Hacking the Kindle part 3: root shell and runtime system

Root Shell

After I downloaded and extracted the root fs image, I quickly ran the /etc/shadow file though John the Ripper. In a moment it displayed the root password: "fiona" (which is the codename for the Kindle, by the way). Alas, it didn't work when I tried entering into console. Also, adding "init=/bin/sh" or "single" to the kernel boot arguments didn't work either.
So I started to poke around with the firmware update and after some time was able to run a script which mounted the read-write part of root filesystem and dumped the /etc/shadow from it. Unsurprisingly, it had a different password hash. Apparently the root password is changed somewhere before shipping to the end user. So I quickly adapted the script to replace the shadow file on the device with the original one.
You can find that implementation in this update maker zip.
kindle_update_maker-0.1.zip

After replacing the shadow file and a reboot, I was able to get in.

Output of some commands.

[root@kindle root]#ls -la /
drwxr-xr-x    2 root     root          592 Oct 30  2007 bin
drwxr-xr-x    1 root     root            0 Jan  1 00:00 dev
lrwxrwxrwx    1 root     root            7 Oct 30  2007 etc -> opt/etc
drwxr-xr-x    2 root     root            3 Oct 30  2007 home
drwxr-xr-x    2 root     root            3 Oct 30  2007 initrd
drwxr-xr-x    2 root     root          586 Oct 30  2007 lib
lrwxrwxrwx    1 root     root           11 Oct 30  2007 linuxrc -> bin/busybox
drwxr-xr-x    5 root     root           34 Oct 30  2007 mnt
drwxr-xr-x   10 root     root         1024 Nov  5  2007 opt
dr-xr-xr-x  101 root     root            0 Jan  1 15:42 proc
drwxr-xr-x    2 root     root          506 Oct 30  2007 sbin
drwxr-xr-x   10 root     root            0 Jan  1 15:42 sys
drwxrwxrwx    5 root     root            0 Jan  1 15:44 tmp
drwxr-xr-x   10 root     root           95 Oct 30  2007 usr
drwxr-xr-x    2 root     root           55 Oct 30  2007 var

[root@kindle root]# mount
devfs on /dev type devfs (rw)
/dev/bml0/6 on / type squashfs (ro)
/dev/stl0/8 on /opt type ext3 (rw,sync,noatime,nodiratime)
/proc on /proc type proc (rw,nodiratime)
sysfs on /sys type sysfs (rw)
devfs on /dev type devfs (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
devpts on /dev/pts type devpts (rw)
tmpfs on /tmp type tmpfs (rw)
/dev/bml0/7 on /mnt/dc type squashfs (ro)

