Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
How to Unbrick a Kindle Paperwhite

How to unbrick an Amazon Kindle Paperwhite™

This guide instructs you in how to unbrick an Amazon Kindle Paperwhite. The consequences of following it are your own responsibility. This method (opening the Kindle and using the serial interface) should be a last resort and should only be considered if other methods fail

The Guide

  1. Pry open Kindle using a prying tool
  2. Unscrew the screen and remove it from the base. Note that there's a screw hidden under the adhesive at the top in the middle
  3. Solder tin wire to serial ports on the bottom
  4. Attach tin wire to USB TTY device (order is ground, RX, TX, from the kindle's perspective, where GND is the smallest pad) and plug USB TTY device into your computer
  5. Open Putty on your computer in serial mode, with the serial port specified as your USB device and baud configured to 115200
  6. Reboot kindle
  7. When the kindle is booting, there exists a brief window where sending data to it over the serial line will cause it to enter it's bootloader. To achieved this I repeatedly pressed enter on my computer's keyboard as my kindle started booting
  8. Now that we're in the bootloader, run 'bist fastboot' to put your Kindle into fastboot mode
  9. On a Mac, build https://github.com/TobiasWooldridge/Fastboot-Kindle -- if you get this building on anything else, please send me a pull request :)
  10. Download Paperwhite images from http://ixtab.tk/kindle-touch-images/PaperWhite/
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-diags_kernel.img.gz
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-main_kernel.img.gz
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-mmcblk0p1.img.gz
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-mmcblk0p2.img.gz
    gunzip pw_5.2.0-*.img.gz
  1. Modify the pw_5.2.0-mmcblk0p2.img on something which can mount ext3 using the guide below
  2. In bist, run 'fastboot' (if it isn't running already)
  3. Make sure Kindle Paperwhite is plugged in to your Mac by USB as well
  4. On your Mac, run ./fastboot (Be careful not to run fastboot, as that may use an installed Android fastboot binary). This will list the paritions on your Kindle Paperwhite
  5. We want to overwrite diags_kernel, main_kernel, system and diags
  6. We now want to run
    ./fastboot flash system pw_5.2.0-mmcblk0p1.img
    ./fastboot flash kernel pw_5.2.0-main_kernel.img
    ./fastboot flash diags pw_5.2.0-mmcblk0p2.img

to flash all of our images to the Kindle Paperwhite EXCEPT for the main system image

  1. Run the following to reboot your Kindle and get into Diags mode
    ./fastboot setvar bootmode diags
    ./fastboot reboot
  1. Once your kindle's booted to diags mode, start USB mode

  2. Rename pw_5.2.0-mmcblk0p1.img to mmcblk0p1.img and copy it to your kindle

  3. Safely unmount your kindle

  4. Reboot your kindle into diagnostics mode again from the "Exit, Reboot or Disable Diags" menu

  5. If you're watching your Kindle's serial output as it boots, you should see something like

    /dev/loop/0: 84 files, 44940/174079 clusters
    info filesystems:installdata:KINDLEFIX looking for /mnt/us/mmcblk0p1.img ...:
    info filesystems:installdata:KINDLEFIX found mmcblk0p1.img, trying to install:I
  1. This indicates that it's flashing the system partition. It will take a while, during which the Kindle will only show the Amazon Kindle screen

  2. Once diags mode has booted, open "Exit, Reboot or Disable Diags", hit disable diagnostics, then hit continue. This will reboot your kindle.

  3. Hooray! Your kindle is now unbricked.

  4. Optionally delete the mmcblk0p1.img on your Kindle over USB. If you leave it there, every time the diags tool is run, it'll flash it to the system partition.

How to modify pw_5.2.0-mmcblk0p2 to automatically dd pw_5.2.0-mmcblk0p1 to the system partition

Unfortunately pw_5.2.0-mmcblk0p1 is too big for fastboot (or, fastboot doesn't like it for some reason). This causes us a little bit of grief because we need to use some other means to get it onto our kindle

We'd usually use the 'dd' tool on the kindle over ssh to copy this file to its respective partition; however, Amazon has removed the diagnostic partition's ssh application, so we can't use that to copy the file to the kindle and dd it.

Instead, we'll just mangle the diagnostic image to 'dd' the file after it's done initializing filesystems.

