Un-Demo Kindle Paperwhite

tommytomtom · 02-11-2014, 06:11 PM

Hi,

I am sorry that I open another thread about undemoing the Kindle Paperwhite 1 (B01B). I just want to make sure that I got all the news concerning the current state. There still is no way to get a Paperwhite into Fastboot mode? No Magic key? I tried all kinds of things with plugging the cable in and out, touching the display, using the "strange" buttons where the LEDs are (metal things over those can wake the kindle up - probably used for the covers). All without luck unfortunately. Also nobody figured out a factory cable build for it? I read there were quite promising code passages...
Lastly, there is not even a way to mount the Paperwhite in Demo mode? From the Link, I thought that it could be mounted and the factory image put on /mnt/us/ without the need of disassembling it and soldering a serial cable to it, but I guess I did not read it right?

Thank you guys in advance for your help!

Greetings,
TommyTomTom

knc1 · 02-11-2014, 07:28 PM

One data point:
The PW1 does not recognize the "factory cable" used with the color display Kindles.

tommytomtom · 02-12-2014, 07:34 AM

Thanks for the reply, knc1. But maybe a custom factory cable might work? The documentary of the chip hints toward that, unfortunately I don't have any expertise in that field.

I managed to open the browser on the demo unit and connected to my wifi, so I know can actually surf the net. I was hoping to download the update.bin, but of course it only lets you download txt, mobi, azw, ... maybe there is a way of downloading something vis the html5 abilities, or just plain simple javascript. I don't know if it actually downloads it or "just" open it. One could of course download the update.bin as a txt file and maybe change the filename somehow. But the question is if there is a way to execute scripts locally to actually change the filename from .txt back to .bin. There probably is not much hope, but since you can actually access the browser, what one should not have been able to do, maybe somebody finds a way, like the first jailbreak for the touch with playing mp3s that have code in them. Thank you for your thoughts on this topic, even something like "NO WAY" might be appreciated (so I don't waste my time on it). Since I am studying abroad and I was stupid enough not to take my serial cable with me, I don't want to buy a new one or pay way too much in shipping in order to un-demo my new Paperwhite. and waiting until summer sounds horrible...

BTW.: I used PW2 because there is no PW.

knc1 · 02-12-2014, 09:41 AM

Quote:

Originally Posted by tommytomtom

Thanks for the reply, knc1. But maybe a custom factory cable might work? The documentary of the chip hints toward that, unfortunately I don't have any expertise in that field.
- - -
Thank you for your thoughts on this topic, even something like "NO WAY" might be appreciated (so I don't waste my time on it).
- - -
BTW.: I used PW2 because there is no PW.

Sorry, don't have any ideas about a "custom" factory cable.

Just that you need not waste your time with the "factory cable". (I have already wasted my own going in that direction.)

tommytomtom · 02-12-2014, 10:07 AM

Thanks again... now the last idea I have is using the webbrowser. As fare as I know all the known security holes have been worked on

Anyhow, maybe somebody knows how to download a file that does not end in .AZW, .PRC, .MOBI OR .TXT. Solutions that use a jailbreaked Paperwhite do not help here because I try to undemo a Paperwhite. I played with php, but "header('Content-Type: application/x-mobipocket-ebook');" and "header('Content-Disposition: attachment; filename="update.bin"');" did not work. Downloading files work, but just if the filename has one of the above four file-endings. Is there any way to have a script in the prc, azw or mobi to change the file ending and take a file from the /mtn/us/documents folder one directory up?
Thanks

tommytomtom · 02-12-2014, 10:57 AM

Update: writing data in /mnt/us/ successful (at least it works on the current touch, I don't have a paperwhite to play around with)! Unfortunately the problem is still the ending of the file! I was thinking that maybe code can be written into the filename like for the old paperwhite jailbreak. Does that only work for update*.bin or also for other file-types???

knc1 · 02-12-2014, 11:22 AM

Quote:

Originally Posted by tommytomtom

- - -
I was thinking that maybe code can be written into the filename like for the old paperwhite jailbreak. Does that only work for update*.bin or also for other file-types???

"Poison filenames" should "work" independent of the file-type.

