08-10-2017, 09:22 PM | #1 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Refurbished Kindle Examination
The subject here is a "Amazon Certified Refurbished Kindle" (PW3-4Gbyte).
The device has been on the market nearly two years now, the point here is to see what can be learned about this device's past. It arrived in a rather plain brown box, Amazon logo on top, serial number seal on flap. So I removed it from its box. Not being satisfied with doing that, I next removed it from its case. And hooked up a serial port to it. (Note: I have not yet turned it on, I want to catch what I can before the 'first boot, run once' changes happen.) Once ready to turn it on for the first time, I stopped the auto-boot while in u-boot and then manually booted diags. Oh fun and games, the 'diags' system is much different than what we have written up in the serial jail breaking thread. No escape to the command line that I have been able to find yet. Ah, but - - 'Export USB' - Hookup usb cable - Find the usual customer view of USB storage - Eject the USB storage (leaving cable attached) and the menu gives you a choice of 'C' (continue) or 'X' (exit). Hmm... How do you continue after the device has been disconnected? Press: C And what do you know - Its idea of continuing brings up USBnetworking. (There are other messages, in other branches of the diags menu, that relate to mounting an NFS exported root file system and ones about enabling fastboot.) Now if I can just remember the USBnetworking (Lab126) defaults .... More as I find out what all of these changes mean (other than they broke our serial jail breaking thread). = = = = It is way past the time when they roll up the sidewalks here and sane people go to bed (or watch Star Trek reruns). I think I will test the 'Power Off' menu entry and continue this thread tomorrow. - - - - - Code:
diag>Power Suspend get_input_from_stdin Received [POWER SUSPEND] diag> MUSCAT_WFO - POWER SUSPEND - 75 ~~~~ 1.1.30.291999 ~~~~ pcbId:0670309164410CQB Device is now in Suspend mode Press power button to wake up the device [ 3478.937687] PM: Syncing filesystems ... done. [ 3478.944518] Freezing user space processes ... (elapsed 0.01 seconds) done. [ 3478.969061] Freezing remaining freezable tasks ... (elapsed 0.01 seconds) done. [ 3478.988891] Suspending console(s) (use no_console_suspend to debug) More tomorrow. Last edited by knc1; 08-10-2017 at 09:39 PM. |
08-10-2017, 10:37 PM | #2 |
Guru
Posts: 645
Karma: 1888888
Join Date: Jun 2009
Device: prs-505, Kindle Keyboard 3g, PW3
|
if that diags is same as whats on my pw3:
Tt says press o to exit, but you have to type 'exit' and it tells you some extra options. 'exit login' drops you to linux shell, but you dont want to let it finish the bootup. I was able to 'dd' the whole mmc block on mine Last edited by coplate; 08-10-2017 at 10:46 PM. |
Advert | |
|
08-10-2017, 10:45 PM | #3 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
two entries keyed by 'o' - I was going to do a string search of the diags system tomorrow to find the strings it does recognize. You can tell if it is the same by comparing the build number shown as the second or third line of the menu headers. Code:
~~~~ 1.1.30.291999 ~~~~ |
|
08-10-2017, 10:47 PM | #4 |
Guru
Posts: 645
Karma: 1888888
Join Date: Jun 2009
Device: prs-505, Kindle Keyboard 3g, PW3
|
but yeah, I realized you probably don't want to drop into linux... oh, will the diags kernal skip the first boot stuff, maybe. I lost my train of thought there, It doesnt make a lot of sense
diag>? get_input_from_stdin Received [?] diag> MUSCAT_WFO - System Diags - 97 ~~~~ 1.1.23.266370 ~~~~ pcbId:06702091528202NI (DS INFO)-Device Setting (TOUCH PLATE)-Touch Plate Test (OTS)-Operator test suite (o)-Misc individual diagnostics (WIFI NART)-nART factory test (USB EXPORT)-USB device mode (o)-Reboot or Disable Diags (POWER SUSPEND)-Lock screen (X)-Exit diag>exit get_input_from_stdin Received [EXIT] diag> EXIT : command not found Usage: EXIT DISABLE EXIT FASTBOOT EXIT LOGIN EXIT REBOOT EXIT WEB I know that 'exit login' drops me to linux shell Last edited by coplate; 08-10-2017 at 10:58 PM. |
08-10-2017, 10:57 PM | #5 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
/var/local (mmcblk0p3) is common to both systems. /mnt/us (mmcblk0p4) is common to both systems. But as a general rule, neither of those hold executable code. (Both are 'user data' - /var/local is 'user action, generated data'). Dropping to a command line shell is a key step in the serial jail breaking thread. So your way needs to work on all diags versions that do not have the old menu entry that is quoted in the current serial jail breaking thread. OR find an alternative. mounting the 'main' system and dropping a tar bomb on it would fixup everything in a single step. |
