Select Boot for K4 and Touch

[geekmaster]

UPDATE: Touch diags with SSH pre-installed! Download below. Fastboot for Windows, and Fastboot for Mac are now available in addition to the original Fastboot for Linux (download links below).

NOTE: This is not that difficult if you are careful. The following warning is not intended to strike fear into the hearts of mere mortals. Go ahead and use it if it will help you repair your bricked kindle. Just do not try things in fastboot or diagnostics that you do not understand, unless you are instructed to use them. For those who may find all the following English text difficult, here are step-by-step pictures showing how to install and use this tool:
https://www.mobileread.com/forums/sho....php?p=1972836

CAUTION: Diagnostic mode and fastboot mode give you a lot of power to repair your kindle from otherwise unrepairable conditions, but they also allow you to do things that can make it worse. With great power comes great responsibility, so please be very careful when you are in fastboot mode or in diagnostics mode. When we provide step-by-step instructions, follow them carefully.

The following text describes a little about how to boot your kindle touch or k4nt into recovery mode, and from there to diagnostics or fastboot mode. You can also use this "Select Boot" tool to boot back to the main mode.

I will update this post as I get more tools ready.

Attached are links to the Freescale MfgTool for Windows, needed to download custom code over USB port into kindle RAM memory and run it in the kindle, while in USB Recovery (USB HID / USB Dowload) mode.

After unzipping the MfgTool into a folder of your choice, delete the folders from inside the Profiles folder, and copy the folders from inside the Kindle_bootmode.zip file into Profiles folder inside the MfgTool folder.

To get your kindle touch or k4nt into USB Recovery mode, plug in the USB cable, the press and hold the power switch until the power LED turns off, then press and hold the "Magic Key", then release the power switch, then release the "Magic Key". The "Magic Key" is a special button that is different on each model of kindle, and is used to enter USB Recovery mode.

Kindle Model, Magic Key:
Touch, Home button
K4NT, Five-Way Down button
K3, Volume Down button (different VID/PID).

When your kindle is in USB Recovery mode the first time, Windows will detect new hardware, and it should automatically install USB/HID device drivers. The Windows device drivers and other unused files were removed from the previously posted downloads, to reduce the download size from about 70 MB to 0.5 MB. If your version of Windows does not install USB/HID device drivers automatically, you can request them here.

Then start MfgTool.exe, select a bootmode Profile from the drop-down menu (diags, fastboot, or main), and press the Start button in MfgTool. If all goes well, your kindle should boot into the mode that you selected, where you can repair your kindle.

From diagnostics (diags mode), you can export your USB Drive so that you can add files to it to repair your kindle, such as data.tar.gz and a special RUNME.sh file. If you have a K4NT, you can start SSH, and repair your kindle from a linux command shell. For a touch, I will provide additional tools and instructions. I recommend pushing a "reverse shell" using netcat (nc) to your host PC (similar to SSH), or crafting a special RUNME.sh, to assist.

I will provide additional tools and instructions, but what I have attached is enough for developers to assist you. I have supplied 3 additional methods to get root shell on a kindle to various developers, none of which have been published yet.

If you boot to fastboot mode, you can use yifanlu's kindle fastboot tool to flash the diags partition with a copy of mmcblk0p2_ssh. Then boot to diags and use SSH to flash the main partition with mmcblk0p1. Please see the "simple debricking" sticky thread for details.

Good luck. So far, I have provided a way that requires familiarity with linux shell commands. Additional tools will be provided soon to simplify this, and minimize the risk.

Again, this will get simpler and safer in the future.

Enjoy!

UPDATE: I have added a universal payload that should work with multiple kindles, if installed at /var/local/system/mntus.params, using whatever method is available for that device. For the K4NT and Touch, I have provided a data.tar.gz that contains my "universal" payload which launches RUNME.sh on the USB drive if it exists and there is not a RUNME.done file. The launcher creates a RUNME.done file before starting RUNME.sh, so that it will only run one time. To activate it so it can run again, delete RUNME.done from the USB Drive.

