Inside PW1-5.6.1.1

[knc1]

Also: PW3-5.6.1.1 see: https://www.mobileread.com/forums/sho...d.php?t=262279

The following done on a Linux system. MacOSx should be similar.
Windows users, you will have to translate the following to whatever works.

1. Make a work place
   The naming conventions of this pathname are just mine, they really don't matter.
   Use whatever fits your own work habits.
   
   Code:

   core2quad ~ $ mkdir -p /var1/Kindle/kpw/pw-fw5.6
   core2quad ~ $ cd /var1/Kindle/kpw/pw-fw5.6
   core2quad pw-fw5.6 $

2. Get update package
   Official released pw1-5.6.1.1 is at:
   https://s3.amazonaws.com/G7G_Firmwar...le_5.6.1.1.bin
3. Get current KindleTool
   Since the PW-1 at this point is running a firmware prior to the 5.6.x series, even an 'old' KindleTool should work just fine for unpacking the update.
   But use the most recent version anyway, from:
   https://www.mobileread.com/forums/sho...d.php?t=225030
4. Starting workplace
   core2quad pw-fw5.6 $ ls -l
   total 212940
   -rw-rw-r-- 1 mszick mszick 302561 2015-06-27 07:04 kindletool-v1.6.4-linux-i686.tar.gz
   -rw-rw-r-- 1 mszick mszick 217523739 2015-06-27 06:51 update_kindle_5.6.1.1.bin
5. Keep a copy
   KindleTool's default is to delete the input file, unless you specify --keep
   So make a copy of the update now, for when you fat finger the KindleTool command later.
   
   Code:

   core2quad pw-fw5.6 $ cp -a update_kindle_5.6.1.1.bin update_kindle_5.6.1.1.bin-bk

6. Unpack KindleTool
   Note that I give the package its own sub-directory of the work place:
   
   Code:

   core2quad pw-fw5.6 $ mkdir kt
   core2quad pw-fw5.6 $ tar -C kt --extract --gzip --file=kindletool-v1.6.4-linux-i686.tar.gz
   core2quad pw-fw5.6 $ ls -l kt
   total 832
   -rw-r--r-- 1 mszick mszick 309303 2015-05-07 15:09 ChangeLog
   -rw-r--r-- 1 mszick mszick    839 2015-05-07 15:09 CREDITS
   -rwxr-xr-x 1 mszick mszick 502496 2015-05-07 15:09 kindletool
   -rw-r--r-- 1 mszick mszick   8115 2015-05-07 15:09 kindletool.1
   -rw-r--r-- 1 mszick mszick  10929 2015-05-07 15:09 README
   -rw-r--r-- 1 mszick mszick      7 2015-05-07 15:09 VERSION

7. Check KindleTool
   If you have the one that matches your system, this should just display a help message:
   
   Code:

   core2quad pw-fw5.6 $ kt/kindletool
   No command was specified!
   
   usage:
   --- a whole lot of output snipped ---

8. List package info
   Notice the use of option "--keep"
   
   Code:

   core2quad pw-fw5.6 $ kt/kindletool convert --info --keep update_kindle_5.6.1.1.bin
   Checking update package 'update_kindle_5.6.1.1.bin'.
   Bundle         SP01 (Signing Envelope)
   Cert number    2
   Cert file      pubprodkey02.pem (Official 2K)
   Bundle         FB03 (Fullbin [OTA?, fwo?])
   Bundle Type    Recovery V2
   Target OTA     2689890035
   MD5 Hash       b7b666b5600a1c34a45d54eb523570f1
   Magic 1        2048630901
   Magic 2        1897089723
   Minor          1
   Platform       Yoshime (Yoshime3)
   Header Rev     0
   Board          Unspecified
   Devices        6
   Device         Kindle PaperWhite Wifi
   Device         Kindle PaperWhite Wifi+3G Brazil
   Device         Kindle PaperWhite Wifi+3G Japan
   Device         Kindle PaperWhite Wifi+3G Europe
   Device         Kindle PaperWhite Wifi+3G Canada
   Device         Kindle PaperWhite Wifi+3G

   Looks like it should work.
9. Extract package
   Make a sub-directory for the root of the package tree and extract.
   