To do this,

  1. Back up then mount the diagnostic image to some directory
    cp pw_5.2.0-mmcblk0p2.img pw_5.2.0-mmcblk0p2.img.bak
    mkdir mmcblk0p2
    root@debian:~# mount -t ext3 pw_5.2.0-mmcblk0p2.img mmcblk0p2/
  1. Open its /etc/upstart/diags file (the diagnostics boot script)
    vim mmcblk0p2/etc/upstart/diags
  1. At the end of init_filesystems function, before the "#end script" comment, add
    # INSTALL MAIN PARTITION FROM USERSTORE
    f_log I filesystems installdata "KINDLEFIX looking for /mnt/us/mmcblk0p1.img ..."
    if [ -e /mnt/us/mmcblk0p1.img ] ; then
      f_log I filesystems installdata "KINDLEFIX found mmcblk0p1.img, trying to install" I
      dd if=/mnt/us/mmcblk0p1.img of=/dev/mmcblk0p1 bs=4K
      f_log I filesystems installdata "KINDLEFIX Install successful" I
    fi
  1. Unmount mmcblk0p2
    umount mmcblk0p2/
  1. Now when we flash pw_5.2.0-mmcblk0p2.img, it'll automatically check the userstore directory for a file named 'mmcblk0p1.img' and flash it to the system partition

Misc

If you find this useful or find an error, feel welcome to leave a comment below or email tobias@wooldridge.id.au - thanks!

garyaj commented Sep 17, 2014

What does "immediately mash enter" mean? KPWs don't have any keys (other than power on/off).

garyaj - I believe he's referring to the client that you've connected the TTY to. For example, you could use a USB to TTY cable, then open that TTY in your operating system using something like PuTTY. Turn on the KPW, then mash Enter on your keyboard so you hit the limited time window during the boot process.

Owner

That's exactly it, jeff. I've since updated the wording :)

Thanks

Great thanks for the manual! Successfully debricked Kindle Paperwhite Demo and turn it into full featured kindle. Only trouble that i got into was exiting from Diag mode, because it couldn't find device_info.xml file, to generate it i followed these instructions http://wiki.mobileread.com/wiki/Kindle_Touch_Hacking#Exiting_Diags_Mode. And since my Kindle is 3G i used images from "ixtab_pw520_wlan+3g" folder. Everything works now.

amirseni commented Jan 9, 2015

Thanks for the instructions, I keep reading that the voltage on the TX line from the USB-TTY should be 1.8v.
Did you have to wire in a level shifter?

Hi, I'm trying to unbrick a kindle PW2. When i run "bist fastboot" I only get Battery voltage outputs, like

Battery voltage: 3996 mV
Battery voltage: 3997 mV
Battery voltage: 3998 mV
Battery voltage: 3999 mV
...
The battery has 81% of charge, according to "vni batt cap"
bist > vni batt cap
FG Capacity = 81 Percent

And the kindle never enters fastboot mode. What can I do?

When the Kindle is in fastboot mode and I hit terminal for the fastboot commands I just have a "Waiting for device" note and nothing happens. Anyone knows what to do?

jsfaint commented Jan 5, 2016

This command was missing in step 16

./fastboot flash diags_kernel pw_5.2.0-diags_kernel.img
geekmaster commented May 1, 2016 edited

I like the hacked diags partition. This would be a lot easier (if automated) than manually enabling USB networking in kubrick (from ixtab at mobileread.com), where you got those partition images. BTW, that diags kernel you hacked was copied from MY kindle (as purchased from amazon), and amazon support staff DID give me permission to share these partition images online "for repair purposes". Kubrick (bootable CD or USB stick) works without hacking the diags partition (which shipped with USB networking built into diags), and it automatically "types" the fastboot commands for you.

More images here:
https://ixtab.tk/kindle-touch-images/PaperWhite/

govvin commented May 12, 2016

Hi there. Your introduction mentioned this method as a last resort. Would you have links to guide to other methods I can try to de-brick my Paperwhite? Thanks

horak commented Aug 14, 2016

Ah, so one must be able to reboot the device in order to follow this method correct? Unfortunately I cannot even do that. 👎

wcs commented Aug 25, 2016

Hi!, I'm having a issue on my kindle. For some very weird reason, I do the flashing, everything just looks good, but actually no data is stored on the mmc0.. after reboot everything goes back as it was. Trying to undemo a paperwhite, btw.

I've followed the guide and everyting seems OK, but kindle is still in a bootloop.. and mmcblk0p1 does not seem to have been flashed.
Any ideas?

omowyh commented Sep 16, 2016

Where can I get the kpw3 images?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment