[Discussion] Direct access to e-MMC to fix bricked KF? - CONFIRMED!


kurohyou

Member
Aug 3, 2013
49
86
Chicago
Hello! Been lurking for a while and just finally decided to post.

A little background: My first Kindle Fire 2 was rooted just fine. Everything worked for several months, then the screen went bad. Called Amazon and got a replacement sent over. The night I received said replacement, I decided that I wanted to try the 2nd bootloader + TWRP and install CyanogenMod. Unfortunately, I missed the part about reverting back to the older version of the bootloader before patching. Oops.

TLDR; Bricked KF2.


That brings me to the main focus of this topic: After reading a plethora of threads stating that there was no way to fix a bricked KF2 with the USB, I began thinking... Theoretically speaking, couldn't the e-MMC be accessed if it was taken out and mounted to an e-MMC-to-USB adapter? This would allow reflashing the partitions and (hopefully) returning it to an unbricked state. Of course, that means remounting the e-MMC to the KF2 motherboard, but you can do wonders with a stencil, some solder paste, and a toaster oven, it seems.

Then, while searching for a good e-MMC to USB adapter, I stumbled across a very intriguing thread on hacking TomTom's NAV3 where the e-MMC is left on the device and wired to an MMC USB reader. Pages 36 and 37 are the useful bits. (I can't post links yet, so this is the best I can do to demonstrate): mobilescommunity.com/tomtom-discussions/178770-nav3-cracking-patching-copying-navcore-v10-v11-v12-36.html

At this point, I'm just waiting on an old, broken KF1 to arrive to track down where the leads go and possible solder points. I'll keep you posted as things progress.


Any comments, thoughts, suggestions?


P.S. I have a feeling that this would be better suited in the development forum, but as I am new, I can't post there. Assuming that this crazy idea actually works, (and considering that I'll probably have ten posts by then), I'll likely post a clean guide over on that forum.
 

Hondologe

Member
Sep 25, 2009
41
1
www.hondo.de
I had mine already taken apart because of a broken screen, and one thing is for sure: there was no e-MMC or anything that you could take out and put into an adapter :\
 

kurohyou

Member
Completely dead.

...and there is an e-MMC. On my KF2, it was under a piece of foam. If you look at it as if you just took off the back cover (without moving the motherboard), from the bottom (the side with the USB port) it's on the lower right portion of the motherboard. It's a Samsung chip, KLM8G2FE3B-B001. There's also a line of solder points just below it. It looks like a decent number of the pins (which we can't see because it's a surface mount) go to that bank of solder points.

Since I still can't post real links/pictures: tinypic.com/r/20hppw5/5

Image credit: iFixit.

That picture is the motherboard from a KF1, but it's in the same location. It's the chip outlined in red.
 

kurohyou

Member
Just a little update... Have a junk motherboard, the e-MMC is off, now I'm just tracking down where the pins go and possible solder points. It looks like the motherboard has exposed pads that will work well for soldering (my guess is they were originally access points for board/component testing?). I'll post again when I have more info. :p
 

kurohyou

Member
Another update: I've tracked down solder points for DAT0-7, CMD, and CLK. I just need to track down the voltage (Vcc and Vss) and grounds (VccQ and VssQ). After that, I'll have pictures with it labelled. Then I need to work on soldering to said points and attaching them to a MMC reader, and praying that it works.
 

stunts513

Senior Member
Feb 8, 2013
2,238
635
New Braunfels, TX
Hmm, well, if you can get your PC to recognize the eMMC, with what I'm assuming is going to be Linux because the filesystem is ext4 on Kindles last I checked, I'm curious whether the modules that Linux has will recognize the device. If it does, I wonder if you can simply use dd to flash the messed-up partitions with the correct signed replacements. I wish I had your solder skills... I need a new tip for mine but I'm too lazy to go out and get one, much less do soldering on a Kindle motherboard. If this works you could offer repair services to people, because I doubt most people would attempt this. I find this thread very interesting!

Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
 

kurohyou

Member
Finished tracking down solder points. Attached are some pictures with them labelled. I'll be working on the actual soldering and connecting it to my computer in the next few days here as my mini-vacation is over and I have to go back to work tonight.
 

Attachments: KF2MBFR.jpg, KF2MBBK.jpg

kurohyou

Member
I have a couple minutes on break, so I'm uploading a screenshot of Ubuntu with the partitions mounted. All my pictures of the board/SD card reader and solder job are on my camera at home, so I'll post those later.

Note: The partitions are on the bottom left of the window, the 17 MB one through the 929 MB one. Once I track down which one is the boot partition, I'm going to rewrite it with the original boot image and pray that has fixed the problem.
 

stunts513

Senior Member
Wow, this is awesome, I am very impressed by this. Now just use dd to shove the bootloader down the eMMC's throat. I wonder whether Linux recognizes the fact that any of the partitions are signed, e.g. in gparted under a partition's properties? Not sure if you have gparted installed; you'd probably have to install it from the repos. Also kind of curious about the partition layout, as to how everything is ordered on the eMMC, as gparted shows it.

Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
 

kurohyou

Member
Wow this is awesome, I am very impressed at this.
Thanks! Assuming this works, I'm thinking of designing a solder-less device to make all the connections. Soldering to those tiny pads on the motherboard was a pain!


I wonder does linux recognize the fact that any of the partitions are signed in like gparted under a partitions properties?
Is it the partition itself that's signed, or the boot files?

Also kinda curious about the partition layout as to how everything is ordered on the emmc, as gparted shows.
That's a really good idea. I'll make sure to take a screenshot of the partitions in gparted when I have a chance to work on it some more on Friday.
 

stunts513

Senior Member
From what I understand not all, but some of the partitions are signed, like the bootloader; they have a 64kb signature in the partition's header if I remember correctly. That's also the reason we can't fix the device when we brick the bootloader: these things show up as OMAP devices and we have the means to use that device and try to fix it, but we can't fix it because the initial file it loads up has to be signed. Your fix is kind of unorthodox, but hey, whatever works. :thumbup: Bet Amazon didn't think people would go this far to fix it. Heck, technically if this works you could probably root it in this manner even if an exploit wasn't viable. Anyway, for more info on what I was talking about, read Q2, Q3, and Q4 of this post: http://xdaforums.com/showthread.php?t=2228539
I personally want to look into why we can't just hex edit an image that's unsigned to clone a signed image's signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file, not to mention that would be next to impossible, I think, since it would be difficult to try to make a partition exactly like the one on the Kindle minus a signature (because even if you copied the files over, they wouldn't necessarily be stored in the exact same sectors of a partition), making it even more complicated for me to see the actual signature. soupmagnet said this is impossible to do already and he knows what he's talking about, so I seriously doubt I could do this.

Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
 

kurohyou

Member
I personally want to look into why we can't just hex edit a image that's unsigned to clone a signed images signature, but I don't feel like opening up 2 huge files in a hex editor to compare the differences to see how the signature is in the file

I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.

An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.

Perhaps we could run the idea by soupmagnet and see what he thinks?
 

stunts513

Senior Member
Yeah, that's an interesting idea. I have no idea how you could generate headers to try to forge what the Kindle has, though, and I'm assuming if it is a 64kb signature, that is a huge amount of combinations. I'm assuming figuring out how to make a signed image is similar to how some key generators are made that take an activation code and spit out another code for you to use. Though I have no idea how they figure out the common denominators for making a code based on such. It's one thing in simple math, but to do it to strings of letters and numbers is beyond me. Luckily we have several partitions for reference; if it was just one we'd be pretty screwed, assuming I have any idea what I'm talking about. Feel free to run the idea by him; I chatted with him before a little about something like this in some PMs.

Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
 

soupmagnet

Retired Forum Moderator
Jan 7, 2012
3,990
2,587
Austin, TX
Google Pixel 6
I'd venture an (un)educated guess that TI considered this sort of tampering and the header is essentially an encrypted checksum for the image. That would make sense when you consider the need for proprietary software to "generate" a signed header.

An interesting idea while we're going down this road... I'd think the only thing that prevents us from brute-forcing (through trial and error) our way to some sort of method of generating the signed headers is that an attempt could only be made once (assuming an incorrect algorithm) before you'd end up with a paperweight, meaning up until now you'd need a LOT of Kindles to even hope to get close; however, assuming that what I'm working on works to restore the KF2 to functioning, one could rig up a port to reflash the image (with a header generated with a new algorithm each time) until either you wore out the e-MMC or you managed upon one that worked.

Perhaps we could run the idea by soupmagnet and see what he thinks?
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.

Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.

You should probably just focus on getting the device restored so you can have yourself a little side business of restoring hard bricked 2nd generation Kindle Fires...although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is. ;)
 

kurohyou

Member
Let's say you are able to restore the device every time you brick it. In order for brute force to work, you would need to be able to flash the image, attempt to boot, restore the device when it fails, create a new disk.img while somehow generating a new signature for it, flash that one, etc....and it all has to be done automatically.

Sounds like a lot of work; although, I didn't expect anything less. :p

Putting that aside for a moment, there's a lot of speculation online about how long it will actually take to brute force just a simple 128bit encryption key. I've seen everything from several years to several hundred years. Multiply that by about 500 and you'll have an idea of the amount of time it would take to brute force a 64Kb signature, and that's without having to repack, flash, restore, etc. for every single iteration....so I highly doubt a brute force attack is even feasible in this situation.

What, you're telling me that cracking the encryption in a few million years from now wouldn't be useful? :D

It probably didn't help that in my sleep-deprived state last night, I failed to differentiate between 64kb and 64bit. Oops.

You should probably just focus on getting the device restored

That's always been the focus, but I also figured that while we're here discussing things (and with confirmed access to the e-MMC now), why stop with just the basic restore to working when there's the possibility of more?

although, it would be extremely nice if you shared with the community how you were able to do so...if you are ever successful that is. ;)

Of course I'm going to share! As soon as I finish the last few steps here and confirm that it's working, I'm going to post a guide over on the Development forum. I don't know how many people will be comfortable with the soldering part, though. It was a beast trying to solder to the motherboard. I do plan on trying to develop a solderless method, probably by fabricating a board that connects to all the important points and secures to the motherboard itself (probably using the screw holes).
 

stunts513

Senior Member
Sweet, didn't realize how many partitions the Kindle had. So now all we need to figure out is which partition of those is the bootloader partition, so you can try flashing the bootloader with the dd command. Might I suggest backing up the entire eMMC device with dd instead of just some of the partitions? Also I was wondering, if all goes well and if the KFHD's eMMC pin layout is the same, it'd be nice if a solderless bolt-on version could be truly "universal" for all Kindles; shape-wise it wouldn't be a problem as long as the bolt-on board has multiple hole configurations.

Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
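One defensive way to act on the full-backup advice above, and on the .md5 files that ship next to the firmware images listed later in the thread: back up the whole device first, refuse to write any image whose checksum does not match, and read the target back after writing. This is an added example, not code from the thread; DEV is a placeholder for whatever block device the SD/MMC reader exposes, the partition node used as a target is an assumption, and the .md5 files are assumed to carry the hash as their first field.

```shell
#!/bin/sh
# Added example: safe backup / verify / flash helpers for an eMMC exposed
# through a card reader. Not from the thread. Device names are placeholders.
set -eu

# Dump the entire eMMC (not just some partitions) and checksum the dump so
# the backup itself can be verified before it is ever relied upon.
backup_emmc() {
    dev=$1; outdir=$2
    mkdir -p "$outdir"
    dd if="$dev" of="$outdir/emmc-full.img" bs=1M 2>/dev/null
    sync
    (cd "$outdir" && md5sum emmc-full.img > emmc-full.img.md5)
}

# Compare an image with its sidecar .md5 file. Assumed format: the hash is
# the first whitespace-separated field (md5sum output or a bare hash).
verify_image() {
    img=$1
    expected=$(awk '{print $1; exit}' "$img.md5")
    actual=$(md5sum "$img" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Write one verified image to a target. On a real device the target is a
# partition node (e.g. /dev/sdX2 for partition 2, a placeholder); conv=notrunc
# makes a plain file behave like a block device, which is what the test uses.
# After writing, read the same number of bytes back and compare the hash.
flash_image() {
    img=$1; target=$2
    if ! verify_image "$img"; then
        echo "refusing to flash: checksum mismatch for $img" >&2
        return 1
    fi
    dd if="$img" of="$target" bs=1M conv=notrunc 2>/dev/null
    sync
    size=$(wc -c < "$img")
    readback=$(dd if="$target" bs="$size" count=1 2>/dev/null | md5sum | awk '{print $1}')
    [ "$readback" = "$(awk '{print $1; exit}' "$img.md5")" ]
}
```

Run backup_emmc before anything else; a mismatch in verify_image usually means a truncated download, and a failed readback means the write did not land where expected.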
 

Top Liked Posts

    Looks like we posted on top of each other. There's no need to unpack the images to see which partitions are which. ;)

    Indeed we did! Nice to have confirmation on which was the bootloader partition. I went ahead and reflashed it and put the motherboard back in. Plugged it in, and the light on the power button came on orange (which it wasn't doing before). Let it sit for a few minutes and pressed it a few more times and the low battery came up on the screen! I'm assuming it worked and the battery is just dead. I'm going to let it charge while I'm at work tonight and hopefully will have a working and fully charged KF2 in the morning. :victory:
    Just wanted to say that I'm still here. I've been working on a guide on how to do this and also planning out a component to make all the connections without soldering. I'll probably have the first draft of the guide ready to post sometime on Tuesday. I'll make sure to put a link to the new thread on here.
    I made a thread for the how-to for this. Currently, it's still a WIP. You can find it here: http://xdaforums.com/showthread.php?p=44873922
    Uraaa! KF2 has risen from the dead!! :cool:

    Thank you very much: kurohyou, stunts513, olegykz

    Here is a backup image of the KF2 eMMC (KF2 10.4.6): sorry, deleted

    It can be copied using win32diskimager: sorry, deleted

    !!!!! Read and save your own image first using win32diskimager !!!
    Attachments: KF2_emmcConnectSDDown.jpg, KF2_emmcConnectSDUP.jpg, SD-microSD_adaptor.jpg

    After flashing the firmware image, gparted screenshot: ScreenshotLINUX.png; gdisk & fdisk log in Linux: InfoTerminal.txt

    If after flashing your device is stuck in fastboot mode, use KFFirstAide100 to restore the KF2 10.2.3 firmware:
    sorry, deleted

    Use this utility to format the KF2 eMMC: SDformatter4_0 (sorry, deleted)

    If you need the KFFirstAide100 files: https://yadi.sk/d/By1qmwgj3Tf6Y4 (sorry, only the run txt file)
    In folder KF2 (10.2.3 firmware backup files):
    boot-prod.img boot-prod.img.md5
    recovery-prod.img recovery-prod.img.md5
    system.img system.img.md5
    In folder KindleBackup (backup of the 11 partition files, 10.4.6-PacMan4.3):
    1 xloader.img
    2 bootloader.img
    3 dkernel.img
    4 dfs.img
    5 idme.img
    6 crypto.img
    7 misc.img
    8 efs.img
    9 recovery.img
    10 boot.img
    11 system.img