But what makes them work is getting the system to access them.
In the case of update*.bin files - the system always tries to access them.
I.E: The system automagically tries to use the filename'd file-type.
So maybe they should be called: "Suicide filenames".

tommytomtom · 02-12-2014, 01:25 PM

Thank you again for your clarification!
Update: I played a little bit more around, and figured out that one can actually access the search bar shortcuts. So the Paperwhite Demo is - as expected - in version 5.2.0 and does not "see" any updates. I wasn't able to enter shipping mode: "Shipping Mode Failed - Unable to enter shipping mode due to missing dictionary files". I could however reset the device but that does not help anything. Furthermore, a restart through the menu is possible. Stopping the stupid screensaver however makes playing around with it a lot less painful!
Maybe somebody (e.g. ixtab) could explain to me how the jailbreak.mobi method works, I don't see anything in the actual, mobi, probably it is just creating an error and thus opens the "MOBI8_DEBUG"? In this case that would not help me because I still cannot create any files with other file endings as .txt, .mobi, .azw3, .prc.

tommytomtom · 02-13-2014, 08:57 AM

I am stuck...

I was playing way too much around with it already! Still I unfortunately think a great hacker could do it! I will tell you guys what it did so far and I will try not to waste too much more time unless somebody gives me some ideas or hints or understanding of the kindle itself.

This is what I "accomplished"/found so far:

-Search Bar Shortcuts work (;311, ;411, ...), so one can get all kind of information like the kindle is running 5.2.0, stop the screensavers (~ds), but shipping mode does not work "Unable to enter shipping mode due to missing dictionary files", even though I downloaded them all, are there other dictionary files I should know about???
-Accessing the browser (searching wikipedia and NOT clicking "cancel" but just somewhere to get rid of the message that the browser is not part of this demo kindle, but then one can use the browser, connect to wifi and download .txt, .prc, .mobi and .azw files, also with "../test.txt" into the directory /mnt/us/. Furthermore one can see all files in the directory /mnt/us/ and its subdirectories with "file:///mnt/us"
-restart/reset the kindle: just use ;411 and then use the menu, this gets also rid of the stupid ads (maybe because I do not live in the us, maybe because I used different language that english in the beginning)
-almost access the settings menu: ;311 and there is the settings menu in the background. I imagine one could maybe click cancel and be lucky enough to click something in the settings menu right after
-files survive reboot/long idle/... this happened somehow, probably because the screensavers etc. are gone, however, I cannot switch it off other than making it restart

Well that is all I could figure out. What I want is to use some security hole in the kindle, more specifically the 5.2.0 firmware in order to download update*.bin as a bin and not as a .txt, restart and voilà! maybe somehow one could download a file with some javascript exploit with a different ending, use code injection or a too long filename in order to get a .bin file. Also, maybe one can put some script or something inside a .mobi, .prc or .azw file to manipulate something. Unfortunately I cannot create a MOBI8_DEBUG without one of those stupid file-type-endings that the browser want to handle.
Anyway, the device can be used to download mobi and one can read them on there...

Any idea is greatly appreciated!!! Thank you sooo much in advance

knc1 · 02-13-2014, 09:13 AM

I have a PW1 "Demo" unit in **Italian** - -
Right!
I don't read it, speak it, and certainly don't need the Kindle flashing demo stuff at me in it.

But thanks for your posted effort summary - you made more progress than I have.

I guess I will have to either tear mine open or stomp it to death.

dsmid · 02-13-2014, 09:14 AM

Quote:

Originally Posted by tommytomtom

but shipping mode does not work "Unable to enter shipping mode due to missing dictionary files", even though I downloaded them all, are there other dictionary files I should know about???

