How to downgrade JAILBROKEN 5.8.9.2 to factory initial.

[coplate]

Quote:

Originally Posted by hius07

Thank you, I will ask the user if he agrees to explore, he was a little bit nervous of bricking the device.

Another user got a problem after installing hotfix on the PW3 5.9.2 - his device works fine, jb ok, but it became invisible for computer - just charging, no usb-device detected.
He is not sure that it was caused with the hotfix (he tried to use a cable with magnetic connection at the same time).
How do you think, is hotfix dangerous to 5.9.2?

I don't think hotfix is dangerouse to 5.9.2 It is more likely to simply not do anything.

You can look at the code of the hotfix here, ( updated for new kindle oasis2 )
https://github.com/coplate/KindleJai...ree/master/src

bridge.conf runs on every startup, and it runs the script called 'bridge'

there is nothing in them that should affect the usb port.


But if he also had 'rescue pack', or 'cowards rescue pack', i think those do change the usb behavior, but I have never looked into them, so I am unsure.

[hius07]

Just for your information, the latest bundle of vlasovsoft Coolreader (there is his thread in this forum) contains new program Wi-Fi Server - you can connect to the device at ssh and sftp over wi-fi.

[knc1]

Quote:

Originally Posted by coplate

yeah, that is the same failure - the SP01 header missing.

Do you know if your user is using windows, mac, or linux?

And I would need to be reminded which file he is using.

I think I can give you a command to combine the headers with the existing package, and it will not require kindletool

it would be a very small file, and the command would look roughly like this, but it depends on the operating system.

copy sp01.header + update_factory.bin = update_factory.signed.bin

And then you would use that signed file. - This would only work if the device is already properly jailbroken.

Here is how I tested it on linux - but I did not install

I did those kindletool command I showed to create the FB03 package type. ( recovery2 )

The signature part of the file only includes the actual data, not the package type.

Then I ran this:

Code:

dd if=update.fb03.bin bs=192 skip=0 count=1 of=sp01.header
cat sp01.header update.bin > update.sp01.bin

It may be easier to get your person to download kindletool and run those command I gave though.

Or if you can do these commands And give them this fle to try. I dont have a good place to do this and make the file public

the FB03 ( recovery2) packages are safer, bucause you can put the device type in them, so you are less likely to brick someones device, buy using the wrong package.

There is a problem with any system image package signed with our key -
We only put our key into the 'main' system.

System image packages must be installed while the Kernel is still running its ram resident system.
And we do not put our key into its initramFS.

For a very good reason we have never put our key into the initramFS.
Specifically to prevent the Kernel from installing anything (from our KindleTool) while running ram resident.
The only way something from our KindleTool can be installed is while running in 'main' and the user intentionally puts the package onto the system.

It is a security thing.

[coplate]

Quote:

Originally Posted by hius07

Thank you, I will ask the user if he agrees to explore, he was a little bit nervous of bricking the device.

Another user got a problem after installing hotfix on the PW3 5.9.2 - his device works fine, jb ok, but it became invisible for computer - just charging, no usb-device detected.
He is not sure that it was caused with the hotfix (he tried to use a cable with magnetic connection at the same time).
How do you think, is hotfix dangerous to 5.9.2?

There is anotther file listed in the linux kernel in teh section regarding downgrades.

If you have someone willing to experiment, you an have them backup bundle_type.txt, and then remove it, or change the contents to FB02?


/PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC

/etc/bundle_type.txt

[hius07]

Thanks, I'll advise him.

[hius07]

...continued
The user just deleted /etc/bundle_type.txt (didn't look into it, no backup), so he cannot try changing the contents.
Deleting the file had no result: factory 5.7.4 bin was destroyed immediately after disconnecting the device from the computer.

[coplate]

Quote:

Originally Posted by hius07

...continued
The user just deleted /etc/bundle_type.txt (didn't look into it, no backup), so he cannot try changing the contents.
Deleting the file had no result: factory 5.7.4 bin was destroyed immediately after disconnecting the device from the computer.

I assume thet have command line access, since they can remove that file.

Have him try this:

Code:

mntroot rw
echo "Bundle: FB02" > /etc/bundle_type.txt
touch /PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC
mntroot ro

And then try it again.

I don;t know if it will work, but it is the last thing I can think of.

[coplate]

Quote:

Originally Posted by coplate

I assume thet have command line access, since they can remove that file.

Have him try this:

Code:

mntroot rw
echo "Bundle: FB02" > /etc/bundle_type.txt
touch /PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC
mntroot ro

And then try it again.

I don;t know if it will work, but it is the last thing I can think of.

I just took the time to try this, and it did not work for me, but I will need to try one more time, because you have to reboot for PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC to take effect.

It still did not work, so it looks like they have closed this loophole completely.

I forked kindletool again in order to add the SP01 header to the new Kindle Oasis 2017, but it didnt work either. The 'full image' recovery system must not be allowed to use our jailbreak security key, even though regular patches can. Or something more confusing.

[knc1]

The 'full image' recovery system is in the kernel's initramfs (memory resident file system).
We do not put our key into initramfs (on purpose).