|
Advert | |
|
08-10-2017, 11:04 PM | #6 | |
Guru
Posts: 645
Karma: 1888888
Join Date: Jun 2009
Device: prs-505, Kindle Keyboard 3g, PW3
|
Quote:
|
|
08-10-2017, 11:08 PM | #7 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
[Export USB]
works the same as before. and I did copy the entire 3Gbyte of visible USB storage before letting 'diags' write test results on it. which was the point of this exercise, as I am sure you will recall from our PMs. Anything else I learn about this thing is just gravy. |
08-11-2017, 08:37 AM | #8 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
USB networking
Connect USB cable, Kindle-to-PC
From top level of Diags menu (with some whitespace editing): Code:
diag> ? diag> MUSCAT_WFO - System Diags - 76 ~~~~ 1.1.30.291999 ~~~~ pcbId:0670309164410CQB (DS INFO)-Device Setting (TOUCH PLATE)-Touch Plate Test (OTS)-Operator test suite (o)-Misc individual diagnostics (WIFI NART)-nART factory test (USB EXPORT)-USB device mode (o)-Reboot or Disable Diags (POWER SUSPEND)-Lock screen (X)-Exit diag> usb export get_input_from_stdin Received [USB EXPORT] diag>[ 1973.276384] unregistered gadget driver 'g_ether' ERROR: Module g_serial does not exist in /proc/modules [ 1973.327902] g_file_storage gadget: controller 'fsl-usb2-udc' not recognized [ 1973.355936] g_file_storage gadget: File-backed Storage Gadget, version: 1 September 2010 [ 1973.372144] g_file_storage gadget: Number of LUNs=1 [ 1973.379591] fsl-usb2-udc: bind to driver g_file_storage MUSCAT_WFO - USB EXPORT - 76 ~~~~ 1.1.30.291999 ~~~~ pcbId:0670309164410CQB USB device exported Once you are done Eject the USB device from the PC then Battery capacity 76 (C)-to continue (X)-Exit *** Repeats at regular intervals as a reminder *** When done - - Do not remove cable - Eject the Kindle - Do not remove cable - Enter: c with the result of: Code:
get_input_from_stdin Received [C] diag>Cannot open xmlFile /mnt/base-us/USBnet.xml NOT Found NFS path [ 2023.245334] unregistered gadget driver 'g_file_storage' ERROR: Module g_serial does not exist in /proc/modules [ 2023.328600] usb0: MAC ee:59:00:00:00:15 [ 2023.332444] usb0: HOST MAC ee:29:00:00:00:15 [ 2023.356473] g_ether gadget: controller 'fsl-usb2-udc' not recognized; trying CDC Ethernet (ECM) [ 2023.365208] g_ether gadget: Ethernet Gadget, version: Memorial Day 2008 [ 2023.383334] g_ether gadget: g_ether ready [ 2023.387789] fsl-usb2-udc: bind to driver g_ether system: I mntroot:def:Making root filesystem writeable [ 2023.443418] EXT3-fs (mmcblk0p2): using internal journal ls: /var/local/log/messages_*.gz: No such file or directory USB EXPORT: RESULT <PASS> [ 2023.826147] g_ether gadget: high speed config #1: CDC Ethernet (ECM) Code:
knc1:PW3-Serial> ip add - - - - 6: enp3s9f3u5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ee:29:00:00:00:15 brd ff:ff:ff:ff:ff:ff knc1:PW3-Serial> sudo ip address add 192.168.15.201/24 dev enp3s9f3u5 knc1:PW3-Serial> sudo ip link set up dev enp3s9f3u5 knc1:PW3-Serial> ip addr - - - - 7: enp3s9f3u5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000 link/ether ee:29:00:00:00:15 brd ff:ff:ff:ff:ff:ff inet 192.168.15.201/24 scope global enp3s9f3u5 valid_lft forever preferred_lft forever inet6 fe80::ec29:ff:fe00:15/64 scope link valid_lft forever preferred_lft forever Code:
knc1:PW3-Serial> nmap 192.168.15.0/24 Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 06:59 CDT Nmap scan report for kpw1 (192.168.15.201) Host is up (0.00011s latency). Not shown: 996 closed ports - - - - Nmap scan report for 192.168.15.244 Host is up (0.0083s latency). All 1000 scanned ports on 192.168.15.244 are closed Nmap done: 256 IP addresses (2 hosts up) scanned in 7.16 seconds The expected endpoint addresses have not change since the original K5. Code:
knc1:PW3-Serial> telnet 192.168.15.244 Trying 192.168.15.244... telnet: connect to address 192.168.15.244: Connection refused knc1:PW3-Serial> ssh 192.168.15.244 ssh: connect to host 192.168.15.244 port 22: Connection refused knc1:PW3-Serial> ping -c 3 192.168.15.244 PING 192.168.15.244 (192.168.15.244) 56(84) bytes of data. 64 bytes from 192.168.15.244: icmp_seq=1 ttl=64 time=0.410 ms 64 bytes from 192.168.15.244: icmp_seq=2 ttl=64 time=0.280 ms 64 bytes from 192.168.15.244: icmp_seq=3 ttl=64 time=0.403 ms --- 192.168.15.244 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2026ms rtt min/avg/max/mdev = 0.280/0.364/0.410/0.061 ms Code:
Cannot open xmlFile /mnt/base-us/USBnet.xml NOT Found NFS path Last edited by knc1; 08-11-2017 at 08:48 AM. |
08-11-2017, 08:46 AM | #9 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
hmm....
