PW4 PW4 Serial Jailbreaking (OTA updated)

matko · 12-14-2018, 05:38 AM

Hi all,

Here is a placeholder for notes about jailbreaking OTA updated PW4 devices

As explained in coplate's thread "Brand new PaperWhite 4 (2018) factory image JailBreaking", the software JB method does not work for devices that have been OTA updated

While the best is to prevent the device from updating from OTA and follow this thread, some unaware people (as I was) let the device do the 5.10.1.2 update. Now, the only remaining possibility seems to use the device's serial port.

This implies to open the device case. Opening this PW is rather easy (easier than I thought).
Just look at https://www.mobileread.com/forums/sh...d.php?t=312360 and watch the Pro Repair Tech's PW4 teardown vid: https://www.youtube.com/watch?v=apt9NcJvcdo
In my case, I did not use specifics tools but only 3 standard guitar picks !

The serial connector is located on the top right of the motherboard and it is branded "S700".

But as the PW4 is waterproof, the motherboard pcb is "tropicalized" (e.g. a tropicalisation coating is applied on the motherboard).
I managed to solder TX and RX pin but not the GND. In the end, I just taped the GND wire on the cpu shield. It's not very clean, but it works.

To connect it to the computer, I use a FTDI ‎TTL-232RG-VREG1V8-WE‎ (USB to UART cable with +1.8V TTL level UART signals)

I then rebooted the device and stopped the autoboot. But I noticed that the previous kindle serial method does not work !

Code:

U-Boot 2016.03 (Oct 12 2018 - 17:30:31 -0700)

CPU:   Freescale i.MX6SLL rev1.1 996 MHz (running at 792 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 50C
Reset cause: POR
Board: MX6SLL Rex
I2C:   ready
DRAM:  512 MiB
entering PMIC test mode
in PMIC test mode -- apply bootup workaround
switching back to PMIC user mode
setup_pmic_mode -- make sure pmic is in user mode
MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
idme_initialize
Idme version is 2.x and set related function to V2.x
IDME table version 2.1
hibernation: Not from hibernation
Core : f770ee83 2018/03/16 19:49:02 (Licensed to Amazon Fulfillment Services,Inc..)
SBIOS: v2.0 2018/10/16 15:53:04
TTBR:9fffc059
Platform: v2.0 2018/10/16 15:53:04
fl
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
force_idle_bus: sda=0 scl=1 sda.gp=0x1 scl.gp=0x0
force_idle_bus: failed to clear bus, sda=0 scl=1
Hardware Board: Unknown(12)
Board ID is P001************
WFO module
secure_cpu: 1, production: 1, unlocked: 0
Boot mode is 0
Hit any key to stop autoboot:  0
Enter fastboot mode, use Ctrl+C to exit.
Enter fastboot mode, use Ctrl+C to exit.

Indeed, the PW4 bootloader is a U-Boot version that includes a fastboot server which is launched automatically.

So, I used a kindle specific fastboot version (https://github.com/TobiasWooldridge/Fastboot-Kindle) to try to deal with it.

Unfortunatly, the "bootmode" variable is unknown and I can't change it to diags
I also tried to download and boot on the rootfs.img extracted from 5.10.0.1 factory *.bin package. Download is OK but boot command is locked !

Code:

Starting download of 460800000 bytes
..........................................................................

.....................................
downloading of 460800000 bytes finished
locked command: boot

At this point, I did not found other ways to get further.

There is one last thing I'd like to try:

Code:

fastboot flash system rootfs.img

(using rootfs.img extracted from 5.10.0.1 factory package)

but this is a one-way step. If it fails, my Kindle will probably be bricked ...

If anyone have some advices, let me know here ...

knc1 · 12-14-2018, 08:11 AM

Please make a note that the function labels on the first image are those of the cable wiring, not the normal, device relative, labels.

I.E: The Kindle's receive is always the center pin on S700 (designation has never (yet) changed).
The pin layout is such that any two adjacent pins may be shorted together (by assembly errors, not user) without harm to the Kindle.

matko · 12-14-2018, 08:55 AM

You're totally right, knc1. Thank you for the precision.
I updated the picture

knc1 · 12-14-2018, 09:29 AM

Quote:

Originally Posted by matko

You're totally right, knc1. Thank you for the precision.
I updated the picture

Probably the best picture we have.
If anyone mis-understands that one ...

