Thursday, August 27, 2015

Kindle paperwhite 2015 full jailbreak writeup

This is a post I've been meaning to write for a while now, a complete writeup for how to jailbreak the kindle paperwhite 2015. Credit for figuring out the serial connection details and the debug password goes to hondamarlboro and credit for the original jailbreak goes to NiLuJe.


In the newer models, Amazon has removed the ability to jailbreak easily via .bin files. The method I used to hack mine involves using the built in serial port, so if you don't feel comfortable soldering to the board of your new kindle, this probably isn't for you.

The front panel of the kindle is glued on; I used a guitar pick to peel it off from the edges. The back is held on by small star-head screws.

Taken apart kindle
Once you have the kindle apart find the area on the board where it says 'SERIAL DEBUG'. Beneath it are three contacts, Tx, Rx, and GND from left to right.

Orange:Tx White:Rx Green:GND

I used an Adafruit FTDI Serial to USB cable to connect to the kindle.

Next you'll need to go under settings, then device info on the kindle to find your serial number. The root password for debug mode can be found with the following python script:

python2 -c 'import hashlib,sys;print "fiona%s" % hashlib.md5("%s\n" % sys.argv[1]).hexdigest()[13:16]' YOUR_SERIAL_NUMBER

Connect to the kindle at 115200 baud and reboot it. When it says 'Hit any key to stop autoboot:' hit a key. At the uboot> prompt, enter 'bootm 0xE41000'.


On the screen that pops up, tap (o)-Reboot or Disable Diags. Then on the next screen tap (EXIT LOGIN). Log in with the login root and the password you got earlier.


The next step is to set a normal root password so you can log in in normal, non-debug mode. Run the following commands to do that:

# mount /dev/mmcblk0p1 /mnt/mmc
# chroot /mnt/mmc
# /usr/bin/passwd
# exit
# reboot


Once the kindle boots you can log in as root using the password you just set. Plug the kindle in via USB and copy this jailbreak package to the root of the device, then eject the kindle. Now from the serial connection, run the following:

# mntroot rw 
# mkdir /tmp/jailbreak
# cp /mnt/us/kindle2015_jailbreak.zip /tmp/jailbreak/
# cd /tmp/jailbreak
# unzip kindle2015_jailbreak.zip
# chmod a+x install.sh
# ./install.sh


It'll spew a lot of output and take a little bit, but after that, you're entirely jailbroken! I now suggest grabbing a copy of KUAL and seeing what your newly freed little Linux machine can do.

EDIT: If you're having trouble getting kterm to start, copy this package to the USB root of the kindle and run the following:

# mntroot rw
# cp /mnt/us/libpng.tar /libpng.tar
# cd /
# tar -xvf libpng.tar
# rm libpng.tar

Tuesday, April 14, 2015

Disabling wireless card whitelist on ThinkPad T410

Recently I bought myself a Lenovo ThinkPad T410. All in all it's a wonderful laptop: fast, robust, and a testament to enduring ThinkPad design. The one issue I had with it (other than getting the ACPI backlight working with Arch, but that's a post for another day) was the hardware whitelist in the BIOS. When I plugged in any Mini PCI wireless card, instead of booting my laptop would present me with:

1802: Unauthorized network card is plugged in - Power off and remove the network card

System is halted

Not only was this rather limiting, I also don't like not having control over my own hardware. I found two promising methods to go about disabling this "feature." The first and less potentially damaging of the two was to modify the card's ID so the BIOS sees it on its whitelist. After doing that though I would have had to patch my wireless drivers with the new ID, and then always worry about updates breaking it. To me it doesn't seem like an elegant solution.

The next option was to modify the BIOS itself. If done wrong this can brick your laptop, so it's not really recommended. There are lots of instructions online on how to patch the BIOS file yourself, but I was a bit apprehensive, seeing as my skills with assembly are pretty basic and my skills with modifying hex are non-existent.

With a bit of searching I found an already patched BIOS for the T410 done by user sovem on https://www.bios-mods.com (links at the end of the post). I checked to make sure it had worked for other people; I really didn't want to brick my new laptop. It looked ok so I decided to give it a go.

Step 1: Burn 6iuj29us.iso to a cd.
Step 2: Boot from the cd and flash BIOS.
Step 3: Make a FreeDOS USB stick (unetbootin is the easiest way) 
Step 5: Copy the bios_mod folder to the USB stick. 
Step 6: Boot from flash drive and select "Load FreeDOS without drivers"
Step 7: Run flash.bat

With the new BIOS the laptop no longer halts on boot, but it will still turn any wireless cards off with a hardware rfkill. To stop this you have to block pin 13 on the card. 


I just covered it with a piece of tape. After that everything worked fine and my OS saw both cards I had plugged in.

Links:
Modded BIOS
Mirror to files

Friday, March 20, 2015

Hyper Text Coffee Pot Protocol - My functional implementation of RFC2324

On April 1st 1998 the IETF published RFC2324, a protocol for controlling, monitoring, and diagnosing coffee pots. Even though it was a joke, I could see a real need for implementing this. Finally the making of coffee could be added to cron jobs and makefiles. When gcc spat out more than 50 errors it could automatically start making the coffee that you'll be needing. You could add a BREW request to anything that takes a very long time to run. Simply put, this is a thing that really needed to be real.

So I started out building a coffee pot capable of supporting HTCPCP. I decided to use a Raspberry Pi to run the server application. It's a bit overpowered for the task, but it's nice to have a *NIX environment to work with, and it makes updating the code very easy. The idea was to connect a relay in place of the on/off switch on an old coffee pot I had lying around.


  • GPIO pin 17 connects a relay capable of switching at least 2A at 120V
  • GPIO pin 21 connects to a pushbutton
  • GPIO pin 22 connects to a status LED
Completed circuit board

On the RPi I chose to install Arch Linux because this project doesn't need everything installed by default in Raspbian, and I find that NetworkManager is less flaky than wpa_supplicant alone for connecting to encrypted WiFi networks.

Once the pi was connected to the internet I installed WiringPi and started working on the code for the HTCPCP server. The RFC specifies the following requests in addition to those of HTTP:
  • BREW
  • WHEN
  • PROPFIND
BREW specifies that coffee should be brewed, and is synonymous with POST. PROPFIND returns metadata about the pot, and WHEN is sent when the server has added enough of an addition to the coffee (sugar, cream, rum, etc.).

Since my pot doesn't have the capabilities to support additions yet, WHEN will return an error. Sending either BREW, POST, or GET will set GPIO 17 to high for half an hour (I can't see myself waiting any longer than that for coffee, ever). Once a BREW or synonymous request is sent, potinfo.ready is set to false. Once the pot is refilled with water and coffee grounds, pressing the pushbutton will set the ready status to true. If the button is held down for more than 3 seconds, the pi will power off. PROPFIND returns the readiness of the pot to make coffee at any time.

The code for the HTCPCP server is available at https://github.com/saljs/htcpcp
(The sleep(30); is a dirty hack to make sure that the pi connects to the network fully before the server tries to claim a port.)
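The request handling and button behaviour described above, modelled as an added Python example (not the code in the repository above): the gpio callback and clock are stand-ins so it runs without a Pi, and the 406 status for WHEN is this example's choice, since the post only says WHEN returns an error.

```python
import time

BREW_SECONDS = 30 * 60   # the post holds GPIO 17 high for half an hour
HOLD_TO_POWEROFF = 3.0   # holding the button longer than this powers the Pi off
BREW_SYNONYMS = {"BREW", "POST", "GET"}   # all three start a brew
RELAY_PIN = 17

class CoffeePot:
    """Pot state; gpio(pin, level) stands in for the real pin write (assumed)."""
    def __init__(self, gpio, clock=time.time):
        self.gpio = gpio
        self.clock = clock
        self.ready = True          # water and grounds loaded
        self.brewing_until = 0.0   # epoch time at which the relay is released

    def brewing(self):
        return self.clock() < self.brewing_until

    def tick(self):
        """Call from the main loop: release the relay once the half hour is up."""
        if self.brewing_until and not self.brewing():
            self.gpio(RELAY_PIN, 0)
            self.brewing_until = 0.0

    def button(self, held_seconds):
        """Short press: pot refilled, ready again.  Long hold: power-off request."""
        if held_seconds > HOLD_TO_POWEROFF:
            return "poweroff"
        self.ready = True
        return "ready"

def handle_request(request_line, pot):
    """Dispatch one request line such as 'BREW /pot HTCPCP/1.0'; returns (status, body)."""
    parts = request_line.split()
    if len(parts) != 3:
        return 400, "Bad Request"
    method, _uri, _version = parts
    if method in BREW_SYNONYMS:
        pot.gpio(RELAY_PIN, 1)
        pot.brewing_until = pot.clock() + BREW_SECONDS
        pot.ready = False          # potinfo.ready = false until the button is pressed
        return 200, "Brewing"
    if method == "PROPFIND":
        return 200, "ready: " + ("true" if pot.ready else "false")
    if method == "WHEN":
        # No additions are supported yet; 406 is the RFC 2324 code for an addition
        # the pot cannot serve (choosing it here is this example's assumption).
        return 406, "Not Acceptable"
    return 501, "Not Implemented"
```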

Once I got the server working, I put the following in /etc/systemd/system/htcpcpd.service

[Unit]
Description=Hyper Text Coffee Pot Control Protocol Server
Requires=network.target

[Service]
Type=forking
ExecStart=/usr/local/bin/htcpcpd
[Install]
WantedBy=multi-user.target


Then I enabled the server. In Raspbian the same could be done by putting /usr/local/bin/htcpcpd on a line in /etc/rc.local.

The last thing I did before assembling it all was to make the root filesystem read-only to prevent corruption. https://web.archive.org/web/20160305060007/http://ruiabreu.org/2013-06-02-booting-raspberry-pi-in-readonly.html was the guide I used.

Here are some pictures of the completed project. It was banned from the kitchen because it doesn't exactly match with the decoration, so instead I keep it by the sink in the basement. Please forgive the mess.

3d printed case for the pi+relay board

All plugged in

Closeup of the pi


Coffee tastes all the better for knowing that it was brewed over my network.


Yet Another Teenager's Tech Blog

I've decided to start a personal blog as a place to keep a collection of project write-ups, my fixes for odd undocumented problems I run across (mostly on Arch Linux and Debian), and hardware hacks. I find a lot of answers to tech-related problems on blogs, so I figure a blog of my own would be a good repository for these sorts of things as well. I'm writing it mostly for myself, but if anyone finds it useful then that's great!