   Code:

   core2quad pw-fw5.6 $ mkdir package
   core2quad pw-fw5.6 $ kt/kindletool extract update_kindle_5.6.1.1.bin package
   Extracting update package 'update_kindle_5.6.1.1.bin' to 'package'.
   Bundle         SP01 (Signing Envelope)
   Cert number    2
   Cert file      pubprodkey02.pem (Official 2K)
   Bundle         FB03 (Fullbin [OTA?, fwo?])
   Bundle Type    Recovery V2
   Target OTA     2689890035
   MD5 Hash       b7b666b5600a1c34a45d54eb523570f1
   Magic 1        2048630901
   Magic 2        1897089723
   Minor          1
   Platform       Yoshime (Yoshime3)
   Header Rev     0
   Board          Unspecified
   Devices        6
   Device         Kindle PaperWhite Wifi
   Device         Kindle PaperWhite Wifi+3G Brazil
   Device         Kindle PaperWhite Wifi+3G Japan
   Device         Kindle PaperWhite Wifi+3G Europe
   Device         Kindle PaperWhite Wifi+3G Canada
   Device         Kindle PaperWhite Wifi+3G
   x update-payload.dat
   x imx50_yoshime/uImage
   x imx50_yoshime/uImage.sig
   x rootfs.img.gz
   x rootfs.img.gz.sig
   x update-payload.dat.sig

10. See what that got us
    Note: this is ls option -one, not -ell
    
    Code:

    core2quad pw-fw5.6 $ ls -1 package/*
    package/rootfs.img.gz
    package/rootfs.img.gz.sig
    package/update-payload.dat
    package/update-payload.dat.sig
    
    package/imx50_yoshime:
    uImage
    uImage.sig

    Note that each part is signed.
11. Update Payload
    
    Code:

    core2quad pw-fw5.6 $ cd package
    core2quad package $ cat update-payload.dat
    1 898a5d0d2c0903643b1149c1f134be89 imx50_yoshime/uImage 37 main_kernel
    128 fdbd14b1c79e12fba0ba2c9bb618955a rootfs.img.gz 1645 update_image_rootfs
    core2quad package $ cd -
    /var1/Kindle/kpw/pw-fw5.6
    core2quad pw-fw5.6 $

12. Uncompress the rootfs
    
    Code:

    core2quad pw-fw5.6 $ cd package
    core2quad package $ gunzip rootfs.img.gz
    core2quad package $ file rootfs.img
    rootfs.img: Linux rev 1.0 ext3 filesystem data, UUID=380c7f4e-6e00-41a1-a03f-9af1686e2334

    As expected.
13. Make a mount point and mount
    
    Code:

    core2quad package $ sudo mkdir -p /mnt/kpw
    core2quad package $ sudo mount rootfs.img /mnt/kpw
    core2quad package $ ls /mnt/kpw
    bin  dev  etc  lib  lost+found  mnt  opt  proc  sbin  sys  usr  var

    That is the tree **before** it is mounted and running by the Kindle.
    That is, the various parts of the file system tree which live inside of cramfs files have not been mounted by the Kindle's start-up process.
    Although you could do that here and now. Details should be in mtn-pt/etc/fstab.
14. Check the logins
    I'll spoiler the outputs for this section.
    
    Code:

    core2quad package $ cd /mnt/kpw/etc
    core2quad etc $ cat inittab

    Spoiler:

    
    # /etc/inittab: init(8) configuration.
    # $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $
    
    # The default runlevel.
    id:2:initdefault:
    
    # Boot-time system configuration/initialization script.
    # This is run first except when booting in emergency (-b) mode.
    si::sysinit:/etc/init.d/rcS
    #si::sysinit:/bin/sh
    
    # What to do in single-user mode.
    ~~:S:wait:/sbin/getty -L 115200 ttymxc0 -l /bin/login
    #~~:S:wait:/sbin/getty -L 115200 ttymxc0 -l /bin/sh
    
    # /etc/init.d executes the S and K scripts upon change
    # of runlevel.
    #
    # Runlevel 0 is halt.
    # Runlevel 1 is single-user.
    # Runlevels 2-5 are multi-user.
    # Runlevel 6 is reboot.
    
    l0:0:wait:/etc/init.d/rc 0
    l1:1:wait:/etc/init.d/rc 1
    l2:2:wait:/etc/init.d/rc 2
    l3:3:wait:/etc/init.d/rc 3
    l4:4:wait:/etc/init.d/rc 4
    l5:5:wait:/etc/init.d/rc 5
    l6:6:wait:/etc/init.d/rc 6
    
    # Normally not reached, but fallthrough in case of emergency.
    #z6:6:respawn:/sbin/halt -d -f -p
    
    mxc0:2345:respawn:/sbin/getty -L 115200 ttymxc0 -l /bin/login
    #mxc0:2345:respawn:/sbin/getty -L 115200 ttymxc0 -l /bin/sh
    
    
    So login will be running on the serial port.
    
