PW5 Getting UART and UART root shell on PW5

[trimen]

Hello,

I did a write-up about my progress with Kindle PW5.
So far, I've got working UART via USB C and I enabled root shell on it.

You can read about it here:
https://kb.taktpraha.cz/projects/kindlepw5

[shamanNS]

So, in summary: even that USB cable hardware mod couldn't restore a PW5 that was already bricked / bootlooped with storage not exported over USB?

[Wolf-HRB]

Could I use this method to downgrade my pw5 in order to jailbreak it?

[trimen]

By default, everything is disabled. You have no bootloader access, nor Linux shell.

In the u-boot source, I found that the u-boot determines the type of device by reading state of some GPIOs, but I didn't look into it properly yet.

I don't know, what will happen if some partitions become broken. I'll try it, but first I need to acquire HW for reading eMMC so I can do a full backup, before modifying the content of it.

My next plans are to reverse the u-boot binary to get some knowledge about functions, that were removed from the released source but are in present the production u-boot binary.

Also, the datasheet for the used CPU is unobtainable. Currently, I don't know about any process to load empty eMMC, as I'm still waiting for HW.

The whole point of my efforts is to be able to unlock the bootloader, which should enable low-level access to internal storage.

[Wolf-HRB]

if I support you a bootable pw5 full emmc backup, could you do more work on it?

[trimen]

I've got full eMMC backup via dd and netcat already.
The problem is not a missing eMMC image, but my current inability to restore eMMC content if I mess it up. (Or to be able to write to eMMCs in general)

So when I receive my eMMC reader, I'll do a backup.
Then I'll place a new empty eMMC chip inside and observe, what will happen. Maybe it will enter some kind of USB download mode.??

If not, then I'll try to look for JTAG on test pins with something like JTAGenum/JTAGulator.

If this will lead me nowhere, I'll make an automated test jig to periodically restart CPU with different logic levels on test pads that are static during startup and run and check UART/USB output.

In the datasheet for a different type of Mediatek CPU from the same family MT8x is information about bootloading, where you pull some GPIOs during start, and the CPU then enters UART download mode. Unfortunately, I found no other information about the process.

I'm mostly a HW guy, but I've got some friends that are experienced with binary reverse engineering. With them, we'll look into the u-boot binary to find out more about the unlocking feature.

Missing the datasheet for the MT8113 is a problem, as I cannot find anything about it, and the only info that I can get is from other CPU type datasheets.

[shamanNS]

Quote:

Originally Posted by trimen

I don't know, what will happen if some partitions become broken.

What I did to my first (jailbreak-ed) PW5 was: I broke the Upstart by introducing a syntax error ( by commenting-out the only line of code in a if/then block , a function call that calls the function that creates "/PRE_GM_DEBUGGING_FEATURES_ENABLED__REMOVE_AT_GMC" flag file) while editing (jailbreak) bridge.sh [edited all 3 copies of that file so in upstart services directory, in /var/local/mkk or wherever the fist backup is, and /mnt/us/mkk].

No idea if perhaps something bad happened to partitions and to eMMC chip while the device was stuck in bootloops for ~2 days until it drained the battery / until it displayed battery low screen.
Since then I charge the battery every couple of months and then unplug the battery to stop the bootloops. The behavior of that PW5 unit is still exactly the same as it was since that first reboot after botched bridge.sh edit.

[j.p.s]

Quote:

Originally Posted by trimen

I've got full eMMC backup via dd and netcat already.
The problem is not a missing eMMC image, but my current inability to restore eMMC content if I mess it up. (Or to be able to write to eMMCs in general)

I think there is more in the eMMC than reachable by dd. I don't know anything about eMMC layout and contents, but member eddie.t.h does, including writing to eMMC. There are things like serial numbers and more whose values need to be present in the correct places.

[Wolf-HRB]

One of my friends took off the emmc chip and make the mirror of the full disk, not the dd method

[trimen]

Quote:

Originally Posted by Wolf-HRB

One of my friends took off the emmc chip and make the mirror of the full disk, not the dd method

In that case, I would like to get it. It'll be useful for comparison.

[NiLuJe]

Quote:

Originally Posted by trimen

Missing the datasheet for the MT8113 is a problem, as I cannot find anything about it, and the only info that I can get is from other CPU type datasheets.

At a quick glance, it appears that the MT8110 is based on the MT8512... which is already a custom job for Amazon ;o). (But whose existence is at least acknowledged by MTK, which is more than can be said of its little brother ;p).

So, it's a custom job on top of a custom job, which doesn't really bode well for getting access to spec sheets :/.

[Wolf-HRB]

Here is the partition structure of the KPW5 8GB EMMC, if you need the real image file (which is a .bin file), I will upload it to my google drive after I get the share permission from my friend.

[studynet]

I need help, I tried to install the latest KUAL (coplate) thinking that the jalibreak would be updated, it failed, I got an error and it restarted.
It got stuck and I had to force restart it.
Now I have a paperweight, which I can do.
It restarts all the time and I can't do anything even by pressing the power button for 40 seconds and the computer doesn't detect it.
I find it incredible what happened.
It's a Kindle Power White 11th signature edition, I was delighted with everything.
what can i do??

My kindle is like this
https://www.youtube.com/watch?v=5QdSN8JQ0Ic
There is a moment when the pc detects a storage unit without access, but it disappears and I can't do anything.
In the end he will die and I understand that it is not good for the memory.
Can it be recovered?

I already had the kindle with a jailbreak done and the koreader working, the previous version.
I was very happy with how it worked and downloaded the new version and installed straight away.
It was supposed to update, but it didn't, it gave me an error and it crashed trying to install.

Update_KUALBooklet_hotfix_eb7e23d_install.bin

What I have installed was this file I put it in the MRPI folder and then start installation with KUAL package installer.
Something like that.
I'm surprised there's nothing to recover.
It's on an infinite reset and obviously this won't be good for memory I understand.
when I connect it to the computer it detects a drive and disconnects.
The device it detects is: Kindle Internal Storage USB Device
Any ideas?

[eddie.t.h]

Quote:

Originally Posted by Wolf-HRB

Here is the partition structure of the KPW5 8GB EMMC, if you need the real image file (which is a .bin file), I will upload it to my google drive after I get the share permission from my friend.

emmc memories have other areas such as two areas of the bootloader and rpmb, i.e. the encrypted part. Older kindle models kept all sensitive data (serial numbers, etc.) in this encrypted area. This area, as far as I know, cannot be copied to another memory using a programmer.

[Wolf-HRB]

what about the emmc mirroring? disregard the encryption, just full mirror. Because my friend is a 3rd party Kindle repair man, he fixed tonnes of KPW5 which stuck at the Tree screen (stuck at booting)