Tools Serial Jailbreaking your fw >= 5.6.x Kindle for Dummies

[NiLuJe]

I don't think the new partition layout affected older devices, so I'm going to go with "yes", but that's a theoretical answer.

[meteorinc]

Quote:

Originally Posted by sirius7

i made Jb on my PW3 with 5.10.1.1 so yes this instructions work, but on some point it's need to use screen instead of terminal.

Confirming that this jailbreak works on my PW2 with 5.10.1.1 and had to use the screen to select the prompts.

I used the no-soldering method to get to serial. Made a custom connector attached to a binder clip using moldable plastic to make the TX/RX connection and tape for ground. Only three wires needed.

Thank you all for such a well-written & detailed guide.

[fitz0303]

Is there any way to jailbreak a Kindle Paperwhite 4 (S/N G000

PP07 **** ****) that has been updated OTA with firmware version

5.10.1.3 ?

I understand that there is no software way to do it but is it

possible using the Serial Bus ?

If yes I need some help or instructions.

I'm OK with the instructions at the beginning of this thread

until "Part 4: Hackery stuff" step "3. Run the jailbreak", which

as far as I can tell will only work with a factory image (which I

clearly don't have).

Thanks in advance even if it's just a no.

fitz

[j.p.s]

See this thread to get the PW4 factory image:
https://www.mobileread.com/forums/sh...d.php?t=312489

[fitz0303]

Thanks for your response

My understanding of the post you reference is that the factory images available in it can only be used to update firmware versions 5.10.0.1 or 5.10.0.2. The version I'm trying to jailbreak is 5.10.1.3. I would be very happy to be proved wrong however.

fitz

[j.p.s]

That is where using the serial port comes in. I have no experience at all using kindle serial ports, so I can not help with that. Your first post said you are using the serial port, but do not know how to get the factory image.

[knc1]

Quote:

Originally Posted by fitz0303

. . . . .
"Part 4: Hackery stuff" step "3. Run the jailbreak", which

as far as I can tell will only work with a factory image (which I

clearly don't have).

Thanks in advance even if it's just a no.

fitz

So ask yourself, what does "run the jailbreak" actually do?
If unsure, read the script.

Hint: The "JB" is to add our signature certificate to the Kindle's key store.
Hint: The location in the file system tree of the Kindle's key store has never changed, why do you think it must have changed on your device?

WARNING: The directions you are reading are for the legacy, dual boot, file system layout.
Your PW4 (and the KOA2) does not have that layout, it has the "Androidized" file system layout.

All of the principles have remained the same (other than no dual boot), just implemented differently.

Don't waste time looking for the "Androidized" layout directions, nobody has written them (yet).
Although you are welcome to write them for us.

[fitz0303]

OK just to be clear before I start poking about,

If I understand what you are saying (and I'm not entirely sure

that I do) all I need to do to enable the jailbreak is to write

the developer key to /etc/uks (followed by hotfix etc.) and it

will take succesfully with the version of firmware previously updated OTA by

Amazon, in my case 5.10.1.3).

In other words, either 5.10.1.3 is a factory image or I don't need to load a specific factory image to execute the jailbreak ?

Thanks for your time

fitz

[knc1]

Quote:

Originally Posted by fitz0303

OK just to be clear before I start poking about,

If I understand what you are saying (and I'm not entirely sure

that I do) all I need to do to enable the jailbreak is to write

the developer key to /etc/uks (followed by hotfix etc.) and it

will take succesfully with the version of firmware previously updated OTA by

Amazon, in my case 5.10.1.3).

In other words, either 5.10.1.3 is a factory image or I don't need to load a specific factory image to execute the jailbreak ?

Thanks for your time

fitz

Since neither the location nor our certificate has changed for the life time of the Kindle devices so far - - -
It is fairly certain that it is firmware version and firmware build type in-dependent.
(Only the software delivery vector has changed over time, as required by other firmware changes.)

1) put our certificate at top most visible level of USB storage.
2) disconnect USB cable.
3) at Kindle command line:
mv -f /mnt/us/<cert-file-name> /etc/uks


Done.
Everything else can be done via the software jb instructions.

[fitz0303]

OK and thankyou, I'll give it a go.

fitz

[fitz0303]

OK, I've got a functional serial connection, when i interrupt the boot sequence it runs into a loop showing "Enter fastboot mode, use Ctrl+C to exit" and the only input that has any effect is Ctrl-C which simply echos the "Enter fastboot mode ...." line again.

The Kindle USB port shows up on my Windows 7 machine as a "USB Download gadget" but I have not been able to find a driver for it on my PC.

any ideas on how to proceed would be gratefully received.

