Blog Tags: 

On my Kindle I am root

Starting from the end

That's my Kindle in the screenshot running a full screen terminal. I'm about to run nmap (a network mapping program) inside a chrooted Debian ARM installation I put on the device. Having Debian on the device isn't really necessary for hacking the Kindle but it does make it easier to install ARM binaries of just about any of the 25,000 packages in Debian. Yep, apt-get works on my Kindle!

More practically I can now SSH into the device over the WIFI, use SFTP to transfer over new books without having to mess around with a USB cable, etc.

The device can still gets books from Amazon, but I've disabled its ability to auto-update firmware. Now that I control my device I'd like to keep it that way, even if there's no immediate practical benefit.

Besides, it's one thing to know on a theoretical level that the device runs Linux, and being able to see for yourself which processes are running:

Rewinding back to the beginning

Besides my workstation, my Kindle is the device I use the most. By far.

So much that it's almost wearable computing by now. When I take a break I stick it in my pocket and have Tom Glynn's synthesized voice quickly humming whatever I'm reading to me while my hands are free to eat my meals, take care of boring errands, etc.

It's maybe the only mobile device I feel has unambiguously improved my quality of life in a net positive way (I'll leave my gripes with smart phones for another time).

My only major concern with the Kindle is that I'm not supposed to have full control over it:

  • If it's connected to a network, Amazon can update my firmware remotely at any time without asking me first, possibly changing the device's behavior in undesirable ways. They can spy on my reading (how would I know?), delete my books, etc.

  • I can't customize its behavior. I keep having these ideas on little features that would make the device even more useful to me but probably wouldn't make sense for the average user. I don't expect Amazon (or any other consumer company for that matter) to design a product that fits perfectly with my needs out of the box.

  • I know there's Linux under the hood and I want root on it. On principle dammit!

    OK, maybe not just on principle. The Kindle is a very low cost, super lightweight, ARM Linux machine with an eInk display that can be easily read in bright sunlight, a great text-to-speech system, amazing battery life, WIFI / 3G access, a nice bit of storage, sound output and even a hidden microphone. There are endless creative off-label things you could do with it.

    Considering all the features packed into the Kindle the price is jaw dropping. Amazon probably isn't making a profit on the hardware. Heck the "special offers" Kindle now costs just $79. That's $20 less the $99 ARM SheevaPlug which doesn't have nearly as many features.

So over the weekend I took a look and it turns out that since I last checked a nice Kindle hacking community has sprung up, discovered that the Kindle doesn't have any real security, and made available all the tools you need to take full control over your device.

Kindle hacking is at its infancy but there's already a pretty sweet list of homebrew hacks that let you for example, replace the dead people in your screensavers, change/add new fonts, etc.

I found everything online. Mostly on the excellent mobileread forums but it took time to make sense of it all. The documentation is often a somewhat confusing and dodgy patchwork so I took notes, tested what worked on my Kindle and figured it would be useful to summarize my "crystallized" understanding for the benefit of others who might want to go down the same road.

Rooting your Kindle

Under the hood Amazon's firmware updates are just glorified shell scripts in a proprietary package format that contains an embedded Amazon signature.

The first thing we need to do to get control of the device is "jailbreak" it, which really just adds a "hacked" key to the keyring used to verify the package signature.

Install the Jailbreak

See the "How to install Jailbreak Hack" section.

Currently the latest version of the JailBreak is 0.7. To install it you just transfer over the bin that's right for your version of the Kindle (I.e., update_jailbreak_0.7.N_k3w_install.bin = Kindle 3 Wifi) into the device root and then update the device:

Home > Settings > Menu > Update Kindle

Now you can install packages signed by a non-secret hacked key. The Jailbreak contains a whitelist of md5sums of known good hacks.

Install usbnet hack

I downloaded the usbnet hack from an attachment on this forum thread:

What's usbnet?

The Kindle 2 has a hidden USB network mode, probably left over from development. When activated, the Kindle would behave as a USB network device rather than a USB mass storage device. This allowed you to do neat things such as tethering the device to your laptop.

Kindle 3 seems to have removed this feature, but the usbnet hack reactivates it and installs busybox (a micro shell environment), dropbear (a micro SSH server) and a few other utilities to allow you to SSH into your device and explore its insides.