From the diagnostics menu, active USB Device Mode from the menu. Then copy RUNME.sh (from the zip file) and data.tar.gz onto the kindle USB drive.

This RUNME.sh just displays stuff on the screen to show that it works. Because this can be launched from main or diags mode, the script does not know which partition is root, so to copy files between them (like dropbear SSH) I recommend this:

Code:

mntroot rw
mkdir -p /mnt/main
mkdir -p /mnt/diag
mntroot ro
mount /dev/mmcblk0p1 /mnt/main
mount /dev/mmcblk0p2 /mnt/diag
*** copy stuff between /mnt/main/ and /mnt/diag/ as needed ***
umount /mnt/main
umount /mnt/diag
mntroot rw
rm -f /mnt/main
rm -f /mnt/diag
mntroot ro

If you have the USBnetwork (dropbear SSH) files on your touch main partition, you can copy them to diags above. Or if not installed yet, you can extract them using yifanlu's installer, and copy them where they belong on /mnt/main or /mnt/diag.

I was not able to test this version on my Touch, but it should work.

REMINDER: To launch RUNME.sh again, you need to delete RUNME.done from the USB drive.

Please post your results.

Fastboot for Windows: https://www.mobileread.com/forums/sho....php?p=2001687

Fastboot for Mac: https://www.mobileread.com/forums/sho....php?p=2029696

Russian translation of my work: http://beznervov.com/computers/hard/...olnyj-navorot/

Read the "simple debricking" thread too: https://www.mobileread.com/forums/sho...d.php?t=170929

Kindle touch diags partition image (mmcblk0p2_ssh.img.gz) with pre-installed SSH:

http://gitbrew.org/~dasmoover/kindle...0p2_ssh.img.gz

You should extract this partition image and install to the diags partition with fastboot. To use SSH, boot to diags and select menu options N) U) Z) X) then wait about 20 seconds for dropbear to start up. Then SSH in. The root password is mario.

[geekmaster]

Attention developers: please feel free to add to this thread, showing details on how to use the MfgTool and custom boot profiles to boot a bricked kindle to your choice of diags, fastboot, or main mode. You can modifiy ixtab's jailbreak to deposit a script into /var/local/wan/info, then run the ar11g diagnostic to trigger it. When /var/local/wan/info executes, it should check for and run /mnt/us/RUNME.sh.

Be sure to NOT change the diagnostics boot partition. Instead, do "mount /dev/mmcblk0p1 /mnt/mmc" and make repairs inside /mnt/mnc/etc/*.

Okay? Thanks for helping with this.

Inside the custom boot profiles are kindle touch u-boot.bin files that have had an additional line of code added. Where the original code reads the bootmode idme var, then decides which partition to boot, the new code replaces the local memory copy of bootmode with either "diags", "fastboot", or "main". The idme vars are NOT changed. The boot process continues using the modified bootmode in memory.

[Poetcop]

I'd like to make a report that Geekmaster's tool worked for me! My formerly dead Kindle is now in Diags mode!! Here's an account of the nature of my bricking (probably due only to the 3rd partition filling up):
https://www.mobileread.com/forums/sho....php?p=1957448

I followed Geekmaster's instructions, and found it to be very straightforward. The only discrepancy on my particular system (which is Windows XP SP3) is that when I booted the Kindle into recovery mode it did not pop up a message identifying it as new hardware. So I went and found it in the Device Manager (under Human Interface Devices -> USB Human Interface Device) and found that it already had a driver associated with it, apparently from Microsoft. I tried to replace it with the driver in the Mfgtools directory, imxusb.inf, but got the message "Specified location doesn't include information about your hardware". Luckily Mfgtools worked anyway (after one attempt failed because I was overly hasty and it was in low battery mode - so for anyone as silly as me, make sure it's charged first).

