Hacking the Kindle Paperwhite 2 (Root Access) - Adding SSH for Remote Login

by Jonathan Cline - jcline@ieee.org

The following shows how to get an sshd running on the Kindle PW2. This allows logging in to the Kindle remotely over SSH from a PC.

This is based on a custom build of the SSH tools under an ARM cross-compile toolchain (details below).


Build the software development environment using Freescale's i.MX6 distribution (LTIB), or use a similar ARM cross build. The LTIB build will take some time. It requires a Linux host machine. I used a generic VM of Ubuntu Server 10.04-i386. It took at least 4 days to build, most of that time spent waiting for compilation to finish or error out. The LTIB (a buildroot) has some dependency problems (outdated links and small Makefile errors) which must be resolved and which frequently result in an incomplete finish.

This requires serial console access, so refer to my other Lab Notebook pages for how to get serial root.

My tarball is here: kindle_pw2_sshd_20131015.tar.bz2 : Kindle Paperwhite 2 Binaries for SSH and SSHD

General steps of installation:

  1. Mount kindle to the host PC by connecting USB.
  2. Copy the tar file to the kindle. On kindle side, this will be in /mnt/us/.
  3. Unmount (Eject) the kindle. This will remount /mnt/us/ on the kindle side.
  4. From serial port console on the kindle, proceed as follows.
  5. Log in as root-priv account.
  6. Make / filesystem read-write using
    mntroot rw
  7. Untar the sshd distribution into / using
    cd /; tar xjf /mnt/us/kindle_pw2_sshd_20131015.tar.bz2
    The files are
    ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, stripped
    Only sshd, ssh, and the assorted utils/config files are included in this tarball.
  8. Add firewall exception to
    as follows:
    # SSHD
    -A INPUT -i wlan0 -p tcp -m tcp --dport 88 -j ACCEPT
    -A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  9. Run ssh host key generation.
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
  10. Reload iptables rules or reboot.
  11. Make /var/empty,
    mkdir /var/empty
  12. Start sshd with
  13. Attempt to ssh into the kindle paperwhite 2 with SSH on port 88.

There may be other small config pieces missing from the above though it's the general idea.
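Step 7 unpacks a third-party tarball over / as root, so each member is written wherever its path says. The following added example (not part of the original notebook or its tarball) reports members worth reviewing on the host PC before the file is copied to the Kindle; the allowed directory prefixes are an assumption, since the page does not give the tarball's layout.

```python
import posixpath
import stat
import sys
import tarfile

# Assumed install locations for an sshd bundle. The page does not list the
# tarball's layout, so adjust this after reading the first report.
ALLOWED_PREFIXES = ("etc/ssh/", "usr/bin/", "usr/sbin/", "usr/libexec/")


def landing_path(name):
    """Path a member ends up at when extracted with `cd /`, without the
    leading slash. At the root, '..' and a leading '/' change nothing."""
    return posixpath.normpath("/" + name).lstrip("/")


def audit_member(m, allowed=ALLOWED_PREFIXES):
    """Return the reasons this tar member deserves a manual look."""
    reasons = []
    if m.issym() or m.islnk():
        reasons.append("link to %s (can redirect later writes)" % m.linkname)
    if m.ischr() or m.isblk() or m.isfifo():
        reasons.append("device node or FIFO")
    if m.mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid bit set (mode %o)" % m.mode)
    if m.isfile() and not landing_path(m.name).startswith(tuple(allowed)):
        reasons.append("file outside expected directories")
    return reasons


def audit_tarball(path, allowed=ALLOWED_PREFIXES):
    """Map member name -> reasons for every member with a finding."""
    findings = {}
    with tarfile.open(path, "r:*") as tar:  # r:* auto-detects bz2/gz/plain
        for m in tar:
            reasons = audit_member(m, allowed)
            if reasons:
                findings[m.name] = reasons
    return findings


if __name__ == "__main__":
    results = audit_tarball(sys.argv[1])
    for member, reasons in results.items():
        print("%s: %s" % (member, "; ".join(reasons)))
    sys.exit(1 if results else 0)
```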

Then, the result is as follows: root shell!

Kindle Paperwhite 2 SSH Access

It is possible to build and install dropbear for a similar result.

These lab book pages are mostly for myself since dealing with multiple development environments tends to obscure the details after a while.