This is the list of files/dirs you need to have in your Kindle in order to be able to enter the shipping mode:

Code:

./documents/dictionaries/de/Duden_Deutsches_Universalwörterbuch.azw
./documents/dictionaries/de
./documents/dictionaries/zh-Hans/FLTRP_Modern_English-Chinese_Dictionary.azw
./documents/dictionaries/zh-Hans/Xin_Hua_Dictionary.azw
./documents/dictionaries/zh-Hans/Chinese_Engish_Dictionary.azw
./documents/dictionaries/zh-Hans
./documents/dictionaries/es/Diccionario_de_la_lengua_española.azw
./documents/dictionaries/es
./documents/dictionaries/en/The_New_Oxford_American_Dictionary.azw
./documents/dictionaries/en
./documents/dictionaries/en-GB/Oxford_Dictionary_of_English.azw
./documents/dictionaries/en-GB
./documents/dictionaries/ja/Shogakukan_Digital_Daijisen.azw
./documents/dictionaries/ja/Shogakukan_Progressive_Eiwa_Chujiten.azw
./documents/dictionaries/ja
./documents/dictionaries/fr/Dictionnaire_français_de_définitions.azw
./documents/dictionaries/fr
./documents/dictionaries/it/lo_Zingarelli_Vocabolario_della_Lingua_Italiana.azw
./documents/dictionaries/it
./documents/dictionaries/pt/Dicionário_Priberam_da_Língua_Portuguesa.azw
./documents/dictionaries/pt
./documents/dictionaries
./documents
./system/fonts/zh-Hans.font
./system/fonts/ja.font
./system/fonts
./system

tommytomtom · 02-13-2014, 10:07 AM

Thanks, knc1, if you didn't figure out anything more, than that makes feel better :P
Also thank you, dsmid! But unfortunately, I cannot create folders and there is neither a font folder, nor a the two character language folders... so no luck. I have the dictionaries, but they are just in documents... at any rate, I don't know if entering the shipping mode would have helped any...

tommytomtom · 02-13-2014, 04:59 PM

one more update...
My heart was close to getting an attack when I saw the message: "Download update.bin?" Unfortunately it didn't download it as update.bin, showed it being successfully downloaded as "update.bin%3Ctest.mobi" because I tried to download update.bin<test.mobi, but actually I couldn't find a file being downloaded at all. Any idea what happens if the browser "thinks" it actually downloaded something but it did not save it anywhere? Anyhow, so it looks like some kind of code injection works in the browser; unfortunately, I tried a lot and still didn't succeed

Maybe somebody else has an idea? maybe the browser has some kind of download command?
Another idea I have (I unfortunately have no knowledge in that field) is to push an update directly to the kindle by rerouting the connection to the amazon server and making the kindle auto update. It is interesting anyhow why the kindle thinks it has the current firmware version wit 5.2.0 (1750160011).

knc1 · 02-13-2014, 05:12 PM

Quote:

Originally Posted by tommytomtom

one more update...
My heart was close to getting an attack when I saw the message: "Download update.bin?" Unfortunately it didn't download it as update.bin, showed it being successfully downloaded as "update.bin%3Ctest.mobi" because I tried to download update.bin<test.mobi, but actually I couldn't find a file being downloaded at all. Any idea what happens if the browser "thinks" it actually downloaded something but it did not save it anywhere? Anyhow, so it looks like some kind of code injection works in the browser, unfortunately, I tried a lot and still didn't succeed

Maybe somebody else has an idea? maybe the browser has some kind of download command?
Another idea I have (I unfortunately have no knowledge in that field) is to push an update directly to the kindle by rerouting the connection to the amazon server and make the kindle auto update. It is intresting anyhow way the kindle things it has the current firmware version wit 5.2.0 (1750160011).

And package up a 5.2.2 version update package with "poison" in its file name?

It will not "update" - since it will not be signed by Amazon's key, but the system will have to open it to find that out.

And doing a system function such as "open" on the poison name is all that should be required.

tommytomtom · 02-13-2014, 05:34 PM

I do not quite know which part you are referring to, but if we can get a file with update*.bin in the root directory, we do not need "poison" in the filename, we can just put the real update_5.3.9.bin there and after a restart, we should have a regular kindle!