    Code:

    core2quad etc $ cat passwd

    Spoiler:

    
    root:x:0:0:root:/tmp/root:/bin/sh
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:100:sync:/bin:/bin/sync
    operator:x:37:37:Operator:/var:/bin/sh
    sshd:x:103:99:Operator:/var:/bin/sh
    messagebus:x:92:92:messagebus:/bin/false
    nobody:x:99:99:nobody:/tmp:/bin/sh
    default:x:1000:1000efault non-root user:/dev/null:/bin/sh
    framework:x:9000:150:Framework User:/tmp/framework:/bin/sh
    
    
    And password table references the shadow table.
    
    Code:

    core2quad etc $ cat shadow

    Spoiler:

    
    root:!:10933:0:99999:7:::
    daemon:*:10933:0:99999:7:::
    bin:*:10933:0:99999:7:::
    sys:*:10933:0:99999:7:::
    sync:*:10933:0:99999:7:::
    operator:*:10933:0:99999:7:::
    sshd:*:10933:0:99999:7:::
    messagebus:*:10933:0:99999:7:::
    nobody:*:10933:0:99999:7:::
    default:!:10933:0:99999:7:::
    framework:!:14033:0:99999:7:::
    
    
    Users root, default and framework do not accept passwords of any sort.
    Other users are disabled.
    
    Ref: http://www.tldp.org/LDP/lame/LAME/li...e-formats.html
    
15. Return to package
    
    Code:

    core2quad etc $ cd /var1/Kindle/kpw/pw-fw5.6/

    Then into the kernel part of the package.
    
    Code:

    core2quad pw-fw5.6 $ cd package/imx50_yoshime

16. uImage file
    The kernel in u-boot, bootable format.
    • U-Image extractor
      With reading, at:
      http://buffalo.nas-central.org/wiki/...ract_an_uImage
      
      As code in a public repo:
      https://github.com/claas/tools/blob/...ract-uimage.sh
      
      Copy&Paste to text editor, save script and make executable, or:
    • Using dd on Kindle U-Image
      
      Code:

      dd if=uImage bs=64 skip=1 of=Image

17. Remove kernel from header
    
    Code:

    core2quad imx50_yoshime $ dd if=uImage ibs=64 skip=1 of=raw_image
    75775+0 records in
    9471+1 records out
    4849600 bytes (4.8 MB) copied, 0.0878131 s, 55.2 MB/s
    core2quad imx50_yoshime $ ls -l
    total 14252
    -rw-rw-r-- 1 mszick mszick 4849600 2015-06-27 09:50 Image
    -rw-rw-r-- 1 mszick mszick 4849600 2015-06-27 10:45 raw_image
    -rw-r--r-- 1 mszick mszick 4849664 2015-06-23 06:29 uImage
    -rw-rw-r-- 1 mszick mszick     256 2015-06-23 07:33 uImage.sig

    Either way works for a Kindle uImage, since they don't use the 8 byte ARM specific header option.
18. Kernel's InitRamFS
    For more descriptive text on what I am doing here than anyone can stand, see the thread:
    https://www.mobileread.com/forums/sho...d.php?t=206188
    Lots of examples there of taking apart kernel images.
    
    
    Code:

    core2quad imx50_yoshime $ od -A d -t x1 raw_image | grep '30 37 30 37 30 31'
    0102688 30 37 30 37 30 31 30 30 30 30 30 32 44 31 30 30
    - - - lots of output snipped here - - -
    
    core2quad imx50_yoshime $ dd if=raw_image bs=1 skip=102688 of=kpw-trim-00.cpio
    4746912+0 records in
    4746912+0 records out
    4746912 bytes (4.7 MB) copied, 13.6347 s, 348 kB/s
    
    core2quad imx50_yoshime $ file kpw-trim-00.cpio
    kpw-trim-00.cpio: ASCII cpio archive (SVR4 with no CRC)
    
    core2quad imx50_yoshime $ mkdir cpio
    core2quad imx50_yoshime $ cd cpio
    core2quad cpio $ sudo cpio -i -d -m  --no-absolute-filenames -I ../kpw-trim-00.cpio
    cpio: Removing leading `/' from member names
    2017 blocks
    
