Skip to content

Instantly share code, notes, and snippets.

@TobiasWooldridge
Last active April 4, 2024 20:03
Show Gist options
  • Save TobiasWooldridge/22f0cdca75190b9a473f to your computer and use it in GitHub Desktop.
Save TobiasWooldridge/22f0cdca75190b9a473f to your computer and use it in GitHub Desktop.
How to Unbrick a Kindle Paperwhite

How to unbrick an Amazon Kindle Paperwhite™

This guide instructs you in how to unbrick an Amazon Kindle Paperwhite. The consequences of following it are your own responsibility. This method (opening the Kindle and using the serial interface) should be a last resort and should only be considered if other methods fail

The Guide

  1. Pry open Kindle using a prying tool
  2. Unscrew the screen and remove it from the base. Note that there's a screw hidden under the adhesive at the top in the middle
  3. Solder tin wire to serial ports on the bottom
  4. Attach tin wire to USB TTY device (order is ground, RX, TX, from the kindle's perspective, where GND is the smallest pad) and plug USB TTY device into your computer
  5. Open Putty on your computer in serial mode, with the serial port specified as your USB device and baud configured to 115200
  6. Reboot kindle
  7. When the kindle is booting, there exists a brief window where sending data to it over the serial line will cause it to enter it's bootloader. To achieved this I repeatedly pressed enter on my computer's keyboard as my kindle started booting
  8. Now that we're in the bootloader, run 'bist fastboot' to put your Kindle into fastboot mode
  9. On a Mac, build https://github.com/TobiasWooldridge/Fastboot-Kindle -- if you get this building on anything else, please send me a pull request :)
  10. Download Paperwhite images from http://ixtab.tk/kindle-touch-images/PaperWhite/
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-diags_kernel.img.gz
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-main_kernel.img.gz
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-mmcblk0p1.img.gz
    wget http://ixtab.tk/kindle-touch-images/PaperWhite/pw_5.2.0-mmcblk0p2.img.gz
    gunzip pw_5.2.0-*.img.gz
  1. Modify the pw_5.2.0-mmcblk0p2.img on something which can mount ext3 using the guide below
  2. In bist, run 'fastboot' (if it isn't running already)
  3. Make sure Kindle Paperwhite is plugged in to your Mac by USB as well
  4. On your Mac, run ./fastboot (Be careful not to run fastboot, as that may use an installed Android fastboot binary). This will list the paritions on your Kindle Paperwhite
  5. We want to overwrite diags_kernel, main_kernel, system and diags
  6. We now want to run
    ./fastboot flash system pw_5.2.0-mmcblk0p1.img
    ./fastboot flash kernel pw_5.2.0-main_kernel.img
    ./fastboot flash diags pw_5.2.0-mmcblk0p2.img

to flash all of our images to the Kindle Paperwhite EXCEPT for the main system image

  1. Run the following to reboot your Kindle and get into Diags mode
    ./fastboot setvar bootmode diags
    ./fastboot reboot
  1. Once your kindle's booted to diags mode, start USB mode

  2. Rename pw_5.2.0-mmcblk0p1.img to mmcblk0p1.img and copy it to your kindle

  3. Safely unmount your kindle

  4. Reboot your kindle into diagnostics mode again from the "Exit, Reboot or Disable Diags" menu

  5. If you're watching your Kindle's serial output as it boots, you should see something like

    /dev/loop/0: 84 files, 44940/174079 clusters
    info filesystems:installdata:KINDLEFIX looking for /mnt/us/mmcblk0p1.img ...:
    info filesystems:installdata:KINDLEFIX found mmcblk0p1.img, trying to install:I
  1. This indicates that it's flashing the system partition. It will take a while, during which the Kindle will only show the Amazon Kindle screen

  2. Once diags mode has booted, open "Exit, Reboot or Disable Diags", hit disable diagnostics, then hit continue. This will reboot your kindle.

  3. Hooray! Your kindle is now unbricked.

  4. Optionally delete the mmcblk0p1.img on your Kindle over USB. If you leave it there, every time the diags tool is run, it'll flash it to the system partition.

How to modify pw_5.2.0-mmcblk0p2 to automatically dd pw_5.2.0-mmcblk0p1 to the system partition

Unfortunately pw_5.2.0-mmcblk0p1 is too big for fastboot (or, fastboot doesn't like it for some reason). This causes us a little bit of grief because we need to use some other means to get it onto our kindle

We'd usually use the 'dd' tool on the kindle over ssh to copy this file to its respective partition; however, Amazon has removed the diagnostic partition's ssh application, so we can't use that to copy the file to the kindle and dd it.

Instead, we'll just mangle the diagnostic image to 'dd' the file after it's done initializing filesystems.

To do this,

  1. Back up then mount the diagnostic image to some directory
    cp pw_5.2.0-mmcblk0p2.img pw_5.2.0-mmcblk0p2.img.bak
    mkdir mmcblk0p2
    root@debian:~# mount -t ext3 pw_5.2.0-mmcblk0p2.img mmcblk0p2/
  1. Open its /etc/upstart/diags file (the diagnostics boot script)
    vim mmcblk0p2/etc/upstart/diags
  1. At the end of init_filesystems function, before the "#end script" comment, add
    # INSTALL MAIN PARTITION FROM USERSTORE
    f_log I filesystems installdata "KINDLEFIX looking for /mnt/us/mmcblk0p1.img ..."
    if [ -e /mnt/us/mmcblk0p1.img ] ; then
      f_log I filesystems installdata "KINDLEFIX found mmcblk0p1.img, trying to install" I
      dd if=/mnt/us/mmcblk0p1.img of=/dev/mmcblk0p1 bs=4K
      f_log I filesystems installdata "KINDLEFIX Install successful" I
    fi
  1. Unmount mmcblk0p2
    umount mmcblk0p2/
  1. Now when we flash pw_5.2.0-mmcblk0p2.img, it'll automatically check the userstore directory for a file named 'mmcblk0p1.img' and flash it to the system partition

Misc

If you find this useful or find an error, feel welcome to leave a comment below or email tobias@wooldridge.id.au - thanks!

@skrobul
Copy link

skrobul commented Aug 29, 2020

So, the ixtab.tk domain is dead and there are no images available anymore. But... I was able to recover using official firmware images and booting into diags mode.

It took me a bit to understand what the recovery process is based on the steps above but once I understood it, I was able to make it work for me. Basically, it was:

  1. Figure out how to boot device into "diags" mode
  2. While booted in diags mode, selected "Erase MMC", followed by "Recreate partitions" and bunch of reboots in between.
  3. Once the partitions is recreated, used "Export FAT" option in the recovery menu to connect my PW2 to computed with USB cable and transfer the update_XXXX.bin to that partition (save file as update.bin). Please note that Load MMC through USB did not work correctly.
  4. When the firmware is on FAT partition, then you can boot into diags recovery menu again and select U. If the partition table is correct, then it will start flashing (takes few minutes but there are nice progress bars).

In my case, at some point the update did not proceed and I've noticed that it was complaining that mmcblk0p1 did not have a journal. I've used Load MMC through USB menu, connected kindle to my computer and noticed that indeed first partition was formatted as ext2 rather than ext3 with journal. So I fixed it with simple tune2fs -j /dev/sda1 and repeated the Update step and it worked this time.

Also, in case you need the missing images from ixtab.tk, I have found some of them on chinese website - https://www.lanzous.com/b604463
Not sure which versions they are, but the diags worked on PW2.

  • diags_kernel - flashed as diags_kernel
  • kernel - flashed as kernel
  • mmcblk0p2.img - flashed as diags

I didn't touch boot0.img and boot1.img - not sure what they are for, probably bootloader.

@ritrelo
Copy link

ritrelo commented Jan 28, 2021

No one got working links to the diag kernel ? I think i screwed my PW diags partition

@skrobul
Copy link

skrobul commented Jan 28, 2021

@ritrelo see my comment above, the 2nd link seems to have the kernel

@ritrelo
Copy link

ritrelo commented Jan 28, 2021

@skrobul Thanks for the quick reply. I thought those were for PW2 im looking for PW1. you think they would work? I thought PW1 was closer to K5 than to PW2. Im afraid of following your steps because I think I screwed up my diags partition and im afraid of "Erase MMC" but I might give it a shot

@skrobul
Copy link

skrobul commented Jan 28, 2021

@ritrelo to be honest, I don't know and I don't have the device to check anymore, but here are some ideas:

  • is it possible to dump existing kernel partition so you could restore it if needed?
  • https://pastebin.com/ZD1CiAkm lists a couple of URLs. the Mediafire links still work. They are simply listed as Paperwhite without model specification.

