Old 06-27-2015, 09:22 AM   #1
knc1
Inside PW1-5.6.1.1

Also: PW3-5.6.1.1 see: https://www.mobileread.com/forums/sho...d.php?t=262279

The following done on a Linux system. MacOSx should be similar.
Windows users, you will have to translate the following to whatever works.
  1. Make a work place
    The naming conventions of this pathname are just mine, they really don't matter.
    Use whatever fits your own work habits.
    Code:
    core2quad ~ $ mkdir -p /var1/Kindle/kpw/pw-fw5.6
    core2quad ~ $ cd /var1/Kindle/kpw/pw-fw5.6
    core2quad pw-fw5.6 $
  2. Get update package
    Official released pw1-5.6.1.1 is at:
    https://s3.amazonaws.com/G7G_Firmwar...le_5.6.1.1.bin
  3. Get current KindleTool
    Since the PW-1 at this point is running a firmware prior to the 5.6.x series, even an 'old' KindleTool should work just fine for unpacking the update.
    But use the most recent version anyway, from:
    https://www.mobileread.com/forums/sho...d.php?t=225030
  4. Starting workplace
    Code:
    core2quad pw-fw5.6 $ ls -l
    total 212940
    -rw-rw-r-- 1 mszick mszick 302561 2015-06-27 07:04 kindletool-v1.6.4-linux-i686.tar.gz
    -rw-rw-r-- 1 mszick mszick 217523739 2015-06-27 06:51 update_kindle_5.6.1.1.bin
  5. Keep a copy
    KindleTool's default is to delete the input file, unless you specify --keep
    So make a copy of the update now, for when you fat finger the KindleTool command later.
    Code:
    core2quad pw-fw5.6 $ cp -a update_kindle_5.6.1.1.bin update_kindle_5.6.1.1.bin-bk
  6. Unpack KindleTool
    Note that I give the package its own sub-directory of the work place:
    Code:
    core2quad pw-fw5.6 $ mkdir kt
    core2quad pw-fw5.6 $ tar -C kt --extract --gzip --file=kindletool-v1.6.4-linux-i686.tar.gz
    core2quad pw-fw5.6 $ ls -l kt
    total 832
    -rw-r--r-- 1 mszick mszick 309303 2015-05-07 15:09 ChangeLog
    -rw-r--r-- 1 mszick mszick    839 2015-05-07 15:09 CREDITS
    -rwxr-xr-x 1 mszick mszick 502496 2015-05-07 15:09 kindletool
    -rw-r--r-- 1 mszick mszick   8115 2015-05-07 15:09 kindletool.1
    -rw-r--r-- 1 mszick mszick  10929 2015-05-07 15:09 README
    -rw-r--r-- 1 mszick mszick      7 2015-05-07 15:09 VERSION
  7. Check KindleTool
    If you have the one that matches your system, this should just display a help message:
    Code:
    core2quad pw-fw5.6 $ kt/kindletool
    No command was specified!
    
    usage:
    --- a whole lot of output snipped ---
  8. List package info
    Notice the use of option "--keep"
    Code:
    core2quad pw-fw5.6 $ kt/kindletool convert --info --keep update_kindle_5.6.1.1.bin
    Checking update package 'update_kindle_5.6.1.1.bin'.
    Bundle         SP01 (Signing Envelope)
    Cert number    2
    Cert file      pubprodkey02.pem (Official 2K)
    Bundle         FB03 (Fullbin [OTA?, fwo?])
    Bundle Type    Recovery V2
    Target OTA     2689890035
    MD5 Hash       b7b666b5600a1c34a45d54eb523570f1
    Magic 1        2048630901
    Magic 2        1897089723
    Minor          1
    Platform       Yoshime (Yoshime3)
    Header Rev     0
    Board          Unspecified
    Devices        6
    Device         Kindle PaperWhite Wifi
    Device         Kindle PaperWhite Wifi+3G Brazil
    Device         Kindle PaperWhite Wifi+3G Japan
    Device         Kindle PaperWhite Wifi+3G Europe
    Device         Kindle PaperWhite Wifi+3G Canada
    Device         Kindle PaperWhite Wifi+3G
    Looks like it should work.
  9. Extract package
    Make a sub-directory for the root of the package tree and extract.
    Code:
    core2quad pw-fw5.6 $ mkdir package
    core2quad pw-fw5.6 $ kt/kindletool extract update_kindle_5.6.1.1.bin package
    Extracting update package 'update_kindle_5.6.1.1.bin' to 'package'.
    Bundle         SP01 (Signing Envelope)
    Cert number    2
    Cert file      pubprodkey02.pem (Official 2K)
    Bundle         FB03 (Fullbin [OTA?, fwo?])
    Bundle Type    Recovery V2
    Target OTA     2689890035
    MD5 Hash       b7b666b5600a1c34a45d54eb523570f1
    Magic 1        2048630901
    Magic 2        1897089723
    Minor          1
    Platform       Yoshime (Yoshime3)
    Header Rev     0
    Board          Unspecified
    Devices        6
    Device         Kindle PaperWhite Wifi
    Device         Kindle PaperWhite Wifi+3G Brazil
    Device         Kindle PaperWhite Wifi+3G Japan
    Device         Kindle PaperWhite Wifi+3G Europe
    Device         Kindle PaperWhite Wifi+3G Canada
    Device         Kindle PaperWhite Wifi+3G
    x update-payload.dat
    x imx50_yoshime/uImage
    x imx50_yoshime/uImage.sig
    x rootfs.img.gz
    x rootfs.img.gz.sig
    x update-payload.dat.sig
  10. See what that got us
    Note: this is ls option -one, not -ell
    Code:
    core2quad pw-fw5.6 $ ls -1 package/*
    package/rootfs.img.gz
    package/rootfs.img.gz.sig
    package/update-payload.dat
    package/update-payload.dat.sig
    
    package/imx50_yoshime:
    uImage
    uImage.sig
    Note that each part is signed.
  11. Update Payload
    Code:
    core2quad pw-fw5.6 $ cd package
    core2quad package $ cat update-payload.dat
    1 898a5d0d2c0903643b1149c1f134be89 imx50_yoshime/uImage 37 main_kernel
    128 fdbd14b1c79e12fba0ba2c9bb618955a rootfs.img.gz 1645 update_image_rootfs
    core2quad package $ cd -
    /var1/Kindle/kpw/pw-fw5.6
    core2quad pw-fw5.6 $
  12. Uncompress the rootfs
    Code:
    core2quad pw-fw5.6 $ cd package
    core2quad package $ gunzip rootfs.img.gz
    core2quad package $ file rootfs.img
    rootfs.img: Linux rev 1.0 ext3 filesystem data, UUID=380c7f4e-6e00-41a1-a03f-9af1686e2334
    As expected.
  13. Make a mount point and mount
    Code:
    core2quad package $ sudo mkdir -p /mnt/kpw
    core2quad package $ sudo mount rootfs.img /mnt/kpw
    core2quad package $ ls /mnt/kpw
    bin  dev  etc  lib  lost+found  mnt  opt  proc  sbin  sys  usr  var
    That is the tree **before** it is mounted and run by the Kindle.
    That is, the various parts of the file system tree which live inside of cramfs files have not been mounted by the Kindle's start-up process.
    Although you could do that here and now. Details should be in mnt-pt/etc/fstab.
  14. Check the logins
    I'll spoiler the outputs for this section.
    Code:
    core2quad package $ cd /mnt/kpw/etc
    core2quad etc $ cat inittab

    # /etc/inittab: init(8) configuration.
    # $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $

    # The default runlevel.
    id:2:initdefault:

    # Boot-time system configuration/initialization script.
    # This is run first except when booting in emergency (-b) mode.
    si::sysinit:/etc/init.d/rcS
    #si::sysinit:/bin/sh

    # What to do in single-user mode.
    ~~:S:wait:/sbin/getty -L 115200 ttymxc0 -l /bin/login
    #~~:S:wait:/sbin/getty -L 115200 ttymxc0 -l /bin/sh

    # /etc/init.d executes the S and K scripts upon change
    # of runlevel.
    #
    # Runlevel 0 is halt.
    # Runlevel 1 is single-user.
    # Runlevels 2-5 are multi-user.
    # Runlevel 6 is reboot.

    l0:0:wait:/etc/init.d/rc 0
    l1:1:wait:/etc/init.d/rc 1
    l2:2:wait:/etc/init.d/rc 2
    l3:3:wait:/etc/init.d/rc 3
    l4:4:wait:/etc/init.d/rc 4
    l5:5:wait:/etc/init.d/rc 5
    l6:6:wait:/etc/init.d/rc 6

    # Normally not reached, but fallthrough in case of emergency.
    #z6:6:respawn:/sbin/halt -d -f -p

    mxc0:2345:respawn:/sbin/getty -L 115200 ttymxc0 -l /bin/login
    #mxc0:2345:respawn:/sbin/getty -L 115200 ttymxc0 -l /bin/sh

    So login will be running on the serial port.
    Code:
    core2quad etc $ cat passwd

    root:x:0:0:root:/tmp/root:/bin/sh
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:100:sync:/bin:/bin/sync
    operator:x:37:37:Operator:/var:/bin/sh
    sshd:x:103:99:Operator:/var:/bin/sh
    messagebus:x:92:92:messagebus:/bin/false
    nobody:x:99:99:nobody:/tmp:/bin/sh
    default:x:1000:1000:Default non-root user:/dev/null:/bin/sh
    framework:x:9000:150:Framework User:/tmp/framework:/bin/sh

    And the password table references the shadow table.
    Code:
    core2quad etc $ cat shadow

    root:!:10933:0:99999:7:::
    daemon:*:10933:0:99999:7:::
    bin:*:10933:0:99999:7:::
    sys:*:10933:0:99999:7:::
    sync:*:10933:0:99999:7:::
    operator:*:10933:0:99999:7:::
    sshd:*:10933:0:99999:7:::
    messagebus:*:10933:0:99999:7:::
    nobody:*:10933:0:99999:7:::
    default:!:10933:0:99999:7:::
    framework:!:14033:0:99999:7:::

    Users root, default and framework do not accept passwords of any sort.
    Other users are disabled.

    Ref: http://www.tldp.org/LDP/lame/LAME/li...e-formats.html
  15. Return to package
    Code:
    core2quad etc $ cd /var1/Kindle/kpw/pw-fw5.6/
    Then into the kernel part of the package.
    Code:
    core2quad pw-fw5.6 $ cd package/imx50_yoshime
  16. uImage file
    The kernel in u-boot, bootable format.
  17. Remove kernel from header
    Code:
    core2quad imx50_yoshime $ dd if=uImage ibs=64 skip=1 of=raw_image
    75775+0 records in
    9471+1 records out
    4849600 bytes (4.8 MB) copied, 0.0878131 s, 55.2 MB/s
    core2quad imx50_yoshime $ ls -l
    total 14252
    -rw-rw-r-- 1 mszick mszick 4849600 2015-06-27 09:50 Image
    -rw-rw-r-- 1 mszick mszick 4849600 2015-06-27 10:45 raw_image
    -rw-r--r-- 1 mszick mszick 4849664 2015-06-23 06:29 uImage
    -rw-rw-r-- 1 mszick mszick     256 2015-06-23 07:33 uImage.sig
    Either way works for a Kindle uImage, since they don't use the 8 byte ARM specific header option.
  18. Kernel's InitRamFS
    For more descriptive text on what I am doing here than anyone can stand, see the thread:
    https://www.mobileread.com/forums/sho...d.php?t=206188
    Lots of examples there of taking apart kernel images.

    Code:
    core2quad imx50_yoshime $ od -A d -t x1 raw_image | grep '30 37 30 37 30 31'
    0102688 30 37 30 37 30 31 30 30 30 30 30 32 44 31 30 30
    - - - lots of output snipped here - - -
    
    core2quad imx50_yoshime $ dd if=raw_image bs=1 skip=102688 of=kpw-trim-00.cpio
    4746912+0 records in
    4746912+0 records out
    4746912 bytes (4.7 MB) copied, 13.6347 s, 348 kB/s
    
    core2quad imx50_yoshime $ file kpw-trim-00.cpio
    kpw-trim-00.cpio: ASCII cpio archive (SVR4 with no CRC)
    
    core2quad imx50_yoshime $ mkdir cpio
    core2quad imx50_yoshime $ cd cpio
    core2quad cpio $ sudo cpio -i -d -m  --no-absolute-filenames -I ../kpw-trim-00.cpio
    cpio: Removing leading `/' from member names
    2017 blocks
    
    core2quad cpio $ ls -l
    total 28
    drwxr-xr-x 2 root root 4096 2015-06-27 11:14 bin
    drwxr-xr-x 7 root root 4096 2015-06-27 11:14 dev
    lrwxrwxrwx 1 root root   18 2015-06-27 11:14 init -> /bin/recovery-util
    drwxr-xr-x 3 root root 4096 2015-06-27 11:14 lib
    drwxr-xr-x 3 root root 4096 2015-06-27 11:14 mnt
    drwxr-xr-x 2 root root 4096 2015-06-23 06:28 proc
    drwx------ 2 root root 4096 2015-06-23 06:28 root
    drwxr-xr-x 2 root root 4096 2015-06-23 06:28 sys
  19. Looking a bit deeper
    Code:
    core2quad cpio $ cd bin
    core2quad bin $ ls -l
    total 800
    -rwxr-xr-x 1 root root  24398 2015-06-23 06:27 hotplug
    -rwxr-xr-x 1 root root  13240 2015-06-23 06:04 ipconfig
    -rwxr-xr-x 1 root root  76392 2015-06-23 06:04 kinit
    -rwxr-xr-x 1 root root  30707 2015-06-23 06:28 mkdosfs
    -rwxr-xr-x 1 root root   7644 2015-06-23 06:04 nfsmount
    -rwxr-xr-x 1 root root 571603 2015-06-23 06:27 recovery-util
    -rwxr-xr-x 1 root root   2116 2015-06-23 06:04 run-init
    -rwxr-xr-x 1 root root  66224 2015-06-23 06:04 sh
    
    core2quad bin $ file *
    hotplug:       ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
    ipconfig:      ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    kinit:         ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped
    mkdosfs:       ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), not stripped
    nfsmount:      ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    recovery-util: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
    run-init:      ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    sh:            ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    All compiled code, but they left us some of the symbol tables.

    Note the really interesting one: nfsmount (in the initramfs system?).
    That will make for some interesting night's work for someone.
  20. Misc. Strings
    This is just a quick and dirty use of:
    Code:
    core2quad bin $ od --strings=16 recovery-util | less
    Like I wrote, quick and dirty.
    Code:
    0332340 nfs_boot_default
    0332370   Make sure the Ethernet interface is configured on your host machine.
    0332477 ipconfig -d nfsaddrs=%s:%s:%s:%s:%s:%s
    0332715 nfsmount -o v3,tcp %s:%s /root
    Well, that sort of makes it look like nfsmount is there for a reason.
    Code:
    0334360 /proc/sys/vm/drop_caches
    0334760 /mnt-us/update-failed.log
    0335643 /bin/mkdosfs -F 32 -s 16 -B 4 -P %llu -n Kindle -v %s
    0336554 %s: (%u of %u MiB)
    Parameters to rebuild your USB storage with.
    Code:
    0343154 /mnt-us/system/SKIP_BATTERY_CHECK_FOR_UPDATE
    No comment.
    Code:
    0350112 /mnt-us/data.stgz
  21. BIG NOTE:
    This initramfs is statically linked into the kernel binary (not dynamically loaded by the kernel), which makes it GPLv2 (same as the kernel).

    So disassemble and post (somewhere other than MR) to your heart's content.
Attached Files
File Type: gz cpio.tar.gz (514.6 KB, 172 views)

Last edited by knc1; 06-30-2015 at 08:01 AM.
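Steps 17 and 18 above strip the 64-byte u-boot header with dd and hunt for the "070701" cpio magic with od. The following is an added example, not code from the post or from KindleTool: it does the same two things programmatically, but also checks the uImage header and data CRC32 values before trusting the payload, then walks the SVR4 newc cpio headers to list the initramfs members. The load address, entry point, image name and archive contents in build_sample() are constructed sample values, not taken from a real Kindle kernel.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956        # ih_magic of a legacy u-boot image header
UIMAGE_HDR = ">IIIIIIIBBBB32s"   # the 64 bytes step 17 skips with dd ibs=64 skip=1
CPIO_MAGIC = b"070701"           # SVR4 newc cpio, no CRC: the '30 37 30 37 30 31' od pattern


def parse_uimage(blob):
    """Check magic, header CRC and data CRC; return (image name, raw payload).
    Any mismatch raises ValueError so a tampered or truncated image fails closed."""
    if len(blob) < 64:
        raise ValueError("too short for a uImage header")
    magic, hcrc, _, size, _, _, dcrc, _, _, _, _, name = struct.unpack(UIMAGE_HDR, blob[:64])
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # the header CRC is computed with the ih_hcrc field itself zeroed
    if zlib.crc32(blob[:4] + b"\0\0\0\0" + blob[8:64]) & 0xFFFFFFFF != hcrc:
        raise ValueError("uImage header CRC mismatch")
    payload = blob[64:64 + size]
    if len(payload) != size or zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("uImage data CRC mismatch")
    return name.rstrip(b"\0").decode("ascii", "replace"), payload


def list_cpio_members(payload):
    """Find the first newc header in the payload and walk the archive,
    returning [(name, mode, size)] for every member before TRAILER!!!."""
    start = payload.find(CPIO_MAGIC)
    if start < 0:
        raise ValueError("no newc cpio archive found in payload")
    arch, pos, members = payload[start:], 0, []
    while True:
        hdr = arch[pos:pos + 110]
        if len(hdr) < 110 or hdr[:6] != CPIO_MAGIC:
            raise ValueError("truncated or corrupt cpio header at %d" % (start + pos))
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]  # 13 ASCII hex fields
        mode, filesize, namesize = f[1], f[6], f[11]
        name = arch[pos + 110:pos + 110 + namesize - 1].decode("ascii", "replace")
        data = (pos + 110 + namesize + 3) & ~3   # name (with its NUL) padded to 4 bytes
        if name == "TRAILER!!!":
            return members
        members.append((name, mode, filesize))
        pos = (data + filesize + 3) & ~3         # file data is padded to 4 bytes too


def build_sample():
    """Constructed test data (not a real Kindle kernel): a tiny newc archive,
    preceded by filler standing in for kernel code, wrapped in a valid uImage."""
    def rec(name, mode, data):
        n = name.encode() + b"\0"
        fields = (1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
        h = CPIO_MAGIC + b"".join(b"%08x" % v for v in fields) + n
        h += b"\0" * (-len(h) % 4)
        return h + data + b"\0" * (-len(data) % 4)
    cpio = (rec("init", 0o120777, b"/bin/recovery-util")
            + rec("bin/sh", 0o100755, b"\x7fELF-stub") + rec("TRAILER!!!", 0, b""))
    payload = b"\0" * 1024 + cpio
    hdr = struct.pack(UIMAGE_HDR, UIMAGE_MAGIC, 0, 0, len(payload), 0x70008000, 0x70008000,
                      zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, 2, 0, b"Kindle sample kernel")
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr[8:]  # fill ih_hcrc
    return hdr + payload
```

On a real image, read the uImage file into parse_uimage() and hand the returned payload to list_cpio_members(); the start offset it finds is the value step 18 passes to dd as skip=.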
Old 06-27-2015, 12:49 PM   #2
knc1
That is all of the typing fun I can stand for one day.

Maybe I'll jail break the raw image and post it somewhere, mostly that depends on free time between now and next Tuesday.
Old 06-27-2015, 05:45 PM   #3
knc1
nfs boot

Thanks to IDA PRO demo (screenshot) -
It does indeed look like 5.6.x (at least 5.6.1.1) will nfs_boot either over Wifi or Ethernet (usbnet).
see attached:
Attached thumbnail: nfs_boot.png (96.1 KB)
Old 06-27-2015, 10:38 PM   #4
NiLuJe
Thanks for the detailed writeup, that'll probably save me another round of googling the next time I want to get at the recovery shell of the initramfs.
Old 06-28-2015, 04:43 AM   #5
knc1
Quote (originally posted by NiLuJe):
> Thanks for the detailed writeup, that'll probably save me another round of googling the next time I want to get at the recovery shell of the initramfs.
I suppose there is a French equivalent of this one - - -

A policeman saw a drunk stumbling around, looking at the ground under a corner street light;

He asked the drunk what he was doing and the drunk replied: "I lost my wallet in the alley and I am looking for it";

P: But why are you looking here, on the street corner?

D: The light is better here.

- - - - -

I just thought I'd turn on a few lights in that alley (the initramfs system) for people still looking for a jail break vector.