Enable qemu-user-binfmt and gemu-user-static of your distro -
(probably good to pick up a few how-tos at your local distro's forum)

How when you execute an ARMxx binary, the Linux system will just do it. Even if you are running an Intel x64 system.

And yes, you can also enable ARMxx-Java so you can play with the Kindle's GUI stuff.
But just viewing with a text editor scripts and such will give you a lot of information.

If you only have access to Windows, you are s.o.l. for any of the above.
(Yes, Virginia, there is a but you will not find him on Windows)

[SenorClean]

OK so I got the image mounted (diagrootfs.img in this case) in Ubuntu server and had a poke around.

Here is the output of 'tree' - https://pastebin.com/yHdEpGhW

There are some 'interesting' files in the root directory:

bin
dev
etc
INTERNAL_FEATURES_ENABLED__DO_NOT_RELEASE
lib
lost+found
mnt
MNTUS_EXEC
opt
PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC
proc
sbin
sys
system
usr
var


I'm not really sure what I'm looking at now...

[knc1]

Quote:

Originally Posted by SenorClean

OK so I got the image mounted (diagrootfs.img in this case) in Ubuntu server and had a poke around.

Here is the output of 'tree' - https://pastebin.com/yHdEpGhW

There are some 'interesting' files in the root directory:

bin
dev
etc
INTERNAL_FEATURES_ENABLED__DO_NOT_RELEASE
lib
lost+found
mnt
MNTUS_EXEC
opt
PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC
proc
sbin
sys
system
usr
var


I'm not really sure what I'm looking at now...

That is a build of Lab126's (factory) diagnostic - which for an Androidized firmware is the initramFS.

I.E: They took out the "dual boot" system of two system roots ("main" and "Diags") and just took the original (older, dual boot) initramFS and created all of the "Diags" (new and improved, right!) into what used to be the initramfs.

BIG NOTE: The above is all supposition on my part, but it seems to be consistent with the development direction that Lab126 is taking.
I have been at this C.S. game since 1962, but I could easily guess wrong.

- - - - -

If this image can be loaded somehow on a PW4, there should be a number of usable attack vectors.
Of course, I do not want to give any of this away in public.

[SenorClean]

I thought I'd give fastboot a shot - to at least get it running.

It seems to 'see' the kindle but every command I give it fails with "FAILED (command write failed (No error))"

https://pastebin.com/eNw5QZ6T

Any ideas?

I'm wondering if something like "fastboot erase userdata" would give me a factory reset and might let the kindle boot?