Code:
diag>exit get_input_from_stdin Received [EXIT] diag> EXIT : command not found Usage: EXIT DISABLE EXIT FASTBOOT EXIT LOGIN EXIT REBOOT EXIT WEB I know that 'exit login' drops me to linux shell Dropping to a linux shell at this point is what the "Serial jail breaking" directions would need. (It is also what I want at the moment, just to copy some things over to the USB storage area.) I will leave the network up over the USB cable while I play with the options you have shown. (Since I don't think you played with them while networking was running.) |
08-11-2017, 08:56 AM | #10 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Diags, with USBnetworking up, EXIT to WEB
See what that option buys us:
Code:
diag>? get_input_from_stdin Received [?] diag> MUSCAT_WFO - System Diags - 74 ~~~~ 1.1.30.291999 ~~~~ pcbId:0670309164410CQB (DS INFO)-Device Setting (TOUCH PLATE)-Touch Plate Test (OTS)-Operator test suite (o)-Misc individual diagnostics (WIFI NART)-nART factory test (USB EXPORT)-USB device mode (o)-Reboot or Disable Diags (POWER SUSPEND)-Lock screen (X)-Exit exit get_input_from_stdin Received [EXIT] diag> EXIT : command not found Usage: EXIT DISABLE EXIT FASTBOOT EXIT LOGIN EXIT REBOOT EXIT WEB exit web get_input_from_stdin Received [EXIT WEB] diag>sh: /usr/local/bin/mongoose: not found ls: /var/local/log/messages_*.gz: No such file or directory EXIT WEB: RESULT <PASS> https://en.wikipedia.org/wiki/Mongoose_(web_server) |
08-11-2017, 09:07 AM | #11 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Diags, with USBnetworking up, EXIT to Login
Time to see if the serial number to password generated by the Python snippet in "Serial jail breaking" still generates the correct fiona password.
Code:
diag>? get_input_from_stdin Received [?] diag> MUSCAT_WFO - System Diags - 74 ~~~~ 1.1.30.291999 ~~~~ pcbId:0670309164410CQB (DS INFO)-Device Setting (TOUCH PLATE)-Touch Plate Test (OTS)-Operator test suite (o)-Misc individual diagnostics (WIFI NART)-nART factory test (USB EXPORT)-USB device mode (o)-Reboot or Disable Diags (POWER SUSPEND)-Lock screen (X)-Exit exit login get_input_from_stdin Received [EXIT LOGIN] diag>ls: /var/local/log/messages_*.gz: No such file or directory EXIT LOGIN: RESULT <PASS> sock_close Sock close Waiting to stop Closing /dev/input/event0 Closing /dev/input/event1 Closing server_socket Stopped Exit to login prompt: 1 /etc/init.d/rcS: line 121: boot_milestone: not found starting pid 2086, tty '': '/bin/sh /etc/getty-diags' Welcome to Kindle! [192_168_15_244] login: Code:
mszick:PW3-Serial> ping -c 3 192.168.15.244 PING 192.168.15.244 (192.168.15.244) 56(84) bytes of data. 64 bytes from 192.168.15.244: icmp_seq=1 ttl=64 time=0.410 ms 64 bytes from 192.168.15.244: icmp_seq=2 ttl=64 time=0.280 ms 64 bytes from 192.168.15.244: icmp_seq=3 ttl=64 time=0.403 ms --- 192.168.15.244 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2026ms rtt min/avg/max/mdev = 0.280/0.364/0.410/0.061 ms mszick:PW3-Serial> ping -c 3 192.168.15.244 PING 192.168.15.244 (192.168.15.244) 56(84) bytes of data. 64 bytes from 192.168.15.244: icmp_seq=1 ttl=64 time=6.88 ms 64 bytes from 192.168.15.244: icmp_seq=2 ttl=64 time=0.301 ms 64 bytes from 192.168.15.244: icmp_seq=3 ttl=64 time=0.409 ms --- 192.168.15.244 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2017ms rtt min/avg/max/mdev = 0.301/2.533/6.889/3.080 ms And trying the password output by the Python snippet in "Serial jail breaking": **Edit** There have been some changes to that in the past, let me take a break and see what password the current KindleTool generates. Code:
knc1:PW3-Serial> kindletool info G090G1..... Device uses the new device ID scheme Platform is Wario or newer Root PW fionaed4 Recovery PW fionaed48 That is different than the output from that Python snippet. I either typo'd something last night, made an error in transcription, or that Python snippet in "Serial jail breaking" is out of date. I typo'd something last night, the output of the Python snippet in "Serial jail breaking" is correct. Code:
[192_168_15_244] login: root Password: [root@[192_168_15_244] root]# Our networking? Code:
[root@[192_168_15_244] root]# ping -c3 192.168.15.201 PING 192.168.15.201 (192.168.15.201): 56 data bytes 64 bytes from 192.168.15.201: seq=0 ttl=64 time=10.933 ms 64 bytes from 192.168.15.201: seq=1 ttl=64 time=1.151 ms 64 bytes from 192.168.15.201: seq=2 ttl=64 time=1.201 ms --- 192.168.15.201 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 1.151/4.428/10.933 ms But that is only because the PC I have the USB cable plugged into has packet forwarding disabled. What is needed at the PC end of the cable is shown in /etc/hosts: Code:
127.0.0.1 localhost.localdomain localhost kindle 192.168.15.200 usbnet-host-gw With that local-to-my-setup thing fixed, we do have a network connection from the 'diags' system while logged into the Kindle as the administrator: root. That might be useful for serial jailbreaking, I will be giving that one some thought. Last edited by knc1; 08-11-2017 at 11:27 AM. |
08-11-2017, 09:32 AM | #12 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Diags, with USBnetworking up, 'main' system access
As shown in the post above, while networking is still up and logged in (over serial port) as 'root':
Code:
[root@[192_168_15_244] root]# mount rootfs on / type rootfs (rw) /dev/root on / type ext3 (rw,noatime,nodiratime,barrier=0,data=writeback) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,relatime) tmpfs on /dev type tmpfs (rw,relatime,mode=755) tmpfs on /dev/shm type tmpfs (rw,relatime) devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620) tmpfs on /var type tmpfs (rw,relatime,size=0k) /dev/mmcblk0p3 on /var/local type ext3 (rw,relatime,errors=continue,barrier=0,data=writeback) fsp on /mnt/us type fuse.fsp (rw,nosuid,nodev,noatime,user_id=0,group_id=0) /dev/mmcblk0p1 on /cust type ext3 (ro,sync,relatime,barrier=0,data=writeback) /dev/loop/0 on /mnt/base-us type vfat (rw,noexec,noatime,nodiratime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso8859-1,shortn) Code:
[root@[192_168_15_244] root]# ls /mnt/base-us diagnostic_logs documents system voice [root@[192_168_15_244] root]# ls /mnt/us diagnostic_logs documents system voice [root@[192_168_15_244] root]# ls /cust bin dev lib opt sbin tmp var chroot etc mnt proc sys usr For the moment, just make a 'fix-it' mark on your to-do list (or when reading currently posted directions). = = = = I need to feed the person - more later today. |
08-11-2017, 12:26 PM | #13 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Diags Gottcha
If you let the screensaver time out while logged into the 'diags' command line -
The 'diags' system turns off the touch screen interface, leaving a tiny message in the graphic: "use serial port to exit diags" yeah buddy - you are no longer looking at the menu interface over the serial port but instead at the command line. I think the solution (which I did not think of at the time) would have been: Code:
idme bootmode diag reboot |
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Free (nook/Kindle/iTunes/DRM-free) Christianish [Xtian Faith Re-Examination Critique] | ATDrake | Deals and Resources (No Self-Promotion or Affiliate Links) | 1 | 12-02-2016 02:26 PM |
Free (nook/Kindle/iTunes/DRM-free) Pursuit of the Holy [Xtian Spiritual Examination] | ATDrake | Deals and Resources (No Self-Promotion or Affiliate Links) | 0 | 05-22-2015 02:29 PM |
Free (nook/Kindle/ePub/DRM-free) Relearning Jesus [Xtian Faith Re-Examination Advice] | ATDrake | Deals and Resources (No Self-Promotion or Affiliate Links) | 1 | 02-27-2015 07:16 AM |
Free (nook/Kindle/iTunes/DRM-free) Let God Change Your Life [Xtian Faith Examination] | ATDrake | Deals and Resources (No Self-Promotion or Affiliate Links) | 0 | 01-15-2015 02:11 AM |
Remove Kindle books for examination | curiousgeorge | Amazon Kindle | 2 | 03-12-2013 10:24 AM |