NiLuJe · 12-14-2018, 12:52 PM

Random possibly useless comment: take a look at the KT3 serial threads, I think that was the most recent device with a quirky bootloader.

matko · 12-15-2018, 11:05 AM

Thank you NiLuJe, I will take a look.

My last idea was to extract rootfs.img from the 5.10.0.1 factory .bin package and use it to flash the system partition (fastboot flash system rootfs.img) -- if 'flash' command is not locked

NiLuJe and knc1, as kindle hack dev gurus, does this idea makes sense to you or do you think this is a stupid idea ?

Anyway, I will not try this until the XMas and New Year celebrations are over (I need too much of my kindle during it

)

NiLuJe · 12-15-2018, 11:21 AM

There used to be a size limitation that made flashing the main system impossible because it was too large.

No idea if that still holds now that there's no separate diags, but I think that if it fails that definitely means a brick now?

matko · 12-15-2018, 11:36 AM

Yes, I too suppose a brick if it fails. Not sure if I will take that risk!

About the size limitation, I already download succesfully the rootfs.img with fastboot (460800000 bytes). I suppose the PW4 has enough memory (512MB) to hold it

knc1 · 12-15-2018, 12:25 PM

Quote:

Originally Posted by matko

Yes, I too suppose a brick if it fails. Not sure if I will take that risk!

About the size limitation, I already download succesfully the rootfs.img with fastboot (460800000 bytes). I suppose the PW4 has enough memory (512MB) to hold it

OR
You have just been mislead by the fact that it does the transfer without any error reporting.

matko · 12-15-2018, 12:53 PM

Wow, scary but, sadly possible...

NiLuJe · 12-15-2018, 12:57 PM

Spoiler: Yes it did, if memory serves me. The only clue that something was amiss is that it returned far too quickly for what it was being asked to do.

matko · 12-19-2018, 12:03 PM

From uboot-rex/doc/README.android-fastboot:

Code:

The fastboot protocol requires a large memory buffer for downloads. This buffer should be as large as possible for a platform. The location of the
buffer and size are set with CONFIG_FASTBOOT_BUF_ADDR and
CONFIG_FASTBOOT_BUF_SIZE.

So, for the PW4, the size limitation for fastboot downloads is in uboot-rex/include/configs/mx6sll_rex_android.h

Code:

#define CONFIG_FASTBOOT_BUF_SIZE   0x1C000000l /* 448MB */

469 762 048 bytes, just enough to hold rootfs.img (460 800 000 bytes)

(OK, this does not solve the non-reporting of transfer errors)

stmusic · 02-24-2019, 01:58 PM

Is this cable good for serial port for pw 4 TXD 1.8v PL2303 USB to TTL UART Converter Serial Download Cable module ?

knc1 · 02-24-2019, 02:28 PM

Quote:

Originally Posted by stmusic

Is this cable good for serial port for pw 4 TXD 1.8v PL2303 USB to TTL UART Converter Serial Download Cable module ?

Yes.
That is a China Clone of the one we recommend.
Functionally the same for this purpose.

stmusic · 02-24-2019, 02:53 PM

I find and this on ali 1.8V USB to TTL line USB transfer serial line 1.8V brush line download line
is this same like that from ebay ?