02-11-2014, 06:11 PM	#1
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	Un-Demo Kindle Paperwhite Hi, I am sorry that I open another thread about undemoing the Kindle Paperwhite 1 (B01B). I just want to make sure that I got all the news concerning the current state. There still is no way to get a Paperwhite into Fastboot mode? No Magic key? I tried all kinds of things with plugging the cable in and out, touching the display, using the "strange" buttons where the LEDs are (metal things over those can wake the kindle up - probably used for the covers). All without luck unfortunately. Also nobody figured out a factory cable build for it? I read there were quite promising code passages... Lastly, there is not even a way to mount the Paperwhite in Demo mode? From the Link, I thought that it could be mounted and the factory image put on /mnt/us/ without the need of disassembling it and soldering a serial cable to it, but I guess I did not read it right? Thank you guys in advance for your help! Greetings, TommyTomTom

02-13-2014, 04:59 PM	#13
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	one more update... My heart was close to getting an attack when I saw the message: "Download update.bin?" Unfortunately it didn't download it as update.bin, showed it being successfully downloaded as "update.bin%3Ctest.mobi" because I tried to download update.bin<test.mobi, but actually I couldn't find a file being downloaded at all. Any idea what happens if the browser "thinks" it actually downloaded something but it did not save it anywhere? Anyhow, so it looks like some kind of code injection works in the browser; unfortunately, I tried a lot and still didn't succeed Maybe somebody else has an idea? maybe the browser has some kind of download command? Another idea I have (I unfortunately have no knowledge in that field) is to push an update directly to the kindle by rerouting the connection to the amazon server and making the kindle auto update. It is interesting anyhow why the kindle thinks it has the current firmware version wit 5.2.0 (1750160011). Last edited by tommytomtom; 02-13-2014 at 05:28 PM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Kindle Paperwhite stucks in demo mode. How to sovle it.	sirbill	Kindle Developer's Corner	13	08-17-2018 09:21 PM
Kindle Fire Demo Unit...Remove Demo 'Software'?	JayOf72	Kindle Fire	23	11-11-2016 09:41 PM
Got a Demo Kindle (k5) from work, need to remove demo software.	Stea1th	Kindle Developer's Corner	71	09-02-2014 02:46 PM
Paperwhite Demo at eBay	SampleAndy	Kindle Developer's Corner	31	07-29-2013 10:53 PM
Demo: Jetbook mini official demo	bookwarm	Ectaco jetBook	36	09-21-2010 12:18 PM

02-11-2014, 07:28 PM	#2
knc1 Going Viral Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA	One data point: The PW1 does not recognize the "factory cable" used with the color display Kindles.

02-12-2014, 07:34 AM	#3
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	Thanks for the reply, knc1. But maybe a custom factory cable might work? The documentary of the chip hints toward that, unfortunately I don't have any expertise in that field. I managed to open the browser on the demo unit and connected to my wifi, so I know can actually surf the net. I was hoping to download the update.bin, but of course it only lets you download txt, mobi, azw, ... maybe there is a way of downloading something vis the html5 abilities, or just plain simple javascript. I don't know if it actually downloads it or "just" open it. One could of course download the update.bin as a txt file and maybe change the filename somehow. But the question is if there is a way to execute scripts locally to actually change the filename from .txt back to .bin. There probably is not much hope, but since you can actually access the browser, what one should not have been able to do, maybe somebody finds a way, like the first jailbreak for the touch with playing mp3s that have code in them. Thank you for your thoughts on this topic, even something like "NO WAY" might be appreciated (so I don't waste my time on it). Since I am studying abroad and I was stupid enough not to take my serial cable with me, I don't want to buy a new one or pay way too much in shipping in order to un-demo my new Paperwhite. and waiting until summer sounds horrible... BTW.: I used PW2 because there is no PW.

02-12-2014, 10:07 AM	#5
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	Thanks again... now the last idea I have is using the webbrowser. As fare as I know all the known security holes have been worked on Anyhow, maybe somebody knows how to download a file that does not end in .AZW, .PRC, .MOBI OR .TXT. Solutions that use a jailbreaked Paperwhite do not help here because I try to undemo a Paperwhite. I played with php, but "header('Content-Type: application/x-mobipocket-ebook');" and "header('Content-Disposition: attachment; filename="update.bin"');" did not work. Downloading files work, but just if the filename has one of the above four file-endings. Is there any way to have a script in the prc, azw or mobi to change the file ending and take a file from the /mtn/us/documents folder one directory up? Thanks

02-12-2014, 10:57 AM	#6
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	Update: writing data in /mnt/us/ successful (at least it works on the current touch, I don't have a paperwhite to play around with)! Unfortunately the problem is still the ending of the file! I was thinking that maybe code can be written into the filename like for the old paperwhite jailbreak. Does that only work for update*.bin or also for other file-types???

02-12-2014, 01:25 PM	#8
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	Thank you again for your clarification! Update: I played a little bit more around, and figured out that one can actually access the search bar shortcuts. So the Paperwhite Demo is - as expected - in version 5.2.0 and does not "see" any updates. I wasn't able to enter shipping mode: "Shipping Mode Failed - Unable to enter shipping mode due to missing dictionary files". I could however reset the device but that does not help anything. Furthermore, a restart through the menu is possible. Stopping the stupid screensaver however makes playing around with it a lot less painful! Maybe somebody (e.g. ixtab) could explain to me how the jailbreak.mobi method works, I don't see anything in the actual, mobi, probably it is just creating an error and thus opens the "MOBI8_DEBUG"? In this case that would not help me because I still cannot create any files with other file endings as .txt, .mobi, .azw3, .prc.

02-13-2014, 08:57 AM	#9
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	I am stuck... I was playing way too much around with it already! Still I unfortunately think a great hacker could do it! I will tell you guys what it did so far and I will try not to waste too much more time unless somebody gives me some ideas or hints or understanding of the kindle itself. This is what I "accomplished"/found so far: -Search Bar Shortcuts work (;311, ;411, ...), so one can get all kind of information like the kindle is running 5.2.0, stop the screensavers (~ds), but shipping mode does not work "Unable to enter shipping mode due to missing dictionary files", even though I downloaded them all, are there other dictionary files I should know about??? -Accessing the browser (searching wikipedia and NOT clicking "cancel" but just somewhere to get rid of the message that the browser is not part of this demo kindle, but then one can use the browser, connect to wifi and download .txt, .prc, .mobi and .azw files, also with "../test.txt" into the directory /mnt/us/. Furthermore one can see all files in the directory /mnt/us/ and its subdirectories with "file:///mnt/us" -restart/reset the kindle: just use ;411 and then use the menu, this gets also rid of the stupid ads (maybe because I do not live in the us, maybe because I used different language that english in the beginning) -almost access the settings menu: ;311 and there is the settings menu in the background. I imagine one could maybe click cancel and be lucky enough to click something in the settings menu right after -files survive reboot/long idle/... this happened somehow, probably because the screensavers etc. are gone, however, I cannot switch it off other than making it restart Well that is all I could figure out. What I want is to use some security hole in the kindle, more specifically the 5.2.0 firmware in order to download update*.bin as a bin and not as a .txt, restart and voilà! maybe somehow one could download a file with some javascript exploit with a different ending, use code injection or a too long filename in order to get a .bin file. Also, maybe one can put some script or something inside a .mobi, .prc or .azw file to manipulate something. Unfortunately I cannot create a MOBI8_DEBUG without one of those stupid file-type-endings that the browser want to handle. Anyway, the device can be used to download mobi and one can read them on there... Any idea is greatly appreciated!!! Thank you sooo much in advance

02-13-2014, 09:13 AM	#10
knc1 Going Viral Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA	I have a PW1 "Demo" unit in Italian - - Right! I don't read it, speak it, and certainly don't need the Kindle flashing demo stuff at me in it. But thanks for your posted effort summary - you made more progress than I have. I guess I will have to either tear mine open or stomp it to death.

02-13-2014, 10:07 AM	#12
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	Thanks, knc1, if you didn't figure out anything more, than that makes feel better :P Also thank you, dsmid! But unfortunately, I cannot create folders and there is neither a font folder, nor a the two character language folders... so no luck. I have the dictionaries, but they are just in documents... at any rate, I don't know if entering the shipping mode would have helped any...

02-13-2014, 05:34 PM	#15
tommytomtom Enthusiast Posts: 49 Karma: 59420 Join Date: Feb 2012 Device: Kindle Touch	I do not quite know which part you are referring to, but if we can get a file with update*.bin in the root directory, we do not need "poison" in the filename, we can just put the real update_5.3.9.bin there and after a restart, we should have a regular kindle!

Advert

Advert