KOA3 Serial jailbreak resources

Junket · 01-09-2020, 04:12 PM

I've been meaning to look closer at the Oasis3 (2019 model) for a while but haven't done so yet. A serial port connection would surely be helpful but as far as I know the connection points for this have not been identified yet.

Below are some resources e.g. data sheets and application notes that I have collected so far. These should be a good starting point for anyone who wants to pursue this further. There are some unconfirmed assumptions here, such as the Oasis 3 (2019) using the NXP (ARM) i.MX 7D processor (same as the KOA2). I'll try to physically confirm the processor model when I have an OA3 in hand.

The i.Mx 7D is a low-power, dual processor. A7 (ARM) processor (800 Mhz - 1.2 Ghz) x2 and M4 co-processor (200 Mhz) x2.

Architecture Overview (block diagram, png)
i.MX 7 Series Processors Product Selector
i.MX 7D datasheet (PDF)
i.MX_Code signing tool (REV 3.3.0) (Download, GZ)
i.MX High Assurance Boot Reference Code signing tool (REV 3.1.0) (Download, GZ)
AN12056 Encrypted Boot on HABv4 and CAAM Enabled Devices (PDF)
AN12554 Demo Application to Generate Red/Black Blobs Using CAAM and Encrypt/Decrypt Data (PDF)
AN12210 Tampering Application for i.MX7Dsabresd (PDF)
AN5317 Loading Code on Cortex-M4 from Linux for the i.MX 6SoloX and i.MX 7Dual/7Solo Application Processors (PDF)
i.MX 7Solo, i.MX 7Dual Fact Sheet (REV 1) (PDF)
AN4553 Using Open Source Debugging Tools for Linux on i.MX Processors (PDF)
NXP iMX7D Developer's forum (1446 questions)

L4.1.15_2.0.0_LINUX_DOCS (REV L4.1.15_2.0.0) (GZ)
i.MX 7Dual Applications Processor Reference Manual (REV 1) (PDF)
i.MX 7Dual Applications Processor Reference Manual (REV 0.1) (PDF)
Hardware Development Guide for i.MX7Dual and 7Solo Applications Processors (REV 0) (PDF)

Security Reference Manual for i.MX 7Dual and 7Solo Applications Processors (IMX7DSSRM.pdf)
(registration, corporate approval, assigned rep required) ./

Cortex M-series Technical Reference Manual (PDF)
CoreSight Components Reference Manual (PDF)

Working with Cortex-M4 on i.MX7 Dual (PDF)
iMX (Linux) Reference Manual (PDF)
Getting Started with Android on iMX based Com boards (PDF)
iMX Linux BSP Porting Guide (PDF)

Development boards are available from NXP @ $249 USD. Boards include JTAG and Debug (UART via USB) ports. There are also a lot of code samples, source, sample kernels, binaries and application notes available, much of which require creating an account to access. On the development board, a 20-pin header, with the standard ARM JTAG pinout is used for the JTAG interface (see below). Development boards from third-party vendors start at $70 USD.

Serial port debug access, on the iMX7D Sabre development board at least, is via the USB port. If the implementation is similar on the OA3, you can think of it as a built in serial port (UART) adapter. Standard micro-USB cable and a terminal program. 115200 baud, 8 data, 1 stop, no parity.
/dev/ttyUSB*

Quick Start Guide: Get Started with the MCIMX7SABRE (Development Board) (PDF)
iMX7Dual COM Datasheet (PDF)
Variscite iMX7 Development board Datasheet (PDF)
Sample Linux 4.14.78 kernel for Variscite iMX7 & Development guide
Compulab iMX7D SOM Reference Guide (PDF)

Arm Cortex processors can make use of Serial Wire Debug (SWD or ARM's acronym, SWJ-DP), which are JTAG variants using 2 or 3 signal pins (orange labels), instead of the traditional 4 pins. So serial access may be via 2, 3 or 4 pins on the OA3. And UART access is likely available through the USB port as well. Serial port and JTAG are often used interchangeably as their use overlaps but true serial is asynchronous, where JTAG (and confusingly, SWD) are synchronous.

SWD pins are overlaid on the JTAG architecture, a good explanation of the pinouts can be found here. Also see section 2.4 in the Hardware Development guide.
iMX JTAG (Schematic, showing pinouts & resistor wiring)
Segger iMX7D debugging

ARM Whitepaper describing the use of SWD
ARM Whitepaper /Introduction to CoreSight (Debug and Trace) (PDF)

When trying to confirm where JTAG pins are on a device board, it's helpful to use some simple code to look for patterns which identify JTAG pins. Google for "jtag finder", one example here

Android version is most likely 7.1.1. (8.0.0 possible) according to the NXP Developers Forum.
Summary of Android 7.1.1 source code BSP (4.1 kernel) (Download)
i.MX Android N7.1.1_1.0.0 BSP Documentation (Download)
Summary of Android 8.0.0 source code & documentation (Download)
Android 8.0.0 Application Documents (Download)
Android 8.1.0 Application Documents (Download)
i.MX 6/7 Android proprietary source code (Download)
Linux Manufacturing Toolset Quick start docs (docx) (Download, 7z)
Linux Manufacturing Toolset L4.9.88 2.0.0 (GZ, 1.3 GB) - write eMMC at factory,
shell commands, end-user debrick

knc1 · 01-09-2020, 05:03 PM

geekmaster was able to determine that one of the Kindle models was using the 3-wire JTAG.
I don't recall which model he was working with, one of the early ones for certain since he died in 2018 (June IIRC).

Junket · 01-09-2020, 05:25 PM

That could have been the OA2 (2017).

In any case it makes sense as NXP heavily favours the SWD (3-pin interface), with less documentation and support for other variants.

edit:
@knc1
found this post that Geekmaster made about PW3: 3-wire JTAG

NiLuJe · 01-09-2020, 10:54 PM

IIRC, the Zelda devices use the i.MX 7D (which means, yeah, I have no idea what they use the extra M4 for ;p).

Junket · 01-10-2020, 12:53 AM

It's dual core! You know that you want one!

brendandebeasi · 11-16-2023, 04:40 PM

I am working to achieve a hardware jailbreak. Thank you for the posted info!

I have photos of specific chips inside the KOA3 in my post here

LMK if anybody is interested in working together

01-09-2020, 04:12 PM	#1
Junket Nil adsuetudine maius Posts: 278 Karma: 500000 Join Date: Nov 2019 Location: US Device: PW4	KOA3 Serial jailbreak resources I've been meaning to look closer at the Oasis3 (2019 model) for a while but haven't done so yet. A serial port connection would surely be helpful but as far as I know the connection points for this have not been identified yet. Below are some resources e.g. data sheets and application notes that I have collected so far. These should be a good starting point for anyone who wants to pursue this further. There are some unconfirmed assumptions here, such as the Oasis 3 (2019) using the NXP (ARM) i.MX 7D processor (same as the KOA2). I'll try to physically confirm the processor model when I have an OA3 in hand. The i.Mx 7D is a low-power, dual processor. A7 (ARM) processor (800 Mhz - 1.2 Ghz) x2 and M4 co-processor (200 Mhz) x2. Architecture Overview (block diagram, png) i.MX 7 Series Processors Product Selector i.MX 7D datasheet (PDF) i.MX_Code signing tool (REV 3.3.0) (Download, GZ) i.MX High Assurance Boot Reference Code signing tool (REV 3.1.0) (Download, GZ) AN12056 Encrypted Boot on HABv4 and CAAM Enabled Devices (PDF) AN12554 Demo Application to Generate Red/Black Blobs Using CAAM and Encrypt/Decrypt Data (PDF) AN12210 Tampering Application for i.MX7Dsabresd (PDF) AN5317 Loading Code on Cortex-M4 from Linux for the i.MX 6SoloX and i.MX 7Dual/7Solo Application Processors (PDF) i.MX 7Solo, i.MX 7Dual Fact Sheet (REV 1) (PDF) AN4553 Using Open Source Debugging Tools for Linux on i.MX Processors (PDF) NXP iMX7D Developer's forum (1446 questions) L4.1.15_2.0.0_LINUX_DOCS (REV L4.1.15_2.0.0) (GZ) i.MX 7Dual Applications Processor Reference Manual (REV 1) (PDF) i.MX 7Dual Applications Processor Reference Manual (REV 0.1) (PDF) Hardware Development Guide for i.MX7Dual and 7Solo Applications Processors (REV 0) (PDF) Security Reference Manual for i.MX 7Dual and 7Solo Applications Processors (IMX7DSSRM.pdf) (registration, corporate approval, assigned rep required) ./ Cortex M-series Technical Reference Manual (PDF) CoreSight Components Reference Manual (PDF) Working with Cortex-M4 on i.MX7 Dual (PDF) iMX (Linux) Reference Manual (PDF) Getting Started with Android on iMX based Com boards (PDF) iMX Linux BSP Porting Guide (PDF) Development boards are available from NXP @ $249 USD. Boards include JTAG and Debug (UART via USB) ports. There are also a lot of code samples, source, sample kernels, binaries and application notes available, much of which require creating an account to access. On the development board, a 20-pin header, with the standard ARM JTAG pinout is used for the JTAG interface (see below). Development boards from third-party vendors start at $70 USD. Serial port debug access, on the iMX7D Sabre development board at least, is via the USB port. If the implementation is similar on the OA3, you can think of it as a built in serial port (UART) adapter. Standard micro-USB cable and a terminal program. 115200 baud, 8 data, 1 stop, no parity. /dev/ttyUSB* Quick Start Guide: Get Started with the MCIMX7SABRE (Development Board) (PDF) iMX7Dual COM Datasheet (PDF) Variscite iMX7 Development board Datasheet (PDF) Sample Linux 4.14.78 kernel for Variscite iMX7 & Development guide Compulab iMX7D SOM Reference Guide (PDF) Arm Cortex processors can make use of Serial Wire Debug (SWD or ARM's acronym, SWJ-DP), which are JTAG variants using 2 or 3 signal pins (orange labels), instead of the traditional 4 pins. So serial access may be via 2, 3 or 4 pins on the OA3. And UART access is likely available through the USB port as well. Serial port and JTAG are often used interchangeably as their use overlaps but true serial is asynchronous, where JTAG (and confusingly, SWD) are synchronous. SWD pins are overlaid on the JTAG architecture, a good explanation of the pinouts can be found here. Also see section 2.4 in the Hardware Development guide. iMX JTAG (Schematic, showing pinouts & resistor wiring) Segger iMX7D debugging ARM Whitepaper describing the use of SWD ARM Whitepaper /Introduction to CoreSight (Debug and Trace) (PDF) When trying to confirm where JTAG pins are on a device board, it's helpful to use some simple code to look for patterns which identify JTAG pins. Google for "jtag finder", one example here Android version is most likely 7.1.1. (8.0.0 possible) according to the NXP Developers Forum. Summary of Android 7.1.1 source code BSP (4.1 kernel) (Download) i.MX Android N7.1.1_1.0.0 BSP Documentation (Download) Summary of Android 8.0.0 source code & documentation (Download) Android 8.0.0 Application Documents (Download) Android 8.1.0 Application Documents (Download) i.MX 6/7 Android proprietary source code (Download) Linux Manufacturing Toolset Quick start docs (docx) (Download, 7z) Linux Manufacturing Toolset L4.9.88 2.0.0 (GZ, 1.3 GB) - write eMMC at factory, shell commands, end-user debrick Last edited by Junket; 01-10-2020 at 03:57 PM. Reason: add resources

