
Differences

This shows you the differences between two versions of the page.

projects:kindlepw5 [2022/10/02 17:14] trimen
projects:kindlepw5 [2024/06/14 16:17] (current) trimen
Line 1: Line 1:
 +<html>
 +  <head>
 +    <meta http-equiv="refresh" content="0; url=https://wiki.taktpraha.cz/projects/kindlehax">
 +  </head>
 +</html>
 +
 =======Kindle hacking======= =======Kindle hacking=======
 =====PW5:===== =====PW5:=====
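Review bot: the added `<html>` meta-refresh block sits above the `=======Kindle hacking=======` heading while all of the existing content is kept below it, so on a wiki that renders raw HTML readers are sent to https://wiki.taktpraha.cz/projects/kindlehax immediately and never see this page, and on one that does not render raw HTML the tags appear as literal text with no usable link. If the page has moved, add a plain wiki link such as `[[https://wiki.taktpraha.cz/projects/kindlehax|Kindle hacking (moved)]]` next to the redirect, and either trim the stale content below or state that the linked page is the maintained one.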
Line 4: Line 10:
 -<del>HW UART</del>\\ -<del>HW UART</del>\\
 -U-Boot CLI\\ -U-Boot CLI\\
--<del>UART Linux shell</del>\\+-<del>UART Linux shell</del>  (require jailbreak)\\
 -Reverse engineering of unlocking mechanism\\ -Reverse engineering of unlocking mechanism\\
 +-eMMC interposer (v2 needed!!)\ \
  
-====Overwirev====+====Overview====
 In the new Kindle PW5, Amazon started using different CPU from previous models. Kindle PW5 is using Mediatek MT8113, bundled with 512Mb RAM.\\ In the new Kindle PW5, Amazon started using different CPU from previous models. Kindle PW5 is using Mediatek MT8113, bundled with 512Mb RAM.\\
-All production devices are locked, which means you cannot use u-boot CLI because on a locked device there is forced execution of fastboot command followed by boot command when you try to access u-boot CLI.\\ +All production devices are locked, which means you cannot use u-boot CLI because on a locked device there is forced execution of the fastboot command followed by the boot command when you try to access u-boot CLI.\\ 
-With the u-boot in fastboot mode, it is possible to obtain some kind of magic string via getvar command that can probably be used to generate unlock key. Unfortunately, that cannot be verified (yet), because there are some source codes missing.\\+With the u-boot in fastboot mode, it is possible to obtain some magic string via getvar command that can probably be used to generate unlock key. Unfortunately, that cannot be verified (yet), because there are some source codes missing.\\
 Amazon also removed debug UART connector from the PCB.\\ Amazon also removed debug UART connector from the PCB.\\
 On the production devices, the UART Linux shell is disabled.\\ On the production devices, the UART Linux shell is disabled.\\
 +**28-10-2022:**\\
 +If u-boot fails to load the kernel from eMMC, it enters fastboot.\\
 +**03-11-2022:**\\
 +If is used another eMMC on which the content of the previous is copied the ROM bootloader fails to load u-boot.\\
  
  
 ====Getting UART==== ====Getting UART====
-I suspected that there have to be UART somewhere, so I ordered yet another Kindle and started probing test pads on the bottom side of the PCB. This, unfortunately, led nowhere and only a couple of I2C buses were discovered that way. \\+I suspected that there has to be UART somewhere, so I ordered yet another Kindle :) and started probing test pads on the bottom side of the PCB. This, unfortunately, led nowhere and only a couple of I2C buses were discovered that way. \\
 The next step was to look into [[https://www.amazon.com/gp/help/customer/display.html?nodeId=200203720 | source codes]] released by Amazon thanks to the GPL license.\\ The next step was to look into [[https://www.amazon.com/gp/help/customer/display.html?nodeId=200203720 | source codes]] released by Amazon thanks to the GPL license.\\
 In the u-boot source, there is code for [[https://datasheets.maximintegrated.com/en/ds/MAX20342.pdf|MAX20342]] which is a USB type C detector IC for detecting different types of chargers, it also features USB C debug accessory mode (DAM) ([[https://www.usb.org/sites/default/files/USB%20Type-C%20Spec%20R2.0%20-%20August%202019.pdf|USB Type C specification pg. 314]]) in which <del>all</del> some data pins can be used for non-USB purposes such as JTAG debugging. \\ In the u-boot source, there is code for [[https://datasheets.maximintegrated.com/en/ds/MAX20342.pdf|MAX20342]] which is a USB type C detector IC for detecting different types of chargers, it also features USB C debug accessory mode (DAM) ([[https://www.usb.org/sites/default/files/USB%20Type-C%20Spec%20R2.0%20-%20August%202019.pdf|USB Type C specification pg. 314]]) in which <del>all</del> some data pins can be used for non-USB purposes such as JTAG debugging. \\
 In the datasheet for MAX20342 is stated that the IC will enter DAM if it senses 5.1kΩ pull-up resistors on CC1 and CC2 pins and 30/150kΩ pull-down resistors on one of the SBU pins.\\ In the datasheet for MAX20342 is stated that the IC will enter DAM if it senses 5.1kΩ pull-up resistors on CC1 and CC2 pins and 30/150kΩ pull-down resistors on one of the SBU pins.\\
-Upon entering DAM mode MAX20342 connects USB D+ and D- pins of the connector to UART of the MT8113.\\ +Upon entering DAM mode MAX20342 connects the USB D+ and D- pins of the connector to the UART of the MT8113.\\ 
-This feature can be disabled by configuration registers, but right now, they are at factory default (ver. 5.14.2)\\+Configuration registers can disable this feature, but right now, they are at factory default (ver. 5.14.2)\\
 Be aware of the **1.8V logic levels** of the UART and **don't try to connect 3.3V logic levels UART converted** as you can damage your Kindle.\\ Be aware of the **1.8V logic levels** of the UART and **don't try to connect 3.3V logic levels UART converted** as you can damage your Kindle.\\
  
 There is a photo of such contraption:\\ There is a photo of such contraption:\\
--On the PCB there is FT232 USB to UART converter and buck regulator to generate 1.8V for powering the VCCIO pin of the converter.\\ +-On the PCB there is the FT232 USB to UART converter and buck regulator to generate 1.8V for powering the VCCIO pin of the converter.\\ 
--I tried the CP2104 and CH340 converters as well, but they are struggling to run with 1.8V power for IO pins.+-I also tried the CP2104 and CH340 converters, but they are struggling to run with 1.8V power for IO pins.
  
 {{https://trimen.org/kindle/ftdi.jpg?nolink&800}} {{https://trimen.org/kindle/ftdi.jpg?nolink&800}}
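Review bot: the new list item `+-eMMC interposer (v2 needed!!)\ \` ends in `\ \` (backslash, space, backslash) rather than the `\\` every neighbouring item uses, so it will not render as a forced line break; change it to `-eMMC interposer (v2 needed!!)\\`. Two wording points in the same hunk: `(require jailbreak)` should read `(requires jailbreak)`, and the 03-11-2022 note `If is used another eMMC on which the content of the previous is copied the ROM bootloader fails to load u-boot.` is hard to parse; something like `If the stock eMMC content is copied to a different eMMC chip, the ROM bootloader fails to load u-boot.` keeps the observation and reads cleanly. That observation is the interesting one for anyone assessing how the device's boot chain is tied to its storage, so it is worth recording exactly what was copied (whole-device image or only part of it) and whether the original eMMC still boots afterwards, so the result can be reproduced.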
Line 66: Line 77:
 </code> </code>
  
 +*note: there is most likely a better way, like spawning /bin/sh on UART directly, but let's keep things simple.
  
 ==== Internal photos: ==== ==== Internal photos: ====
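Review bot: the added line `*note: there is most likely a better way, like spawning /bin/sh on UART directly, but let's keep things simple.` starts with an unindented `*`; in this wiki's syntax an asterisk only forms a bullet when the line is indented, and the rest of the page writes lists as `-item\\` lines, so this will render as a literal asterisk. Either drop the asterisk or use the same `-note: ...\\` form as the other lists. The note also says there is a better way than what the preceding code block does without saying what that block does; one clause summarising the approach the code above takes would make the remark self-contained for readers arriving at this section.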
Line 74: Line 86:
 {{https://trimen.org/kindle/pcb_bot.jpg?nolink&1000}} {{https://trimen.org/kindle/pcb_bot.jpg?nolink&1000}}
  
 +====eMMC interposer:====
 +In order to be able to easily modify, read out, and backup content of the eMMC chip, I created an interposer with the connector on which the board with the eMMC chip is placed.\\
 +Pinout was chosen to match the PINE64 eMMC module and [[https://pine64.com/product/usb-adapter-for-emmc-module |reader]]. Unfortunately, the connector used on the PINE64 eMMC module and reader is hard to get, so I used the same pitch, but different dimensions connector. As I check it, it should be possible to place chosen connector to the reader PCB.
  
 +Files are available at GitLab [[https://git.taktpraha.cz/trimen/keib|KEIB]]
 +
 +**31-10-2022:**\\
 +PCBs arrived along with the reballing stencils and balls.
 +**03-11-2022:**\\
 +I assembled and tested the boards, but I wasn't able to get PW5 running with the interposer installed. When I tried it, the Mediatek ROM bootloader just printed output and went to shutdown. I suspect that the signal integrity might be causing this. But there will be probably another catch as when I tried to make a copy of stock eMMC binary content to the new larger eMMC (just dd it) the bootloader also refused to boot properly. (with larger eMMC soldered directly on board)\\ 
 +
 +I wasn't able to find much information about the Mediatek ROM bootloader. Links [[https://mediatek.gitlab.io/aiot/doc/aiot-dev-guide/sw/yocto/board-bringup.html|here]] and [[https://forum.xda-developers.com/t/unlock-root-twrp-unbrick-fire-tv-stick-2nd-gen-tank.3907002/page-56|here]].\\
 +
 +From what I was able to get together you need access to UART0 and UART1 in order to use the tool for flashing. UART0 is outputted through a USB C connector, but UART1 is inaccessible. It might be somewhere on the bottom test pads.
 +
 +The ROM bootloader output:
 +<code>
 +F0: 102B 0000
 +F3: 4000 0036 [0200]
 +F3: 4000 0036
 +F6: 380C 0000
 +F1: 5003 FF1E [0001]
 +F1: 5003 FF1E
 +00: 1005 0000
 +F3: 4000 0036 [0200]
 +F3: 4000 0036
 +F6: 380C 0000
 +F1: 5003 FF1E [0001]
 +F1: 5003 FF1E
 +01: 1005 0000
 +F6: 380C 0000
 +02: 1005 0000
 +F6: 380C 0000
 +03: 102A 0003
 +04: 0007 8000
 +05: 1005 0000
 +BP: 0800 0288 [0003]
 +EC: 0000 0000 [0001]
 +T0: 0000 014C [000F]
 +System halt!
 +
 +
 +F0: 102B 0000
 +F3: 4000 0036 [0200]
 +F3: 4000 0036
 +F6: 380E 00A8
 +F1: 5003 FF1E [0001]
 +F1: 5003 FF1E
 +00: 1005 0000
 +F3: 4000 0036 [0200]
 +F3: 4000 0036
 +F6: 380E 00A8
 +F1: 5003 FF1E [0001]
 +F1: 5003 FF1E
 +01: 1005 0000
 +F6: 380E 00A8
 +02: 1005 0000
 +F6: 380E 00A8
 +03: 102A 0003
 +04: 0007 8000
 +05: 1005 0000
 +BP: 0800 0288 [0003]
 +EC: 0000 0000 [0001]
 +T0: 0000 019D [000F]
 +System halt!
 +</code>
 +I think the first section is without any eMMC and the second section is with blank/other than stock eMMC as the output was the same.
 ====Boot log:==== ====Boot log:====
 <code> <code>
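Review bot: the closing interpretation `I think the first section is without any eMMC and the second section is with blank/other than stock eMMC as the output was the same.` does not match the two captures above it: the `F6:` lines read `380C 0000` in the first capture and `380E 00A8` in the second, and the `T0:` line differs (`0000 014C` vs `0000 019D`), so the ROM bootloader is not reporting identical state in the two runs. Label each capture with the condition it was taken under (no eMMC fitted, interposer fitted, copied image on the larger chip) at the time of capture instead of inferring afterwards, and record whether the board boots again once the stock eMMC is refitted; that separates the signal-integrity theory for the interposer from the bootloader refusing a non-stock image, which are different problems with different fixes. Two formatting points: the 31-10-2022 entry `PCBs arrived along with the reballing stencils and balls.` has no trailing `\\`, so `**03-11-2022:**` will run onto the same rendered line; and `As I check it, it should be possible to place chosen connector to the reader PCB.` reads as a guess, so say whether the fit on the PINE64 reader PCB was actually verified.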
Line 507: Line 585:
  
 ====Misc.:==== ====Misc.:====
 +TODO,  to do,  to do, to do, to do, to do, to dooooo  :D\\
 -OpenVPN\\ -OpenVPN\\
 -fw_printenv\\ -fw_printenv\\
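Review bot: the new `TODO,  to do,  to do, to do, to do, to do, to dooooo  :D\\` line under Misc. is placeholder text placed above the existing `-OpenVPN\\` and `-fw_printenv\\` items; either list the concrete items still to be written in the same `-item\\` form or leave the heading with just the existing list, so the section does not read as unfinished when the page is published.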