Usbnetwork/ssh on kindle 3?

[yifanlu]

I don't have a kindle 3 yet, but anyone got usbnetwork working yet? Or some other way to access root?

P.S: What I'm curious about is how the rootfs has changed. If you have ssh/telnet working, it'd be nice if you can gzip the root fs and PM it to me, because I would love to poke around the os. If you don't know how to gzip the root fs, just type this in a shell "tar cvzf /mnt/us/root.tar.gz /" and the archive should be on the fat32 USB storage.

[NiLuJe]

I'll get right on that as soon as I get my K3 (Monday/Tuesday) .

Hopefully they won't have broken our actual jailbreak method...

[yifanlu]

Quote:

Originally Posted by NiLuJe

I'll get right on that as soon as I get my K3 (Monday/Tuesday) .

Hopefully they won't have broken our actual jailbreak method...

Do a quick ;debugOn and `help when you get it to see if "usbNetworking" is still a command. If so, good, if not, you may have to use the Serily TTL line to get root access

[hondamarlboro]

";debugOn" command successfully acceptable, but "`help" doesn't work Prefix of command may be changed...

[hondamarlboro]

Quote:

Originally Posted by hondamarlboro

";debugOn" command successfully acceptable, but "`help" doesn't work Prefix of command may be changed...

Got one successfully!
After ";debugOn", hit "~help" in command line, not "`help". usbNetwork is still alive

[NiLuJe]

... And they broke our current jailbreak method.

The installer now wants a *signed* bundle file (.dat)...

I'm trying a few things right now, but I may have to pass the torch on this one...

EDIT: Worse. It wants *everything* signed, even if it's not listed in the bundle file. AFAICT, we're pretty much screwed.

Code:

100830:163929 system: I _otaupexec:def:processing update /mnt/us/update_jailbreak_k3g_install.bin
100830:163929 system: I _otaupexec:def:version is "FC02"
100830:163929 system: I _otaupexec:def:update image checksum OK
100830:163929 system: E _otaupexec:def:signature does not exist for "/tmp/.update-tmp.7378/update-adds.tar.gz"
100830:163930 system: E _otaupexec:def:signature verification failed

That was with a signed .dat from a minor official OTA update (without an update-adds.tar.gz). Without a signed dat:

Code:

100830:152004 system: I _otaupexec:def:processing update /mnt/us/update_jailbreak_k3g_install.bin
100830:152004 system: I _otaupexec:def:version is "FC02"
100830:152004 system: I _otaupexec:def:update image checksum OK
100830:152004 system: E _otaupexec:def:signature does not exist for "/tmp/.update-tmp.20788/update_jailbreak_k3g_install.dat"
100830:152005 system: E _otaupexec:def:signature verification failed

If anyone has an idea (software wise, because I guess we could always use the serial console and brute-force the root passwd...), I'm all ears... Until then, there's not much more I can do... ;/

EDIT²: Oops, forgot to attach the updated packager. (UPDATE: Moved the the packager thread)

EDIT Ter: Some random ideas I haven't checked out:

FB01 Manual updates. Don't know which scripts handle these, and if it's as much strict as otaup. And if we can roll proper manual updates with the current packager tool.
FD03 OTA updates. otaup handles these on the K2, but treats them the exact same way as FC02 updates.

UPDATE: Huh. Turns out, we didn't need to try so hard. We did have to update the packager though, .

[vega07]

*cries*

[karthwyne]

Quote:

Originally Posted by vega07

*cries*

Agreed. Here's to hoping a method is found.

[clarknova]

Quote:

Originally Posted by NiLuJe

... And they broke our current jailbreak method.

Major bummer.


I've got a program running right now that's trying to brute force a sha 256 collision against known kindle checksums, but since nobody has ever found a sha 256 collision before, this method is stupidly far fetched.

[test011]

Quote:

Originally Posted by vega07

*cries*

agreed.

[markatlnk]

Would any of the PDF buffer overrun exploits work, I have a bunch of pdf files that will crash my K3.

[yifanlu]

Is the problem with getting shell through serial TTL really that you don't have the password? I know people read the kernel partition through uBoot, why not do the same for the root partition (/dev/mmcblk0p1), then modify passwd file, and re-flash it onto the kindle? (or do this with the initramfs)?

Also, here's variables dumped from the uBoot source from Amazon:

Quote:

#define CONFIG_EXTRA_ENV_SETTINGS \
"uboot_net=tftpboot 0x84000000 u-boot.bin\0" \
"uboot_serial=loady 0x84000000\0" \
"uboot_ram=go 0x84000000\0" \
"bootargs_diag=setenv bootargs tests=all\0" \
"diags_net=tftpboot 0x84000000 diagmon.uimage; run bootargs_diag; bootm 0x84000000\0" \
"diags_serial=loady 0x84000000; run bootargs_diag; bootm 0x84000000\0" \
"bootargs_base=console=ttymxc0,115200 mem=256M panic=10\0" \
"bootcmd_root_nfs=setenv bootargs $(bootargs_base) root=/dev/nfs rw nfsroot=$(nfsrootfs),v3,tcp rw ip=$(ipaddr):$(serverip):$(serverip):$(netmask):ma rio1 rootdelay=3\0" \
"bootcmd_root_mmc=setenv bootargs $(bootargs_base) root=/dev/mmcblk1p1 rw ip=none\0" \
"bootcmd_root_mvn=setenv bootargs $(bootargs_base) root=/dev/mmcblk0p1 rw ip=none\0" \
"bootcmd_kernel_nfs=nfs 0x87f40400 $(nfsrootfs)/uImage; bootm\0" \
"bootcmd_kernel_tftp=tftp 0x87f40400 uImage; bootm\0" \
"bootcmd_nfs=run bootcmd_root_nfs; run bootcmd_kernel_nfs\0" \
"bootcmd_flash=run bootcmd_root_mvn; run bootcmd_kernel_nor\0" \
"bootcmd_card=run bootcmd_root_mmc; run bootcmd_kernel_nor\0" \
"bootcmd_recovery=run bootcmd_root_recovery; run bootcmd_kernel_nor\0" \
"bootcmd_defaultflash=setenv bootargs; run bootcmd_kernel_nor\0" \
"bootcmd=bootm 0x87f40400\0" \
"testmem=mtest 0x80000000 0x86ffffff\0" \
"nfsrootfs=/nfsboot\0" \
"ethaddr=00:22:33:44:55:66\0" \
"cfgreset=protect off all ; erase " TOSTRING(CFG_ENV_ADDR) " +" TOSTRING(CFG_ENV_SECT_SIZE) "\0" \
"bootretry=-1\0" \

[Zafkin]

The only issue is that there doesn't seem to be a simple way to access the main MMC partition from the provided u-boot - a custom initramfs solves that easily.

I've compiled an image to perform modifications quickly with a serial cable - available here http://dl.free.fr/pN6Hu6beI (gpl'ed kernel + /dev prepared with the devices list from the preloaded u-boot image + klibc utils + dropbear)

How to use it :

- Connect 3 wires to rx/tx/gnd (if you only have a 3.3V Serial-TTL converter like me, my Kindle didn't explode with a /2 voltage divider on TX - just for information), interrupt u-boot
- Upload the image with loady 0x84000000 and an Y-Modem client (minicom, hyperterminal)
- Boot the image with bootm 0x84000000
- After a few seconds you'll end up on a minimalist shell with no prompt
- Create a mount point with mkdir /root
- Mount the main partition with mount -t ext3 /dev/mmcblk0p1 /root
- Chroot to a better shell with chroot /root /bin/sh

From now on, you can do whatever you want - for example edit /etc/shadow with vi, then sync, exit the shell, and reboot. Just do it quickly, or find a way to disable the power management, otherwise it'll kick in and serial communication doesn't seem to wake up the device

For quick & dirty tests without the cable, I've included a (statically compiled & ugly) dropbear binary in /drop of the initramfs - remember to tweak the firewall in /etc/sysconfig/iptables if you want to use it. It'll be better to properly compile your own version though.

There is an account without password too, named default.

[yifanlu]

So you got shell access? Can you please do me a favor and send me a copy of the root fs, so I can play around with it before I get my kindle 3? Thank you !

[blkhawk]

A short Powerbutton slide triggers a wakeup from sleep.

-blkhawk