[root@kindle root]# ps -A f
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:01 [swapper]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00  \_ [khelper]
   20 ?        S<     0:10  \_ [kblockd/0]
   87 ?        S      0:02  \_ [pdflush]
   89 ?        S<     0:00  \_ [aio/0]
   86 ?        S      0:00  \_ [pdflush]
   10 ?        S      0:00 [sleepd]
   33 ?        S      0:00 [khubd]
   88 ?        S      0:00 [kswapd0]
  676 ?        S      0:12 [voltd]
  678 ?        S      0:02 [pnlcd_animate]
  681 ?        S      0:00 [kseriod]
  710 ?        S      0:00 [wantph]
  709 ?        S      0:00 [wanend]
  721 ?        S      0:00 [mmcdd]
  727 ?        S      0:00 [hpdetd]
  740 ?        Ss     0:00 init    
 1116 tts/2    Ss     0:00  \_ -sh
 2344 tts/2    R+     0:00      \_ ps -A f
  831 ?        S      0:00 [kjournald]
  884 ?        S      0:03 /sbin/syslogd -m 0 -b 1 -S -s 250
  887 ?        S      0:01 /sbin/klogd
  976 ?        S      0:00 [eink_fb_apt]
  974 ?        S      0:04 [eink_fb_udt]
  975 ?        S      0:00 [eink_fb_sst]
 1023 ?        S      0:07 [f-s-gadget]
 1024 ?        S      0:00 [f-s-activity]
 1063 ?        S      0:00 [wdtpmd]
 1071 ?        S      0:00 /usr/sbin/watchdogd -k 9 -t 30
 1079 ?        S      0:00 /usr/sbin/netwatchd -d 20 -t 5 -p www.amazon.com
 1086 ?        S      0:03 /usr/sbin/nomkd -v 80 -r 44 -d 23 cvm
 1092 ?        S      0:00 crond -l 9 -c /etc/crontab             
 1097 ?        S      0:00 /bin/sh /usr/sbin/tphmonitor
 1101 ?        S      0:00  \_ /usr/sbin/tphserver -f
 1119 ?        S      0:00 /bin/sh /usr/sbin/execmonitor
 1128 ?        S      0:00  \_ /usr/sbin/execserver
 1123 ?        S      0:00 /bin/sh /opt/amazon/ebook/bin/run_framework
 1169 ?        S      0:00  \_ /bin/sh /opt/amazon/ebook/bin/start.sh
 1173 ?        SL     0:18      \_ /usr/java/bin/cvm -Xmx16m -Dsun.boot.library.path=/opt/usr/java/lib:/usr/java/lib -cp :/opt/amazon/ebook/lib/MobiCore-impl.jar:/opt/amazon/ebook/lib/MobipocketCoreReader.jar:/opt/amazon/ebook/lib/ReaderSDK.jar:/opt/amazon/ebook/lib/SearchSDK.jar:/opt/amazon/ebook/lib/framework-api.jar:/opt/amazon/ebook/lib/framework-impl.jar:/opt/amazon/ebook/lib/jdbm.jar:/opt/amazon/ebook/lib/json.jar:/opt/amazon/ebook/lib/kxml2.jar:/opt/amazon/ebook/lib/xyml.jar:/opt/amazon/ebook/booklet/AudiblePlayer.jar:/opt/amazon/ebook/booklet/AudioPlayer.jar:/opt/amazon/ebook/booklet/Browser.jar:/opt/amazon/ebook/booklet/ContentManager.jar:/opt/amazon/ebook/booklet/Demo.jar:/opt/amazon/ebook/booklet/Experimental.jar:/opt/amazon/ebook/booklet/Home.jar:/opt/amazon/ebook/booklet/MobiReader.jar:/opt/amazon/ebook/booklet/PictureViewer.jar:/opt/amazon/ebook/booklet/PrefBooklet.jar:/opt/amazon/ebook/booklet/Search.jar:/opt/amazon/ebook/booklet/XymlBooklet.jar:/opt/amazon/ebook/booklet/msp.jar:/opt/usr/java/lib/libjnisystem.jar -Ddebug=1 -Dcheck_comm_stack=true -Dhttp.keepalive.timeout=60000 -Dhttp.maxConnections=16 -Dallow_demo=false -Dawt_fb_enable=0 -Dextkeyboard=false -Dconfig=/opt/amazon/ebook/config/framework-unix.conf -DENABLE_SEARCH_INDEXING_THREAD=true -Dprintdebugtime=false com.amazon.ebook.framework.Main
 (around 30 cvm copies skipped)
 2298 ?        S      0:00 [mmcqd]

As you can see, /opt is writable and so is /etc which points to it. On factory reset, the writable partition is populated from /usr/default/opt.tar.gz file.

Here's the full listing of the filesystem: list.zip.

Bonus content

The main GUI and most of the back-end code is written in Java. The framework is quite elaborate and can be extended with extra "booklets".
After spending some time investigating it with JAD, I found some undocumented shortcuts, features and easter eggs. Here's a more or less complete list.

Picture viewer

I'm not sure why Amazon didn't make it public (maybe because paging is kinda slow), but there is a basic picture viewer in Kindle.
To activate it:
1) make a folder called "pictures" in the root of Kindle drive or SD card. Kindle also checks for "dcim" made by cameras.
2) put your pictures for a single "book" into a folder inside that. The subfolder name will be used as the "book" name. Supported formats are jpg, png, gif.
3) in Home screen press Alt-Z. A new "book" should appear. Open it to view your pictures.
4) In the local menu you can toggle dithering, resize to fit and full screen mode.

Keyboard shortcuts

Various undocumented/underdocumented keyboard shortcuts. I italicized most interesting ones.

Global keys

Alt-Shift-R reboot Kindle
Alt-Shift-. restart GUI
Alt-Shift-G make screenshot
due to an implementation bug, screenshots can only be stored on SD card, not the main storage. A gif file is saved in the card root.
Shift-Sym start demo
Enabled only if allow_demo=true is passed on the Java commandline. Needs a special demo script present on the SD card.

