[Kindle Touch] Firmware 5.1.0 and jailbreak

[ixtab]

The data.tar.gz exploit has been fixed with FW 5.1.0.

The only relatively easy remaining jailbreak method is Method 3 from http://yifan.lu/p/kindle-touch-jailbreak/ .

However, at least if the mmcblk0p2_ssh.img diags partition is installed, this method fails at the last step. I.e.: the actual payload gets installed on the main partition, but exiting diags mode is impossible. It yields an error about some xml file missing every time (I don't remember the exact file name, but it's something like diags_info.xml or so). The only way to get out of diags mode is to ssh into it (assuming that it actually *is* an SSH-enabled diags partition!), and to issue "idme -d --bootmode main; reboot".

Can anybody confirm this? If so, is anybody willing to take a look at this, possibly coming up with a revised (probably even final) version of the jailbreak?

[geekmaster]

Quote:

Originally Posted by ixtab

The data.tar.gz exploit has been fixed with FW 5.1.0.

I have another method that uses an unescaped user input bug in the diags menu, to run a runme.sh and install diags ssh with no flashing needed. I was saving it for when data.tar.gz no longer works. Do we need it now?

That diags_ssh came from dasmoover, and I added the ssh files to it. Perhaps we should build a new one from a "factory original" diags partition? Does somebody have one they can PM me a link to? Perhaps it is a version mismatch between the diags kernel and partition.

I will put ssh in the good one...

EDIT: Perhaps I should include my touchscreen onscreen keyboard and console in the new jailbreak? And GUI buttons and stuff. (No custom code -- only sh script that uses a few built-ins)...

[seaniko7]

Wouldn't it be easier to modify 5.1 update. We could include older busybox, userstore files from /etc, remove sanity checks and sign it with jailbreak key...

Btw, lab126 has implemented ARM NEON in kernel, which speeds up e-ink display a little.

[geekmaster]

Quote:

Originally Posted by seaniko7

Wouldn't it be easier to modify 5.1 update. We could include older busybox, userstore files from /etc, remove sanity checks and sign it with jailbreak key...

Btw, lab126 has implemented ARM NEON in kernel, which speeds up e-ink display a little.

Okay then, I need a 5.1 diags partition image to add SSH to it... Anybody got one for me?

[geekmaster]

I am cleaning up my onscreen keyboard and console shell, to use with my jailbreak that *should* probably work with the new firmware. But... I *need* a new diags partition image to test it. It exploits a bug in the diags menu. I need to see if it still works before I release it to a flood of complaints if it was fixed.

Could somebody please supply me with a link to a compressed (.zip or .gz is fine) mmbclk0p2.img for 5.1.0? Put it on mediafire or wherever... Thanks.

I will release my new jailbreak AFTER I test it on a 5.1.0 diags partition...

Do I *really* need to start a NEW thread for this request to get noticed by somebody who will take the time and effort to do this for me?

[ixtab]

I'm pretty sure that the update does not change the diags partition. At least, after reverting to 5.0.0, then updating to 5.1.0 using this method, SSH was still available on the diags partition.

There might have been some file updates though. If noone else does it till then, I'll send you a dump when I get back home (still some 6-8h to go).

[wolftail]

Quote:

Originally Posted by ixtab

However, at least if the mmcblk0p2_ssh.img diags partition is installed, this method fails at the last step. I.e.: the actual payload gets installed on the main partition, but exiting diags mode is impossible. It yields an error about some xml file missing every time (I don't remember the exact file name, but it's something like diags_info.xml or so). The only way to get out of diags mode is to ssh into it (assuming that it actually *is* an SSH-enabled diags partition!), and to issue "idme -d --bootmode main; reboot".

Can anybody confirm this? If so, is anybody willing to take a look at this, possibly coming up with a revised (probably even final) version of the jailbreak?

After doing some of the tests in diagnostics, the file is created. I don't remember exactly which tests but I was able to exit. (This has also happened to me some time ago when I played with the diags the first time after getting my Kindle.)
PS: I have successfully jailbroken my 5.1 Kindle. Thanks!

[thomass]

Quote:

Originally Posted by geekmaster

Could somebody please supply me with a link to a compressed (.zip or .gz is fine) mmbclk0p2.img for 5.1.0? Put it on mediafire or wherever... Thanks.

Ok, I'm here
Just created one and uploading to dropbox. However my internet is really slow.

[geekmaster]

Quote:

Originally Posted by wolftail

After doing some of the tests in diagnostics, the file is created. I don't remember exactly which tests but I was able to exit. (This has also happened to me some time ago when I played with the diags the first time after getting my Kindle.)
PS: I have successfully jailbroken my 5.1 Kindle. Thanks!

Actually, I remember that problem when my touch was new. It went away after running the diagnostics which created the missing file.

Perhaps we need to do that to the diags partition with ssh, and then repost it. That will eliminate a lot of confusion for many people, I think...

Thanks for the reminder... A little karma bump for that.

[geekmaster]

Quote:

Originally Posted by thomass

Ok, I'm here
Just created one and uploading to dropbox. However my internet is really slow.

OK. I will be looking for the link to it.

[wolftail]

After updating to the new firmware I had a problem. At every reboot the kindle would go into the Kindle needs repair screen. The only way to prevent this was to connect my kindle to a computer so that it would go directly into the USB drive mode. After disconnecting, it would return to the main menu.

The cause of this was the fact that I had installed some custom fonts but I removed the custom libfreetype. The fonts displayed correctly in the UI but caused some boot hiccups. After installing the custom libfreetype, the problem went away. I posted this so that if anyone has the same problem, they will be able to get their Kindle to work again.

Now the only problem left is that I cannot edit fonts anymore as the fonthack is incompatible with the new firmware. All Dev Apps refuse to open, throwing the same error (App incompatible, please update Kindle). (Krosswords does this too for me.) This does not bother me too much at the moment because I am happy with my custom fonts. One question tough: If I run the fonthack uninstaller, would the fonts return to default?

[eureka]

5.1.0 doesn't change diags partition.

/var/local/system/locale and /var/local/system/tzVar aren't sourced anymore in upstart scripts, but rather parsed. data.tar.gz extraction step is removed from appropriate upstart script.

But there is something new. /var/local/system/fixup and /var/local/system/onetimefixup are checked for existence and (on success) executed. And if /var/local/system/onetimefixup had been executed, it will be deleted afterwards.

[geekmaster]

Quote:

Originally Posted by eureka

5.1.0 doesn't change diags partition.

/var/local/system/locale and /var/local/system/tzVar aren't sourced anymore in upstart scripts, but rather parsed. data.tar.gz extraction step is removed from appropriate upstart script.

But there is something new. /var/local/system/fixup and /var/local/system/onetimefixup are checked for existence and (on success) executed. And if /var/local/system/onetimefixup had been executed, it will be deleted afterwards.

Those look like excellent payload destinations. I have a jailbreak method triggered from the diags menu that will deposit them (if it has not been fixed).

[thomass]

Quote:

Originally Posted by geekmaster

OK. I will be looking for the link to it.

mmcblk0p2.zip: http://db.tt/aAbjBNqE

[geekmaster]

UPDATE: The following information is for the diags partition that comes factory installed on the new kindles shipped with 5.1.0. The 5.1.0 update package does not install these changes on a kindle with older firmware. I flashed this new diags partition to my kindle touch, and there is an image file available with SSH pre-installed (see the "simple debricking" thread for download links).

I just compared that 5.1.0 diags image to my virgin 5.0.0 diags image. There are 153 files that are different, but a lot of those are symlinks.

5.0.0 diags: /etc/version.txt:
Software System Version: 137022-diags_signed-137022
Thu Nov 3 11:23:42 PDT 2011

5.1.0 diags: /etc/version.txt:
Software System Version: 137333-diags_signed-137333
Wed Nov 9 15:20:31 PST 2011

The shadow files are different too (as expected). The root passwords have different hashes. The diags root password is fiona180, which is probably derived from the serial number of the kindle that contained this image. For the diags_ssh, I changed the root password to use the mario hash, so it was not locked to a serial number.

/etc/guid is different too (also as expected).

/etc/fstab is different. It now contains the nfs mount , and the usb drive now had "nonempty" removed from it.

Many binary files are different in /bin, /sbin, /usr/bin, and /usr/sbin.

libcrypto.so is different.

mx50_yoshi_mma8453.ko is different.

And... /opt/factory/system_diags is different! This means that my jailbreak "secret" method might not work. I will need to flash this and test it.

So... in general... EVERYTHING that matters is DIFFERENT in the new diags partition that comes installed on new kindles.

EDIT: Thanks thomass!

UPDATE: /opt/factory/diagrootfs_md5_list is different. Specifically. these lines have changed:

Code:

----- old -----
33bb5670b73099ddd50f6ee546e1bbff  /etc/version.txt
8902ff941a46977702d2952933b12a72  /bin/busybox
e923c5541dd69c079cdc448f02814320  /usr/sbin/lsof
cd7029e00ecbfe87f4f0932ac774bf9d  /usr/lib/libcrypto.so.0.9.8
f4c4de1bc9a347eb48415ce52ee3423e  /opt/factory/system_diags
0b8f019fdb714ce8a2cc4b131b76f919  /sbin/mkfs
cb982256e7d68879a398180c0cc2fa81  /lib/modules/2.6.31-rt11-lab126/kernel/arch/arm/mach-mx5/mx50_yoshi_mma8453.ko
----- new -----
8247740e27c9e1ec9fc939d39567e798  /etc/version.txt
5e3150ccf41f5567d05c5857ad43a8f3  /bin/busybox
3732f0fd1eb61ada6759888c849abc5d  /usr/sbin/lsof
72db7538d8c6e5e74d2adf8e90482f0b  /usr/lib/libcrypto.so.0.9.8
94ed963e40ac6c894a219fbb1adcf216  /opt/factory/system_diags
3eb798198f269aea41cc2bbf97c4d2a9  /sbin/mkfs
747f02d7dba82c7e0ed572beeeebbdbb  /lib/modules/2.6.31-rt11-lab126/kernel/arch/arm/mach-mx5/mx50_yoshi_mma8453.ko
---------------

Also, there is a new file: /opt/ar6k/target/AR^003/hw2.1.1/bin/AR6003_calfile.bin

(As mentioned above, these changes are not installed when you update old firmware to 5.1.0 using the firmware update install package.)