This is an old revision of the document!


Kindle hacking

PW5:

Goals:

HW UART
U-Boot CLI
UART Linux shell
Reverse engineering of unlocking mechanism

Summary

In the new Kindle PW5, Amazon started using a different CPU from the one in previous models: the Kindle PW5 uses a MediaTek MT8113, bundled with 512Mb of RAM.
All production devices are locked, which means you cannot use the U-Boot CLI: on a locked device, any attempt to enter the U-Boot CLI results in forced execution of the fastboot command followed by the boot command.
With U-Boot in fastboot mode, it is possible to obtain some kind of magic string via the getvar command that can probably be used to generate an unlock key. Unfortunately, that cannot be verified (yet), because some of the source code is missing.
Amazon also removed the debug UART connector from the PCB.
On production devices, the UART Linux shell is disabled.

Getting UART

I suspected that there had to be a UART somewhere, so I ordered yet another Kindle and started probing the test pads on the bottom side of the PCB. This, unfortunately, led nowhere; only a couple of I2C buses were discovered that way.
The next step was to look into the source code released by Amazon under the GPL.
In the U-Boot source there is code for the MAX20342, a USB Type-C detector IC used to detect different types of chargers. It also supports USB Type-C Debug Accessory Mode (DAM) (USB Type-C specification, pg. 314), in which some of the data pins can be used for non-USB purposes such as JTAG debugging.
The MAX20342 datasheet states that the IC will enter DAM if it senses 5.1kΩ pull-up resistors on the CC1 and CC2 pins and a 30/150kΩ pull-down resistor on one of the SBU pins.
Upon entering DAM, the MAX20342 connects the USB D+ and D- pins of the connector to a UART of the MT8113.
Be aware that this UART uses 1.8V logic levels; don't connect a 3.3V logic-level UART converter, as you can damage your Kindle.

Here is a photo of such a contraption:
- On the PCB there is an FT232 USB-to-UART converter and a buck regulator that generates 1.8V for powering the VCCIO pin of the converter.
- I tried CP2104 and CH340 converters as well, but they struggle to run with 1.8V power on the IO pins.

Photo of the converter board.

Getting UART Linux shell

Currently, I have no method to enable the UART shell on a production device. The only possible way is to jailbreak your Kindle using the method provided by MobileRead forum member katadelos.

In order to enable the UART root shell, you need to do two things:
- Modify /etc/shadow file to enable the root account.

root:!:10933:0:99999:7:::

to

root::10933:0:99999:7:::

- Modify /etc/init/console.conf (start at line ~66)

#We determine to execute getty, which prompts for the login password using the values in the /proc/cmdline file
#The locked variable is used lock the prompt

if [ "$prodVersion" = "0" -o "$unlockedKernel" = "true" -o "$secureCpu" = "0" ]; then
    #Unlocked Prompt if: unlockedKernel or not prod or not secure cpu
    exec getty -L $BAUD /dev/$UART 2>> $STDERR
else
    exec getty -L $BAUD /dev/$UART -i -n -l /etc/upstart/custom-login 2>> $STDERR
fi

to

#We determine to execute getty, which prompts for the login password using the values in the /proc/cmdline file
#The locked variable is used lock the prompt

if [ "$prodVersion" = "0" -o "$unlockedKernel" = "true" -o "$secureCpu" = "0" ]; then
    #Unlocked Prompt if: unlockedKernel or not prod or not secure cpu
    exec getty -L $BAUD /dev/$UART 2>> $STDERR
else
#exec console on locked device
    exec getty -L $BAUD /dev/$UART 2>> $STDERR
fi
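
As an added example (my own script, not part of the original procedure and not Kindle or Amazon code), here is a POSIX sh audit script for the two settings the steps above change. It reads the shadow and console.conf layouts exactly as shown above, works on copies of the files passed as explicit paths, and can apply the /etc/shadow change to a copy. The function names, the summary wording and the use of grep, cut and sed are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: audit (and optionally apply)
# the two settings that the procedure above changes.  Assumptions: POSIX sh
# with grep, cut and sed; the files are passed as explicit paths so the
# script can be run against copies pulled off the device instead of the
# live /etc/shadow and /etc/init/console.conf.

# shadow_status FILE USER
# Reports how the password field (field 2) of USER's shadow entry is set:
#   locked        - starts with "!" or "*": no password login possible
#   passwordless  - empty field: login without any password (what the
#                   "root::10933:..." edit above produces)
#   hashed        - a real password hash is set
#   missing       - no entry for USER
shadow_status() {
    line=$(grep "^$2:" "$1") || { echo missing; return 0; }
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$pw" in
        "")        echo passwordless ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# console_login_mode FILE
# Reports whether console.conf still routes the locked-device branch through
# /etc/upstart/custom-login (locked) or hands out a plain getty (open).
# Comment lines are ignored so a commented-out exec does not count.
console_login_mode() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'getty.*custom-login'; then
        echo locked
    else
        echo open
    fi
}

# unlock_root_copy SRC DST
# Writes a copy of SRC in which only root's "!" lock marker is cleared,
# i.e. the exact /etc/shadow change shown above.  An entry that already
# carries a hash, or is already empty, is left untouched.
unlock_root_copy() {
    sed 's/^root:!:/root::/' "$1" > "$2"
}

# report SHADOW_FILE CONSOLE_CONF
# Two-line summary: the raw state of both settings, then whether a root
# shell would be reachable on the UART of a locked production device.
report() {
    s=$(shadow_status "$1" root)
    c=$(console_login_mode "$2")
    printf 'root account: %s, locked-device console: %s\n' "$s" "$c"
    if [ "$c" != open ]; then
        echo "UART root shell: not enabled (custom-login still in place)"
    elif [ "$s" = passwordless ]; then
        echo "UART root shell: enabled, no password"
    elif [ "$s" = hashed ]; then
        echo "UART root shell: enabled, password required"
    else
        echo "UART root shell: not enabled (root account locked)"
    fi
}

# Usage: sh audit_uart_shell.sh /path/to/shadow /path/to/console.conf
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it with copies of /etc/shadow and /etc/init/console.conf taken from the device; the "passwordless" state is exactly the condition the edited root::10933:... line creates, and "open" means the else branch no longer calls /etc/upstart/custom-login.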

Internal photos:

Photo of the board. Photo of the board without the cover.

For now that's all.