Home

Alt-Shift-M Minesweeper
Alt-Z rescan picture directories
Alt-T show time

Reader

Alt-B toggle bookmark
Alt-T spell out time
Alt-0 enable/disable slideshow
Alt-1 start slideshow (if enabled)
Alt-2 stop slidehow
Alt-PageForward/PageBackward go to next/prev annotation or one "chunk" (1/20th of a book) forward or backward

Settings

411 show diagnostics data
511 run loopback call test
611 diagnostic data service call
c/e/s
126 Lab126 team members

Font List

J show/hide justification options

Picture viewer

Alt-Shift-0 set current picture as screensaver
F toggle fullscreen mode

Minesweeper

I,J,K,L up,left,down,right
M mark mine
R restart
Space open cell
Scroll move cursor up/down
Alt-Scroll move cursor left/right
H return to Home screen

Text input

Alt-Backspace clear all
Alt-H/Alt-J move cursor
(the following don't work in search field for some reason)
Alt-6 ?
Alt-7 ,
Alt-8 :
Alt-9 "
Alt-0 '

Browser

It seems there is a location capability (GPS?) in the CDMA module. I cannot check it as I'm not in USA but the following shortcuts are programmed inside the browser.
Alt-1 show current location in google maps
Alt-2 find gas station nearby
Alt-3 find restaurants nearby
Alt-4
Alt-5 find custom keyword nearby
Alt-D dump debug info to the log and toggle highlight default item
Alt-Z toggle zone drawing and show log

Audio Player

Alt-F next
Alt-P play/stop

Search commands

These command work in the search field. You can enter only beginning of the command if that's enough for it to be unique.

Public commands (always available)

@help
@web
@wiki/@wikipedia
@store
@time

Semiprivate (available but not mentioned in @help)

;dumpMessages dump current debug log into the "documents" directory
;debugOn set log level=2 and enable private commands
;debugOff set log level=1 and disable private commands

Private commands
Note: following commands are clearly not intended for end users. Some of them may damage your Kindle and void your warranty. Enter at your own risk.

`help list private commands
`7777 set version to TOPmk-xyz-77770 (to disable OTA updates?)
`voltLog <1|0> enable/disable voltage table debug
`batteryLoggingDelay set battery logging delay (in seconds)
`pppStop close WAN PPP connection
`disableIndexing
`logOpenFiles
`startIndexing
`dumpBattery
`indexStatus
`compliance
`einkAdjustments
`allocate [MB]
`log611
`reloadContentRoster
`indexForever
`downloadIndex
`consumeMemory
`terminal
`checkForUpdate
`applyUpdate
`stopIndexing
`processNowNow
`processTodo
`countUnmergedDownloadedIndexes
`dumpIndexStats
`memInfo

Hacking the Kindle part 2: bootloader and firmware updates

Bootloader

The Kindle uses Das U-Boot bootloader. To break into the interactive shell, just press any key right afer reset.
"help" gives a list of available commands

KINDLE> help
?       - alias for 'help'
badblocks - print OneNAND bad block info
base    - print or set address offset
bbm     - BBM sub-system
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootf   - boot from various options
bootm   - boot application image from memory
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
diags   - execute the User Diagnostics from OneNAND
dsleep  - sleep USB device controller
dwake   - wake USB device controller
echo    - echo args to console
erase   - erase FLASH memory
exit    - exit script
factory - string [lock] [LLL_RR_PP]
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fb      - framebuffer subsystem
flinfo  - print FLASH memory information
gain    - displays/sets the gain value
go      - start application at address 'addr'
help    - print online help
hsuspend - suspend the 1761 USB host controller
hwake   - wake USB host controller
icache  - enable or disable instruction cache
iminfo  - print header information for application image
itest  - return true/false on integer compare
keys    - prints out hex values from device keyboard until console key is pressed
kindle  - print info about Kindle's revision
load    - load OneNAND page into DataRAM
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loop    - infinite loop on address range
loopw   - infinite write loop on address range
mbboot  - boot bootloader from MMC/SC card
md      - memory display
mdc     - memory display cyclic
mkboot  - boot kernel & initrd from MMC/SD card
mm      - memory modify (auto-incrementing)
mmcinit - init mmc card
mtest   - simple RAM test
mw      - memory write (fill)
mwc     - memory write cyclic
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
ohms    - calculates board resistance
onenand - print OneNAND register info
opamp   - displays/sets the op-amp offset value
otp     - dump/read/write OneNAND OTP
printenv- print environment variables
protect - enable or disable FLASH write protection
reboot  - alias of reset to match kernel
reset   - perform RESET of the CPU
run     - run commands in an environment variable
rve     - displays/sets the rve (reference voltage error) value
saveenv - save environment variables to persistent storage
serial  - set/display board serial number in OTP
setenv  - set environment variables
sleep   - delay execution for some time
snuz    - put PXA to sleep
test    - minimal test like /bin/sh
update  - update sub-system (updates images from MMC/SD card to flash)
usb_init  - init USB host controller
version - print monitor version
write   - write DataRAM buffer to OneNAND page

Let's see what we can do with bbm command

KINDLE> ? bbm
bbm format
    - format device
bbm open
    - open device
bbm eraseall
    - erase all blocks
bbm erase 'start' 'end'
    - erase blocks from 'start' to 'end'
bbm load image 'id' ['start']
    - load image from partition 'id' into RAM;
      image is loaded into RAM at location 0xA2000000
      or into 'start' if 'start' is specified (in hex)
bbm save image 'id' ['start'] 'size'
    - save image of 'size' to partition 'id';
      image should be loaded into RAM at 0xA2000000
      or into 'start' if 'start' is specified (in hex)

- Partition Info -
bbm show partition
    - show partition information
bbm save partition
    - save partition information
bbm del partition
    - delete last partition
bbm add partition 'id 'attr' 'blocks'
   - add partition 'id' of type 'attr' and of size 'blocks'
KINDLE> bbm show partition
<< PARTITION INFORMATION >>
 id        : Bootloaders, Diagnostics (3)
 attr      : RW (1)
 first_blk : 0 (0x00000000)
 no_blks   : 12 (1.5 MB)
  ---------------------
 id        : Standard Kernel (17)
 attr      : RW (1)
 first_blk : 12 (0x00180000)
 no_blks   : 12 (1.5 MB)
  ---------------------
 id        : Recovery Kernel (16)
 attr      : RW (1)
 first_blk : 24 (0x00300000)
 no_blks   : 12 (1.5 MB)
  ---------------------
 id        : Standard Initrd (15)
 attr      : RW (1)
 first_blk : 36 (0x00480000)
 no_blks   : 10 (1.3 MB)
  ---------------------
 id        : Recovery Initrd (14)
 attr      : RW (1)
 first_blk : 46 (0x005C0000)
 no_blks   : 10 (1.3 MB)
  ---------------------
 id        : Read-only Root Filesystem (8)
 attr      : RW (1)
 first_blk : 56 (0x00700000)
 no_blks   : 96 (12 MB)
  ---------------------
 id        : Default Content (9)
 attr      : RW (1)
 first_blk : 152 (0x01300000)
 no_blks   : 120 (15 MB)
  ---------------------
 id        : Read/Write Root Filesystem (10)
 attr      : RW (1)
 first_blk : 272 (0x02200000)
 no_blks   : 144 (18 MB)
  ---------------------
 id        : Userstore (11)
 attr      : RW (1)
 first_blk : 416 (0x03400000)
 no_blks   : 1584 (198 MB)
  ---------------------
 id        : Environment Variables (4)
 attr      : RW (1)
 first_blk : 2000 (0x0FA00000)
 no_blks   : 2 (256 KB)
  ---------------------

The diagnostics U-Boot image is stored in the first partition.
There are two kernels, standard and recovery with corresponding ramdisks. Recovery kernel is used for firmware update.
There is a read-only root filesystem and read-write part. There is a partition with default content used for factory reset.
Then there is a userstore partition, which is visible as mass storage drive over USB.

There were no commands to copy data from flash to SD/MMC, but I could load flash partitions into memory and dump that.

KINDLE> bbm load image 3
Loading partition "Bootloaders, Diagnostics" into 0xA2000000... Success
KINDLE> base a2000000
KINDLE> md.b 0 100
a2000000: 4e 69 63 6b ff ff ff ff ff ff ff ff ff ff ff ff    Nick............
a2000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
a2000020: 0e 00 00 ea 18 f0 9f e5 2c f0 9f e5 18 f0 9f e5    ........,.......
a2000030: 18 f0 9f e5 18 f0 9f e5 18 f0 9f e5 18 f0 9f e5    ................
a2000040: 60 00 00 a2 20 01 00 a2 80 01 00 a2 e0 01 00 a2    `... ...........
a2000050: 40 02 00 a2 a0 02 00 a2 00 03 00 a2 40 03 00 a2    @...........@...
a2000060: 00 00 0f e1 80 00 c0 e3 00 f0 29 e1 7c 00 9f e5    ..........).|...
a2000070: 21 0a 40 e2 02 0c 40 e2 02 0a 40 e2 0c d0 40 e2    !.@...@...@...@.
a2000080: 70 00 9f e5 70 10 9f e5 00 20 a0 e3 00 20 80 e5    p...p.... ... ..
a2000090: 04 00 80 e2 01 00 50 e1 fb ff ff 1a e6 80 00 ea    ......P.........
a20000a0: 00 00 a0 40 00 00 00 00 00 00 00 00 00 00 00 00    ...@............
a20000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
a20000c0: 28 00 1f e5 18 10 90 e5 01 10 81 e3 18 10 80 e5    (...............
a20000d0: 10 10 90 e5 02 1b 81 e2 02 1b 81 e2 0c 10 80 e5    ................
a20000e0: fe ff ff ea ef be ad de ef be ad de ef be ad de    ................
a20000f0: 00 00 00 a2 20 00 00 a2 1c 56 06 a2 98 52 4a a3    .... ....V...RJ.

(Nick probaly refers to Nick Vaccaro of Lab126, who apparently was one of the main Kindle software developers. Hi Nick!)

Due to either my cable or inconsistent terminal settings, any dump of over 256 bytes was returning only some bytes in the beginning and some in the end. So I had to conjure up a little Python script to send dump commands in chunks of 256 bytes, parse the output and write it to a file. It took a few hours per partition, but in the end I was able to dump what I needed. In the initrd image of the recovery kernel I found scripts that performed firmware update and so I could reverse the update file format.

Firmware updates

Firmware update can be performed both over-the-air and from the SD card or mass storage partition.

The firmware update file should match the mask "update*.bin" and reside in the root of the userstore partition (Kindle's USB drive) or SD/MMC card. There should be only one such file present. The file consists of a header and scrambled .tar.gz file with update files.

offset size  value
0      4     signature (OTA: "FC02", manual: "FB01")
4      4     fromVersion (minimal version to update)
8      4     toVersion (maximal version to update)
0C     2     deviceCode (number in 3rd and 4th characters of the serial, i.e. 01)
0E     1     updateOptional (seems unused)
0F     1     
10    32     scrambled md5 hash string of the tgz
20000  ?     scrambled tgz with update files

Version value is made from the kindle version string. In my unit, it's 292-Kindle-012138 and the version value is 121380292 (12138*10000 + 292).

The manual update doesn't check any fields except signature and md5.

Scramble algorithm:

byte = rol(byte,4)^0x7A;

Descramble:

byte = rol(byte^0x7A,4);

The tgz should contain a text file matching the mask "update*.dat". Its lines have the following format:

id md5 filename block_count display_name

id is the ID of the flash partition to write to. I know the following numbers:
6 base RO fs (squashfs image)
7 default content (squashfs)

block_count is the number of 128K blocks to flash (see bbm show partition output above).

If id is 129, the file is considered a shell script and is executed.
If id is 128, the md5 is checked but nothing is done with the file.

I made a small Python script to assemble an update file with all checksums calculated automagically. It will be included in the next post.

To do a manual update, first put the update bin in the root of Kindle's flash drive or SD card. Then hold Home button while resetting the Kindle. In a while you will see the following menu:

2 "Firmware Reset" clears all user-specific data and settings and returns the Kindle to factory state. I'm not sure if it will be usable without extra initialization by Amazon technicians.
3 "Exit" starts normal boot process.
0 (not shown) starts the diagnostics bootloader. Interaction is done mostly over the console, you won't see much on the Kindle screen.
1 "Firmware update" starts the manual update process.

Hacking the Kindle part 1: getting the console

From reading the sources published by Amazon, it was clear that Kindle has a console running at least during boot. And there was an unconnected port available from outside.

Logically, the console would be accessible there. I salvaged a flat cable with a connector from my Rio Karma dock and stripped extra conductors to bring the pin count down to 20. Next I needed a TTL-RS232 converter. I almost bought one from EBay, but then realized that I already have one in the form of a data cable for my Samsung GSM phone. I stripped the phone connector, spent some time to discover the pinout of the cable, and was ready to search for the console. With a multimeter I found grounded pins of the debug connector so I knew which ones I can skip. I then started PuTTY, set port parameters to 115200/8n1 (gleaned from source code), connected ground of the cable to the shield, and started connecting RX of the cable to every pin in order, resetting the Kindle each time. Eventually I was able to see the output of the bootloader.

check_recovery: shift-<r>ecover, shift-<u>pdate, shift-</> reset...
 normal boot...

U-Boot 1.1.2 (Oct 29 2007 - 16:35:25)

*** Welcome to Kindle ***

With a bit of solder I fixed it, and then did the same with the TX wire while pressing some keys on the keyboard. As I was at the login prompt at this point, once I had the correct pin I could see the echo in the terminal. Unsurprisingly, the RX pin was right next to the TX.
I wasn't able to solder cable to the connector without shorting (the pins are 0.5mm apart!), so in the end I removed most of the pins, soldered short wires to the removed pins and inserted those I needed back into the connector.

The final pinout:
12 TX (connect PC's RX here)
11 RX (connect PC's TX here)
10 GND (also 7 and 3)


There are probably JTAG pins too, but those are a bit harder to find by trial and error. Also, I don't have a JTAG cable.

In case you want to make your own connector, you'll need:
1) a 20-pin 0.5mm pitch flat flex cable with a connector. Digikey seems to have some.
2) a TTL-RS232 or TTL-USB converter. For the former, make sure you get one that can handle 3.3V levels (i.e. MAX232 analog won't do, you'll need MAX3232 or similar). For the latter, probably any will do.

Sony Reader PRS-505 disassembly

I liked looking into the Reader much more than the Kindle.

Sony Reader PRS-505 disassembly

Kindle disassembly and internals

I know that RapidRepair published their guide recently but I found it not detailed enough, so I tried to take many pictures when disassembling my own Kindle. I hope this will be interesting.

Disassembly with step-by-step photos

Detailed internals with close-ups of various chips

Check photo notes for chip details.

P.S. After I uploaded my photos, I found this post in PC-Doctor blog. He has some notes about the chips used.

Mobipocket books on Kindle

We've known for some time already that Amazon's AZW files are actually Mobi files, but Amazon didn't share Kindle's Mobi PID which would allow one to buy encrypted Mobi books for Kindle.
Well, I've discovered the algorithm used to generate the PID and was able to use it on Fictionwise, but there was another catch. AZW files have a flag set in the DRM info which is not present in books bought from other vendors. After fixing that, I could read the book on Kindle.

Linked archive includes two Python scripts.

kindlepid.py generates Mobi PID from Kindle serial number. You can then add this PID at a Mobipocket vendor site and redownload books with Kindle's PID enabled. It's possible that some vendors will refuse this PID, as it has an asterisk in place of the traditional dollar sign (Fictionwise works fine).
kindlefix.py "fixes" a Mobi book so that it can be read on Kindle. It should already include Kindle's PID (which you need to specify too). The script will output the fixed book with .azw extension.

Kindle Mobipocket tools 0.1 0.2
Mirror

Kindle boot log

So the Kindle has a console running. Lots of interesting info here...

U-Boot 1.1.2 (Oct 29 2007 - 16:35:25)

*** Welcome to Kindle ***

U-Boot code: A3F00000 -> A3F3FA6C  BSS: -> A3F77850

REV2 Bootloader: Kindle 400 MHz REV2 Board, Revision #9
 Boot block version: 20070525
 Checksum: 0x9F132881
 Buildrev: 292-Kindle-012138
 IOC Firmware Version #63

RAM Configuration:
 Bank #0: 0xA0000000 64 MB
Flash Configuration:
 Bank #0: 0x00000000 128 MB
 Bank #1: 0x04000000 128 MB
NAND Configuration:
 256 MB
BML_Init success
BML_Open success
**************** device info  *******************
nPgsPerBlk = 64
nSctsPerPg = 4
nNumOfUsBlks = 2002
*************************************************
bml open success
pi->nNumOfPartEntry: 10Success loading partition
load env done
op_amp#=65535
gain#=0
rve#=1015
panel#=010_01_23
panel#=010_01_23
serial#=B001BAB074999999
usb_force_sleep: hw_flags.disable_pdc_suspend = 0
waiting for CLKREADY
Mode reg = 0x00000000
soft resetting device controller
power switch is on
Update  battery level: >3720mV
Boot    battery level: >3680mV
Alert   battery level: >3600mV
Current battery level:  3911mV (bootable)