12-14-2018, 05:38 AM	#1
matko Enthusiast Posts: 25 Karma: 12 Join Date: Nov 2018 Location: Lyon, France Device: Kindle Oasis 3, Kindle PW4	PW4 Serial Jailbreaking (OTA updated) Hi all, Here is a placeholder for notes about jailbreaking OTA updated PW4 devices As explained in coplate's thread "Brand new PaperWhite 4 (2018) factory image JailBreaking", the software JB method does not work for devices that have been OTA updated While the best is to prevent the device from updating from OTA and follow this thread, some unaware people (as I was) let the device do the 5.10.1.2 update. Now, the only remaining possibility seems to use the device's serial port. This implies to open the device case. Opening this PW is rather easy (easier than I thought). Just look at https://www.mobileread.com/forums/sh...d.php?t=312360 and watch the Pro Repair Tech's PW4 teardown vid: https://www.youtube.com/watch?v=apt9NcJvcdo In my case, I did not use specifics tools but only 3 standard guitar picks ! The serial connector is located on the top right of the motherboard and it is branded "S700". But as the PW4 is waterproof, the motherboard pcb is "tropicalized" (e.g. a tropicalisation coating is applied on the motherboard). I managed to solder TX and RX pin but not the GND. In the end, I just taped the GND wire on the cpu shield. It's not very clean, but it works. To connect it to the computer, I use a FTDI ‎TTL-232RG-VREG1V8-WE‎ (USB to UART cable with +1.8V TTL level UART signals) I then rebooted the device and stopped the autoboot. But I noticed that the previous kindle serial method does not work ! Code: U-Boot 2016.03 (Oct 12 2018 - 17:30:31 -0700) CPU: Freescale i.MX6SLL rev1.1 996 MHz (running at 792 MHz) CPU: Commercial temperature grade (0C to 95C) at 50C Reset cause: POR Board: MX6SLL Rex I2C: ready DRAM: 512 MiB entering PMIC test mode in PMIC test mode -- apply bootup workaround switching back to PMIC user mode setup_pmic_mode -- make sure pmic is in user mode MMC: FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2 idme_initialize Idme version is 2.x and set related function to V2.x IDME table version 2.1 hibernation: Not from hibernation Core : f770ee83 2018/03/16 19:49:02 (Licensed to Amazon Fulfillment Services,Inc..) SBIOS: v2.0 2018/10/16 15:53:04 TTBR:9fffc059 Platform: v2.0 2018/10/16 15:53:04 fl * Warning - bad CRC, using default environment In: serial Out: serial Err: serial force_idle_bus: sda=0 scl=1 sda.gp=0x1 scl.gp=0x0 force_idle_bus: failed to clear bus, sda=0 scl=1 Hardware Board: Unknown(12) Board ID is P001********** WFO module secure_cpu: 1, production: 1, unlocked: 0 Boot mode is 0 Hit any key to stop autoboot: 0 Enter fastboot mode, use Ctrl+C to exit. Enter fastboot mode, use Ctrl+C to exit. Indeed, the PW4 bootloader is a U-Boot version that includes a fastboot server which is launched automatically. So, I used a kindle specific fastboot version (https://github.com/TobiasWooldridge/Fastboot-Kindle) to try to deal with it. Unfortunatly, the "bootmode" variable is unknown and I can't change it to diags I also tried to download and boot on the rootfs.img extracted from 5.10.0.1 factory .bin package. Download is OK but boot command is locked ! Code: Starting download of 460800000 bytes .......................................................................... ..................................... downloading of 460800000 bytes finished locked command: boot At this point, I did not found other ways to get further. There is one last thing I'd like to try: Code: fastboot flash system rootfs.img (using rootfs.img extracted from 5.10.0.1 factory package) but this is a one-way step. If it fails, my Kindle will probably be bricked ... If anyone have some advices, let me know here ... Attached Thumbnails Last edited by matko; 12-14-2018 at 08:54 AM.*

12-14-2018, 08:11 AM	#2
knc1 Going Viral Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA	Please make a note that the function labels on the first image are those of the cable wiring, not the normal, device relative, labels. I.E: The Kindle's receive is always the center pin on S700 (designation has never (yet) changed). The pin layout is such that any two adjacent pins may be shorted together (by assembly errors, not user) without harm to the Kindle. Last edited by knc1; 12-14-2018 at 08:14 AM.

12-15-2018, 11:36 AM	#8
matko Enthusiast Posts: 25 Karma: 12 Join Date: Nov 2018 Location: Lyon, France Device: Kindle Oasis 3, Kindle PW4	Yes, I too suppose a brick if it fails. Not sure if I will take that risk! About the size limitation, I already download succesfully the rootfs.img with fastboot (460800000 bytes). I suppose the PW4 has enough memory (512MB) to hold it Last edited by matko; 12-15-2018 at 11:38 AM.

12-19-2018, 12:03 PM	#12
matko Enthusiast Posts: 25 Karma: 12 Join Date: Nov 2018 Location: Lyon, France Device: Kindle Oasis 3, Kindle PW4	From uboot-rex/doc/README.android-fastboot: Code: The fastboot protocol requires a large memory buffer for downloads. This buffer should be as large as possible for a platform. The location of the buffer and size are set with CONFIG_FASTBOOT_BUF_ADDR and CONFIG_FASTBOOT_BUF_SIZE. So, for the PW4, the size limitation for fastboot downloads is in uboot-rex/include/configs/mx6sll_rex_android.h Code: #define CONFIG_FASTBOOT_BUF_SIZE 0x1C000000l /* 448MB */ 469 762 048 bytes, just enough to hold rootfs.img (460 800 000 bytes) (OK, this does not solve the non-reporting of transfer errors)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Tools Serial Jailbreaking your fw >= 5.6.x Kindle for Dummies	grant2	Kindle Developer's Corner	563	12-13-2022 08:12 PM
Placeholder for PW4 jailbreaking notes - reminder - DO NOT UPDATE	coplate	Kindle Developer's Corner	12	11-09-2018 10:11 AM
How much would people pay for easy serial jailbreaking their paperwhite?	coplate	Kindle Developer's Corner	3	02-21-2018 12:45 PM
Serial Jailbreaking FW >= 5.6.1.1	knc1	Kindle Developer's Corner	6	08-14-2017 08:38 AM
PW4 ?	Scarpad	Amazon Kindle	5	11-29-2015 04:51 PM

12-14-2018, 08:55 AM	#3
matko Enthusiast Posts: 25 Karma: 12 Join Date: Nov 2018 Location: Lyon, France Device: Kindle Oasis 3, Kindle PW4	You're totally right, knc1. Thank you for the precision. I updated the picture

12-14-2018, 12:52 PM	#5
NiLuJe BLAM! Posts: 13,497 Karma: 26047188 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	Random possibly useless comment: take a look at the KT3 serial threads, I think that was the most recent device with a quirky bootloader.

12-15-2018, 11:05 AM	#6
matko Enthusiast Posts: 25 Karma: 12 Join Date: Nov 2018 Location: Lyon, France Device: Kindle Oasis 3, Kindle PW4	Thank you NiLuJe, I will take a look. My last idea was to extract rootfs.img from the 5.10.0.1 factory .bin package and use it to flash the system partition (fastboot flash system rootfs.img) -- if 'flash' command is not locked NiLuJe and knc1, as kindle hack dev gurus, does this idea makes sense to you or do you think this is a stupid idea ? Anyway, I will not try this until the XMas and New Year celebrations are over (I need too much of my kindle during it )

12-15-2018, 11:21 AM	#7
NiLuJe BLAM! Posts: 13,497 Karma: 26047188 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	There used to be a size limitation that made flashing the main system impossible because it was too large. No idea if that still holds now that there's no separate diags, but I think that if it fails that definitely means a brick now?

12-15-2018, 12:53 PM	#10
matko Enthusiast Posts: 25 Karma: 12 Join Date: Nov 2018 Location: Lyon, France Device: Kindle Oasis 3, Kindle PW4	Wow, scary but, sadly possible...

12-15-2018, 12:57 PM	#11
NiLuJe BLAM! Posts: 13,497 Karma: 26047188 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	Spoiler: Yes it did, if memory serves me. The only clue that something was amiss is that it returned far too quickly for what it was being asked to do.

02-24-2019, 01:58 PM	#13
stmusic Enthusiast Posts: 40 Karma: 94 Join Date: Jul 2017 Device: Kindle	Is this cable good for serial port for pw 4 TXD 1.8v PL2303 USB to TTL UART Converter Serial Download Cable module ?

02-24-2019, 02:53 PM	#15
stmusic Enthusiast Posts: 40 Karma: 94 Join Date: Jul 2017 Device: Kindle	I find and this on ali 1.8V USB to TTL line USB transfer serial line 1.8V brush line download line is this same like that from ebay ?

Advert

Advert