@FranciscoDaunas
Copy link

Hi, I just got two pw2 where the previous owner though it would be great idea to try de command erase. I’m trying to fix them I’m at the point where I have compiled the tool both in mac and linux(raspbian) and I got the images. I can get the kindle to fastboot and says:
Usb speed: High
Connected to host
Battery voltage .....( keep printing the battery voltage)

I assume that this means it is waiting to get a handshake from the ./fastboot called from the computer. However, when ever y call ./fastboot flash diag , I get In both linux and mac

I have the usb connected and serial connected on the same device. I have tried using the options for -i vendor id and -s serial but non seems to work. The vendor id just sits in and -s said invalid. I’m connecting through a FTDI232 board, so seria to USB. If anyone could help me I would appreciate it a lot

@reza12345678901
Copy link

I have kindle oasis 3. My device is stuck on tree screen display. I did 40 sec pressing the power button but nothing happened. Please help.
5316367B-969A-480E-AF7C-AB40F55AD900

@mpcabete
Copy link

hey, I am trying to debrick my kindle, I just flashed it with the images provided in the tutorial https://www.youtube.com/watch?v=xBquDhGZXoU&list=WL&index=4&t=622s description, enabled diagnostic mode with "./fastboot setvar bootmode diags" and rebooted it. when it reboots it doesn't enter diagnostic mode tho, in the serial port debug it shows the following errors:
`...
[ 1.706780] mxc_dvfs_core_probe
[ 1.714340] DVFS driver module loaded
[ 1.737446] regulator_init_complete: max77696_ldo10: incomplete constraints, leaving on
[ 1.752691] regulator_init_complete: max77696_ldo7: incomplete constraints, leaving on
[ 1.770048] regulator_init_complete: max77696_ldo6: incomplete constraints, leaving on
[ 1.785257] regulator_init_complete: max77696_buck6: incomplete constraints, leaving on
[ 1.793485] regulator_init_complete: max77696_buck5: incomplete constraints, leaving on
[ 1.802204] regulator_init_complete: max77696_buck2dvs: incomplete constraints, leaving on
[ 1.810556] emmc: I def:mmcpartinfo:vendor=toshiba, host=mmc0:
[ 1.819790] regulator_init_complete: max77696_buck1dvs: incomplete constraints, leaving on
[ 1.838984] mmc0: unrecognised EXT_CSD revision 7
[ 1.843696] mmc0: error -22 whilst initialising MMC card
[ 1.851483] max77696-rtc max77696-rtc.0: setting system clock to 2021-09-10 18:31:36 UTC (1631298696)
[ 1.883644] KERNEL: I pmic:charger chgina::charger connected
[ 1.930832] MAX77696 Main Charger Driver 1.0.0 Installed
[ 1.969526] MAX77696 Energy Harvester Driver 1.0.0 Installed
[ 1.987266] Freeing init memory: 1036K
3.0.35-lab126 #1 Tue Sep 3 03:12:16 PDT 2013 armv7l
[ 2.067505] emmc: I def:mmcpartinfo:vendor=toshiba, host=mmc0:
[ 2.096435] mmc0: unrecognised EXT_CSD revision 7
[ 2.101166] mmc0: error -22 whilst initialising MMC card
[ 2.298024] emmc: I def:mmcpartinfo:vendor=toshiba, host=mmc0:
[ 2.334487] mmc0: unrecognised EXT_CSD revision 7
[ 2.339236] mmc0: error -22 whilst initialising MMC card
[ 2.416651] add wake up source irq 104
[ 2.569644] emmc: I def:mmcpartinfo:vendor=toshiba, host=mmc0:
[ 2.628923] mmc0: unrecognised EXT_CSD revision 7
[ 2.633651] mmc0: error -22 whilst initialising MMC card
[ 3.546991] KERNEL: I pmic:fg battery id check::wario_battery_valid=1

`

It is a generation 6 kindle paperwhite.
Can someone help me?

@netcom27
Copy link

netcom27 commented Nov 7, 2022

Hello! Could you please explain to a laic what step 8 actually is? I have a general IT knowledge, let's say average+, but the only coding I did what HTML in Junior High so bear with me. I have PuTTy, what do i need to do now? Download all the codes from this repository, paste them in the notebook and rename the file to the listed names and put them in the same folder as PuTTy is?

On a Mac build... -> what does it literary mean. I paste the code from fastboot.c to a notebook and save it as "fastboot.c" file that i put in my PuTTy folder so it can be loaded while I type "./fastboot".

@MrSlimbrowser
Copy link

Fastboot.c is a source code file. To build means to compile these source code files into an executable program.
I don't have a mac but you likely have to download the whole repository (and extract it if zipped), open a terminal, change to that folder (probably with "cd /path" command) and then run "make". It should output a whole lot of stuff which hopefully does not contain an error message and then an executable "fastboot" should show up somewhere (either in the same folder or a bin or output subfolder) that you then can use.
Hope this is somewhat helpful 😅

@netcom27
Copy link

netcom27 commented Nov 7, 2022

Fastboot.c is a source code file. To build means to compile these source code files into an executable program. I don't have a mac but you likely have to download the whole repository (and extract it if zipped), open a terminal, change to that folder (probably with "cd /path" command) and then run "make". It should output a whole lot of stuff which hopefully does not contain an error message and then an executable "fastboot" should show up somewhere (either in the same folder or a bin or output subfolder) that you then can use. Hope this is somewhat helpful 😅

Thank you sir! I have both Mac and Windows (no linux unfortunately) but the guide seems to be more Mac-focused so I'll try that. Thank you very much :)

@sirkuazar
Copy link

Hello, my name is Patricio from Chile.

I have a problem with my kindle 10th paperwhite. I need to solder (rx TX and) to the board but I don't have the serial port (diagram). Can you help me? I don't know which pin they should be soldered to

Please!

I did not find the solution.

Please

@DavDaz
Copy link

DavDaz commented Nov 1, 2023

Hello, can someone help me with the 11th gen 'kindle paperwhite'? I need to solder (rx TX and) to the board, but I don't have the serial port (diagram). Can you assist me? I don't know which pin they should be soldered to. Please! I couldn't find the solution. I'm attaching an image of my kindle.
https://imgur.com/gallery/36Hv3Kf

@Ph1syc
Copy link

Ph1syc commented Dec 29, 2023

Hello, can someone help me with the 11th gen 'kindle paperwhite'? I need to solder (rx TX and) to the board, but I don't have the serial port (diagram). Can you assist me? I don't know which pin they should be soldered to. Please! I couldn't find the solution. I'm attaching an image of my kindle. https://imgur.com/gallery/36Hv3Kf

Hey! i also ran into the same issue on the same device and eventually gathered that the gen 11 kindle doesn't have any serial pins because amazon use their own proprietary debug cable now (and it's not available for purchase ): )

@ERROR-404-NULL-NOT-FOUND

@sirkuazar It should be the same layout as is shown in https://www.mobileread.com/forums/showthread.php?t=249979, just upside down (you can use the extra solder pads for reference)

@Asdikaa
Copy link

Asdikaa commented Mar 11, 2024

Hi! Does anyone have the image files for the pw 1?

@10110000mh
Copy link

can anyone help me? this is what i see in the terminal when only the rx is connected (see "random" text output in end of post) and when the tx is also connected i don't see anything (i checked the connections they are all good but i still don't see anything tried pressing power for 40s and tried to remove battery and then insert and press power.... nothing please help):

output

  üüàøþüøÿÀüÿø@ÀàÁøðüÿÿÎÀ@àÿþàø?ü|üÀàÀàøøðþ÷hàÿ ð×ü
Àüþø?êèðüüççþÂôñ
Àÿàpô¾<ÀðÀ0àþ ðÿÿ<ðÿûÀÿþÿü?ÿpÿÿÿü0Àð0ÿþÿÀ}hð
þëçæøüÿ0xààÿøüþààÀðÿðàøÀøþxøøà ÿÔ
þþþø<üðààø
ü?ðÿÀüàÿøÿøÿþÈüþþÿ ÿðýðÿøÿð|øþþþà0á@>AðpÌøàÜ1ÄÀþxRxøÿðøðþø þðÀÀþÿÿºøïüÿÀ2þÃÿøÀ@,pøÿÿð|þüþöðüîÿ÷Èÿø?þý|àÿ0Äÿüøÿüþøø~ìà�ÀþüððÀÿÿþþüþø?¦ÿÿÇÜüüð û4|?ÿü2þ#ÿì ÿüÿÄ?ýÿôÿ?ÿÿ@øÿæøþÿüÀþ_üÀÿ~Ì>ÿ8ÀL Àþx ø0øà<x8ÂþþpÁ8Çò¿üÿxøüÀðÿøÀÿÿ÷ÿôü??ÿÀð@º¸Aèÿþÿ¿þþ?näà@  ð¼Ð øþÿþ pàøàøÐþÿôÿÀüøúàþÿ àðþø|Ìûpþÿøÿ@@ àðÂc?8<"Ø@@@à@ÿ;þ7ßÿì&<üþàþÿÐÕþÿÿÿ,ðÿÿðþö@Àøøþàþÿø
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
and more....

@ERROR-404-NULL-NOT-FOUND

@10110000mh Did you set the baud to 115200 in your serial program?

@ERROR-404-NULL-NOT-FOUND
Copy link

ERROR-404-NULL-NOT-FOUND commented Apr 4, 2024 via email

@10110000mh
Copy link

10110000mh commented Apr 4, 2024 via email

@ERROR-404-NULL-NOT-FOUND

That's disroot+FairEmail lol

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment