Mobileread
Tools Select Boot for K4 and Touch
#1  geekmaster 02-19-2012, 10:04 PM
UPDATE: Touch diags with SSH pre-installed! Download below. Fastboot for Windows, and Fastboot for Mac are now available in addition to the original Fastboot for Linux (download links below).

NOTE: This is not that difficult if you are careful. The following warning is not intended to strike fear into the hearts of mere mortals. Go ahead and use it if it will help you repair your bricked kindle. Just do not try things in fastboot or diagnostics that you do not understand, unless you are instructed to use them. For those who may find all the following English text difficult, here are step-by-step pictures showing how to install and use this tool:
http://www.mobileread.com/forums/sho....php?p=1972836

CAUTION: Diagnostic mode and fastboot mode give you a lot of power to repair your kindle from otherwise unrepairable conditions, but they also allow you to do things that can make it worse. With great power comes great responsibility, so please be very careful when you are in fastboot mode or in diagnostics mode. When we provide step-by-step instructions, follow them carefully.

The following text describes a little about how to boot your kindle touch or k4nt into recovery mode, and from there to diagnostics or fastboot mode. You can also use this "Select Boot" tool to boot back to the main mode.

I will update this post as I get more tools ready.

Attached are links to the Freescale MfgTool for Windows, needed to download custom code over USB port into kindle RAM memory and run it in the kindle, while in USB Recovery (USB HID / USB Download) mode.

After unzipping the MfgTool into a folder of your choice, delete the folders from inside the Profiles folder, and copy the folders from inside the Kindle_bootmode.zip file into Profiles folder inside the MfgTool folder.

To get your kindle touch or k4nt into USB Recovery mode, plug in the USB cable, then press and hold the power switch until the power LED turns off, then press and hold the "Magic Key", then release the power switch, then release the "Magic Key". The "Magic Key" is a special button that is different on each model of kindle, and is used to enter USB Recovery mode.

Kindle Model, Magic Key:
Touch, Home button
K4NT, Five-Way Down button
K3, Volume Down button (different VID/PID).

When your kindle is in USB Recovery mode the first time, Windows will detect new hardware, and it should automatically install USB/HID device drivers. The Windows device drivers and other unused files were removed from the previously posted downloads, to reduce the download size from about 70 MB to 0.5 MB. If your version of Windows does not install USB/HID device drivers automatically, you can request them here.

Then start MfgTool.exe, select a bootmode Profile from the drop-down menu (diags, fastboot, or main), and press the Start button in MfgTool. If all goes well, your kindle should boot into the mode that you selected, where you can repair your kindle.

From diagnostics (diags mode), you can export your USB Drive so that you can add files to it to repair your kindle, such as data.tar.gz and a special RUNME.sh file. If you have a K4NT, you can start SSH, and repair your kindle from a linux command shell. For a touch, I will provide additional tools and instructions. I recommend pushing a "reverse shell" using netcat (nc) to your host PC (similar to SSH), or crafting a special RUNME.sh, to assist.

I will provide additional tools and instructions, but what I have attached is enough for developers to assist you. I have supplied 3 additional methods to get root shell on a kindle to various developers, none of which have been published yet.

If you boot to fastboot mode, you can use yifanlu's kindle fastboot tool to flash the diags partition with a copy of mmcblk0p2_ssh. Then boot to diags and use SSH to flash the main partition with mmcblk0p1. Please see the "simple debricking" sticky thread for details.

Good luck. So far, I have provided a way that requires familiarity with linux shell commands. Additional tools will be provided soon to simplify this, and minimize the risk.

Again, this will get simpler and safer in the future.

Enjoy!

UPDATE: I have added a universal payload that should work with multiple kindles, if installed at /var/local/system/mntus.params, using whatever method is available for that device. For the K4NT and Touch, I have provided a data.tar.gz that contains my "universal" payload which launches RUNME.sh on the USB drive if it exists and there is not a RUNME.done file. The launcher creates a RUNME.done file before starting RUNME.sh, so that it will only run one time. To activate it so it can run again, delete RUNME.done from the USB Drive.

From the diagnostics menu, activate USB Device Mode from the menu. Then copy RUNME.sh (from the zip file) and data.tar.gz onto the kindle USB drive.

This RUNME.sh just displays stuff on the screen to show that it works. Because this can be launched from main or diags mode, the script does not know which partition is root, so to copy files between them (like dropbear SSH) I recommend this:
Code
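# Create the mount points (root must be writable to add directories)
mntroot rw
mkdir -p /mnt/main
mkdir -p /mnt/diag
mntroot ro
# Mount both root partitions: mmcblk0p1 = main, mmcblk0p2 = diags
mount /dev/mmcblk0p1 /mnt/main
mount /dev/mmcblk0p2 /mnt/diag
# *** copy stuff between /mnt/main/ and /mnt/diag/ as needed ***
umount /mnt/main
umount /mnt/diag
# Remove the empty mount points again (rmdir, because rm -f does not remove directories)
mntroot rw
rmdir /mnt/main
rmdir /mnt/diag
mntroot ro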
If you have the USBnetwork (dropbear SSH) files on your touch main partition, you can copy them to diags above. Or if not installed yet, you can extract them using yifanlu's installer, and copy them where they belong on /mnt/main or /mnt/diag.

I was not able to test this version on my Touch, but it should work.

REMINDER: To launch RUNME.sh again, you need to delete RUNME.done from the USB drive.

Please post your results.

Fastboot for Windows: http://www.mobileread.com/forums/sho....php?p=2001687

Fastboot for Mac: http://www.mobileread.com/forums/sho....php?p=2029696

Russian translation of my work: http://beznervov.com/computers/hard/elektronnye-knigi/kindlu-touch-unbrick-debrick-i-polnyj-navorot/

Read the "simple debricking" thread too: http://www.mobileread.com/forums/sho...d.php?t=170929

Kindle touch diags partition image (mmcblk0p2_ssh.img.gz) with pre-installed SSH:
http://gitbrew.org/~dasmoover/kindle/touch/forensic/mmcblk0p2_ssh.img.gz
You should extract this partition image and install to the diags partition with fastboot. To use SSH, boot to diags and select menu options N) U) Z) X) then wait about 20 seconds for dropbear to start up. Then SSH in. The root password is mario.
[zip] KindleSelectBoot.zip (508.5 KB, 14395 views)
[gz] data.tar.gz (796 Bytes, 5695 views)
[zip] RUNME.zip (249 Bytes, 4283 views)
Reply 
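
The run-once launch described in the post above (RUNME.sh runs only while RUNME.done is absent, and the marker is created before the script starts), as an added shell example. It is not geekmaster's payload or any code from this thread; the function names, return codes and the exit-status line appended to the marker are assumptions, and a temporary directory stands in for the USB drive.

```shell
#!/bin/sh
# Added illustration of the run-once behaviour described in the post.
# Not geekmaster's payload: names, return codes and the exit-status line
# appended to RUNME.done are assumptions made for this example.

# launch_once USB_ROOT
#   0 = RUNME.sh was started      1 = no RUNME.sh present
#   2 = RUNME.done present        3 = marker could not be written
launch_once() {
    usb_root=$1
    script="$usb_root/RUNME.sh"
    marker="$usb_root/RUNME.done"

    if [ ! -f "$script" ]; then return 1; fi
    if [ -e "$marker" ]; then return 2; fi

    # The marker is written and flushed BEFORE the script starts, so the
    # script runs only once even if it hangs or reboots the device.
    date > "$marker" || return 3
    sync

    # Run through sh so the launch does not depend on an execute bit
    # (FAT has none).
    rc=0
    sh "$script" || rc=$?

    # Record the outcome unless the script removed the marker to re-arm itself.
    if [ -e "$marker" ]; then echo "exit=$rc" >> "$marker"; fi
    return 0
}

# Constructed demo: a temporary directory stands in for the USB drive.
demo_run_once() {
    d=$(mktemp -d) || return 1
    printf 'echo hello >> "%s/ran.txt"\n' "$d" > "$d/RUNME.sh"
    r1=0; launch_once "$d" || r1=$?      # first boot: runs
    r2=0; launch_once "$d" || r2=$?      # second boot: blocked by RUNME.done
    rm -f "$d/RUNME.done"                # user re-arms the launcher
    r3=0; launch_once "$d" || r3=$?      # runs again
    runs=$(wc -l < "$d/ran.txt" | tr -d ' ')
    rm -rf "$d"
    echo "$r1 $r2 $r3 runs=$runs"
}

if [ "${1:-}" = "demo" ]; then demo_run_once; fi
```

Anything placed on the USB drive as RUNME.sh runs with the launcher's privileges, so the marker file is the only thing standing between a leftover script and a second run.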

#2  geekmaster 02-19-2012, 10:28 PM
Attention developers: please feel free to add to this thread, showing details on how to use the MfgTool and custom boot profiles to boot a bricked kindle to your choice of diags, fastboot, or main mode. You can modify ixtab's jailbreak to deposit a script into /var/local/wan/info, then run the ar11g diagnostic to trigger it. When /var/local/wan/info executes, it should check for and run /mnt/us/RUNME.sh.

Be sure to NOT change the diagnostics boot partition. Instead, do "mount /dev/mmcblk0p1 /mnt/mmc" and make repairs inside /mnt/mmc/etc/*.

Okay? Thanks for helping with this.

Inside the custom boot profiles are kindle touch u-boot.bin files that have had an additional line of code added. Where the original code reads the bootmode idme var, then decides which partition to boot, the new code replaces the local memory copy of bootmode with either "diags", "fastboot", or "main". The idme vars are NOT changed. The boot process continues using the modified bootmode in memory.

#3  Poetcop 02-20-2012, 09:40 AM
I'd like to make a report that Geekmaster's tool worked for me! My formerly dead Kindle is now in Diags mode!! Here's an account of the nature of my bricking (probably due only to the 3rd partition filling up):
http://www.mobileread.com/forums/sho....php?p=1957448

I followed Geekmaster's instructions, and found it to be very straightforward. The only discrepancy on my particular system (which is Windows XP SP3) is that when I booted the Kindle into recovery mode it did not pop up a message identifying it as new hardware. So I went and found it in the Device Manager (under Human Interface Devices -> USB Human Interface Device) and found that it already had a driver associated with it, apparently from Microsoft. I tried to replace it with the driver in the Mfgtools directory, imxusb.inf, but got the message "Specified location doesn't include information about your hardware". Luckily Mfgtools worked anyway (after one attempt failed because I was overly hasty and it was in low battery mode - so for anyone as silly as me, make sure it's charged first).

I don't want to start pressing menu options in Diags mode that I don't have a good idea what they do, so I need a little more advice to fully unbrick: can I erase the partition from here, or do I need to boot into fastboot (after doing a little reading about how that works)? But from Diags mode I was able to mount my /mnt/us (with the menu option "USB device mode"), letting me back up my /Documents folder, including notes I'd taken on books, which I was afraid I'd lost forever. So already life is better. Thanks Geekmaster!

#4  geekmaster 02-20-2012, 10:45 AM
Pictorial Guide to Installation and Usage:

NOTE: This is not that difficult if you are careful. The following warning is not intended to strike fear into the hearts of mere mortals. Go ahead and use it if it will help you repair your bricked kindle. Just do not try things in fastboot or diagnostics that you do not understand, unless you are instructed to use them. For those who may find lengthy detailed English text difficult, here are step-by-step pictures showing how to install and use this tool:

CAUTION: Diagnostic mode and fastboot mode give you a lot of power to repair your kindle from otherwise unrepairable conditions, but they also allow you to do things that can make it worse. With great power comes great responsibility, so please be very careful when you are in fastboot mode or in diagnostics mode. When we provide step-by-step instructions, follow them carefully.

[Image: Download and unzip KindleSelectBoot.zip (download here)]

Place the Kindle into USB Recovery mode:
Plug Kindle into USB port. Press Kindle power switch until LED off.
Press "Magic Key" (K4NT = Five-Way Down button, Touch = Home button).
Release power switch. Release "Magic Key".

[Image: Kindle Detected in USB Recovery Mode (USB/HID Devices)]

[Image: Run MfgTool.exe]

[Image: MfgTool Bootmode Menu]

[Image: MfgTool Booting Kindle to Diagnostics Menu]

[Image: Kindle Touch Diagnostics Menu]
From SSH: "dd if=/dev/fb0 of=/mnt/us/fb0.raw", then use IrfanView to crop/resize/convert 608x1792 RAW image to 300x400 PNG image.

Repair your Kindle in Diagnostics (or fastboot) Mode,
using instructions and tools provided in following posts (below).


Good luck. But more importantly, have fun learning stuff!

EDIT: There are more downloads in the original post, including a sample RUNME.sh that can be launched from a diagnostics boot. It works on the Touch and the K4NT. You can install USBnet (dropbear SSH) into the diagnostics menu with it (when configured to do that).

#5  geekmaster 02-20-2012, 12:00 PM
Quote Poetcop
I'd like to make a report that Geekmaster's tool worked for me! My formerly dead Kindle is now in Diags mode!!
...
The only discrepancy on my particular system (which is Windows XP SP3) is that when I booted the Kindle into recovery mode it did not pop up a message identifying it as new hardware. So I went and found it in the Device Manager (under Human Interface Devices -> USB Human Interface Device) and found that it already had a driver associated with it, apparently from Microsoft. I tried to replace it with the driver in the Mfgtools directory, imxusb.inf, but got the message "Specified location doesn't include information about your hardware". Luckily Mfgtools worked anyway (after one attempt failed because I was overly hasty and it was in low battery mode - so for anyone as silly as me, make sure it's charged first).
I added comments in the text and pictures that the supplied Windows Device drivers should be used ONLY if needed. Some versions of Windows install these automatically. EDIT: I removed the Windows device drivers and other unused stuff from the combined download package after reading the MfgTool source code EULA, so it is smaller to download and simpler to install. Instructions and screen captures have been updated as well.

Also, if your kindle battery is empty and will not charge, it appears to charge faster while in fastboot mode. You can just reboot your computer when done, and it will boot to its previously saved bootmode.

You can recover a damaged kindle from Diagnostics mode by mounting the root partition and replacing missing or damaged files on it. You can also replace the root partition with a copy of a backup image file.

To recover from a full /var/local (collections database too large), you can delete files in /var/local, or you can copy /dev/zero onto /dev/mmcblk0p3 to destroy /var/local, and the next reboot will create a fresh empty /var/local.

#6  idoit 02-20-2012, 02:42 PM
Quote geekmaster
You can recover a damaged kindle from Diagnostics mode by mounting the root partition and replacing missing or damaged files on it. You can also replace the root partition with a copy of a backup image file.
First and foremost, thank you very much geekmaster AGAIN. Diags mode was successful and I recovered my documents and books I bought... AWESOME!

1. So in diags mode, I'd imagine simply putting the following line in RUNME.sh and rebooting the Touch, will replace root partition with my backup image?
Code
dd if=/mnt/us/bak/mmcblk0p1.bin of=/dev/mmcblk0p1 bs=1024
or is it more detailed, e.g. involving mount -o loop /dev/loop1 and such?

2. Is there a command for faculty restoring (factory resetting)? (oops brain-fart )

Feedback for fastboot mode: I rebooted my Touch and did the same procedure as for diags mode... in MfgTool, I Started the fastboot mode, Windows began automatically searching for driver, couldn't locate and gave error "No driver found". Checking Device Manager, I see a device called Kindle in "Other devices" section, but by setting the path for drivers manually (Driver folder of MfgTool) it still says suitable driver not found!!!... so nothing happens on my Kindle Touch in fastboot mode! O_o

3. Misc. individual diagnostics > Utilities > Enable USBnet gives out correct information regarding IP... I wonder why it doesn't work out with ssh and we have to push reverse shell!

#7  Emrexcem 02-20-2012, 04:52 PM
Quote cscat
First and foremost, thank you very much geekmaster AGAIN. Diags mode was successful and I recovered my documents and books I bought... AWESOME!

1. So in diags mode, I'd imagine simply putting the following line in RUNME.sh and rebooting the Touch, will replace root partition with my backup image?
Code
dd if=/mnt/us/bak/mmcblk0p1.bin of=/dev/mmcblk0p1 bs=1024
or is it more detailed, e.g. involving mount -o loop /dev/loop1 and such?

2. Is there a command for faculty restoring?

Feedback for fastboot mode: I rebooted my Touch and did the same procedure as for diags mode... in MfgTool, I Started the fastboot mode, Windows began automatically searching for driver, couldn't locate and gave error "No driver found". Checking Device Manager, I see a device called Kindle in "Other devices" section, but by setting the path for drivers manually (Driver folder of MfgTool) it still says suitable driver not found!!!... so nothing happens on my Kindle Touch in fastboot mode! O_o

3. Misc. individual diagnostics > Utilities > Enable USBnet gives out correct information regarding IP... I wonder why it doesn't work out with ssh and we have to push reverse shell!
I need that too

#8  geekmaster 02-20-2012, 04:53 PM
Quote cscat
First and foremost, thank you very much geekmaster AGAIN. Diags mode was successful and I recovered my documents and books I bought... AWESOME!

1. So in diags mode, I'd imagine simply putting the following line in RUNME.sh and rebooting the Touch, will replace root partition with my backup image?
Code
dd if=/mnt/us/bak/mmcblk0p1.bin of=/dev/mmcblk0p1 bs=1024
or is it more detailed, e.g. involving mount -o loop /dev/loop1 and such?

2. Is there a command for faculty restoring?

Feedback for fastboot mode: I rebooted my Touch and did the same procedure as for diags mode... in MfgTool, I Started the fastboot mode, Windows began automatically searching for driver, couldn't locate and gave error "No driver found". Checking Device Manager, I see a device called Kindle in "Other devices" section, but by setting the path for drivers manually (Driver folder of MfgTool) it still says suitable driver not found!!!... so nothing happens on my Kindle Touch in fastboot mode! O_o

3. Misc. individual diagnostics > Utilities > Enable USBnet gives out correct information regarding IP... I wonder why it doesn't work out with ssh and we have to push reverse shell!
There are a number of options available to you.

From diags you can export the USB Drive to add a data.tar.gz to launch RUNME.sh, like is used in ixtab's jailbreak. You can make a backup copy of mmcblk0p1 with:
dd if=/dev/mmcblk0p1 of=/mnt/us/mmcblk0p1.img bs=1024
You can then export that to a host PC, where you can mount it, modify it, and use dd to write it back to /dev/mmcblk0p1. Or you can write it back with fastboot.

Or you can push a reverse shell to a host PC, then type linux commands at a root shell running in your kindle. You can repair your main partition from a root shell with:
mount /dev/mmcblk0p1 /mnt/mmc
then make repairs in /mnt/mmc/ which is where your "main" root is now mounted. Do not make changes to the diags root "/" that you booted from.

There will be more tools available soon (especially to assist with running RUNME.sh on a touch).

I do not know of any "driver" for fastboot mode. Yifanlu's kindle fastboot program communicates directly with the raw USB port using libusb (or equivalent), so no device driver is required. I have not tried the windows version. I use the linux version which works quite well (at least the parts that I needed). Thanks yifanlu!

Some files are removed from kindles before they are shipped. The touch is missing files needed to use SSH from diagnostics mode. Perhaps you can add the missing files later, to enable those menu items to function properly.
Reply 
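
The dd backup and write-back of mmcblk0p1 described in the post above, extended here with a checksum so a truncated or altered image is refused before it reaches the partition. This is an added example, not code from the thread: HASH, the ".sum" sidecar file and all function names are assumptions, and regular files stand in for the block devices.

```shell
#!/bin/sh
# Added example, not from the thread: checksum-verified dd backup and restore.
# HASH, the ".sum" sidecar file and all function names are assumptions.
HASH=${HASH:-sha256sum}          # e.g. HASH=md5sum where sha256sum is absent

digest() { $HASH | cut -d' ' -f1; }

# Succeeds if DEV is listed as a mounted source in /proc/mounts.
# A root reported under another name (such as /dev/root) is not caught.
is_mounted() {
    [ -r /proc/mounts ] &&
        awk -v d="$1" '$1 == d { f = 1 } END { exit !f }' /proc/mounts
}

# backup_partition SRC IMG -> 0 ok, 1 dd failed, 2 copy differs from source
backup_partition() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=1024 2>/dev/null || return 1
    sync
    src_sum=$(digest < "$src"); img_sum=$(digest < "$img")
    [ "$src_sum" = "$img_sum" ] || return 2
    echo "$img_sum" > "$img.sum"
}

# restore_partition IMG DST -> 0 ok, 1 dd failed, 3 no digest recorded,
#   4 image no longer matches its digest, 5 DST is mounted, 6 read-back differs
restore_partition() {
    img=$1; dst=$2
    [ -f "$img.sum" ] || return 3
    want=$(cat "$img.sum")
    [ "$(digest < "$img")" = "$want" ] || return 4
    if is_mounted "$dst"; then return 5; fi      # refuse a mounted target
    dd if="$img" of="$dst" bs=1024 conv=notrunc 2>/dev/null || return 1
    sync
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$(head -c "$size" "$dst" | digest)" = "$want" ] || return 6
}

# Constructed demo: 64 KiB files stand in for /dev/mmcblk0p1 and its target.
demo_backup_restore() {
    t=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$t/part" bs=1024 count=64 2>/dev/null
    dd if=/dev/zero of="$t/target" bs=1024 count=64 2>/dev/null
    a=0; backup_partition "$t/part" "$t/p1.img" || a=$?
    b=0; restore_partition "$t/p1.img" "$t/target" || b=$?
    if cmp -s "$t/part" "$t/target"; then same=yes; else same=no; fi
    printf 'X' >> "$t/p1.img"                    # simulate a damaged copy
    c=0; restore_partition "$t/p1.img" "$t/target" || c=$?
    rm -rf "$t"
    echo "$a $b $same $c"
}

if [ "${1:-}" = "demo" ]; then demo_backup_restore; fi
```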

#9  geekmaster 02-20-2012, 10:52 PM
Quote cscat
2. Is there a command for faculty restoring?
Actually, there are additional bootmodes of "factory" and "reset". I could create additional u-boots and add MfgTool Profiles for them. I did not do that because I have not tested those boot modes and I am not sure what they do at this time.

You can also set those bootmode values with the "idme" command, and I may try that later when my recovery tools are more complete.

There are also scripts in the kindles to do factory reset, and to place it in shipping mode (like when it first came out of the box).

*** Also, I have a tool similar to MfgTool for use by the Kindle 3, and I have source code so I can do custom u-boots for it too. I plan to add Kindle 3 "Select Boot" support in the future.

P.S. A reverse shell is easy, but I am trying to get dropbear SSH working. Getting close. I will provide a package that will be easy to install from diags, to provide SSH and to run RUNME.sh on the USB Drive if it finds one. I will use one of my "secret" jailbreak methods to do this, but it will make NO changes to the main or diags boot partitions, unless you select those options from a menu.

#10  ixtab 02-20-2012, 11:33 PM
Whoa, this looks awesome!

Is there any chance of having this for us non-Windows users?

I'm talking Linux, specifically, but maybe some MacOS folks would also be interested. If I missed something along the way and there is a way to do this on Linux (MacOS), any pointers are appreciated

Thanks!