[coplate]

Quote:

Originally Posted by knc1

The 'full image' recovery system is in the kernel's initramfs (memory resident file system).
We do not put our key into initramfs (on purpose).

yeah, looking at the updater log though, it mounts the regular file system, I am not sure if it uses the signatures from there, but it does mount them
Mounted /mnt-rootfs (/dev/mmcblk2p5)

Code:

171123:174712 <12>[    4.689153] INFO:bundle/unbundle_cognac.c:1503:do_unbundle():do_unbundle: filename=/mnt-us/update-18446744073709551615-f6dbd96f-e1f4-4043-a2bf-82fafcfe1275.bin, new_file=0x000137a0
171123:174712 <12>[    4.697373] INFO:bundle/unbundle_common.c:320:validate_device_code():Device code matched (34A).
171123:174712 <6>[    4.710934] kjournald starting.  Commit interval 5 seconds
171123:174712 <6>[    4.712187] EXT3-fs (mmcblk2p5): using internal journal
171123:174712 <6>[    4.712203] EXT3-fs (mmcblk2p5): mounted filesystem with ordered data mode
171123:174712 system: I milestone:8.29:3:
171123:174712 <12>[    4.712261] DEBUG:mount.c:260:mount_rootfs():Mounted /mnt-rootfs (/dev/mmcblk2p5)
171123:174712 <12>[    4.755619] INFO:bundle/unbundle_cognac.c:1645:do_unbundle():Signed with developer 1K cert.
171123:174712 <12>[    4.755649] INFO:bundle/unbundle_cognac.c:1672:do_unbundle():Verifying signature (len: 128)
171123:174712 <12>[   42.437712] ERROR: signature is not the correct length (256 bytes versus 128 bytes)
171123:174712 <12>[   42.437756] ERROR:bundle/unbundle_cognac.c:1694:do_unbundle():do_unbundle: signature check failed.

After playing with that a bit more, it looks like they may have made it so that you had to sign it with the production signing key, which is already 2K, and I'm not prepared to try to change that just to do a downgrade.

I cannot find the old thread that explained how to do the flashing manually, I think I remember a script that had a tool called 'flasher' that may give me somewhere to start.

[knc1]

You should be able to pass the pem file among the KindleTool arguments.
(I might be thinking of the Python version of KindleTool)

[coplate]

Yeah, i realized even if It does use the key in the user space, I can't do this, by just signing the fb02 package.

All of the packages inside of the fb02 bundle are also signed, and I would have to repackage those too, which would be more work than I can do before my vacation.

When if the updated does mount user space to check the key, I cannot mix the keys, by having the package signed with my custom prod key, but the stuff in it with the real prod key

[coplate]

So, I re-flashed just the 'android ' bootloader from my kindle oasis, from when it was shipped. This is letting me do the downgrade with the 'reboot without unplugging' method.

Code:

$ file mmcblk2p1.img
mmcblk2p1.img: Android bootimg, kernel, ramdisk, second stage, page size: 2048

Again, this only works if you have already made this image of your device. I have no idea what is in this partition - in terms of hardware specific date - but this is the partition that has the actual installers in it that installs when you reboot.


In the 5.9.2 package, there is a boot.img that has the same file type listed, I would suppose that is the one that replaces it.


It did the progress bar, showing it installing. but then on the tree screen, it showed the bridge code running, which I don't remember from previos goes of downgrading my PW3.

It also installed a lot faster than I remember the factory image installing.

the Version # does show this factory version number

for paperwhite 3 and earlier, there have been similar instrucations, though I cannot find them.

I know there is a specific partition that has the kernel image in it, and I believe that kerenl has the update-installer in it, so you have to have backed that up properly, and re-flash it.

[knc1]

Is that change something to be preserved by the bridge code?
Or would that be a runme.sh that is used at the user's option?

If it is a runme.sh, please add it to the runme.sh examples thread.
(Note: I am not attaching files, they are only examples for coding suggestions to be used WITH THOUGHT by the user in their own problem solvers.)

[rnb86]

Hi everyone. I have PW3 with JB. All worked good, but I installed an update.
Now Kindle Launcher won't start, same as Vlasovsoft. But I can start my app (KOReader, Coolreader etc.) from KUAL menu. I'm not sure what was the FW before an update (may be 5.8.4 or so), but I remember I used a factory image 5.7.4 to downgrade and to install JB.

My Kindles SN starts: G090 G105 ........
Current FW: 5.9.7

May I use this instruction to downgrade my PW3 safely?
Is there any way to make a backup so I could roll back if downgrade fails?

Quote:

Originally Posted by coplate

Hi, I had upgraded to 5.8.9.2, and I wanted to downgrade back to 5.7.4 to test some more things. I did not want to flash over serial, so I found a change introduced in 5.8.9.2 that works.

Again, this only works if you are already jailbroken, and can SSH to your device, but it's any easy downgrade path, you are going to want to be in airplane mode because of step 4 and the note I put between 7 and 8.

1. enable usbnet
1. ssh to device
2. mntroot rw
3. touch /PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC
4. disable usbnet
5. plug in device and copy initial factory firmware from SW jailbreak thread.
6. eject
7. settings->update kindle

Now I am back on 5.7.4, but I have not reset my kindle, and I still have that
/PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC, also, now there is a new entry on my home screen called "Kindle Feedback" with a chat icon on it, I don't think it's a good Idea to click that.

I might be able to skip # 8-10, but no instructions talked about doing a reset on the factory firmware, and I didn't think it was a good idea.

8. update to 5.8.1
9. System menu reset
10. downgrade back to 5.7.4

Now I have done steps 1-4 of the main jailbreak thread, I can start over with actually jailbreaking again.

Main jailbreak thread for reference:
https://www.mobileread.com/forums/sh...d.php?t=275877