Recovering a formatted or corrupt Kindle 2

One day, while playing around with a Kindle 2, I accidentally deleted the /lib folder. Oops. Now no command beyond “ls” and “rm” works (every dynamically linked binary needs the shared libraries that lived in /lib). If this were a computer, I could simply have inserted an installation DVD and copied the files over, but this was an eBook reader, and I was in for a world of pain. That was a month ago, and I’ve finally recovered the Kindle. I’m posting what I did online to save anyone else in the same boat a ton of time. This tutorial is designed only for the Kindle 2, but it MAY work for the DX. It will NOT work for the Kindle 3, although the directions should be similar.

First

If you think you’ve “bricked” your Kindle, don’t panic yet. There may be an easy solution. If you can still see the startup progress bar loading, the fix is probably simpler than what follows (although I can’t tell you exactly what your problem is). Follow Amazon’s troubleshooting directions first. Only proceed if you are absolutely sure nothing else can be done.

Overview

Here’s what you’ll need

  1. TTL-level serial to RS232 or USB adapter. I used this one. For that adapter, put the jumper on pins 1 and 2 of the three-pin header (pin 1 is the one towards the USB port). The Kindle 2 recovery port is 3.3V logic (the Kindle 3 is 1.8V, see the comments below), so make sure the adapter is set to 3.3V. Connect Kindle Tx -> Tx, Rx -> Rx, GND -> GND, VDD -> VDD.

  2. Windows with HyperTerminal (I tried Kermit on Linux, but it couldn’t send files; HyperTerminal is the only program I’ve tested that successfully sends files to the Kindle).

  3. Linux or Unix-based computer with “dd” and “ssh”

  4. My custom recovery kernel, which accepts jailbreak-signed recovery packages and exports MMC0 without a password. If you want the technical details of how I made it, see the appendix.

Here’s what we’ll be doing:

  1. Attaching the recovery port

  2. Flashing the custom patched recovery kernel

  3. Obtaining a backup of Kindle system files

  4. Restoring your Kindle

Attaching the recovery port

First open up the Kindle 2 to reveal the PCB. Remove both the metal casing and the white plastic, with all the screws. At the top, to the left of the headphone jack, you should see four pads labeled J4. Either solder (recommended) or tape (make sure it isn’t loose!) four wires to these pads. The order of the pads (left to right, where left is towards the volume switch) is: VDD, Rx, Tx, GND. Connect these lines to your TTL adapter and connect the adapter to your computer.

Flashing the custom patched recovery kernel

Open up HyperTerminal and connect to your adapter. Click “Configure” and fill in the settings: BPS: 115200, Data bits: 8, Parity: none, Stop bits: 1, Flow control: none. Then restart your Kindle, either by removing and reconnecting the battery, holding the sleep switch for 30 seconds, or tapping the reset switch on the PCB. Press Enter as soon as text appears in HyperTerminal: you only have one second to interrupt the autoboot, so be quick.

At the U-Boot prompt, type “run prg_kernel_serial” (type fast, or U-Boot will time out). Then right-click on the text and choose “Send File”. Under protocol, choose Ymodem-G, and for the file select my custom kernel. Wait a few minutes for it to upload and install, then type “bootm 0xa0060000” to boot the kernel. The Kindle has two kernel slots that it alternates between on each boot, so if you want to keep using my recovery kernel you need to either flash it into the other slot as well or type “bootm 0xa0060000” at the U-Boot prompt on each startup.

Hold down Enter, either on your computer or on the Kindle keypad, to enter the recovery menu. The recovery menu times out after 10 seconds, so you need to be quick. First type “I” to recreate all the partitions (this is destructive: anything still on the device’s flash should be considered gone), then type “3” to export the MMC. Again, these can be typed either from your keyboard in HyperTerminal or from the Kindle keypad. If you no longer have HyperTerminal available because you are doing the restore from Linux, you can get back here by holding Enter on the Kindle keypad and pressing 3 in the recovery menu.

Obtaining a backup of Kindle system files

Let’s put your broken Kindle aside. You need a working copy of the Kindle’s system files. I cannot provide this for legal reasons, but if you can get hold of another Kindle 2 (preferably the same model and firmware version as your broken one, though others MAY work [not the Kindle 3 though… yet]), jailbreak it and install the usbNetwork hack for SSH access. Make sure that Kindle has at least 500MB of free space on the FAT partition to store the backup image. Once you’ve SSHed into the working Kindle (there are plenty of tutorials on this), issue the following command:

dd if=/dev/mmcblk0p1 of=/mnt/us/rootfs.img bs=1024   # image the root partition (p1) onto the FAT partition, which is what USB storage exposes
md5sum /mnt/us/rootfs.img                            # note the checksum and compare it after copying the image off the Kindle (busybox md5sum, if present)

Note that this copies only the OS files. Personal information, passwords, books, etc. live on the other partitions and are not copied, so you can reassure whoever lends you the Kindle. The command may take five to fifteen minutes to run; when it returns with the number of blocks written, you can disable usbNetwork and enable USB storage again. Copy the rootfs.img file over to your recovery computer and prepare to restore.

Restoring your Kindle

Back to your broken Kindle. You need to reformat the root and copy over the backup files. I moved the Kindle over to a Linux computer because it is easier. You could also use OS X or perhaps even Cygwin, but I haven’t tested those. In a shell, type the following commands:

sudo su # Become root, so you don't need to sudo everything
fdisk -l # Look for your Kindle's identifier, something like /dev/sdc: a 2GB drive with 4 partitions. I will use /dev/sdX to represent this drive
blockdev --getsize64 /dev/sdX1; stat -c %s /path/to/rootfs.img # Check that the image is no larger than partition 1 before writing, and that sdX really is the Kindle: the next two commands destroy whatever is on the device you name
mkfs.ext3 /dev/sdX2 # Make an ext3 filesystem for /var/local
dd if=/path/to/rootfs.img of=/dev/sdX1 bs=1M # This will take a long time to finish
sync # Make sure the writes have reached the Kindle before you unplug it
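Before running the mkfs and dd lines above it is worth confirming from the partition table that the disk you named really is the exported Kindle and that rootfs.img fits in partition 1, because nothing in dd stops you from overwriting your workstation’s own disk. The following Python script is an added example and is not part of the original post: it reads the first sector of the device, parses the classic MBR partition entries (the layout fdisk -l lists; this assumes an MBR rather than a GPT table, which is what a 2011-era fdisk would show for the exported MMC) and refuses when the disk is not roughly 2GB with four partitions or when the image is larger than partition 1. The sample MBRs it builds are constructed for the demonstration, not dumps of a real Kindle.

```python
import os
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte partition entries follow, then 0x55AA
EXPECTED_PARTITIONS = 4         # what fdisk -l shows for the exported Kindle 2 MMC
EXPECTED_DISK_BYTES = 2 * 1024 ** 3


def parse_mbr(mbr):
    """Return the non-empty primary partition entries of a classic MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; is this really the exported MMC?")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0 and sectors != 0:
            parts.append({"index": i + 1, "type": ptype,
                          "lba_start": lba_start, "bytes": sectors * SECTOR})
    return parts


def restore_problems(mbr, disk_bytes, image_bytes, tolerance=0.25):
    """List reasons NOT to run mkfs/dd on this disk; an empty list means go ahead."""
    try:
        parts = parse_mbr(mbr)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(parts) != EXPECTED_PARTITIONS:
        problems.append("expected %d partitions, found %d" % (EXPECTED_PARTITIONS, len(parts)))
    if abs(disk_bytes - EXPECTED_DISK_BYTES) > tolerance * EXPECTED_DISK_BYTES:
        problems.append("disk is %d bytes, not roughly 2GB" % disk_bytes)
    if parts and parts[0]["bytes"] < image_bytes:
        problems.append("rootfs.img (%d bytes) does not fit in partition 1 (%d bytes)"
                        % (image_bytes, parts[0]["bytes"]))
    return problems


def check_device(dev_path, image_path):
    """Read the real MBR and sizes from a block device (needs root) and check them."""
    with open(dev_path, "rb") as dev:
        mbr = dev.read(SECTOR)
        disk_bytes = dev.seek(0, os.SEEK_END)
    return restore_problems(mbr, disk_bytes, os.path.getsize(image_path))


def build_sample_mbr(layout):
    """Constructed fixture: an MBR with the given (type, lba_start, sectors) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba_start, sectors) in enumerate(layout):
        off = MBR_TABLE_OFFSET + 16 * i
        mbr[off + 4] = ptype
        mbr[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed layouts: a Kindle-like 2GB MMC with four partitions, and a 32GB USB stick
# that must be refused. Sizes are illustrative, not measured from a real device.
KINDLE_LIKE = build_sample_mbr([(0x83, 16, 1_300_000), (0x83, 1_300_016, 100_000),
                                (0x83, 1_400_016, 100_000), (0x0b, 1_500_016, 2_400_000)])
USB_STICK = build_sample_mbr([(0x0c, 2048, 62_500_000)])

if __name__ == "__main__":
    print("kindle-like:", restore_problems(KINDLE_LIKE, 2 * 1024 ** 3, 600 * 1024 ** 2))
    print("usb stick:  ", restore_problems(USB_STICK, 32 * 1024 ** 3, 600 * 1024 ** 2))
```

On the real device, run check_device('/dev/sdX', '/path/to/rootfs.img') as root and only proceed with mkfs and dd when it returns an empty list.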

Note that an alternative is to gzip rootfs.img and place it in a recovery package created with kindle_update_tool.py, but I’ll leave that as an exercise for the reader.

Appendix

So, what is in the magical Kindle recovery kernel? It’s actually just a regular Kindle kernel recompiled with a modified initramfs containing a patched recovery utility. With the regular kernel you run into two difficulties when trying to recover. First, if you press 3 to export MMC0, you get a password prompt. Good luck brute forcing it. Second, if you build a custom recovery package using kindle_update_tool.py m --k2 --sign --fb, it will be rejected by the signature check. What I did was patch both checks.

First, I extracted the recovery-utils file: I stripped the uImage header off the kernel image, gunzipped what was left, and pulled the gzipped initramfs.cpio out of that. Then I extracted initramfs.cpio and found recovery-utils under /bin.
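The following Python script is an added example, not code from the original post, that automates that carving step: it checks the 64-byte uImage header (magic 0x27051956), gunzips the payload behind it, scans the resulting kernel for an embedded gzip stream whose content is a “newc” cpio archive, and walks the archive to locate bin/recovery-utils. The image it operates on is a constructed fixture with exactly that layout; a real Kindle kernel image is much larger and may embed or compress its initramfs differently, so the gzip-inside-gzip layout is an assumption that matches the description above, not a guarantee.

```python
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HEADER_LEN = 64           # fixed-size U-Boot legacy image header
GZIP_MAGIC = b"\x1f\x8b\x08"     # ID1, ID2, CM=deflate
NEWC_MAGIC = b"070701"           # SVR4 cpio without CRC ("newc")


def _pad4(n):
    return (-n) % 4


def build_newc_cpio(files):
    """Constructed fixture: pack {name: data} into a newc cpio archive."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        mode = 0o100755 if data else 0
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name.encode() + b"\0" + b"\0" * _pad4(110 + len(name) + 1)
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def list_newc_cpio(blob):
    """Walk a newc archive; return {name: (offset_of_data, data)}."""
    entries, pos = {}, 0
    while blob[pos:pos + 6] == NEWC_MAGIC:
        hdr = blob[pos + 6:pos + 110]
        fields = [int(hdr[i * 8:(i + 1) * 8], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        data_off = pos + 110 + namesize + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            return entries
        entries[name] = (data_off, blob[data_off:data_off + filesize])
        pos = data_off + filesize + _pad4(filesize)
    raise ValueError("bad newc header at offset %d" % pos)


def find_gzip_streams(blob):
    """Yield (offset, decompressed) for every complete gzip stream found in blob."""
    off = blob.find(GZIP_MAGIC)
    while off != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip wrapper; trailing bytes are tolerated
        try:
            data = d.decompress(blob[off:])
            if d.eof:
                yield off, data
        except zlib.error:
            pass                                       # false positive on the magic bytes
        off = blob.find(GZIP_MAGIC, off + 1)


def extract_from_uimage(uimage, target="bin/recovery-utils"):
    """Return (offset of the initramfs gzip inside the kernel, bytes of target)."""
    magic, = struct.unpack(">I", uimage[:4])
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a uImage (bad magic 0x%08x)" % magic)
    kernel = next(data for _, data in find_gzip_streams(uimage[UIMAGE_HEADER_LEN:]))
    for off, inner in find_gzip_streams(kernel):
        if inner.startswith(NEWC_MAGIC):
            entries = list_newc_cpio(inner)
            if target in entries:
                return off, entries[target][1]
    raise LookupError("%s not found in any embedded initramfs" % target)


def make_sample_uimage():
    """Constructed fixture: uImage header, gzip'd 'kernel', gzip'd newc initramfs inside it.
    The header CRC fields are left zero; this script does not verify them."""
    initramfs = build_newc_cpio({"bin/recovery-utils": b"\x7fELF" + b"\x00" * 60,
                                 "etc/passwd": b"root:x:0:0::/:/bin/sh\n"})
    kernel = b"\x00" * 300 + gzip.compress(initramfs) + b"\xff" * 100
    payload = gzip.compress(kernel)
    header = struct.pack(">7I4B32s", UIMAGE_MAGIC, 0, 0, len(payload), 0, 0, 0,
                         5, 2, 2, 1, b"constructed test image".ljust(32, b"\0"))
    return header + payload

if __name__ == "__main__":
    off, data = extract_from_uimage(make_sample_uimage())
    print("initramfs gzip at kernel offset %d, recovery-utils is %d bytes" % (off, len(data)))
```

The offset returned for the initramfs gzip is the one you need if you later want to splice a same-size patched archive back in without rebuilding the kernel.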

Next, the easy part: patching the updater package signature check. I extracted the updater’s RSA public key file from the Kindle (it lives under /etc/uks) and used OpenSSL to print the public key components (n and e). Then I opened recovery-utils in a hex editor, searched for the public key bytes, and replaced them with the jailbreak key (found in kindle_update_tool.py).
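As an added example (not the author’s code), here is the same key swap done programmatically in Python: it pulls the modulus out of a PEM “PUBLIC KEY” file by walking the SubjectPublicKeyInfo DER structure (the same n that openssl rsa -pubin -text -noout prints), checks that those exact bytes occur exactly once in the binary, and overwrites them with a replacement modulus of identical length. The two keys below are constructed numbers for the demonstration, not Amazon’s key or the jailbreak key, and the script assumes the binary stores the modulus as a raw big-endian byte string, which is what makes the hex-editor search described above work; if the key were stored in some other form the search fails rather than patching the wrong bytes.

```python
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                 # keep the INTEGER positive
        body = b"\0" + body
    return _der(0x02, body)


def make_public_key_pem(n, e):
    """Build a PEM SubjectPublicKeyInfo for an RSA key (used only for the constructed fixture)."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
                + _der(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(lines)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def modulus_from_pem(pem):
    """Return (modulus as big-endian bytes without the DER sign byte, exponent) from a PEM public key."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, spki, _ = _tlv(der, 0)
    _, algorithm, after_alg = _tlv(spki, 0)
    if not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _tlv(spki, after_alg)
    _, rsa_public_key, _ = _tlv(bit_string, 1)     # skip the unused-bits byte
    _, n_bytes, after_n = _tlv(rsa_public_key, 0)
    _, e_bytes, _ = _tlv(rsa_public_key, after_n)
    return n_bytes.lstrip(b"\0"), int.from_bytes(e_bytes, "big")


def swap_embedded_modulus(binary, old_n, new_n):
    """Replace the single occurrence of old_n with new_n; refuse ambiguous or size-changing patches."""
    if len(old_n) != len(new_n):
        raise ValueError("replacement modulus must be the same length (%d vs %d)"
                         % (len(old_n), len(new_n)))
    first = binary.find(old_n)
    if first == -1:
        raise LookupError("old modulus not present as raw big-endian bytes")
    if binary.find(old_n, first + 1) != -1:
        raise ValueError("old modulus occurs more than once; refusing to guess")
    return binary[:first] + new_n + binary[first + len(old_n):], first


# Constructed 1024-bit values standing in for the vendor key and the jailbreak key.
# They are not real RSA moduli; they only give the byte search something to find.
VENDOR_N = (1 << 1023) | int.from_bytes(bytes(range(1, 129)), "big")
JAILBREAK_N = (1 << 1023) | int.from_bytes(bytes(range(128, 0, -1)), "big")
FAKE_RECOVERY_UTILS = (b"\x7fELF" + b"\x00" * 100
                       + VENDOR_N.to_bytes(128, "big") + b"\x00" * 100)

if __name__ == "__main__":
    n_bytes, e = modulus_from_pem(make_public_key_pem(VENDOR_N, 65537))
    patched, off = swap_embedded_modulus(FAKE_RECOVERY_UTILS, n_bytes,
                                         JAILBREAK_N.to_bytes(128, "big"))
    print("e=%d, modulus found at file offset 0x%x, %d bytes patched" % (e, off, len(n_bytes)))
```

Feed modulus_from_pem the real file from /etc/uks and swap_embedded_modulus the real recovery-utils; the uniqueness check is what saves you from silently patching a second copy of the key, or a coincidental byte run, elsewhere in the binary.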

Finally, the challenging part was patching the password check on export MMC0. I opened recovery-utils in IDA Pro and located the check_pass function. Working backwards from it, I saw it was called from loc_94A8. Here’s a snippet of the check along with my interpretation of what it does:

BL	check_pass	# Call the check_pass function
CMP	R0, #0	# check_pass returns its result in R0; compare it with 0
BEQ	loc_9604	# If R0 was 0 (Z flag set), jump out: the password check has failed
LDR	R0, =aDevMmcblk0 ; "/dev/mmcblk0"	# We did not jump out, so the password was accepted; load the device path
BL	storage_export	# Call storage_export to export it

It’s always easiest to patch as few instructions as possible with the smallest changes, so that’s what I did. (Note that IDA Pro doesn’t allow editing instructions directly, so I had to find the machine code in hex to know what to replace. Luckily, I had tons of instructions to look at to see what their corresponding machine code was.)

NOP	# Replaces the BL check_pass; I used MOV R0, R0 (E1A00000), which is the same as NOP
CMN	R0, R0	# Replaces CMP R0, #0 with a negative compare of R0 with itself (E1700000). Basically, always return false.
... rest is the same

Now I saved the file and, luckily, it was the same size, so I didn’t have to recreate initramfs.cpio; I just replaced the file inside it with my hex editor (a newc cpio header records each file’s size but carries no checksum, unlike a tar header, so a same-size replacement needs no other changes). I copied this into the kernel source folder and compiled the kernel. Lucky for you, I have already done all of this so you don’t have to.
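The following Python script is an added example (not the author’s tooling) of making that patch without a hex editor: it scans a little-endian A32 binary for the five-instruction sequence shown above (BL, CMP R0,#0, BEQ, LDR R0,[PC,#imm], BL), resolves where the first BL lands so you can confirm it really is the check_pass call before touching anything, and writes the two replacement words. The encodings are the standard ARM ones: MOV R0,R0 is E1A00000, CMP R0,#0 is E3500000 and CMN R0,R0 is E1700000. One caveat the listing glosses over: CMN R0,R0 sets the Z flag when R0+R0 wraps to zero, i.e. when R0 is 0 or 0x80000000, so the author’s patch only skips the failure branch if R0 happens to hold some other value after the NOP’d call. The script’s second variant instead turns the BEQ itself into a NOP, which does not depend on R0 at all. The sample binary and its addresses (the BL at 0x94A8 as in the IDA label above, check_pass at 0x8F00, loc_9604 as the failure label, storage_export at 0x9C00) are constructed for the demonstration.

```python
import struct

# A32 encodings, condition AL unless noted; words are little-endian in the file.
MOV_R0_R0 = 0xE1A00000      # canonical NOP on ARMv6
CMP_R0_IMM0 = 0xE3500000    # CMP R0, #0
CMN_R0_R0 = 0xE1700000      # CMN R0, R0
BL_OP, BEQ_OP = 0xEB000000, 0x0A000000       # BL <imm24>, BEQ <imm24>
COND_MASK = 0xFF000000                       # cond + opcode bits of a branch
LDR_R0_PC_OP, LDR_R0_PC_MASK = 0xE59F0000, 0xFFFFF000   # LDR R0, [PC, #imm12]


def words(blob):
    return struct.unpack("<%dI" % (len(blob) // 4), blob)


def branch_target(addr, word):
    """Resolve a B/BL target: imm24 is sign-extended, times 4, relative to PC = addr + 8."""
    imm = word & 0xFFFFFF
    if imm & 0x800000:
        imm -= 0x1000000
    return addr + 8 + imm * 4


def find_check_pass_site(blob):
    """File offset of the BL in the sequence BL / CMP R0,#0 / BEQ / LDR R0,[PC,#x] / BL."""
    w = words(blob)
    for i in range(len(w) - 4):
        if (w[i] & COND_MASK == BL_OP and w[i + 1] == CMP_R0_IMM0
                and w[i + 2] & COND_MASK == BEQ_OP
                and w[i + 3] & LDR_R0_PC_MASK == LDR_R0_PC_OP
                and w[i + 4] & COND_MASK == BL_OP):
            return i * 4
    raise LookupError("check_pass call site pattern not found")


def patch_author_style(blob, site):
    """The patch from the appendix: BL check_pass -> MOV R0,R0; CMP R0,#0 -> CMN R0,R0."""
    return blob[:site] + struct.pack("<II", MOV_R0_R0, CMN_R0_R0) + blob[site + 8:]


def patch_branch_style(blob, site):
    """Alternative: keep the call and compare, NOP the BEQ so the failure path is dead code."""
    return blob[:site + 8] + struct.pack("<I", MOV_R0_R0) + blob[site + 12:]


def fail_branch_taken(r0, style):
    """Would the BEQ fire for this R0 after each patch? (Z-flag semantics of the compare.)"""
    if style == "author":
        return (r0 + r0) & 0xFFFFFFFF == 0     # CMN R0,R0 sets Z when R0 + R0 wraps to zero
    if style == "branch":
        return False                           # the BEQ no longer exists
    raise ValueError(style)


def make_sample_binary():
    """Constructed fixture: filler around the five-word sequence, laid out so the BL sits at
    0x94A8, check_pass at 0x8F00, loc_9604 as the fail label and storage_export at 0x9C00."""
    base, site = 0x9490, 0x94A8

    def bl(at, target, cond=0xEB):
        return (cond << 24) | (((target - (at + 8)) >> 2) & 0xFFFFFF)

    seq = [bl(site, 0x8F00), CMP_R0_IMM0, bl(site + 8, 0x9604, cond=0x0A),
           0xE59F00B0, bl(site + 16, 0x9C00)]
    filler = [0xE92D4010] * ((site - base) // 4)          # PUSH {R4, LR} as generic filler
    tail = [0xE8BD4010, 0xE12FFF1E]                       # POP {R4, LR}; BX LR
    allw = filler + seq + tail
    return struct.pack("<%dI" % len(allw), *allw), base

if __name__ == "__main__":
    blob, base = make_sample_binary()
    site = find_check_pass_site(blob)
    print("call site at 0x%X, BL target 0x%X" % (base + site, branch_target(base + site, words(blob)[site // 4])))
    print("author patch, R0=0x1234: fail branch taken =", fail_branch_taken(0x1234, "author"))
    print("author patch, R0=0:      fail branch taken =", fail_branch_taken(0, "author"))
```

On the real file, compare branch_target() against the address IDA shows for check_pass before patching; the base address to add to the file offset is the load address of the binary’s text segment, not 0.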

Comments

  1. bdaddy

    I’ve enjoyed reading your posts on kindle hacking. I’m looking forward to getting a kindle 3 wifi myself so I’m learning from you and others as much as possible beforehand. One of the things I’m most concerned about is how to perform a full system-image type backup/restore of the device in case things go wrong.

    One thing caught my eye as I was reading your procedure above. You said, “I moved the Kindle over to a Linux computer because it is easier”.

    And then you show running dd against “/dev/sdX2”. Does this imply that the kindle’s UMASS subsystem is actually serving up the full 2gbyte flash device? If so, is it not possible to backup the entire flash device by accessing “/dev/sdX” directly? Did you put the kindle in a special mode to get it to serve up the full flash device?

    Or did I misunderstand you? If so, what is your understanding of the structure of the data accessible via UMASS vs the structure of the flash device itself?

  2. First of all, the K3 recovery port is different: it uses 1.8V instead of 3.3V, and using 3.3V WILL burn it. Which brings the second difficulty: finding a 1.8V TTL to RS232/USB converter. I haven’t found one yet and don’t have the time to make one, so I haven’t done a lot of work on the K3. To export the filesystem, you CAN dd from SSH, but a better way is to use the recovery shell to export directly over USB; in order to do that, though, you need to patch the kernel to remove the password protection on the shell. I will do that one day, but I won’t be able to test it.

  3. bdaddy

    Interesting, so if you have RS232 access to the kindle, you can put it into a mode where the entire “MMC0” device is exported via UMASS, but it requires a password? Have you seen the following:

    (from http://www.mobileread.mobi/forums/showthread.php?t=49942&page=2) now my kindle dx has been restored, it’s working… thanks ebs, your dump file saved me. and i did some manual work:

    1. boot message says: cannot open /dev/fb/0, my solution is to delete this dev file
    2. mkdir -p /mnt/{rwfs,base-us,us}
    3. using the recovery menu, select ‘3’ to export the whole MMC0, and it asks for a PASSWORD. this password is generated from the serial no, i did it like this: qemu-arm -g 1234 -cpu arm1136 recovery-util; b *0x128d8; b *0x128e8. the first break is after get_serial_no, r0 points to the serial no, i change it, then at the second breakpoint sp points to the password
    4. when mmc0 is exported: mkfs.ext3 /dev/sdb, sudo mount -t ext3 /dev/sdb /mnt, sudo tar xvf rootfs.tar.gz /mnt

    And also: http://translate.google.com/translate?hl=en&sl=ru&u=http://www.siralex.info/2011/03/22/kindle-3-troubleshootin/&ei=_VqzTarZDuW10QHroLn9CA&sa=X&oi=translate&ct=result&resnum=3&ved=0CC4Q7gEwAg&prev=/search%3Fq%3Dkindle%2B%2522Load%2BMMC0%2Bover%2BUSB%2Bstorage%2522%26hl%3Den%26safe%3Doff%26prmd%3Divns

    Where a poster shows an example password of “fiona828b”. Is this consistent with what you are talking about above? Are you familiar with this “recovery-util” utility?

  4. bdaddy

    Oh, sorry, I just re-read your appendix. The recovery-utils utility is exactly what you were talking about. :) What do you make of this idea of extracting the password from the utility? Is it hard-coded in there?

  5. You can actually brute force the password because the Linux “root” user uses the same password. It’s generated from the serial number, but the algorithm is hard to understand once disassembled. That’s why I chose to patch the file instead of trying to find the password. That way I can remove all the checks, including the one on unsigned recovery packages.

  6. bdaddy

    Wow, great information, thanks! I understand that when you hold the [Enter] key on bootup that you get into a recovery context that shows up on the kindle 3’s screen. And one of the options in this context is “E -> Export over USB”. A couple of questions:

    (1) As far as you know, is this “E -> Export over USB” option the same as the “3. Load MMC0 over USB storage” option available via the RS232 port’s recovery mode?

    (2) Do you have any idea what instructions are issued (presumably by recovery-util) to put the Kindle into a mode where it exports the entire MMC0 via USB? Imagine a small update-style patch that simply enables full MMC0 via USB. That way, as soon as you get a new Kindle, you can run that one update and get full access to the NAND flash’s root file system, mount it on a workstation, and customize the root filesystem as you see fit. For example, copy over some binaries, install some init.d scripts. Or even make a full block-by-block backup.

    It would be so awesome to have a machine of this formfactor with an e-ink display but was easier to backup/restore. But I presume there isn’t much of a market for such an open device.

  7. 1) No. Export over USB just shows the FAT partition.

    2) You can always ssh in and use dd to copy the filesystem. You need a custom kernel to export MMC without a password. There is no point doing it outside of bootup, because you can’t recover if you can’t access the recovery script.

  8. bdaddy

    Cool, thanks for the clarification. I’ve heard that the kindle 3 has a so-called “on the go” (OTG) USB port. Has anyone done any research to see if the USB port can be put into host mode with the stock kernel?

  9. There are two USB ports on the Kindle. The one for the charger is (AFAIK) client only. Host mode is supported on the USB input on the mini PCI-e 3G modem. However, there is no use for them without additional drivers.

  10. bdaddy

    Say for the sake of argument that the USB port could somehow be switched over into host mode, wouldn’t it be possible to introduce new drivers as ko modules? Or does the stock kernel not allow the inclusion of externally built ko modules?

  11. You always have to recompile the kernel, even if it’s just to add modules. I don’t know if this is true for all Linux (I think it is), but I can tell from experience that compiling just a module (and keeping all other kernel options the same) does not work.

  12. RAY

    Could you please present full instructions on how to use your pack? I have downloaded psxperia-bete-2.zip and the source but I could not deal with them. Please help.

  13. Elvin

    I have some ideas about replacing the 3G with a wifi card, and I found that the AR5B95 has a driver on 2.6.22. I am wondering if I plug it into my DX whether it would work like the K3 wifi, or whether I have to compile the kernel myself… Sigh… I don’t know anything about it. Do you have any suggestions? Thank you very much.

  14. John

    I have a Kindle 3. It shows an empty battery on screen. Tried resetting using the start button for 15 sec then waiting 20 secs, then tried longer times; all no good. Opened the Kindle to do a physical reset: no button, just 2 resistors where the switch should be. Any suggestions would be welcomed. Best regards, John.

  15. Nandor

    Hi!

    I am deeply impressed by your work. I am curious whether you were able to repeat these steps on the Kindle 3 (Keyboard) as well? I have a broken Kindle 3. I was able to make a HyperTerminal connection, but the boot log gave me not too much information. It would be best if you could make the same recovery kernel for the Kindle 3 as well. Please let me know if you have already done this or plan to. I can send you the boot log of my Kindle 3G. Thanks for your help in advance!