I don't want to start pressing menu options in Diags mode that I don't have a good idea what they do, so I need a little more advice to fully unbrick: can I erase the partition from here, or do I need to boot into fastboot (after doing a little reading about how that works)? But from Diags mode I was able to mount my /mnt/us (with the menu option "USB device mode"), letting me back up my /Documents folder, including notes I'd taken on books, which I was afraid I'd lost forever. So already life is better. Thanks Geekmaster!

[geekmaster]

Pictorial Guide to Installation and Usage:

NOTE: This is not that difficult if you are careful. The following warning is not intended to strike fear into the hearts of mere mortals. Go ahead and use it if it will help you repair your bricked kindle. Just do not try things in fastboot or diagnostics that you do not understand, unless you are instructed to use them. For those who may find lengthy detailed English text difficult, here are step-by-step pictures showing how to install and use this tool:

CAUTION: Diagnostic mode and fastboot mode give you a lot of power to repair your kindle from otherwise unrepairable conditions, but they also allow you to do things that can make it worse. With great power comes great responsibility, so please be very careful when you are in fastboot mode or in diagnostics mode. When we provide step-by-step instructions, follow them carefully.

Download and unzip KindleSelectBoot.zip (download here)

Place the Kindle into USB Recovery mode:
Plug Kindle into USB port. Press Kindle power switch until LED off.
Press "Magic Key" (K4NT = Five-Way Down button, Touch = Home button).
Release power switch. Release "Magic Key".


Kindle Detected in USB Recovery Mode (USB/HID Devices)


Run MfgTool.exe

Attachment 161384
MfgTool Bootmode Menu


MfgTool Booting Kindle to Diagnostics Menu


Kindle Touch Diagnostics Menu
From SSH: "dd if=/dev/fb0 of=/mnt/us/fb0.raw",
then use IrfanView to crop/resize/convert
608x1792 RAW image to 300x400 PNG image.

Repair your Kindle in Diagnostics (or fastboot) Mode,
using instructions and tools provided in following posts (below).

Good luck. But more importantly, have fun learning stuff!

EDIT: There are more downloads in the original post, including a sample RUNME.sh that can be launched from a diagnostics boot. It works on the Touch and the K4NT. You can install USBnet (dropbear SSH) into the diagnostics menu with it (when configured to do that).

[geekmaster]

Quote:

Originally Posted by Poetcop

I'd like to make a report that Geekmaster's tool worked for me! My formerly dead Kindle is now in Diags mode!!
...
The only discrepancy on my particular system (which is Windows XP SP3) is that when I booted the Kindle into recovery mode it did not pop up a message identifying it as new hardware. So I went and found it in the Device Manager (under Human Interface Devices -> USB Human Interface Device) and found that it already had a driver associated with it, apparently from Microsoft. I tried to replace it with the driver in the Mfgtools directory, imxusb.inf, but got the message "Specified location doesn't include information about your hardware". Luckily Mfgtools worked anyway (after one attempt failed because I was overly hasty and it was in low battery mode - so for anyone as silly as me, make sure it's charged first).

I added comments in the text and pictures that the supplied Windows Device drivers should be used ONLY if needed. Some versions of Windows install these automatically. EDIT: I removed the Windows device drivers and other unused stuff from the combined download package after reading the MfgTool source code EULA, so it is smaller to download and simpler to install. Instructions and screen captures have been updated as well.

Also, if your kindle battery is empty and will not charge, it appears to charge faster while in fastboot mode. You can just reboot your computer when done, and it will boot to its previously save bootmode.

You can recover a damaged kindle from Diagnostics mode by mounting the root partition and replacing missing or damaged files on it. You can also replace the root partition with a copy of a backup image file.

To recover from a full /var/local (collections database too large), you can delete files in /var/local, or you can copy /dev/zero onto /dev/mmcblk0p3 to destroy /var/local, and the next reboot will create a fresh empty /var/local.

[thatworkshop]

Quote:

Originally Posted by geekmaster

You can recover a damaged kindle from Diagnostics mode by mounting the root partition and replacing missing or damaged files on it. You can also replace the root partition with a copy of a backup image file.

First and foremost, thank you very much geekmaster AGAIN. Diags mode was successful and I recovered my documents and books I bought... AWESOME!

1. So in diags mode, I'd imagine simply putting the following line in RUNME.sh and rebooting the Touch, will replace root partition with my backup image?

Code:

dd -if /mnt/us/bak/mmcblk0p1.bin -of /dev/mmcblk0p1 bs=1024

or is it more detailed, e.g. involving mount -o loop /dev/loop1 and such?

2. Is there a command for faculty restoring (factory resetting)? (oops brain-fart )

Feedback for fastboot mode: I rebooted my Touch and did the same procedure as for diags mode... in MfgTool, I Started the fastboot mode, Windows began automatically searching for driver, couldn't locate and gave error "No driver found". Checking Device Manager, I see a device called Kindle in "Other devices" section, but by setting the path for drivers manually (Driver folder of MfgTool) it still says suitable driver not found!!!... so nothing happens on my Kindle Touch in fastboot mode! O_o

3. Misc. individual dignostics > Utilities > Enable USBnet gives out correct information regarding IP... I wonder why it doesn't work out with ssh and we have to push reverse shell!

[Emrexcem]

Quote:

Originally Posted by cscat

First and foremost, thank you very much geekmaster AGAIN. Diags mode was successful and I recovered my documents and books I bought... AWESOME!

1. So in diags mode, I'd imagine simply putting the following line in RUNME.sh and rebooting the Touch, will replace root partition with my backup image?

Code:

dd -if /mnt/us/bak/mmcblk0p1.bin -of /dev/mmcblk0p1 bs=1024

or is it more detailed, e.g. involving mount -o loop /dev/loop1 and such?

2. Is there a command for faculty restoring?

Feedback for fastboot mode: I rebooted my Touch and did the same procedure as for diags mode... in MfgTool, I Started the fastboot mode, Windows began automatically searching for driver, couldn't locate and gave error "No driver found". Checking Device Manager, I see a device called Kindle in "Other devices" section, but by setting the path for drivers manually (Driver folder of MfgTool) it still says suitable driver not found!!!... so nothing happens on my Kindle Touch in fastboot mode! O_o

3. Misc. individual dignostics > Utilities > Enable USBnet gives out correct information regarding IP... I wonder why it doesn't work out with ssh and we have to push reverse shell!

i need that too

[geekmaster]

Quote:

Originally Posted by cscat

First and foremost, thank you very much geekmaster AGAIN. Diags mode was successful and I recovered my documents and books I bought... AWESOME!

1. So in diags mode, I'd imagine simply putting the following line in RUNME.sh and rebooting the Touch, will replace root partition with my backup image?

Code:

dd -if /mnt/us/bak/mmcblk0p1.bin -of /dev/mmcblk0p1 bs=1024

or is it more detailed, e.g. involving mount -o loop /dev/loop1 and such?

2. Is there a command for faculty restoring?

Feedback for fastboot mode: I rebooted my Touch and did the same procedure as for diags mode... in MfgTool, I Started the fastboot mode, Windows began automatically searching for driver, couldn't locate and gave error "No driver found". Checking Device Manager, I see a device called Kindle in "Other devices" section, but by setting the path for drivers manually (Driver folder of MfgTool) it still says suitable driver not found!!!... so nothing happens on my Kindle Touch in fastboot mode! O_o

3. Misc. individual dignostics > Utilities > Enable USBnet gives out correct information regarding IP... I wonder why it doesn't work out with ssh and we have to push reverse shell!

There are a number of options available to you.

From diags you can export the USB Drive to add a data.tar.gz to launch RUNME.sh, like is used in ixtab's jailbreak. You can make a backup copy of mmcblk0p1 with:

dd if=/dev/mmcblk0p1 of=/mnt/us/mmcblk0p1.img bs=1024

You can then export that to a host PC, where you can mount it, modify it, and use dd to write it back to /dev/mmcblk0p1. Or you can write it back with fastboot.

Or you can push a reverse shell to a host PC, then type linux commands at a root shell running in your kindle. You can repair your main partition from a root shell with:

mount /dev/mmcblk0p1 /mnt/mmc

then make repairs in /mnt/mmc/ which is where your "main" root is now mounted. Do not make changes to the diags root "/" that you booted from.

There will be more tools available soon (especially to assist with running RUNME.sh on a touch).

I do not know of any "driver" for fastboot mode. Yifanlu's kindle fastboot program communicates directly with the raw USB port using libusb (or equivalent), so no device driver is required. I have not tried the windows version. I use the linux version which works quite well (at least the parts that I needed). Thanks yifanlu!

Some files are removed from kindles before they are shipped. The touch is missing files needed to use SSH from diagnostics mode. Perhaps you can added the missing files later, to enable those menu items to function properly.

[geekmaster]

Quote:

Originally Posted by cscat

2. Is there a command for faculty restoring?

Actually, there are additional bootmodes of "factory" and "reset". I could create additional u-boots and add MfgTool Profiles for them. I did not do that because I have not tested those boot modes and I am not sure what they do at this time.

You can also set those bootmode values with the "idme" command, and I may try that later when my recovery tools are more complete.

There are also scripts in the kindles to do factory reset, and to place it in shipping mode (like when it first came out of the box).

*** Also, I have a tool similar to MfgTool for use by the Kindle 3, and I have source code so I can do custom u-boots for it too. I plan to add Kindle 3 "Select Boot" support in the future.

P.S. A reverse shell is easy, but I am trying to get dropbear SSH working. Getting close. I will provide a package that will be easy to install from diags, to provide SSH and to run RUNME.sh on the USB Drive if it finds one. I will use one of my "secret" jailbreak methods to do this, but it will make NO changes to the main or diags boot partitions, unless you select those options from a menu.

[ixtab]

Whoa, this looks awesome!

Is there any chance of having this for us non-Windows users?

I'm talking Linux, specifically, but maybe some MacOS folks would also be interested. If I missed something along the way and there is a way to do this on Linux (MacOS), any pointers are appreciated

Thanks!

[thatworkshop]

Quote:

Originally Posted by geekmaster

P.S. A reverse shell is easy, but I am trying to get dropbear SSH working. Getting close. I will provide a package that will be easy to install from diags, to provide SSH and to run RUNME.sh on the USB Drive if it finds one. I will use one of my "secret" jailbreak methods to do this, but it will make NO changes to the main or diags boot partitions, unless you select those options from a menu.

Oh yes, I did nc Lvm 192.168.15.244 -e /bin/sh but no luck! Just to say that I tried my best not to be spoonfed (as I don't like those who are like that) and I worked my *bum* off... But not having access to my Linux for time being, doing all these debricking operations in Windows is a catch!

Anyway, next I tried the following RUNME.sh script:

Code:

mntroot rw
echo "it works!" > /mnt/us/test.txt
factory_reset
mntroot ro

Here, 2nd line is just to see if the script is called. Then I put the data.tar.gz file in /mnt/us/. Exit from USB in diags mode, rebooted Kindle, didn't unplug the USB cable, and ... it didn't work. I can confirm that coming back to diags mode and seeing my USB, the RUNME.sh is not run!!!

Oh please don't disclose your secret jailbreak method until ... you know what I mean. Also, guess what geekmaster?! You're Awesome.

[geekmaster]

After reading the EULA (End User License Agreement) that is distributed with the MfgTools Source code (which includes Open Source code under various licenses including GPL), it looks like we are allowed to freely distribute MfgTool.exe as part of a package that is used to support Freescale devices (such as the CPU/SoC inside Kindles). What is not allowed is to distribute MfgTool.exe by itself, as a standalone application.

So, in agreement with the EULA, I repackaged MfgTool.exe along with my custom u-boot images and MfgTool Profiles. This reduced the total download size from about 70 MB to about 0.5 MB. It also greatly simplified installation, so I made new screen captures of the simplified installation process, and I modified previous posts to this thread using the simplified process, as you can see above in my previous posts.

Smaller faster download, less Internet usage, less disk space, less documentation, and less confusion.

If you actually need Windows USB/HID drivers for your version of Windows, and you cannot locate them elsewhere, please ask for them here.

[geekmaster]

Quote:

Originally Posted by ixtab

Whoa, this looks awesome!

Is there any chance of having this for us non-Windows users?

I'm talking Linux, specifically, but maybe some MacOS folks would also be interested. If I missed something along the way and there is a way to do this on Linux (MacOS), any pointers are appreciated

Thanks!

Awesome? That is the name of the Kindle Touch window manager. This looks nothing like that. But yes, I strive to make "highly awesomized" code. Thanks.

I am working on a Linux version of sb_loader, which can download and run u-boot images in the kindle. It is in progress...

In the mean time, I am using 64-bit Linux, and I thoroughly tested this in a 32-bit Windows XP Virtual Machine running in VirtualBox, by passing the Kindle USB port directly through to the Windows USB/HID device driver inside the VM.

MacOS can run XP using its built-in emulation, or you could install XP in QEMU or something.

I plan to make the sb_loader replacement cross-platform using libusb (and perhaps libSDL if we expand into full GUI-land).

[geekmaster]

Quote:

Originally Posted by cscat

Oh yes, I did nc Lvm 192.168.15.244 -e /bin/sh but no luck! Just to say that I tried my best not to be spoonfed (as I don't like those who are like that) and I worked my *bum* off... But not having access to my Linux for time being, doing all these debricking operations in Windows is a catch!

Anyway, next I tried the following RUNME.sh script:

Code:

mntroot rw
echo "it works!" > /mnt/us/test.txt
factory_reset
mntroot ro

Here, 2nd line is just to see if the script is called. Then I put the data.tar.gz file in /mnt/us/. Exit from USB in diags mode, rebooted Kindle, didn't unplug the USB cable, and ... it didn't work. I can confirm that coming back to diags mode and seeing my USB, the RUNME.sh is not run!!!

Oh please don't disclose your secret jailbreak method until ... you know what I mean. Also, guess what geekmaster?! You're awesome.

I have multiple secret jailbreaks (I have been busy). I will burn the one most likely to get "fixed" when they fix ixtab's jailbreak (depending on how thorough they are).

On the k4nt, diags gives you everything you need, but on the Touch, it needs a little "jailbreak" type of help to run RUNME.sh or to start a command shell. I have a working reverse shell, but that does not give you a command prompt, so it can be a little confusing about when your should type a command. I *almost* have SSH running, and that will also allow using vi or nano to edit scripts in the kindle.

[geekmaster]

I finally got SSH working in diags mode on the touch. The key was that after copying all the dropbear files from /mnt/mmc/* to /* (mmcblk0p1 to mmcblk0p2), I had to reboot the kindle before I could get it to work. For some reason, starting dropbear manually from inside a reverse shell caused "dropbear permission denied (publickey)" errors during SSH logins, but after rebooting, the "Enable USBnet" menu now starts SSH after you select Exit. You cannot login for about 20 seconds while dropbear starts up. Then it logs in fine. Surprisingly, the diags login is fionaXXX on my Touch (I was expecting mario, like K4NT diags uses).

I plan to add this to the diags part of my kindle recovery package, so a menu item will let you install SSH (from yifanlu's jailbreak package). I will also add menu items to install update and developer keys. I want to make it support plugins (similar to yifanlu's launch menu), so custom packages can be added to during repair and/or installation.

Things may start out a bit complicated, but they get streamlined and simplified as progress is being made. I will post a package here when I get it together.

I plan to use the diags tar bug, with a payload in /var/local/wan/info, and the "AR 11g factory test" used to trigger it. I requested that this be kept secret by those I shared it with, but it is now public (because we need a way to run our code in diags), so go ahead and use it. I will post my code using that method, which you can use as an example.