Kindle K3 — jailbreak, then network access over USB port

This post summarises the steps I used to jailbreak my Kindle 3 and set up IP-over-USB link to my PC-BSD 8.2 (FreeBSD) desktop.

Jailbreak

Inspired by people who’ve done this before, I decided to jailbreak my K3 in order to gain more control over the unit’s operation. One piece of functionality I definitely desired was creating an IP network link over the USB port.

The discussion thread http://www.mobileread.com/forums/showthread.php?t=88004 has links to a variety of jailbreak and usbnetwork hacks updated for K3 firmware (FW) 3.2.1.

With the K3 plugged into my PCBSD desktop, I performed the following steps:

  1. Install update_jailbreak_0.9.N_k3w-3.2.1_install.bin from kindle-jailbreak-0.9.N.zip (copy the .bin file to the root of the Kindle’s mass storage folder when plugged in as a USB Mass Storage Device)
  2. Unmount and disconnect the Kindle
  3. On the K3 select Home->Menu->UpdateKindle, and the Kindle restarts and updates automatically from the newly added .bin file

This process leaves a directory /linkjail at the top level of the K3’s mass storage folder.

Installing USB Networking

Once jailbroken, the Kindle’s USB port may be used as an IP network interface. I installed update_usbnetwork_0.34.N_k3w_install.bin from kindle-usbnetwork-0.34.N.zip (using same steps as for the jailbreak itself — copy the .bin file to the root of the K3’s mass storage folder, remove, then “UpdateKindle”).

This process leaves a directory /usbnet at the root of the K3’s mass storage folder, containing a number of configuration files (under /usbnet/etc) and executable binaries (under /usbnet/bin). The executables are useful network tools:

-rwxr-xr-x    1 root     root        47568 Aug 22  2011 busybox
-rwxr-xr-x    1 root     root       203492 Aug 22  2011 dropbearmulti
-rwxr-xr-x    1 root     root        98940 Aug 22  2011 htop
-rwxr-xr-x    1 root     root       109720 Aug 22  2011 lsof
-rwxr-xr-x    1 root     root       351292 Aug 22  2011 rsync
-rwxr-xr-x    1 root     root        55360 Aug 22  2011 sftp-server
-rwxr-xr-x    1 root     root         1474 Mar 23  2011 usbnet-disable
-rwxr-xr-x    1 root     root         1539 Mar 23  2011 usbnet-enable
-rwxr-xr-x    1 root     root         7442 Mar 23  2011 usbnetwork

Enable and configure USB networking

Enabling USB networking requires the Kindle be returned to its e-reader (not mass storage) mode. If you’ve not already done so, ‘unmount’ the mass storage file system (the usual way) and ‘eject’ the K3 from your PC without physically removing it. From within PC-BSD/FreeBSD use:

[gja@gjadesktop] /home/gja# usbconfig -d 4.3 power_off

(assuming the K3 was device 3 on USB bus 4) and the K3 should now revert to e-reader (interactive on-screen) mode.

Back at the K3’s Home screen enter the following two special commands into the search box (be sure to press <enter> after each one).

;debugOn

followed by

~usbNetwork

(Each time, open up the search box by hitting [DEL] when sitting at the Home screen and before typing anything else.)

This command sequence re-enables the K3’s USB port as an RNDIS-compatible Ethernet-over-USB interface (“USB networking mode”). By default, the K3 will assume IP address 192.168.2.2 on its end of the IP-over-USB link, and assume the other end is 192.168.2.1. This is set using the following lines in /usbnet/etc/config:

HOST_IP=192.168.2.1
KINDLE_IP=192.168.2.2

I left these as configured for now.

My PC-BSD host saw the following messages to console (/var/log/messages) as soon as “~usbNetwork” was entered in the search box:

Sep 19 18:02:55 gjadesktop kernel: ugen4.3: <Amazon> at usbus4 (disconnected)
Sep 19 18:02:57 gjadesktop kernel: ugen4.3: <Linux 2.6.26-rt-lab126/fsl-usb2-udc> at usbus4
Sep 19 18:02:57 gjadesktop kernel: cdce0: <RNDIS Communications Control> on usbus4
Sep 19 18:02:57 gjadesktop kernel: cdce0: No valid alternate setting found
Sep 19 18:02:57 gjadesktop kernel: device_attach: cdce0 attach returned 6
Sep 19 18:02:57 gjadesktop kernel: cdce0: <RNDIS Communications Control> on usbus4
Sep 19 18:02:57 gjadesktop kernel: cdce0: No valid alternate setting found
Sep 19 18:02:57 gjadesktop kernel: device_attach: cdce0 attach returned 6
Sep 19 18:02:57 gjadesktop kernel: cdce0: <Ethernet Data> on usbus4
Sep 19 18:02:57 gjadesktop kernel: cdce0: faking MAC address
Sep 19 18:02:57 gjadesktop kernel: ue0: <USB Ethernet> on cdce0
Sep 19 18:02:57 gjadesktop kernel: ue0: Ethernet address: 2a:fa:c8:10:02:00

usbconfig now reports an RNDIS/Ethernet device:

[gja@gjadesktop] /home/gja# usbconfig
 [..]
 ugen4.3: <RNDIS/Ethernet Gadget Linux 2.6.26-rt-lab126/fsl-usb2-udc> at usbus4, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON
[gja@gjadesktop] /home/gja#

In other words, the Ethernet-over-USB subsystem on FreeBSD 8.2 has detected the K3 as a new ue0 network interface.

HOWEVER — in order to actually get IP/Ethernet traffic flowing over this interface we need to tickle the interface. I’ve not researched specifically why this works, but trial-and-error led to the following:

[gja@gjadesktop] /home/gja# usbconfig -d 4.3 set_config 1

This causes the FreeBSD kernel’s if_cdce driver to register a reset and renewal of the ue0 network interface. The messages in /var/log/messages look the same as above, but the interface is now actually active.

Sep 19 18:15:25 gjadesktop kernel: cdce0: at uhub4, port 2, addr 3 (disconnected)
Sep 19 18:15:25 gjadesktop kernel: ue0: promiscuous mode disabled
Sep 19 18:15:25 gjadesktop kernel: cdce0: <CDC Communications Control> on usbus4
Sep 19 18:15:25 gjadesktop kernel: cdce0: No valid alternate setting found
Sep 19 18:15:25 gjadesktop kernel: device_attach: cdce0 attach returned 6
Sep 19 18:15:25 gjadesktop kernel: cdce0: <CDC Communications Control> on usbus4
Sep 19 18:15:25 gjadesktop kernel: cdce0: No valid alternate setting found
Sep 19 18:15:25 gjadesktop kernel: device_attach: cdce0 attach returned 6
Sep 19 18:15:25 gjadesktop kernel: cdce0: <Linux 2.6.26-rt-lab126/fsl-usb2-udc RNDIS/Ethernet Gadget, class 2/0, rev 2.00/2.22, addr 3> on usbus4
Sep 19 18:15:25 gjadesktop kernel: cdce0: faking MAC address
Sep 19 18:15:25 gjadesktop kernel: ue0: <USB Ethernet> on cdce0
Sep 19 18:15:25 gjadesktop kernel: ue0: Ethernet address: 2a:a8:d3:1b:02:00

Configure the FreeBSD end of this link on the 192.168.2/24 network (as assumed by the K3’s defaults):

[gja@gjadesktop] /home/gja/papers# ifconfig ue0 192.168.2.1/24
[gja@gjadesktop] /home/gja/papers# ifconfig
[..]
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 2a:fa:c8:10:02:00
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::28fa:c8ff:fe10:200%ue0 prefixlen 64 scopeid 0xa
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
[gja@gjadesktop] /home/gja/papers#

And confirm the link works using ping…..

[gja@gjadesktop] /home/gja/papers# ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
64 bytes from 192.168.2.2: icmp_seq=0 ttl=64 time=1.416 ms
64 bytes from 192.168.2.2: icmp_seq=1 ttl=64 time=0.409 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=64 time=0.476 ms
64 bytes from 192.168.2.2: icmp_seq=3 ttl=64 time=0.456 ms
64 bytes from 192.168.2.2: icmp_seq=4 ttl=64 time=0.432 ms
^C
--- 192.168.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.409/0.638/1.416/0.390 ms
[gja@gjadesktop] /home/gja/papers#

Yay! The network is up and running.