Console output as follows :

[ 583.335857] reboot: Restarting system

HW

U-Boot 2016.03 (Oct 12 2018 - 17:30:31 -0700)

CPU: Freescale i.MX6SLL rev1.1 996 MHz (running at 792 MHz)
CPU: Commercial temperature grade (0C to 95C) at 42C
Reset cause: POR
Board: MX6SLL Rex
I2C: ready
DRAM: 512 MiB
entering PMIC test mode
in PMIC test mode -- apply bootup workaround
switching back to PMIC user mode
setup_pmic_mode -- make sure pmic is in user mode
MMC: FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
idme_initialize
Idme version is 2.x and set related function to V2.x
IDME table version 2.1
hibernation: Not from hibernation
Core : f770ee83 2018/03/16 19:49:02 (Licensed to Amazon Fulfillment Services,Inc..)
SBIOS: v2.0 2018/11/27 03:26:04
TTBR:9fffc059
Platform: v2.0 2018/11/27 03:26:04
fl
*** Warning - bad CRC, using default environment

In: serial
Out: serial
Err: serial
Hardware Board: Unknown(12)
Board ID is P001F209835503C9
WFO module
secure_cpu: 1, production: 1, unlocked: 0
Boot mode is 0
Hit any key to stop autoboot: 0
Enter fastboot mode, use Ctrl+C to exit.
Enter fastboot mode, use Ctrl+C to exit.
Enter fastboot mode, use Ctrl+C to exit.

[knc1]

So enter fastboot mode.
Which requires you to run a fastboot client on your connected PC.
Note also that Kindles use a special build of the fastboot client.

[fitz0303]

Some progress, got nowhere on Windows, so decided to recompile the kindle fastboot executeable on a Raspberry Pi and to my great surprise they are talking. Not very informative as conversations go :
fastboot devices returns - a string of ????????????
fastboot getvar bootmode returns - FAILED (remote: Variable not implemented)
however at the same time the serial bus console displays - WARNING :unknown variable: bootmode (same result with getvar serial)
however
fastboot reboot - reboots the kindle.

Is there someway I can test this implementation of fastboot by writing data to the kindle without risking overwriting something important, and ultimately when I do have to write something important , what do I need to write (the developer key would be good) and where to ?

fitz

[fitz0303]

Sorry this is so long but I wanted to be thorough, unfortunately I have come to the conclusion that it is not possible to jailbreak an OTA updated Kindle 4 Paperwhite using the Serial Bus.

There is no Diag partition on the new Paperwhites (Androidized) which limits the options available.

There are two times during the boot process that the boot can be interrupted (you need to be quick, neither will wait for long) :

The first is in response to the following prompt

secure_cpu: 1, production: 1, unlocked: 0
Boot mode is 0
Hit any key to stop autoboot: 0

in previous versions this would allow you to get to a login prompt, this is no longer the case and execution continues into a loop with the following prompt:

Enter fastboot mode, use Ctrl+C to exit.

I couldn't get the Kindle version of fastboot to work on my W7 PC (the kindle presents itself as a "USB Download gadget" and I couldn't find a driver for this device on the PC), Fortunately linux/unix does recognize it and the kindle specific fastboot program works, unfortunately most of the useful fastboot commands are locked out or not implemented.

fastboot setvar bootmode returns - FAILED (remote: Variable not implemented)

fastboot flash system rootfs.img gives
.................................................. ........................
.
.
.................................................. ........................
.....................................
downloading of 460800000 bytes finished
locked command: flash:system.

To exit from the fastboot loop you can use "fastboot reboot" or hold the kindle power button through the amber flashing leds and release.

If you let the boot sequence run through the above option without stopping it runs into a recovery menu with a short countdown,

Menu
====
3. Load MMC over USB storage
E. Export FAT partition
U. Update using update*.bin file on FAT partition
D. dmesg / kernel printk ring buffer.
Q. quit
Choose: 3 |

typing Upper Case E will halt the countdown and allow the usb connection in storage mode, you can then install an update...bin file on the kindle.

[FAT32]
1. done
R. Reboot

Typing 1 will return to the recovery menu and then rapidly typing U will initiate an update.

Unfortunately you cannot use this path to downgrade the version as it is downgrade protected, dmesg shows the following :

<12>[ 98.806642] ERROR:bundle/unbundle_common.c:351:valid_version_to_update():OT A version is less then current device version
<12>[ 98.806665] ERROR:bundle/unbundle_cognac.c:1636:do_unbundle():do_unbundle: validate_version failed.
.
.
<12>[ 98.815014] ERROR:update.c:262:update_os():Could not unbundle /mnt/us/update_kindle_all_new_paperwhite_v2_5.10.0.2_facto ry.bin,error_code=12

This will work if the version of the update is >= to the currently installed version so could be used to recover from a partialy bricked kindle.

Out of desperation I tried typing 3 as a recovery option, and the kindle replies "unkown option 3"

for info; the factory updates contain a populated /usr/local/bin directory, which includes the "installHtml" and the "usbnetwork" shell commands amongst many others, the OTA updates do not, in fact there is no /usr/local directory at all in the normal updates.

I briefly looked at using MfgTool, but couldn't get it to connect, I beleive the kindle usb connection needs to be in a different mode for MfgTool to see it and I don't know how to put the kindle into that mode.

In conclusion, if anyone has any ideas on what else can done I am certainly willing to give them a try and lastly if anyone is thinking about investing in a usb to serial converter in order to jailbreak their OTA updated Kindle 4 Paperwhite, you might want to think again until a clear route forward is available.

Regards to everyone

fitz

[NiLuJe]

Was the fastboot flash successful? Because if that's the main rootfs, you just need to unpack it from the factory image, and bob's your uncle.