    core2quad cpio $ ls -l
    total 28
    drwxr-xr-x 2 root root 4096 2015-06-27 11:14 bin
    drwxr-xr-x 7 root root 4096 2015-06-27 11:14 dev
    lrwxrwxrwx 1 root root   18 2015-06-27 11:14 init -> /bin/recovery-util
    drwxr-xr-x 3 root root 4096 2015-06-27 11:14 lib
    drwxr-xr-x 3 root root 4096 2015-06-27 11:14 mnt
    drwxr-xr-x 2 root root 4096 2015-06-23 06:28 proc
    drwx------ 2 root root 4096 2015-06-23 06:28 root
    drwxr-xr-x 2 root root 4096 2015-06-23 06:28 sys

19. Looking a bit deeper
    
    Code:

    core2quad cpio $ cd bin
    core2quad bin $ ls -l
    total 800
    -rwxr-xr-x 1 root root  24398 2015-06-23 06:27 hotplug
    -rwxr-xr-x 1 root root  13240 2015-06-23 06:04 ipconfig
    -rwxr-xr-x 1 root root  76392 2015-06-23 06:04 kinit
    -rwxr-xr-x 1 root root  30707 2015-06-23 06:28 mkdosfs
    -rwxr-xr-x 1 root root   7644 2015-06-23 06:04 nfsmount
    -rwxr-xr-x 1 root root 571603 2015-06-23 06:27 recovery-util
    -rwxr-xr-x 1 root root   2116 2015-06-23 06:04 run-init
    -rwxr-xr-x 1 root root  66224 2015-06-23 06:04 sh
    
    core2quad bin $ file *
    hotplug:       ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
    ipconfig:      ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    kinit:         ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped
    mkdosfs:       ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), not stripped
    nfsmount:      ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    recovery-util: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
    run-init:      ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped
    sh:            ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked (uses shared libs), stripped

    All compiled code, but they left us some of the symbol tables.
    
    Note the really interesting one: nfsmount (in the initramfs system?).
    That will make for some interesting nights work for someone.
20. Misc. Strings
    This is just a quick and dirty use of:
    
    Code:

    core2quad bin $ od --strings=16 recovery-util | less

    Like I wrote, quick and dirty.
    
    Code:

    0332340 nfs_boot_default
    0332370   Make sure the Ethernet interface is configured on your host machine.
    0332477 ipconfig -d nfsaddrs=%s:%s:%s:%s:%s:%s
    0332715 nfsmount -o v3,tcp %s:%s /root

    Well, that sort of makes it look like nfsmount is there for a reason.
    
    Code:

    0334360 /proc/sys/vm/drop_caches
    0334760 /mnt-us/update-failed.log
    0335643 /bin/mkdosfs -F 32 -s 16 -B 4 -P %llu -n Kindle -v %s
    0336554 %s: (%u of %u MiB)

    Parameters to rebuild your USB storage with.
    
    Code:

    0343154 /mnt-us/system/SKIP_BATTERY_CHECK_FOR_UPDATE

    No comment.
    
    Code:

    0350112 /mnt-us/data.stgz

    
21. BIG NOTE:
    This initramfs is statically linked into the kernel binary (not dynamically loaded by the kernel) which makes it GPLv2 (same as the kernel).
    
    So disassemble and post (somewhere other than MR) to your heart's content.

[knc1]

That is all of the typing fun I can stand for one day.

Maybe I'll jail break the raw image and post it somewhere, mostly that depends on free time between now and next Tuesday.

[knc1]

Thanks to IDA PRO demo (screenshot) -
It does indeed look like 5.6.x (at least 5.6.1.1) will nfs_boot either over Wifi or Ethernet (usbnet).
see attached:

[NiLuJe]

Thanks for the detailed writeup, that'll probably save me another round of googling the next time I want to get at the recovery shell of the initramfs .

[knc1]

Quote:

Originally Posted by NiLuJe

Thanks for the detailed writeup, that'll probably save me another round of googling the next time I want to get at the recovery shell of the initramfs .

I suppose there is a French equivalent of this one - - -

A policeman saw a drunk stumbling around, looking at the ground under a corner street light;

He asked the drunk what he was doing and the drunk replied: "I lost my wallet in the alley and I am looking for it";

P: But why are you looking here, on the street corner?

D: The light is better here.

- - - - -

I just thought I'd turn on a few lights in that alley (the initramfs system) for people still looking for a jail break vector.