Differences
projects:kindlepw5 [2022/10/02 17:14] – trimen | projects:kindlepw5 [2024/06/14 16:17] (current) – trimen | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | < | ||
+ | < | ||
+ | <meta http-equiv=" | ||
+ | </ | ||
+ | </ | ||
+ | |||
=======Kindle hacking======= | =======Kindle hacking======= | ||
=====PW5: | =====PW5: | ||
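Review bot: the block added at the top of the page is embedded markup whose attributes are cut off in this view (the visible fragment is `<meta http-equiv="`); nothing on the page says what that element is for, so a short comment in the page source stating its purpose would help the next editor decide whether it still belongs there.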
Line 4: | Line 10: | ||
-< | -< | ||
-U-Boot CLI\\ | -U-Boot CLI\\ | ||
- | -< | + | -< |
-Reverse engineering of unlocking mechanism\\ | -Reverse engineering of unlocking mechanism\\ | ||
+ | -eMMC interposer (v2 needed!!)\ \ | ||
- | ====Overwirev==== | + | ====Overview==== |
In the new Kindle PW5, Amazon started using different CPU from previous models. Kindle PW5 is using Mediatek MT8113, bundled with 512Mb RAM.\\ | In the new Kindle PW5, Amazon started using different CPU from previous models. Kindle PW5 is using Mediatek MT8113, bundled with 512Mb RAM.\\ | ||
- | All production devices are locked, which means you cannot use u-boot CLI because on a locked device there is forced execution of fastboot command followed by boot command when you try to access u-boot CLI.\\ | + | All production devices are locked, which means you cannot use u-boot CLI because on a locked device there is forced execution of the fastboot command followed by the boot command when you try to access u-boot CLI.\\ |
- | With the u-boot in fastboot mode, it is possible to obtain some kind of magic string via getvar command that can probably be used to generate unlock key. Unfortunately, | + | With the u-boot in fastboot mode, it is possible to obtain some magic string via getvar command that can probably be used to generate unlock key. Unfortunately, |
Amazon also removed debug UART connector from the PCB.\\ | Amazon also removed debug UART connector from the PCB.\\ | ||
On the production devices, the UART Linux shell is disabled.\\ | On the production devices, the UART Linux shell is disabled.\\ | ||
+ | **28-10-2022: | ||
+ | If u-boot fails to load the kernel from eMMC, it enters fastboot.\\ | ||
+ | **03-11-2022: | ||
+ | If is used another eMMC on which the content of the previous is copied the ROM bootloader fails to load u-boot.\\ | ||
====Getting UART==== | ====Getting UART==== | ||
- | I suspected that there have to be UART somewhere, so I ordered yet another Kindle and started probing test pads on the bottom side of the PCB. This, unfortunately, | + | I suspected that there has to be UART somewhere, so I ordered yet another Kindle |
The next step was to look into [[https:// | The next step was to look into [[https:// | ||
In the u-boot source, there is code for [[https:// | In the u-boot source, there is code for [[https:// | ||
In the datasheet for MAX20342 is stated that the IC will enter DAM if it senses 5.1kΩ pull-up resistors on CC1 and CC2 pins and 30/150kΩ pull-down resistors on one of the SBU pins.\\ | In the datasheet for MAX20342 is stated that the IC will enter DAM if it senses 5.1kΩ pull-up resistors on CC1 and CC2 pins and 30/150kΩ pull-down resistors on one of the SBU pins.\\ | ||
- | Upon entering DAM mode MAX20342 connects USB D+ and D- pins of the connector to UART of the MT8113.\\ | + | Upon entering DAM mode MAX20342 connects |
- | This feature can be disabled by configuration | + | Configuration |
Be aware of the **1.8V logic levels** of the UART and **don' | Be aware of the **1.8V logic levels** of the UART and **don' | ||
There is a photo of such contraption: | There is a photo of such contraption: | ||
- | -On the PCB there is FT232 USB to UART converter and buck regulator to generate 1.8V for powering the VCCIO pin of the converter.\\ | + | -On the PCB there is the FT232 USB to UART converter and buck regulator to generate 1.8V for powering the VCCIO pin of the converter.\\ |
- | -I tried the CP2104 and CH340 converters | + | -I also tried the CP2104 and CH340 converters, but they are struggling to run with 1.8V power for IO pins. |
{{https:// | {{https:// | ||
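Review bot: the new sentence under the 03-11-2022 entry, "If is used another eMMC on which the content of the previous is copied the ROM bootloader fails to load u-boot.", has inverted word order; suggest "If another eMMC onto which the stock content has been copied is used, the ROM bootloader fails to load u-boot." Two smaller points in the same region: "512Mb RAM" in the Overview reads as megabits, so write "MB" if megabytes is meant, and the unchanged line "In the datasheet for MAX20342 is stated that" reads more naturally as "The datasheet for the MAX20342 states that".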
Line 66: | Line 77: | ||
</ | </ | ||
+ | *note: there is most likely a better way, like spawning /bin/sh on UART directly, but let's keep things simple. | ||
==== Internal photos: ==== | ==== Internal photos: ==== | ||
Line 74: | Line 86: | ||
{{https:// | {{https:// | ||
+ | ====eMMC interposer: | ||
+ | In order to be able to easily modify, read out, and backup content of the eMMC chip, I created an interposer with the connector on which the board with the eMMC chip is placed.\\ | ||
+ | Pinout was chosen to match the PINE64 eMMC module and [[https:// | ||
+ | Files are available at GitLab [[https:// | ||
+ | |||
+ | **31-10-2022: | ||
+ | PCBs arrived along with the reballing stencils and balls. | ||
+ | **03-11-2022: | ||
+ | I assembled and tested the boards, but I wasn't able to get PW5 running with the interposer installed. When I tried it, the Mediatek ROM bootloader just printed output and went to shutdown. I suspect that the signal integrity might be causing this. But there will be probably another catch as when I tried to make a copy of stock eMMC binary content to the new larger eMMC (just dd it) the bootloader also refused to boot properly. (with larger eMMC soldered directly on board)\\ | ||
+ | |||
+ | I wasn't able to find much information about the Mediatek ROM bootloader. Links [[https:// | ||
+ | |||
+ | From what I was able to get together you need access to UART0 and UART1 in order to use the tool for flashing. UART0 is outputted through a USB C connector, but UART1 is inaccessible. It might be somewhere on the bottom test pads. | ||
+ | |||
+ | The ROM bootloader output: | ||
+ | < | ||
+ | F0: 102B 0000 | ||
+ | F3: 4000 0036 [0200] | ||
+ | F3: 4000 0036 | ||
+ | F6: 380C 0000 | ||
+ | F1: 5003 FF1E [0001] | ||
+ | F1: 5003 FF1E | ||
+ | 00: 1005 0000 | ||
+ | F3: 4000 0036 [0200] | ||
+ | F3: 4000 0036 | ||
+ | F6: 380C 0000 | ||
+ | F1: 5003 FF1E [0001] | ||
+ | F1: 5003 FF1E | ||
+ | 01: 1005 0000 | ||
+ | F6: 380C 0000 | ||
+ | 02: 1005 0000 | ||
+ | F6: 380C 0000 | ||
+ | 03: 102A 0003 | ||
+ | 04: 0007 8000 | ||
+ | 05: 1005 0000 | ||
+ | BP: 0800 0288 [0003] | ||
+ | EC: 0000 0000 [0001] | ||
+ | T0: 0000 014C [000F] | ||
+ | System halt! | ||
+ | |||
+ | |||
+ | F0: 102B 0000 | ||
+ | F3: 4000 0036 [0200] | ||
+ | F3: 4000 0036 | ||
+ | F6: 380E 00A8 | ||
+ | F1: 5003 FF1E [0001] | ||
+ | F1: 5003 FF1E | ||
+ | 00: 1005 0000 | ||
+ | F3: 4000 0036 [0200] | ||
+ | F3: 4000 0036 | ||
+ | F6: 380E 00A8 | ||
+ | F1: 5003 FF1E [0001] | ||
+ | F1: 5003 FF1E | ||
+ | 01: 1005 0000 | ||
+ | F6: 380E 00A8 | ||
+ | 02: 1005 0000 | ||
+ | F6: 380E 00A8 | ||
+ | 03: 102A 0003 | ||
+ | 04: 0007 8000 | ||
+ | 05: 1005 0000 | ||
+ | BP: 0800 0288 [0003] | ||
+ | EC: 0000 0000 [0001] | ||
+ | T0: 0000 019D [000F] | ||
+ | System halt! | ||
+ | </ | ||
+ | I think the first section is without any eMMC and the second section is with blank/other than stock eMMC as the output was the same. | ||
====Boot log:==== | ====Boot log:==== | ||
< | < | ||
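Review bot: the closing sentence "I think the first section is without any eMMC and the second section is with blank/other than stock eMMC as the output was the same." does not match the two captures above it, which differ: the F6 lines read `F6: 380C 0000` in the first capture and `F6: 380E 00A8` in the second, and the T0 line reads `T0: 0000 014C [000F]` versus `T0: 0000 019D [000F]`. Record which eMMC condition each capture was taken under and call out the differing F6 value instead of describing the two as identical, since that difference is the only evidence the page has for what the ROM bootloader saw in each case. Two style points in the same section: the parenthetical "(with larger eMMC soldered directly on board)" follows the sentence-ending period and should be folded into the sentence it qualifies, and "UART0 is outputted through a USB C connector" should read "is output".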
Line 507: | Line 585: | ||
====Misc.: | ====Misc.: | ||
+ | TODO, to do, to do, to do, to do, to do, to dooooo | ||
-OpenVPN\\ | -OpenVPN\\ | ||
-fw_printenv\\ | -fw_printenv\\ |
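Review bot: the added line "TODO, to do, to do, to do, to do, to do, to dooooo" under Misc. is filler with no content; either list the outstanding items or leave the heading followed by the existing entries (-OpenVPN, -fw_printenv) until there is something to add.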