Login to the Kindle

Now the network is up, I login with telnet and then later use sftp from inside a KDE Dolphin window.

From the README_FIRST.txt that came with the usbnetwork hack:

“Note that, when WiFi mode is enabled, telnetd won’t be started, and the SSH daemon *WILL* require a proper password! When WiFi mode is disabled, telnet will log you right in without password, and SSH will log you in with anything as the password (even a blank one, so you can just type return).”

Also:

“When you’re done, exit your shell on the Kindle, and bring the network if down before
ejecting/unplugging your Kindle.”

Using telnet, my first login does not require a password:

[gja@gjadesktop] /home/gja/papers#
[gja@gjadesktop] /home/gja/papers# telnet 192.168.2.2
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.

Welcome to Kindle!

#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  #
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################
[root@kindle root]#
[root@kindle root]# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mmcblk0p1          646.8M    483.5M    137.4M  78% /
tmpfs                   125.3M     20.0k    125.2M   0% /dev
rwfs                     32.0M    432.0k     31.6M   1% /mnt/rwfs
shm                     125.3M         0    125.3M   0% /dev/shm
rwfs                     32.0M    432.0k     31.6M   1% /var
/dev/mmcblk0p2           23.2M      1.4M     20.6M   6% /var/local
fsp                       3.1G    101.1M      3.0G   3% /mnt/us
/dev/loop/0               3.1G    101.1M      3.0G   3% /mnt/base-us
[root@kindle root]#
[root@kindle root]# uname -a
Linux kindle 2.6.26-rt-lab126 #5 Sat Apr 16 20:16:18 PDT 2011 armv6l unknown
[root@kindle root]#
[root@kindle /etc]# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4224 (4.1 KiB)  TX bytes:4224 (4.1 KiB)

usb0      Link encap:Ethernet  HWaddr EE:19:00:00:00:00
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:492 errors:34 dropped:0 overruns:0 frame:34
          TX packets:431 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26446 (25.8 KiB)  TX bytes:213273 (208.2 KiB)

[root@kindle /etc]#
[root@kindle /etc]# date
Wed Nov  3 02:03:38 UTC 2010
[root@kindle /etc]#
[root@kindle /etc]# date -s "091908312011"
Mon Sep 19 08:31:00 UTC 2011
[root@kindle /etc]#

I also tried accessing the K3 from the KDE/Dolphin file manager using sftp://root@192.168.2.2 and it worked nicely, providing a perfectly reasonable GUI drag-n-drop interface to the Kindle’s file system.

Note that file system /mnt/base-us is the one exposed when the K3 attaches as a USB mass storage device. I could potentially use sftp and Dolphin as an alternative to mounting the K3 in its USB mass storage device mode when copying files back and forth.

Finally, I logged out of the Kindle, “ifconfig ue0 down” on the PCBSD box, and pulled the USB cable out. As far as I could tell, the ue0 interface went away gracefully.

Enabling USB Networking by default

The file /usbnet/DISABLED_auto is created  in the K3’s mass storage file system when USB networking support is installed.  While this file is present, you will need to explicitly enable USB networking using the “;debugOn” & “;usbNetwork” steps after reboots/restarts.

Renaming this file to /usbnet/auto will result in the K3’s USB port being always configured by default for Ethernet-over-USB networking, rather than USB mass storage, when the Kindle is restarted/rebooted. Be very sure you’ve properly configured networking before changing this file, as you wont be able to (easily) restore access to the K3’s mass storage file system later.

Advertisements

One comment

  1. These companies are going to want you to give then a review of their product,
    in exchange for you receiving free merchandise. Running Ethernet cable to unwired
    areas of a building is an easy project for either in-house or outside technicians.
    I didn’t believe it in the beginning, but when the Zero cost PSN codes worked, I was jumping throughout.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: