Turning an old Amazon Kindle into an eink development platform
Originally written by ADQ
Dried fish and marinated eggs
I wanted an e-ink screen for future projects, and I had just bought a gadget with a Raspberry Pi “hat” on it. It was then that I had the idea that an old Amazon Kindle could be turned into a treasure.
Translator: This is the origin of this article.
I’ve had some experience with the Kindle before: I ported an Infocom parser and a Manga reader. I had the Amazon software load Infocom and Manga as “Kindlets” and integrated them into the Kindle e-book reader. Now, I want a Linux development platform with an e-ink screen that is easy to use and cheap.
Here is the whole operation and process!
Cheap Kindles on Ebay (and Why they’re Cheap)
I saw a lot of cheap Kindles on Ebay labeled “BLOCKED BY AMAZON,” but of course I wasn’t going to buy them because they could theoretically have been stolen. In the end, I opted for a £7 non-touch Kindle 4.
A few days later, when I received it, I found out why it was so cheap: the Kindle was stuck in some sort of inescapable demo mode:
I did a Google search for solutions. Later versions of the Kindle can exit demo mode, but those solutions don’t work on this Kindle 4. But never mind, it doesn’t matter: I don’t want to run the original Kindle ebook software on this Kindle.
Well, the next step is to get access. I scoured the Mobileread forum and found that the Kindle has a debugging serial port: It’s time to do it!
Processing hardware
The Kindle was a bit of a hassle: it had multiple buckles around it, and the cover was stuck to the battery assembly, which I tactlessly dismantled with a knife and wiped clean with acetone.
- Red box: Hate the buckle
- Purple: Really troublesome glue (adhesive)
- Yellow: Serial port
Generally speaking, the hardware serial port has no connector, so we need to solder wires to the serial port on the motherboard. I like to use about 0.2mm wire for connecting to electronics, and I used my soldering iron to solder it to the Kindle board.
I didn’t want any wires to get tangled up, and I knew I might tangle them, but I needed to connect to the serial port, so I came up with a way to attach the wires:
I superglued a strip to the Kindle’s PCB, then soldered the wires from the board to one end of it. Finally, I soldered a large, universal “Dupont” cable socket at the other end so I could easily connect and disconnect it. By the way, the top cable on the Kindle PCB is 0V/GND; the other cables are TX and RX (I forget the order of the two).
One last puzzle: the Kindle serial port runs at 1.8V, so I need a serial adapter that supports that voltage:
The adapter I bought supports 5V, 3.3V, 2.5V, and 1.8V, which is a great match!
Root Kindle
Next, I connected the serial adapter to my laptop, ran the Minicom serial communication software, and restarted the Kindle. Then, after I exchanged the TX and RX cables, I saw the Kindle welcome message!
CPU: Freescale i.MX50 family 1.1V at 800 MHz
mx50 pll1: 800MHz
mx50 pll2: 400MHz
mx50 pll3: 216MHz
ipg clock : 50000000Hz
ipg per clock : 50000000Hz
uart clock : 24000000Hz
ahb clock : 100000000Hz
axi_a clock : 400000000Hz
axi_b clock : 200000000Hz
weim_clock : 100000000Hz
ddr clock : 800000000Hz
esdhc1 clock : 80000000Hz
esdhc2 clock : 80000000Hz
esdhc3 clock : 80000000Hz
esdhc4 clock : 80000000Hz
MMC: FSL_ESDHC: 0, FSL_ESDHC: 1
Board: Tequila
Boot Reason: [POR]
Boot Device: MMC
Board Id: 0031701123730Z56
S/N: B02317022392005M
Initing MDDR memory
ZQ calibration complete: 0x128=0xfffe0010 0x12C=0xffffffff
DRAM: 256 MB
Using default environment
In: serial
Out: logbuff
Err: logbuff
Quick Memory Test 0x70000000, 0x10000000
POST done in 13 ms
Hit any key to stop autoboot: 0
## Booting kernel from Legacy Image at 70800000 ...
Image Name: Linux-2.6.31-rt11-lab126
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 4777568 Bytes = 4.6 MB
Load Address: 70008000
Entry Point: 70008000
Verifying Checksum... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
[snip]
Welcome to Kindle!
kindle login:
Good, this is the uboot bootloader booting Linux and asking me to log in.
I logged in as root and was prompted for a password: Emmm… password? I knew from previous Kindle experience that you could use the Kindle’s serial number to generate a password. Then I found this site, which generates a number of possible passwords for a particular device: my Kindle root login password is number three.
In case the site fails, here is the key snippet of its JavaScript that generates the passwords:
// serial is the device serial number; hex_md5 returns its MD5 digest as a hex string
var md5 = hex_md5(serial);
document.getElementById("rootpw").innerHTML = "fiona" + md5.substring(7, 11);
document.getElementById("rootpw2").innerHTML = "fiona" + md5.substring(7, 10);
document.getElementById("rootpw3").innerHTML = "fiona" + md5.substr(13, 3);
Yeah, yeah, I forgot to mention how I got the device serial number. In this state the Kindle’s USB is not in its normal working mode, meaning you can’t use these demo devices as disks. But when a Kindle in this state is plugged in, its serial number can be printed on the computer with Linux’s dmesg command. (You can also print the serial number using printenv in U-Boot: press Enter when it says “Hit any key to stop autoboot”.)
[128033.676587] usb 1-2: new high-speed USB device number 51 using xhci_hcd
[128033.829631] usb 1-2: New USB device found, idVendor=1949, idProduct=0004, bcdDevice= 1.00
[128033.829638] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[128033.829642] usb 1-2: Product: Amazon Kindle
[128033.829645] usb 1-2: Manufacturer: Amazon
[128033.829648] usb 1-2: SerialNumber: XXXXXXXXXXXXXXXX
Cool! We have root privileges and are ready to log in! Now let’s see how you can make it easier to use.
Dump system
Generally, the first step is to transfer the disk information to another computer for analysis.
Checking /proc/mounts shows multiple partitions on /dev/mmcblk0, the virtualized primary disk.
Run fdisk /dev/mmcblk0 to get the following result:
Units = cylinders of 64 * 512 = 32768 bytes

        Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p1   *        1025       12224      358400  83 Linux
/dev/mmcblk0p2           12225       14272       65536  83 Linux
/dev/mmcblk0p3           14273       15296       32768  83 Linux
/dev/mmcblk0p4           15297       59776     1423360   b Win95 FAT32
- Four partitions: three Linux systems and one FAT32 system.
- The first partition starts far from the beginning of the disk: the original kernel is stored in that “missing” area.
- Further research reveals that partition 1 is a normal system, partition 2 is a diagnostic tool, and partition 3 is used to store Kindle private information (such as Wi-Fi passwords). When you plug in your Kindle via USB, you’ll see partition 4: where your e-books are stored.
- Partition 4 is mounted at /mnt/us.
I dumped the start of the disk and partitions 1-3 to /mnt/us with the dd command (generally I like to back up a full original image so I can restore it in case of a problem):
dd if=/dev/mmcblk0 of=/mnt/us/kindle.img bs=32768 count=15297
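To check that the dd count above really reaches the end of partition 3, and to get byte offsets for each partition inside kindle.img, the fdisk table can be converted from cylinders to bytes. This is an added example, not code from the original article; the function names are made up here, and the table is copied from the fdisk output above.

```python
import re

# fdisk output copied from the article (cylinder units, numbered from 1).
FDISK = """\
Units = cylinders of 64 * 512 = 32768 bytes
/dev/mmcblk0p1 * 1025 12224 358400 83 Linux
/dev/mmcblk0p2 12225 14272 65536 83 Linux
/dev/mmcblk0p3 14273 15296 32768 83 Linux
/dev/mmcblk0p4 15297 59776 1423360 b Win95 FAT32
"""

ROW = re.compile(r"(/dev/\S+)\s+\*?\s*(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(.*)")

def parse_fdisk(text):
    """Return (unit_bytes, partitions) with byte offsets and sizes."""
    unit = int(re.search(r"=\s*(\d+) bytes", text).group(1))
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or Units line
        dev, start, end, blocks = m[1], int(m[2]), int(m[3]), int(m[4])
        size = (end - start + 1) * unit
        # Cross-check the cylinder range against the Blocks column (1 KiB units).
        if size != blocks * 1024:
            raise ValueError(f"{dev}: cylinder range and block count disagree")
        parts.append({"dev": dev, "offset": (start - 1) * unit,
                      "size": size, "type": m[6]})
    return unit, parts

def dd_covers(parts, last_index, bs, count):
    """True if dd with this bs/count, read from the start of the disk,
    reaches the end of partition parts[last_index]."""
    end = parts[last_index]["offset"] + parts[last_index]["size"]
    return bs * count >= end

if __name__ == "__main__":
    unit, parts = parse_fdisk(FDISK)
    print(f"area before p1 (kernel): {parts[0]['offset'] // 2**20} MiB")
    for p in parts:
        print(f"{p['dev']}: offset={p['offset']} sizelimit={p['size']} ({p['type']})")
    print("dd bs=32768 count=15297 covers p1-p3:",
          dd_covers(parts, 2, 32768, 15297))
```

The printed offset and sizelimit values can be passed to `mount -o loop,ro,offset=...,sizelimit=...` to mount a single partition from the image read-only.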
Although this Kindle doesn’t show up as a disk on USB, I can make it do so because I have root permission:
rmmod g_file_storage
modprobe g_file_storage file=/dev/mmcblk0p4
It then appeared on my laptop, and I copied everything.
Analysis system
Finally, I mapped the partitions in kindle.img on my laptop with the following command:
kpartx -av kindle.img
Next, I mounted the Kindle partitions on my laptop. I put all the partition files in a folder so I can easily search them with grep. I found:
- The Kindle uses rc.d as its init system, and there are many elegant plain text scripts in the folder.
- Init level 5 is the “general purpose” level for running the ebook software.
- The ebook software is in the /opt/amazon directory and is written in Java (I know I’m going to go over Java quickly).
- The Kindle has a bunch of interesting plain text “diag” scripts to test.
- There’s a pretty nice wifid daemon to manage Wi-Fi connections: I found a way to talk to it from the diag scripts.
- The /usr/sbin/eips command (see documentation here) writes data from the command line to the ink screen.
- I can’t find a visible “turn off demo mode” switch: it looks like demo mode is a custom feature of the Java ebook software.
- The following system services relate to unsupported features or the ebook software, or contact Amazon: S50wan S70wand S75phd S81usbnetd S93webreaderd S94browserd S95framework S96boot_finished
Talking to wifid
You can use the Kindle’s built-in wifid to connect to Wi-Fi and manage your Wi-Fi profiles. Oh, and if your Wi-Fi connection fails, keep in mind that many Kindles only support 2.4GHz Wi-Fi 😉
List the number of Wi-Fi profiles
lipc-get-prop com.lab126.wifid profileCount
Display a Wi-Fi profile
echo "{index=(0)}" | lipc-hash-prop com.lab126.wifid profileData
Delete a Wi-Fi profile
lipc-set-prop com.lab126.wifid deleteProfile WIFIESSID
Create a Wi-Fi profile
echo '{essid="WIFIESSID", smethod="wpa2", secured="yes", psk="WIFIPSK"}' | lipc-hash-prop com.lab126.wifid createProfile
- smethod can be one of Open/WEP/WPA/WPA2 (if you select Open, set secured to “no”).
- WIFIPSK is the PSK generated by the wpa_passphrase utility (which is actually on the Kindle): a normal Wi-Fi passphrase will not work.
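The PSK that wpa_passphrase prints is PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, with 4096 iterations and 32 bytes of output. The following added example (not from the original article) derives it off-device and builds the createProfile hash in the format shown above; the function names and the character check on the ESSID are assumptions made for this sketch, and the sample values are constructed.

```python
import hashlib

def wpa_psk(essid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK (64 hex chars) as wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(essid.encode()) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), essid.encode(), 4096, 32
    ).hex()

def create_profile_hash(essid: str, passphrase: str) -> str:
    """Build the text piped into
    `lipc-hash-prop com.lab126.wifid createProfile` (format as in the article)."""
    # Assumption: the escaping rules of this hash syntax are not documented
    # here, so refuse ESSIDs that could break out of the quoted value.
    if any(c in essid for c in '"{}\n'):
        raise ValueError("ESSID contains characters unsafe for the hash syntax")
    return (
        f'{{essid="{essid}", smethod="wpa2", secured="yes", '
        f'psk="{wpa_psk(essid, passphrase)}"}}'
    )

if __name__ == "__main__":
    # Constructed sample values, not a real network.
    print(create_profile_hash("IEEE", "password"))
```

Because the ESSID is the salt, the derived key only works for that exact network name, and it unlocks the network just as the passphrase does, so it needs the same handling as the passphrase itself.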
Connect to the Wi-Fi profile
lipc-set-prop com.lab126.wifid cmConnect WIFIESSID
Display the Wi-Fi connection status
echo "{index = (0)}" | lipc-hash-prop -n com.lab126.wifid currentEssid
Modify the Root
Many of the instructions below require changing the Kindle’s root disk. By default, however, the root disk is mounted in read-only mode to prevent modification. To fix this, run the following command on your Kindle:
mntroot rw
When the changes are complete, set it to read-only mode to prevent any unnecessary changes:
mntroot ro
Install Dropbear SSH
I want to SSH to my Kindle, so I’m going to install the SSH program Dropbear. Of course, the Kindle is an ARM-based device, so I either had to compile Dropbear myself or find a Dropbear binary somewhere. As it happens, there is a legacy USBNET hack for the Kindle: I don’t use it directly because I want full control of the development kit, but I can borrow the Dropbear binary from USBNET.
Unfortunately, the USBNET hack is released in Kindle’s own weird update format, so we need to extract it:
On your computer:
- Download the KindleTool Git repo and compile it: this will let us decode the Kindle update.
- Download Kindle-usbNetwork-0.57.n-k4.zip from here and copy it to KindleTool/Release/.
cd KindleTool/Release/
unzip Kindle-usbNetwork-0.57.n-k4.zip
./kindletool extract Update_usbnetwork_0.57.n_k4_install.bin usbnet
cd usbnet
tar Jxf usbnet.tar.xz
- Copy src/usbnet/bin/dropbearmulti to your Kindle (I mounted it as a USB device again and copied it over).
On the Kindle:
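cd /
mv /mnt/us/dropbearmulti /
chmod a+x /dropbearmulti
# dropbearmulti is a multi-call binary: the symlink name selects which tool runs
ln -sf /dropbearmulti /dropbear
ln -sf /dropbearmulti /dropbearkey
ln -sf /dropbearmulti /bin/scp
# generate the RSA host key (-f names the output file)
/dropbearkey -t rsa -f /dropbear_rsa_host_key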
Customize the Kindle
I renamed all unnecessary system services as follows:
cd /etc/rc5.d; mv S95framework DISABLED.S95framework
I added my own initialization script at /etc/rc5.d/S99adq to apply my own custom settings:
#!/bin/sh

NAME="adq"

case "$1" in
    start)
        # display some stuff!
        /usr/sbin/eips -c 20 20 "HELLO ADQ"
        IP=`ifconfig wlan0 | awk '/t addr:/{gsub(/.*:/,"",$2); print$2}'`
        /usr/sbin/eips 1 1 "IP Address: $IP"
        /usr/sbin/eips 1 2 "Root Password: <MY ROOT PASSWORD>"
        /usr/sbin/eips ""

        # connect to wifi and allow ssh in
        lipc-set-prop com.lab126.wifid cmConnect MYWIFISSID
        iptables -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
        /dropbear -r /dropbear_rsa_host_key
        mkdir -p /mnt/us/usbnet/etc
        echo "<MY SSH PUBKEY>" > /mnt/us/usbnet/etc/authorized_keys

        # expose shell over usb
        modprobe -r g_file_storage
        modprobe g_serial
        /sbin/getty -L 115200 ttyGS0 -l /bin/login &
        ;;

    stop)
        ;;

    *)
        # plain echo: the msg helper is not defined in this script
        echo "Usage: /etc/init.d/$NAME {start|stop}" >&2
        exit 1
        ;;
esac

exit 0
This script:
- Displays some useful information on the ink screen at startup.
- Connects to Wi-Fi.
- Allows SSH through the firewall.
- Runs the Dropbear SSH process.
- Adds my SSH public key for Dropbear.
- Removes the “pretend to be a disk” USB function.
- Pretends to be a serial device when connected via USB and gives a login prompt: if I plug it in via USB and use Minicom, I get a login prompt… Well, it’s in case something goes wrong.
Once booted up, my Kindle looks like this, and I can then SSH to it as root.
That’s almost it: I can now SSH to my Kindle, and if I have a problem, I have multiple levels of serial console to fix it. This is a compact, Wi-Fi-enabled, battery-powered Linux development system with an ink screen.
For the final operation, close the back cover to protect the circuit.
Looking ahead
The FBInk library looks like a replacement for Amazon’s eips software; if I wanted to integrate the display into my own software, FBInk would probably be better.