Yet another reverse engineering blog

Thursday, December 20, 2007

Hacking the Kindle part 1: getting the console

From reading the sources published by Amazon, it was clear that Kindle has a console running at least during boot. And there was an unconnected port available from outside.
Debug Port
Logically, the console would be accessible there. I salvaged a flat cable with a connector from my Rio Karma dock and stripped the extra conductors to bring the pin count down to 20. Next I needed a TTL-RS232 converter. I almost bought one from eBay, but then realized that I already had one in the form of a data cable for my Samsung GSM phone. I stripped the phone connector, spent some time discovering the pinout of the cable, and was ready to search for the console. With a multimeter I found the grounded pins of the debug connector, so I knew which ones I could skip. I then started PuTTY, set the port parameters to 115200/8n1 (gleaned from the source code), connected the ground of the cable to the shield, and started connecting the RX of the cable to every pin in order, resetting the Kindle each time. Eventually I was able to see the output of the bootloader.

check_recovery: shift-<r>ecover, shift-<u>pdate, shift-</> reset...
normal boot...

U-Boot 1.1.2 (Oct 29 2007 - 16:35:25)

*** Welcome to Kindle ***

With a bit of solder I fixed it, and then did the same with the TX wire while pressing some keys on the keyboard. As I was at the login prompt at this point, once I had the correct pin I could see the echo in the terminal. Unsurprisingly, the RX pin was right next to the TX.
I wasn't able to solder the cable to the connector without shorting (the pins are 0.5mm apart!), so in the end I removed most of the pins, soldered short wires to the removed pins and inserted the ones I needed back into the connector.
Connected
The final pinout:
12 TX (connect PC's RX here)
11 RX (connect PC's TX here)
10 GND (also 7 and 3)
Pinout

There are probably JTAG pins too, but those are a bit harder to find by trial and error. Also, I don't have a JTAG cable.

In case you want to make your own connector, you'll need:
1) a 20-pin 0.5mm pitch flat flex cable with a connector. Digikey seems to have some.
2) a TTL-RS232 or TTL-USB converter. For the former, make sure you get one that can handle 3.3V levels (i.e. a MAX232 or its analogues won't do; you'll need a MAX3232 or similar). For the latter, probably any will do.
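As an added example (my own code, not the author's), here is a small Python helper for the pin-by-pin search described above: it sets the port to 115200/8n1 using the standard-library termios module and classifies what a probed pin produces, so that a live UART at the wrong baud rate ("garbage") can be told apart from a dead pin ("silent") and from the real console (bootloader banner seen). The device path and pin number are assumed to be given as command-line arguments; the banner markers come from the transcript above.

```python
import os
import sys
import termios
import time

# Markers taken from the bootloader transcript in the post; seeing any of
# them means the probed pin carries the console TX at the right settings.
BANNER_MARKERS = (b"check_recovery", b"U-Boot", b"Welcome to Kindle")

def configure_serial(fd: int) -> None:
    """Set an open tty fd to raw 115200 8N1 with a 1 s read timeout."""
    iflag, oflag, cflag, lflag, _, _, cc = termios.tcgetattr(fd)
    cflag &= ~(termios.PARENB | termios.CSTOPB | termios.CSIZE)   # no parity, 1 stop bit
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL         # 8 data bits, ignore modem lines
    iflag = oflag = lflag = 0           # raw: no translation, echo or line editing
    cc[termios.VMIN], cc[termios.VTIME] = 0, 10   # read() returns after 1 s of silence
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag, termios.B115200, termios.B115200, cc])

def read_capture(fd: int, seconds: float) -> bytes:
    """Collect whatever arrives on fd for the given number of seconds."""
    deadline = time.monotonic() + seconds
    chunks = []
    while time.monotonic() < deadline:
        chunks.append(os.read(fd, 4096))   # b"" when VTIME expires with no data
    return b"".join(chunks)

def classify_capture(data: bytes) -> str:
    """silent: nothing on this pin; console: bootloader banner seen;
    text: readable output but no banner (e.g. only a login prompt);
    garbage: bytes arrive but are unreadable, which usually means a live
    UART at the wrong baud rate."""
    if not data:
        return "silent"
    if any(marker in data for marker in BANNER_MARKERS):
        return "console"
    readable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if readable / len(data) >= 0.9 else "garbage"

if __name__ == "__main__":
    # Assumed usage: python probe.py /dev/ttyUSB0 <pin-number>
    device, pin = sys.argv[1], sys.argv[2]
    fd = os.open(device, os.O_RDWR | os.O_NOCTTY)
    configure_serial(fd)
    input(f"RX on pin {pin}: press Enter, then reset the device within 5 s")
    print(f"pin {pin}: {classify_capture(read_capture(fd, 5.0))}")
    os.close(fd)
```

Move the converter's RX lead to the next pin and rerun for each candidate; a "garbage" result on an otherwise unknown port is the hint to try other baud rates before moving on.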

14 comments:

Anonymous said...

Hey, it is very fascinating to see how someone works into this sort of thing and goes to work.

RE is interesting! Hope you ever get to the old Rocketbook 1100.

Kyle said...

I'm a newbie to microcontrollers and what-not. Can you tell me if this converter would work? I want to know before I spend any money. I haven't received my Kindle yet, but I'm interested in checking out the software.

http://www.pololu.com/products/pololu/0391/

One more question. In your other post, you showed how to change the password back to fiona for the kindle. Does that have any negative effects on buying from the kindle store?

Igor Skochinsky said...

@kyle
Yes, I believe that converter should work. Another one you could try is this:
http://www.chip45.com/index.pl?page=littleUSB

As for changing the root password, I don't think it has any effect on running the Amazon software, as it's started by the init scripts and does not use root shell as it is.

Kyle said...

Thanks for the help. So Amazon probably just changes the password for security reasons. That actually shows some forethought on their part. Too many products ship with default passwords today. The device would have been just waiting to be remotely hacked. If I revert the password, I'll probably pick my own out.

Anonymous said...

Please share your knowledge by posting this pinout information on the AllPinouts archive (http://www.allpinouts.org).

AllPinouts is a Web-based free content project (like Wikipedia) that collects information about hardware interfaces of modern and obsolete hardware, including pinouts of ports, expansion slots, and other connectors of computers and different digital devices (i.e. Cellular Phones, GPS, PDA, Game Consoles, etc.). All text is available under the GNU Free Documentation License (GFDL) and may be distributed or linked accordingly. AllPinouts archive already contains hundreds of pages organized into three main categories (Connectors, Cables, Adapters) and several subcategories.

Anonymous said...

For anyone else trying this at home, the brown part of the connector flips up, then you insert the ribbon cable and flip it back down to hold the cable in place.

Anonymous said...

Do you have any idea which JTAG interface pinout this box uses ? Did you try any interface such as Byteblaster with this?

Anonymous said...

Cool. Thanks for documenting your work for the rest of us to learn from.

kellya29 said...

Amazing! Thanks for the tips. I look forward to playing around with mine http://www.bookbender.com

Anonymous said...

Any suggestions to build a remote page-turner for the Kindle DX, to use with sheet music?

Anonymous said...

It's interesting that Kindle has a console, but is it possible to get the console to display on the Kindle itself, rather than connecting to it via terminal?

Conejo Playero said...

Does the new Kindle have access to the connector?

Conejo Playero said...

Does the new Kindle have physical access to the connector?

Anonymous said...

I have the new Kindle with Wi-Fi & 3G, and short of dismantling the device, I see no external access to the connector. I wonder if we can hack the headphone jack to use with other devices like the #Square (@Square) device used for payments :-)

Thoughts?