01-09-2020, 05:25 PM	#3
Junket Nil adsuetudine maius Posts: 278 Karma: 500000 Join Date: Nov 2019 Location: US Device: PW4	That could have been the OA2 (2017). In any case it makes sense as NXP heavily favours the SWD (3-pin interface), with less documentation and support for other variants. edit: @knc1 found this post that Geekmaster made about PW3: 3-wire JTAG Last edited by Junket; 01-10-2020 at 04:11 PM.

01-10-2020, 12:53 AM	#5
Junket Nil adsuetudine maius Posts: 278 Karma: 500000 Join Date: Nov 2019 Location: US Device: PW4	It's dual core! You know that you want one! Last edited by Junket; 01-11-2020 at 11:40 AM. Reason: dual core

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Is serial jailbreak possible on KT4?	domx	Kindle Developer's Corner	10	01-07-2020 03:24 PM
Failed Serial Jailbreak	dav9317	Kindle Developer's Corner	2	09-16-2018 03:10 PM
Serial Jailbreak on 5.8.9?	Cambion	Kindle Developer's Corner	16	01-21-2018 08:02 PM
jailbreak KV via serial port?	procyon	Kindle Developer's Corner	1	08-01-2017 05:34 AM
How To Jailbreak By Serial Port	P_Chang	Kindle Developer's Corner	10	01-03-2015 04:17 PM

01-09-2020, 05:03 PM	#2
knc1 Going Viral Posts: 17,212 Karma: 18210809 Join Date: Feb 2012 Location: Central Texas Device: No K1, PW2, KV, KOA	geekmaster was able to determine that one of the Kindle models was using the 3-wire JTAG. I don't recall which model he was working with, one of the early ones for certain since he died in 2018 (June IIRC).

01-09-2020, 10:54 PM	#4
NiLuJe BLAM! Posts: 13,491 Karma: 26012494 Join Date: Jun 2010 Location: Paris, France Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E	IIRC, the Zelda devices use the i.MX 7D (which means, yeah, I have no idea what they use the extra M4 for ;p).

11-16-2023, 04:40 PM	#6
brendandebeasi Junior Member Posts: 7 Karma: 10 Join Date: Oct 2023 Device: Kindle Oasis 3	I am working to achieve a hardware jailbreak. Thank you for the posted info! I have photos of specific chips inside the KOA3 in my post here LMK if anybody is interested in working together

Advert

Advert