Loading partition "Standard Kernel" into 0xA2000000... Success
Loading partition "Standard Initrd" into 0xA2E20000... Success

iminfo a2000000 a2e20000

## Checking Image at a2000000 ...
   Image Name:   Linux-2.6.10-lab126
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1236608 Bytes = 1.2 MB
   Load Address: a0008000
   Entry Point:  a0008000
   Verifying Checksum ... OK

## Checking Image at a2e20000 ...
   Image Name:   initrd_fs.gz
   Image Type:   ARM Linux RAMDisk Image (gzip compressed)
   Data Size:    689536 Bytes = 673.4 KB
   Load Address: 00000000
   Entry Point:  00000000
   Verifying Checksum ... OK

bootm a2000000 a2e20000
## Booting image at a2000000 ...
   Image Name:   Linux-2.6.10-lab126
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1236608 Bytes = 1.2 MB
   Load Address: a0008000
   Entry Point:  a0008000
   Verifying Checksum ... OK
OK
## Loading Ramdisk Image at a2e20000 ...
   Image Name:   initrd_fs.gz
   Image Type:   ARM Linux RAMDisk Image (gzip compressed)
   Data Size:    689536 Bytes = 673.4 KB
   Load Address: 00000000
   Entry Point:  00000000
   Verifying Checksum ... OK

Starting kernel ...

Uncompressing Linux................................................................................ done, booting the kernel.
Linux version 2.6.10-lab126 (build@lab126-build) (gcc version 3.4.2) #1 Mon Oct 29 16:38:09 PST 2007
CPU: XScale-PXA255 [69052d06] revision 6 (ARMv5TE)
CPU: D VIVT undefined 5 cache
CPU: I cache: 32768 bytes, associativity 32, 32 byte lines, 32 sets
CPU: D cache: 32768 bytes, associativity 32, 32 byte lines, 32 sets
Machine: Fiona Platform
Fiona Board Resistance : 150 mOhms
Memory policy: ECC disabled, Data cache writeback
Memory clock: 99.53MHz (*27)
Run Mode clock: 398.13MHz (*4)
Turbo Mode clock: 398.13MHz (*1.0, inactive)
Built 1 zonelists
Kernel command line: console=ttyS2,115200n8 root=/dev/rd/0 initrd=/linuxrc rw reboot=hard
reserved 4096 bytes at a3fff000 for boot globals
reserved 122880 bytes at a3fe1000 for framebuffer
PID hash table entries: 512 (order: 9, 8192 bytes)
Console: colour dummy device 80x30
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 64MB = 64MB total
Memory: 61456KB available (2070K code, 357K data, 100K init)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
checking if image is initramfs...it isn't (no cpio magic); looks like an initrd
Freeing initrd memory: 673K
NET: Registered protocol family 16
Recalculated watermarks:
  wan:      3603 (was 3603)
  low:      3586 (was 3586)
  critical: 3536 (was 3536)
REV2 board detected
Power transition failed err=-5 for pnlcd video display class
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
PXA CPU frequency change support initialized
NetWinder Floating Point Emulator V0.97 (extended precision)
FPOW: Fiona Power Management Driver v0.54
squashfs: version 3.0 (2006/03/15) Phillip Lougher
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Initializing Cryptographic API
WATER: Disabling IOC voltage reporting, initing our own timer...
Battery Voltage: 3881 mVolts (raw: 3854 mVolts)
V[1] : ~3881~
A[1] : ~181~
T[1] : ~26~
OP Amp Offset : Uninitialized
Op Amp Gain Correction : Uninitialized
Voltage Reference Correction Factor : 1015 / 1000
IOC: Fiona IOC Driver v1.0, IOC FW version #63
Battery: 3.911 Volts, 26 Degrees C, 164 mA Draw, DISCHARGING, 72%
PNLCD: Fiona PNLCD Driver v0.94
KEYBOARD: Fiona Keyboard Driver v1.0
ppoke driver: Major: 207  Rev. 4  Kernel v.2.6.10-lab126
/proc/peek initialized.
/proc/poke initialized.
ttyS0 at MMIO 0x40100000 (irq = 15) is a FFUART
ttyS1 at MMIO 0x41600000 (irq = 0) is a HWUART
ttyS2 at MMIO 0x40700000 (irq = 13) is a STUART
io scheduler noop registered
RAMDISK driver initialized: 8 RAM disks of 4096K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
wan: AnyDATA DTEV WAN module driver 0.8.4
i2c /dev entries driver
i2c_adapter i2c-0: found device 0x1a
Advanced Linux Sound Architecture Driver Version 1.0.6 (Sun Aug 15 07:17:53 2004 UTC).
soc: version 0.7 liam.girdwood@wolfsonmicro.com
wm8971: WM8971 audio codec 0.2.3
soc: WM8971 <-> pxa2xx-i2s mapping ok
ALSA device list:
  #0: WM8971 Portable Codec (SoC)
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 8192)
NET: Registered protocol family 1
NET: Registered protocol family 17
RAMDISK: Compressed image found at block 0
VFS: Mounted root (ext2 filesystem).
Mounted devfs on /dev
starting initrd...
eink_fb: /dev/fb/0 frame buffer device, using 471K for video memory
eink_fb: Apollo Display Driver 1.00
xsr: module license 'Samsung Proprietary' taints kernel.
Samsung XSR Core 1.2.1-lab126-2
elevator: using noop as default io scheduler
Samsung STL 1.2.1-lab126-2
Samsung RFS 1.2.1-lab126-2
kjournald starting.  Commit interval 5 seconds
EXT3 FS on stl8, internal journal
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
starting init...
dosfsck 2.11-lab126 (7 Dec 2006)
dosfsck 2.11-lab126, 7 Dec 2006, FAT32, LFN
Checking we can access the last sector of the filesystem
Boot sector contents:
System ID "mkdosfs"
Media byte 0xf8 (hard disk)
       512 bytes per logical sector
      2048 bytes per cluster
        32 reserved sectors
First FAT starts at byte 16384 (sector 32)
         2 FATs, 32 bit entries
    386048 bytes per FAT (= 754 sectors)
Root directory start at cluster 2 (arbitrary size)
Data area starts at byte 788480 (sector 1540)
     96416 data clusters (197459968 bytes)
8 sectors/track, 1 heads
         0 hidden sectors
    387204 sectors total
Checking for unused clusters.
Checking free cluster summary.
/dev/stl0/9: 293 files, 7117/96416 clusters
mount: Mounting /dev/mmc/blk0/part1 on /mnt/mmc failed: No such file or directory
system: processing module dependencies
system: loading module pdc
pdc: version 1.0
pdc: IRQ 26
system: loading module usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for Generic
usbcore: registered new driver usbserial_generic
usbcore: registered new driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial Driver core v2.0
system: initializing eInk driver for rootfs use
eink_fb: /dev/fb/0 frame buffer device, using 588K for video memory
eink_fb: Apollo Display Driver 1.00
eink_fb: write_eink_which, size=50327
eink_fb: curr_count=0 write_size=50327
eink_fb: done, status=1
1+0 records in
1+0 records out
system: initializing random number generator
system: initializing USB gadget driver
g_file_storage gadget: controller 'pdc' not recognized
g_file_storage gadget: File-backed Storage Gadget, version: 28 July 2004
g_file_storage gadget: Number of LUNs=2
system: initializing audio configuration for REV2 or higher
system: initializing audio driver defaults
system: initializing network configuration
system: setting "conservative" processor power mode
system: starting processor watchdog
SA1100/PXA2xx Watchdog Timer: timer margin 60 sec
watchdogd 0.1 Copyright (C) 2007 Lab126, Inc.  All rights reserved.
system: starting network connection watchdog
netwatchd 0.5 Copyright (C) 2007 Lab126, Inc.  All rights reserved.
system: starting CVM memory watchdog
nomkd 0.7 Copyright (C) 2006-2007 Lab126, Inc.  All rights reserved.
system: starting TPH monitor
system: starting tphserver
tphserver 0.2 Copyright (C) 2007 Lab126, Inc.  All rights reserved.
system: starting booklet framework



Welcome to Kindle!

kindle login: