Kindle Voyage 5.6.2.1 Serial Jailbreak Step-by-Step

[noismaster]

Things you will need for a successful jailbreak:

• Kindle Voyage
• USB TTL Serial Cable 1.8V
  
  • I used the FTDI TTL-232RG-VREG1V8-WE (from Farnell for 23€ + shipping)
    
• Thin wire (best 28g…36g)
• Soldering equipment
• Linux PC or Linux Virtual Machine (where you can attach USB devices)
  
  • I used a Ubuntu 14.04 VMWare Virtual machine (no extra drivers were needed)
    
• Kindle jailbreak from here
• KUAL from here

I’ll assume that you will use the TTL-232RG-VREG1V8-WE and Ubuntu 14.04

1. Connect you're kindle to your PC and copy the content of 'kindle-5.4-jailbreak.zip' to the root folder of you're kindle
2. Copy the KUAL-KDK-2.0.azw2 to the kindle documents folder
3. Write down kindles serial nr. ('Home' -> 'Menu' -> 'Setting' -> 'Menu' -> 'Device info')
4. Unconnect your kindle
5. Open the device and remove the battery connection (you can follow these instructions up to step 5)
6. Solder the thin wire to the kindle as shown
   
   
   
7. Now connect the thin wire to the USB TLL Serial Cable.
   
   • If you use the TTL-232RG-VREG1V8-WE USB TTL Serial Cable then connect as:
     
     1. Kindle TX -> USB Serial RX (Yellow)
        
     2. Kindle RX -> USB Serial TX (Orange)
        
     3. Kindle GND -> USB Serial GND (Black)
        
   • If you use other USB to Serial connector you’re on your own
     
8. Connect the USB cable to your PC (if using VM also connect the USB device to the virtual machine)
9. Lets find you're kindle root password (serial number should be without spaces!), open a terminal window and execute
   
   Quote:

   python -c 'import hashlib,sys;print "fiona%s" % hashlib.md5("%s\n" % sys.argv[1]).hexdigest()[13:16]' YOUR_SERIAL_NUMBER

   Should see something like
   
   Quote:

   fionac5f

10. Next you need to find the tty device name linux assigned
    
    Quote:

    sudo dmesg | grep tty

    You should see somethind like this, my tty interface is ttyUSB0
    
    Quote:

    [ 0.000000] console [tty0] enabled
    [ 0.925346] 00:06: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
    [ 0.952802] 00:07: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
    [ 103.111933] usb 2-2.1: FTDI USB Serial Device converter now attached to ttyUSB0

11. Now you need to setup minicom
    
    Quote:

    sudo minicom -s

    Select 'Serial port setup' then insert into 'A - Serial device' -> '/dev/ttyUSB0'
    and 'F - Hardware Flow Control' set to 'No'
    
    
    
    Next 'Save setup as dfl' and 'Exit from Minicom'
    
12. Start minicom console
    
    Quote:

    sudo minicom

    You should see somthing like this
    
    
    
13. Now you need to connect you're kindles battery and power up the kindle (you can connect a USB power adapter to charge your kindle)
14. When the kindle is starting you should see some output from your kindle startup in minicom console. You need to stop the autoboot by pressing any key. You must be quick because you have only 1 second delay. If you miss it, you have to restart your kindle.
    
    Quote:

    ...
    sing default environment
    
    In: serial
    Out: serial
    Err: serial
    Quick Memory Test 0x80000000, 0xfff0000
    POST done in 59 ms
    Battery voltage: 4163 mV
    
    Hit any key to stop autoboot: 1

15. If you were successful then run command
    
    Quote:

    bootm 0xE41000

16. On the kinle tap 'Exit' and then 'Reboot or Disable Diags', then 'Exit to login prompt'
    
17. Now you should have a login prompt in mincom type user 'root' and password from above
    
    
    Quote:

    Welcome to Kindle!
    
    kindle login: root
    password: *****

18. Lets create a mount point in /tmp
    
    Quote:

    mkdir /tmp/main

19. Then mount the main file system at that point:
    
    Quote:

    mount /dev/mmcblk0p1 /tmp/main

20. Now you need to edit the root password for the main login
    
    Quote:

    vi /tmp/main/etc/passwd

    On the first line there should be
    
    
    Quote:

    root:!:0:0:root:/:/bin/sh

    delete the ! and save
    
21. Now you can reboot, by typing in 'reboot' and wait for the kindel to boot fully
22. Now you can log in to the main system with username 'root' and password ''
23. You can change the root password by executing
    
    Quote:

    passwd

24. Next we need to apply the jailbreak, by executing the following commands
    
    Quote:

    cd /mnt/us && sh jb.sh

25. Finaly we have to reboot and the jailbreak is complete
    
    
    Quote:

    reboot

26. To test that the jailbreak works open the KUAL from your kindle book list
    
27. Now you can disconnect the kindle from the USB TLL Serial Cable and tape the thin wire and close your Kindle Voyage
    

I hope this step by step guide was useful, let me know if you see any mistakes!

I have successfully installed the LibrarianSync to synchronize my collections between calibre and kindle, if there is interest I can make a guide for that to

Some images & text were copied from the following threads, thank you for your hard work

• https://www.mobileread.com/forums/sho...d.php?t=249869
• https://www.mobileread.com/forums/sho...d.php?t=254400
• https://www.mobileread.com/forums/sho...d.php?t=247480

[thoreau]

And that's how you write a step by step... Bravo.

[knc1]

Step 26 - That only tests if the MKK installation step of the consolidated Jail Break package was installed.

To test the jail break, you have to attempt to install one of our update_*.bin packages (I.E: One of the signed packages).

26.1 Install MrPI (a KUAL menu extension for installing packages).
Note: Package installation on firmware 5.6.x series **must** use the Mobileread Package Installer.

26.2 Pick a package to be installed, USBnetworking is a good choice, then you can put away your serial cable (and use ssh / telnet / sftp).

26.3 Follow the MrPI directions to put the selected package in the special MrPI directory.

26.4 In the KUAL menu, start MrPI.

26.5 Did it work? It will if the "jail break" (our package signature certificate) was installed.

26.6 If it did not work, first check the common errors (wrong version - these are "model locked", too old a version - always check NiLuJe's snapshot thread for most recent, etc).

26.7 Still not working, post here - something isn't correct.
(Because if MKK was installed (a KUAL requirement), the certificate was almost certainly installed also.)

- - - - -

Other #26 nit-picking, a very nice job.

[eschwartz]

Nice job! Karma coming your way...

[x23are]

can we use this tutorial for paperwhites and kindle touchs??

[eschwartz]

Yes, the general idea is the same for the PW1/2 and KT2, specific values might vary.
e.g. location of the serial ports.

[knc1]

Quote:

Originally Posted by x23are

can we use this tutorial for paperwhites and kindle touchs??

For any Kindle from K4 to present.

They all use the same serial port connector pad pin-out, it just varies in its location on the mother board.
Note: Some K4's had the connector mounted on the board, some did not, just had the bare pads (like all other model since).

The one thing that **might** be different is the memory address to use in the 'bootm 0x<something hex>' command.
This is specially true of the K4 - it was a little bit different than the devices running 5.x series firmware (all since the K5).

That memory address is where the kernel with the recovery initramfs is stored, which is the one this step-by-step uses.
I.E: Your running in RAM here, when you mount and modify the password file of the 'main' system (the 'diag' system is never used in this example).
Note: Some of the 'HowTo' write-ups here **do** use the 'diag' system.
So stick with one, single post/thread, or you may get a mixed up set of directions that will not help you very much.

**Usually** that bootm address will be reported by u-boot message during the process of a normal boot.
So just enable 'capture to a file' on your terminal emulator, so you get a complete set of messages to look through.

**Otherwise** that bootm address will be used in one of more of the u-boot scripts (u-boot is scripted) - those are store in its environment and can be displayed with u-boot (probable the full (bist) build of u-boot).

- - - - -

Dangerous brain-fart:
The Kindles have 8,192 bytes of flash that is "never" used in any of the models or firmwares **AND** it is always at a easy to find address **AND** it can be reached over USB in 'storage mode'.

It would be possible (except for lack of time) to write a 'recovery mode shim' to store in that space, then the user would just have to 'bootm 0x<wherever the shim is>' for any Kindle.

A project for some ARM Assembly Language Guru to write for us.

[verbatrium]

@noismaster

Really good step by step,
Made JB my new PW3 possible with little knowledge of Linux.

Thanks.

[knc1]

Quote:

Originally Posted by verbatrium

@noismaster

Really good step by step,
Made JB my new PW3 possible with little knowledge of Linux.

Thanks.

Which in turn means that the memory location the recovery kernel is stored at is the same on the KV and the PW-3.
Ah...
That step 15 "bootm 0xE41000" address (Linux starts execution at the first instruction in the file, in the format used in Kindles).

[Dr. Drib]

Moderator Notice

Noismaster
Please take a few moments to read our Posting Guidelines, in particular the part about the maximum image size allowed (600x600 pixels). Images that violate those guidelines will be deleted.

It is every member's responsibility to read our Posting Guidelines and follow them.

Thanks.

[knc1]

That notice and the guidelines refer to **in-line** images.
You can attach a larger image to a post if it must be larger.

[noismaster]

Fixed oversized images

[Dr. Drib]

Quote:

Originally Posted by noismaster

Fixed oversized images

Thank you for your prompt attention.


Don
(Moderator)

[thoreau]

Question on reassembly of the voyage case. Does the plastic part at the top of the back simply stick back on or is there reapplication of glue/adhesive necessary?

That's really the only thing preventing me hacking the kindle at this point.

[noismaster]

It sticks right back, no glue necessary.

You need to be careful when closing. Don't press the top down, but slide it in at an slight angle (so it doesn't stick) and then press the bottom side in.

Else you will deform the little latches and the cover won't close properly.

Took me 3 tries to close it because I put the bottom side in first and then pressed on top to close and deformed the little latches (needed to bend them back for the case to close)