Differences

projects:kindlepw5 [2022/10/02 17:14] trimen
projects:kindlepw5 [2022/10/31 12:49] – [eMMC interposer:] trimen
Line 4: Line 4:
 -<del>HW UART</del>\\ -<del>HW UART</del>\\
 -U-Boot CLI\\ -U-Boot CLI\\
--<del>UART Linux shell</del>\\+-<del>UART Linux shell</del>  (require jailbreak)\\
 -Reverse engineering of unlocking mechanism\\ -Reverse engineering of unlocking mechanism\\
 +-<del>eMMC interposer</del>\\
  
-====Overwirev====+====Overview====
 In the new Kindle PW5, Amazon started using different CPU from previous models. Kindle PW5 is using Mediatek MT8113, bundled with 512Mb RAM.\\ In the new Kindle PW5, Amazon started using different CPU from previous models. Kindle PW5 is using Mediatek MT8113, bundled with 512Mb RAM.\\
 All production devices are locked, which means you cannot use u-boot CLI because on a locked device there is forced execution of fastboot command followed by boot command when you try to access u-boot CLI.\\ All production devices are locked, which means you cannot use u-boot CLI because on a locked device there is forced execution of fastboot command followed by boot command when you try to access u-boot CLI.\\
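Review bot: In the status list, the added "(require jailbreak)" after the struck-through UART Linux shell item does not agree with the Overview, which still says only that the UART Linux shell is disabled on production devices and never mentions a jailbreak path. Suggest "(requires jailbreak)" and a matching sentence in the Overview, so a reader can tell whether the item is done and under what precondition.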
Line 13: Line 14:
 Amazon also removed debug UART connector from the PCB.\\ Amazon also removed debug UART connector from the PCB.\\
 On the production devices, the UART Linux shell is disabled.\\ On the production devices, the UART Linux shell is disabled.\\
 +28-10-2022:\\
 +If u-boot fails to load the kernel from eMMC, it enters fastboot.\\
 +
  
  
 ====Getting UART==== ====Getting UART====
-I suspected that there have to be UART somewhere, so I ordered yet another Kindle and started probing test pads on the bottom side of the PCB. This, unfortunately, led nowhere and only a couple of I2C buses were discovered that way. \\+I suspected that there has to be UART somewhere, so I ordered yet another Kindle :) and started probing test pads on the bottom side of the PCB. This, unfortunately, led nowhere and only a couple of I2C buses were discovered that way. \\
 The next step was to look into [[https://www.amazon.com/gp/help/customer/display.html?nodeId=200203720 | source codes]] released by Amazon thanks to the GPL license.\\ The next step was to look into [[https://www.amazon.com/gp/help/customer/display.html?nodeId=200203720 | source codes]] released by Amazon thanks to the GPL license.\\
 In the u-boot source, there is code for [[https://datasheets.maximintegrated.com/en/ds/MAX20342.pdf|MAX20342]] which is a USB type C detector IC for detecting different types of chargers, it also features USB C debug accessory mode (DAM) ([[https://www.usb.org/sites/default/files/USB%20Type-C%20Spec%20R2.0%20-%20August%202019.pdf|USB Type C specification pg. 314]]) in which <del>all</del> some data pins can be used for non-USB purposes such as JTAG debugging. \\ In the u-boot source, there is code for [[https://datasheets.maximintegrated.com/en/ds/MAX20342.pdf|MAX20342]] which is a USB type C detector IC for detecting different types of chargers, it also features USB C debug accessory mode (DAM) ([[https://www.usb.org/sites/default/files/USB%20Type-C%20Spec%20R2.0%20-%20August%202019.pdf|USB Type C specification pg. 314]]) in which <del>all</del> some data pins can be used for non-USB purposes such as JTAG debugging. \\
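Review bot: The added 28-10-2022 entry in the Overview does not say whether the fastboot mode reached after a failed kernel load from eMMC differs from the forced fastboot on a locked device described just above it. State what that fallback allows, or mark it as untested. The date label also ends with a colon here, while the 31-10-2022 entry in the eMMC interposer section does not; use one form for both.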
Line 25: Line 29:
  
 There is a photo of such contraption:\\ There is a photo of such contraption:\\
--On the PCB there is FT232 USB to UART converter and buck regulator to generate 1.8V for powering the VCCIO pin of the converter.\\+-On the PCB there is the FT232 USB to UART converter and buck regulator to generate 1.8V for powering the VCCIO pin of the converter.\\
 -I tried the CP2104 and CH340 converters as well, but they are struggling to run with 1.8V power for IO pins. -I tried the CP2104 and CH340 converters as well, but they are struggling to run with 1.8V power for IO pins.
  
Line 66: Line 70:
 </code> </code>
  
 +*note: there is most likely a better way, like spawning /bin/sh on UART directly, but let's keep things simple.
  
 ==== Internal photos: ==== ==== Internal photos: ====
Line 74: Line 79:
 {{https://trimen.org/kindle/pcb_bot.jpg?nolink&1000}} {{https://trimen.org/kindle/pcb_bot.jpg?nolink&1000}}
  
 +====eMMC interposer:====
 +In order to be able to easily modify, read out, and backup content of the eMMC chip, I created an interposer with the connector on which the board with the eMMC chip is placed.\\
 +Pinout was chosen to match the PINE64 eMMC module and [[https://pine64.com/product/usb-adapter-for-emmc-module |reader]]. Unfortunately, the connector used on the PINE64 eMMC module and reader is hard to get, so I used the same pitch, but different dimensions connector. As I check it, it should be possible to place chosen connector to the reader PCB.
 +
 +Files are available at GitLab [[https://git.taktpraha.cz/trimen/keib|KEIB]]
  
 +31-10-2022\\
 +PCBs arrived along with the reballing stencils and balls.
 ====Boot log:==== ====Boot log:====
 <code> <code>
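Review bot: The new eMMC interposer section says the PINE64 connector was swapped for one with the same pitch but different dimensions, yet it names neither the part nor the pitch, so the board cannot be matched to the reader without opening the KEIB files. Add the connector part number, and reword "As I check it, it should be possible to place chosen connector to the reader PCB" to say whether the fit was actually verified. A blank line before "====Boot log:====" would also keep the 31-10-2022 entry from running into the heading.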
Line 507: Line 519:
  
 ====Misc.:==== ====Misc.:====
 +TODO,  to do,  to do, to do, to do, to do, to dooooo  :D\\
 -OpenVPN\\ -OpenVPN\\
 -fw_printenv\\ -fw_printenv\\