02-25-2012, 05:02 AM | #1
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Fastboot Manifesto
Summary

The kindles have a "Magic Bullet" that will ALWAYS allow custom code to be installed on them, including anything from just adding a jailbreak key, custom screensaver or custom fonts, all the way up to installing a completely different operating system on them, like Android OS. These tools already exist and we know how to use them. Simple step-by-step instructions will be provided, along with custom partition images that already contain the custom changes that we want.

Why Not Fastboot Mode?

Up until now, I was thinking that because fastboot is TOO powerful (and therefore too dangerous for beginners) that we should avoid it and use the tools that amazon provided us as much as possible, as close to their default configuration as possible. That means using as simple a method as possible to install custom code onto the kindle.

Jailbreak

Because all kindle models are able to install signed update packages, the normal jailbreak procedure adds a custom key so that developer-signed update packages can be installed using the "Update your kindle" menu item, just as though they were amazon-signed update packages. These developer-signed updates contain installation scripts that run during the installation, and can make any changes to your kindle including adding new screensavers, new fonts, or even USB networking so you can use SSH to get a root shell.

Rooting

The real problem when a kindle model comes out, or a new firmware update for existing kindles, is how to get that custom key installed onto the main system root partition in the first place. That requires a lot of research to locate a method of gaining root access (usually called "rooting" the device) so that custom code can be run. For kindles, the first thing that rooting it does is to install the custom key, so that user-selected custom apps can be installed using developer-signed updates. On the new k4 (kindle mini), it turned out that root access was provided directly in the USBnet menu item in diags.

Just add ENABLE_DIAGS to the USB drive and reboot, then enable USBnet from the diags menu and use SSH to get a root shell. With a root shell, you can make any changes you want and install any programs you want. One of the first things you want is to copy the dropbear files from diags to main so you can use SSH to get a root shell when booted from main. Another thing you want is to install the custom key so that developer-signed updates can be installed from the "Update your kindle" menu, just like all the other kindles.

For the Touch, things are a little different than the K4, because diags is missing files needed to allow SSH when you enable USBnet from the diags menu. In that case it was necessary to find a bug to exploit. The first one found was the "MP3 bug" that allowed a specially designed MP3 file to execute code that it contained. This was used to create the MP3 Jailbreak, that installed the custom key so that developer-signed updates can be installed from the "Update your kindle" menu.

Firmware Updates

Then firmware version 5.0.3 came out, which fixed the MP3 bug, so a new method was needed to jailbreak new kindles that come with 5.0.3 firmware. The replacement jailbreak uses the current "tar root path bug", which uses data.tar.gz to install custom code to writable locations but does NOT execute this custom code. It was necessary to study the startup scripts to locate locations where custom code could be written by data.tar.gz AND to find a method to trigger execution of that code. Multiple places were found in /var/local that can contain custom script code that gets executed during startup. The first location used was /var/local/system/locale, but this only worked on the touch, and only when booting from main. The search continued for other locations and trigger methods, in case new firmware disables the existing method.

Multiple locations and trigger methods were discovered, some of which only work in main, and some only in diags, and some only on the Touch, and others on the K4. The one we will use in this thread is the "/var/local/system/mntus.params" payload script. This one is particularly powerful because it runs on the Touch in both main and in diags, and it runs on the K4 in both main and in diags, and it runs on the K3, and DX and DXG. Besides this particular payload destination being powerful, it is also dangerous. If you use a mntus.params designed for a different kindle model, it can make the startup scripts erase your USB Drive. If you make even a small mistake when using it to run custom code, it can brick your kindle severely so that you cannot boot to main or diags, and you cannot access the USB drive. In this case, only "USB Downloader" mode can access it. It can be deployed on the K4 and Touch in a data.tar.gz file.

USB Downloader Mode and the Magic Key

We can get to USB Downloader mode by plugging in the USB cable so the power LED is on, then holding the power button until the LED turns off, then before releasing the power button we need to hold the "Magic Key" while releasing the power button. Each kindle model has a different "Magic Key" (what it is actually called in the source code). The Touch uses the Home button (its only button) as the Magic Key. The K4 uses the Five-way Down button as the Magic Key. The K3 uses the Volume Down button (Vol-) as the Magic Key, but it also uses a different VID/PID and needs a different tool to communicate with it. As we learned more about USB Downloader mode, what we called it kept changing. In these forums it can be called "USB HID" mode (because that is how it appears in Windows Device Manager), and it can be called "USB Recovery" mode (because that is what we want to use it for), but in the manufacturer documentation they call it "USB Downloader" mode (which is the official name for it).

When in USB Downloader mode, the K4 and Touch appear to be a USB HID device with VID/PID 0x15a2/0x0052. Special software that can be downloaded from the manufacturer website (freescale.com) can communicate with a kindle using that VID/PID. The software that we use in this thread is called "MfgTool". It allows many things, including writing new firmware to the mmc storage device. But we use it to load and execute custom code in the kindle RAM memory. In this thread, we use custom u-boot bootloader code to select which bootmode we want and to boot to that mode. The bootmodes provided here are main, diags, and fastboot. For a kindle bricked so badly that it can only boot to fastboot mode, we need to repair it either using MfgTool (which works in USB Downloader mode) or we can repair it in fastboot mode using the kindle fastboot tool.

Fastboot Mode -- Why Use It?

It is a lot faster and easier to use the fastboot tool which does everything with command line parameters, than to use MfgTool, which can do many of the same things as fastboot, but requires custom XML files to configure each and every thing you want to do. Fastboot is easier, so we will use that. We only use MfgTool to boot to main, diags, or fastboot mode. Fastboot is very powerful, and can easily erase or reprogram anything or everything in your kindle mmc storage device (including the USB drive, and the main firmware, and the diags firmware). Where the danger lies is that it can even destroy the part of the firmware that the fastboot tool talks to, making even fastboot no longer work. In that case you can fall back to MfgTool, which will ALWAYS work, because it ONLY relies on features built into the CPU chip (iMX50 SoC). That makes fastboot somewhat less dangerous, because even if you disable fastboot support by using fastboot incorrectly, you can ALWAYS recover your kindle with MfgTool. With MfgTool as a backup method, we can feel less fear using fastboot.

So, the reason for using fastboot in the first place is when a kindle is bricked so it cannot boot to main or diags, but can still boot to fastboot, we can use fastboot to repair our kindles. And even if we damage it so fastboot no longer works, then we can EVENTUALLY develop custom XML files so that we can use MfgTool to repair fastboot mode, so that we can again use fastboot mode to repair our kindles.

The Power of Fastboot

Fastboot can write an image file to the main partition, and to the diags partition, and to the data partition. It can also write new bootloader code, which if done incorrectly can disable fastboot as mentioned above. But, (and this is the breakthrough realization that just occurred to me this evening) the data partition contains the USB drive that is the normal way of getting content onto the kindle. The real breakthrough idea here is that when you need to get a special data.tar.gz and RUNME.sh onto your kindle when you cannot access the USB drive, you CAN put those files on the USB drive using fastboot! How? Create an image file in vfat format that contains those files, then flash it to the data partition using fastboot. It is that easy! And we can even use fastboot to flash custom main or diags partition images, which are backup images of official partitions to which extra files have been added, such as the custom jailbreak key, and missing SSH files, and anything else you want like custom screensavers and custom fonts. There is no need to install anything, and it does not matter if the preinstalled factory firmware has ALL bugs fixed so that it cannot have custom code added by any other method. This way will always work as long as fastboot is not disabled by amazon, and even then, MfgTool can still be used to install custom code onto the kindle, just like the fastboot tool but a little more complicated to configure. Of course, after MfgTool XML config files are created, they can be used many times.

A Permanent Solution

The only way that amazon can prevent us from installing custom firmware is if they disable "unlocked" USB Downloader mode on new kindles, so that only firmware signed with their official (secret) key can be flashed to the mmc storage device. According to the manufacturer documentation, it appears that the CPU SoC comes from the factory in the "encrypted firmware" mode, and an internal fuse must be permanently burned when it is first configured, to allow unencrypted (open) firmware to be flashed like the kindles now support. That means that any kindle that can now run custom code will ALWAYS be able to run custom code. Only NEW kindles can be locked to prevent this by NOT burning the fuse that allows custom code. The K5 u-boot source code includes support for multiple kindle models, including a future model that uses signed firmware packages, so some future kindle model may prevent flashing firmware images. In that case, we will have to return to our current method of exploiting bugs to gain root access.

What's in it for Me?

My kindle is now in "fastboot only" mode (it cannot boot main or diags, and has no USB drive access). It is this way because mmcblk0p3 contains a damaged mntus.params file, and I do not know how to fix this using fastboot. I know that the bricking happens because mntus.params does not exit back to the script that sourced it AFTER the RUNME.sh script is called. I can use a DIFFERENT RUNME.sh script to repair the damaged mntus.params file (by replacing or deleting it, or by destroying mmcblk0p3). But I cannot add those files to my USB drive by ordinary methods. If the problem had been to the main partition, it could have been repaired by booting to diags. But it is on mmcblk0p3, and I do not know how (or if) I can use fastboot to reflash that partition. So I will use what I do know how to do.

I will create a USB drive image file that contains the RUNME.sh file I need to repair it, and the data.tar.gz file I need to launch that RUNME.sh file. I will use fastboot to write that image file to the data partition. Then I will reboot to diags mode. At this point, I believe that this will do the job.

What's in it for You?

Even if mmcblk0p3 AND main and diags were ALL damaged, we can use fastboot to write repaired (original) images to main (system) and diags partitions, and a custom USB drive image to the data partition, that contains a RUNME.sh and data.tar.gz to repair mmcblk0p3. This worked for me to repair my K4 when it was bricked, but there are reports of problems flashing firmware images to a Touch using fastboot. This can be overcome by using a bist (built-in self-test) build of u-boot for the MfgTool Profiles, that includes "fixed" fastboot code (if it has any bugs to fix).

The Grand Conclusion

So, good news all around. Not just for me, but for everybody. Yes? Let's hear some feedback! At a bare minimum, the kindles recharge their batteries a lot faster in fastboot mode, so it is at least useful for that.

EDIT: Since this was written, we discovered a size limitation that prevents fastboot from writing large image files such as the main system partition (mmcblk0p1). I debricked my kindle touch, and many others have successfully debricked their kindles as well, by using fastboot to write the smaller diagnostics partition (mmcblk0p2) from an image containing SSH preinstalled, then boot to diagnostics mode and write the larger main system partition from a backup image using the linux "dd" command.

This method of restoring a bricked kindle back to health has been greatly simplified from previous methods, and is documented in the "simple kindle touch (and k4nt) debricking method" thread: https://www.mobileread.com/forums/sho...d.php?t=170929

UPDATE: There is now a fastboot for windows: https://www.mobileread.com/forums/sho....php?p=2001690

Last edited by geekmaster; 03-12-2012 at 06:05 PM. Reason: add fastboot for windows link
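A worked example of the "Power of Fastboot" step in the post above: build a vfat image whose root holds RUNME.sh and data.tar.gz, then sanity-check the image (FAT signature, size claimed by its header versus file size, fit within the target partition) before handing it to fastboot, since the post warns that a bad write can disable fastboot itself. This is an added example, not geekmaster's code or any Kindle tool; it assumes dosfstools (mkfs.vfat) and mtools (mcopy) are installed on the host for the build step, an assumed 64 MiB image size, and 512-byte sectors; the exact fastboot partition argument is not given in the post and is left to the kindle fastboot tool's own usage.

```python
import shutil
import struct
import subprocess
from pathlib import Path

SECTOR = 512  # vfat on the kindle USB drive uses 512-byte sectors (assumption)


def build_usb_image(image: Path, payload_dir: Path, size_mib: int) -> Path:
    """Create an empty vfat image and copy every file in payload_dir (here
    RUNME.sh and data.tar.gz) into its root.  Needs dosfstools and mtools."""
    for tool in ("mkfs.vfat", "mcopy"):
        if shutil.which(tool) is None:
            raise RuntimeError(f"{tool} not found; install dosfstools/mtools")
    with open(image, "wb") as f:
        f.truncate(size_mib * 1024 * 1024)  # sparse file, all zeros
    subprocess.run(["mkfs.vfat", "-n", "KINDLE", str(image)], check=True)
    for p in sorted(payload_dir.iterdir()):
        # "::" is mtools' name for the root directory inside the image
        subprocess.run(["mcopy", "-i", str(image), str(p), f"::{p.name}"], check=True)
    return image


def parse_bpb(boot_sector: bytes) -> dict:
    """Decode the BIOS Parameter Block at the start of a FAT boot sector."""
    if len(boot_sector) < SECTOR or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a FAT boot sector")
    (bytes_per_sector, sectors_per_cluster, _reserved, num_fats,
     root_entries, total16) = struct.unpack_from("<HBHBHH", boot_sector, 11)
    total32 = struct.unpack_from("<I", boot_sector, 32)[0]
    # FAT32 has no fixed root directory (root_entries == 0) and keeps its
    # type string at offset 82; FAT12/16 keep it at offset 54
    fs_type = boot_sector[82:90] if root_entries == 0 else boot_sector[54:62]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "num_fats": num_fats,
        "total_sectors": total16 or total32,
        "fs_type": fs_type.decode("ascii", "replace").strip(),
    }


def check_image_bytes(data: bytes, partition_bytes: int) -> dict:
    """Refuse an image that is not a FAT volume, whose BPB disagrees with the
    file size, or that would not fit the target partition."""
    bpb = parse_bpb(data[:SECTOR])
    if not bpb["fs_type"].startswith("FAT"):
        raise ValueError(f"unexpected filesystem type {bpb['fs_type']!r}")
    claimed = bpb["total_sectors"] * bpb["bytes_per_sector"]
    if claimed != len(data):
        raise ValueError(f"BPB says {claimed} bytes but file is {len(data)}")
    if len(data) > partition_bytes:
        raise ValueError(f"image is {len(data)} B, partition only {partition_bytes} B")
    return bpb


def check_image(image: Path, partition_bytes: int) -> dict:
    return check_image_bytes(Path(image).read_bytes(), partition_bytes)


def constructed_boot_sector(total_sectors: int) -> bytes:
    """A FAT32-style boot sector constructed here only to exercise parse_bpb;
    it is a header, not a complete mountable filesystem."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"  # jump instruction FAT tools expect
    bs[3:11] = b"MSWIN4.1"  # OEM name
    struct.pack_into("<HBHBHH", bs, 11, SECTOR, 8, 32, 2, 0, 0)
    struct.pack_into("<I", bs, 32, total_sectors)
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


if __name__ == "__main__":
    # payload/ holds RUNME.sh and data.tar.gz; 64 MiB is an assumed size that
    # must not exceed the kindle's data partition
    img = build_usb_image(Path("usb.img"), Path("payload"), 64)
    print(check_image(img, 64 * 1024 * 1024))  # flash with the kindle fastboot tool only if this passes
```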
02-25-2012, 05:31 AM | #2
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
That's what I thought all along, fastboot is like the swiss knife for running custom code.
In android it can also boot custom images like "fastboot boot boot.img", can the one on kindle do this? If that's the case, the easiest way to make a recovery tool would be to create a custom recovery image with tools to export partitions over usb, and even perform automatic checks. This could also allow installing additional code using flashable .zip, like on android.
02-25-2012, 05:46 AM | #3
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
I have not developed for android before. I do not have an android device (yet). So this idea of recovery (or jailbreaking) by installing an image file is new to me. It was a long and convoluted path for me, as I slowly came to this conclusion, beginning with my "kindle touch serial port recovery" thread, through the "kindle select boot" thread, and ending with this new "fastboot manifesto" thread. I am currently in agreement with you about fastboot.

02-25-2012, 06:47 AM | #4
Time Waster
Posts: 422
Karma: 289160
Join Date: May 2011
Device: Kobo Glo and Aura HD
Fastboot is not there on kindle 3, is there? Maybe we just missed it this whole time...

02-25-2012, 09:19 AM | #5
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Word power
Quote:
A sudden, intuitive perception of or insight into, the reality or essential meaning of something, usually initiated by some simple, homely, or commonplace occurrence or experience.
A.K.A: Brain Fart

Seriously, nice write-up. All presuming a minimum of technical background on the part of the end user.

For those with a bit more technical background:
If the kernel will run, the console operator's serial port.
If the SoC will run u-boot, the u-boot serial port (same as above).
And as long as the SoC hasn't internally melted down to silicon slag - JTAG. Which might even enable blowing any internal fuses to change the SoC behavior.

02-25-2012, 09:29 AM | #6
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Which reminds me of something missing from this site.
No top menu bar entry for a "HowTo" list of links into the information of the site. Worked example (requires javascript enabled in browser): http://MiniModding.com A very popular feature - even with the site closed for over a year to new information those "HowTo" links are still bringing in over a million hits a month. Not bad for a closed site.

02-25-2012, 09:47 AM | #7
Connoisseur
Posts: 55
Karma: 46
Join Date: Feb 2012
Device: Kindle
This is wonderful work geekmaster, which sounds like an answer to two of the most pressing questions for me as a Kindle owner: 1) will amazon be able to permanently lock my kindle away from me? and 2) will I ever be able to unbrick my badly bricked Kindle? You work on the fundamentals, and you share your knowledge (also thinking of the other thread where you gave me some great hints), which makes you a sterling member of the community.
02-25-2012, 12:06 PM | #8
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
1) amazon cannot lock the kindle to prevent us replacing the firmware with custom firmware images. According to my understanding of information in the Freescale iMX50 Reference Manual, once an iMX50 processor is unlocked to allow custom firmware, it cannot be locked again.

2) you can always unbrick a kindle by writing a replacement firmware image to it. See #1 above.

Of course, writing custom firmware requires detailed knowledge of how to control the peripheral devices in the kindle, but because amazon use GPL code in the kindles, we have source code that shows how to control all important devices in our kindles. This could be a very easy project. Yifanlu wants somebody to do it, as documented in the Kindle Touch wiki. We can take an existing alternate operating system such as android OS and port it to the kindle using information provided by the amazon GPL source code. We can replace the u-boot bootloader with a modified version (as used in KindleSelectBoot), or with a completely different bootloader. Just for fun, we could include the QEMU x86 emulator into the bootloader and boot a foreign OS, such as MS-DOS or even a stripped-down Windows OS (that can run in 256MB of RAM). On modern processors, this emulated OS would still run faster than the old computers that I grew up with, and old computers could do useful things even back in the old days.

Even though it may be difficult, I recommend reading the entire manifesto in the original post for this thread. It will be worth the effort to expand your knowledge in this area. We are limited only by our imagination and the amount of personal time and energy that we wish to invest in this "kindle hacking" hobby.

Last edited by geekmaster; 02-25-2012 at 12:13 PM.

02-25-2012, 12:19 PM | #9
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
Fastboot is in the bist (built-in self-test) build of the u-boot bootloader in newer kindles, which loads from mmc and runs when you boot with idme bootmode fastboot. USB Downloader mode has much of the same functionality as fastboot, and it cannot be locked to prevent flashing unsigned custom code once it has been unlocked (by burning a configuration fuse in the SoC). It is unlocked in all the kindles shipped so far. There are comments in the kindle 5 (touch) u-boot source code showing configuring settings for a future kindle device that uses signed firmware images, so these future kindles might be locked to prevent custom firmware, and then we can only exploit firmware bugs to run custom code, like we have been doing in the past.

The kindle 3 uses the freescale iMX35 CPU SoC, which also has USB Downloader mode. It uses a different USB VID/PID than the iMX50 CPU SoC, and requires a different downloader tool (AdvancedToolKit, instead of MfgTool). I have AdvancedToolKit installed on my host PC, and I verified that it reports that it successfully downloaded and ran code in my kindle 3. If you really want fastboot on the Kindle 3, you could backport it from kindle 4 GPL source code.

Last edited by geekmaster; 02-25-2012 at 12:49 PM.

02-25-2012, 12:27 PM | #10
Connoisseur
Posts: 55
Karma: 46
Join Date: Feb 2012
Device: Kindle
Hope this doesn't stray too far from the point of this thread, but has anyone succeeded in compiling the fastboot tool for Windows? MfgTool works only for Windows, and I only have fastboot for OS X, so I have to keep rebooting to go between them, since I use Bootcamp on a mac, very time consuming. I *think* I have got my Kindle of Black Death into Fastboot mode with MfgTool, since it pops up "Found New Hardware - Kindle", which it doesn't do in the other modes, but when I reboot the computer and run the fastboot tool in OS X it isn't able to connect to the Kindle. Hoping that my fastboot mode isn't hooped too - maybe running it while I'm still in windows would work. Otherwise my only way to progress is going through custom u-boot images, which definitely stretches my ability.
Something weird about this black screen mode: when the battery runs down (which it seems to do fairly fast in this mode), it displays the "plug me in" symbol, but more importantly mounts an (inaccessible) USB drive, just as it did before the blackness descended. Just some clues I'm pondering.

02-25-2012, 01:13 PM | #11
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
Quote:
When the battery is low, u-boot runs in low-power mode, with SDRAM and mmc turned off. It runs just enough to recharge the battery. In this mode, it exports a 0-byte USB "Fake Storage" device, to prevent the host PC "green" mode from turning off the power to that USB port. In u-boot this is called "fstor" mode. When the battery has charged enough, it will change modes. You can read the GPL source code to learn more about how this works.

By monitoring the serial port messages while recovering my K4NT, it appears to charge quickly when in fastboot mode. I recommend booting a bricked kindle to fastboot mode to recharge the battery.

Last edited by geekmaster; 02-25-2012 at 01:15 PM.

02-25-2012, 01:40 PM | #12
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
git://git.denx.de/u-boot.git
http://git.denx.de/u-boot.git

and the uboot_2009.08 was pulled from the freescale repository: http://opensource.freescale.com/pub/.../uboot-imx.git

Which is __supposed__ to be referencing the up-stream project, but watch out for surprises.

Last edited by knc1; 02-25-2012 at 02:02 PM.

02-25-2012, 04:41 PM | #13
Carpe diem, c'est la vie.
Posts: 6,433
Karma: 10773668
Join Date: Nov 2011
Location: Multiverse 6627A
Device: K1 to PW3
The GPL for k4 and k5 u-boot is standalone, so no denx or freescale dependencies. I built it, but it is stripped down to fit smaller mmc. The k5 (touch) u-boot is bigger and supports more devices including the k4. I used that in my KindleSelectBoot. Depending on available size, perhaps you can just replace the k3 u-boot image in the mmc with a k4 or k5 u-boot image. You could test with AdvancedToolKit (K3 version of MfgTool) to download and run a k5 uboot image. K3 Magic Key = Vol-.

02-25-2012, 07:09 PM | #14
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
And on an earlier note. The hw udev rules for the MX31 - that were not included in the Amazon source code releases - there is a GPL'd copy of them in the OpenEmbedded tree.

02-26-2012, 08:43 AM | #15
Connoisseur
Posts: 67
Karma: 10
Join Date: Feb 2012
Device: Kindle Touch SO
How exactly can I compile Yifanlu fastboot using Cygwin?
He provided the code for OSX, but not for windows.