After installation, usbnet creates a usbnet directory in your kindle root which contains its configuration files:

$ cd /mnt/kindle/usbnet
$ find


Now we'll unmount (I.e., "eject") the Kindle from our computer, disconnect the USB connection to take it out of mass storage mode and enable usbnet mode.

  • Press [DEL] on your Kindle to bring up the search bar and do the following "searches":

    ~help # just for fun

The commands are not case sensitive. Usually you don't want to stay in debugging mode because it turns off various power savings features such as turning off WIFI is your Kindle is not connected to the USB. Also, it turns on verbose logging.

Now when you connect your Kindle to your computer via USB, it isn't recognized as a mass storage device but rather as a USB network device.

This is what dmesg says when I connect the Kindle in mass storage mode:

[138591.847428] usb 8-1: new high speed USB device using ehci_hcd and address 45
[138592.000857] usb 8-1: configuration #1 chosen from 1 choice
[138592.004480] scsi24 : SCSI emulation for USB Mass Storage devices
[138592.004541] usb-storage: device found at 45
[138592.004556] usb-storage: waiting for device to settle before scanning
[138596.996774] usb-storage: device scan complete
[138596.997900] scsi 24:0:0:0: Direct-Access     Kindle   Internal Storage 0100 PQ: 0 ANSI: 2
[138597.003881] sd 24:0:0:0: [sdc] 6410688 512-byte hardware sectors (3282 MB)
[138597.109966] sd 24:0:0:0: [sdc] Write Protect is off
[138597.109973] sd 24:0:0:0: [sdc] Mode Sense: 0f 00 00 00
[138597.109976] sd 24:0:0:0: [sdc] Assuming drive cache: write through
[138597.113952] sd 24:0:0:0: [sdc] 6410688 512-byte hardware sectors (3282 MB)
[138597.219787] sd 24:0:0:0: [sdc] Write Protect is off
[138597.219792] sd 24:0:0:0: [sdc] Mode Sense: 0f 00 00 00
[138597.219794] sd 24:0:0:0: [sdc] Assuming drive cache: write through
[138597.219799]  sdc: sdc1

And here's what dmesg says when I connect the Kindle in USB network mode:

[138741.453693] usb 8-1: new high speed USB device using ehci_hcd and address 48
[138741.604690] usb 8-1: configuration #1 chosen from 2 choices
[138741.610967] usb0: register 'cdc_ether' at usb-0000:00:1d.7-1, CDC Ethernet Device, ee:49:00:00:00:00

Note that with the usbnet hack, by default SSH only works over the USB host-to-host connection. SSH is configured not to ask for the root password so usbnet wisely disables SSH over WIFI for security reasons.

To safely turn SSH over WIFI on we'll want to harden our Kindle first a bit. Setup SSH authentication, change the default keys and passwords and then reconfigure usbnet to allow SSH over WIFI.

We can configure this stuff in mass storage mode by editing files in usbnet/etc under the Kindle root, or via SSH on the usb host-to-host network. BTW, the kindle root you see in mass storage mode is is mounted to /mnt/us on the Kindle.

Anyhow, after connecting the Kindle to our computer in usbnet mode we have a new device, usb0 which we will configure to suit the default usbnet setup:

$ sudo ifconfig usb0
$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.696 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.696/0.696/0.696/0.000 ms

Now let's login to our Kindle for the first time:

$ ssh
Welcome to Kindle!

#  N O T I C E  *  N O T I C E  *  N O T I C E  #
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.

[root@kindle root]# cat /proc/cpuinfo
Processor       : ARMv6-compatible processor rev 3 (v6l)
BogoMIPS        : 511.18
Features        : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 6TEJ
CPU variant     : 0x1
CPU part        : 0xb36
CPU revision    : 3
Cache type      : write-back
Cache clean     : cp15 c7 ops
Cache lockdown  : format C
Cache format    : Harvard
I size          : 16384
I assoc         : 4
I line length   : 32
I sets          : 128
D size          : 16384
D assoc         : 4
D line length   : 32
D sets          : 128

Hardware        : Amazon MX35 Luigi Board
Revision        : 35020
Serial          : "B008A0A0040298FC"
BoardId         : "SP1B000000000000"

[root@kindle root]# free
         total       used       free     shared    buffers     cached
Mem:        256536     151468     105068          0      15248 53372
-/+ buffers/cache:      82848     173688
Swap:            0          0          0

[root@kindle root]# mntroot rw
system: I mntroot:def:Making root filesystem writeable

[root@kindle root]# passwd root
Changing password for root
New password:
Retype password:

[root@kindle root]# cd /mnt/us
[root@kindle us]# ls
audible           documents         music             system
usbnet            linkjail
[root@kindle us]# cd usbnet/etc/
[root@kindle etc]# ls -l
-rwxr-xr-x    1 root     root          957 May 23 14:56 config
-rwxr-xr-x    1 root     root          458 May 23 01:54 dropbear_dss_host_key
-rwxr-xr-x    1 root     root          427 May 23 01:54 dropbear_rsa_host_key
-rwxr-xr-x    1 root     root          561 Oct 10  2010 htoprc
drwxr-xr-x    3 root     root         8192 May 22 20:59 terminfo

# setup my SSH key as an authorized key
[root@kindle etc]# echo ssh-rsa AAAAB3NzaC1yc2EAAAABIwAwAIEAvp+4FpjKlv1nsddevQtX8zMvQMkuJDwZSCHpFdm2IY20NmOhF0LY6dKRzQ+89pJ2MUYZYtotN1SmMk1ndUmHssQIRrmKKWdwnDzDUISTDB5iEQIg8JcPxwu6+uJnLrZvfNrx/fsMoRwRR3S9bHcKi9pxQT9T4Jbt+Gt6ewtuLAE= liraz@dev > authorized_keys

Note that with the usbnet hack, by default SSH doesn't ask for the root password so it disables SSH over WIFI for security reasons.

In summary here's what I did to enable SSH over WIFI safely:

  1. added my SSH key to usbnet/etc/authorized_keys (a new file).

  2. installed dropbear on my Ubuntu workstation (e.g,. apt-get install dropbear) and then recreated the dropbear host keys:

    dropbearkey -t rsa -f rsa
    dropbearkey -t dss -f dss
    scp rsa
    scp dss
  3. edit usbnet/etc/config to change K3_WIFI field from false to true

  4. restart usbnet by toggling it off and back on with the hidden ~usbNetwork comand (from the search bar in ;debugOn mode).

Test that you can still log into SSH via the usb0 connection. That means you've configured everything correctly.

Now turn on Wifi and see if you can log in over WIFI. You can find out the Kindle's IP address by accessing the secret 711 network info screen:

Home > Menu > Settings >

    # ALT + U Q Q

As long as your Kindle is plugged into USB (in your computer or the power charger), it will remain accessible via WIFI even if the screensaver is active. In debugging mode the WIFI stays on even when your Kindle is not plugged in.

As is typical for embedded ARM devices the WIFI chip is usually sleeping to conserve power which makes for a slightly jittery interactive SSH session. Not too bad though.

For extra convenience, I configured my local WIFI router to bind the Kindle always to the same IP address (e.g.,

Keep in mind that your Kindle filters out ICMP pings on the WIFI so it won't respond to a regular ping, but it will respond to arping:

$ sudo arping
42 bytes from ee:19:00:00:00:00 ( index=0 time=1.777 msec
42 bytes from ee:19:00:00:00:00 ( index=1 time=54.230 msec

$ nc -vv 22 22 (ssh) open

$ ssh
Welcome to Kindle!

#  N O T I C E  *  N O T I C E  *  N O T I C E  #
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.

[root@kindle root]# ifconfig
lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2496 (2.4 KiB)  TX bytes:2496 (2.4 KiB)

usb0      Link encap:Ethernet  HWaddr EE:19:00:00:00:00
          inet addr:  Bcast:  Mask:
          RX packets:647 errors:0 dropped:0 overruns:0 frame:0
          TX packets:428 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53670 (52.4 KiB)  TX bytes:56067 (54.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 28:EF:01:83:A1:2C
          inet addr:  Bcast:  Mask:
          RX packets:3079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:727 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:333515 (325.6 KiB)  TX bytes:57404 (56.0 KiB)

[root@kindle root]# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address State
tcp        0      0* LISTEN
tcp        0      0    * LISTEN
tcp        0      0* LISTEN
tcp        0      0    * LISTEN
tcp        0      0 * LISTEN
tcp        0      0    ESTABLISHED
tcp        0    496    ESTABLISHED
tcp        0      0 ESTABLISHED

[root@kindle root]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:40317
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost.localdomain

I transfered over a 50MB test file to test the transfer rate. With good connectivity I can get 1.5MB/s over the Wifi. The USB host-to-host is slightly faster at about 2MB/s, and the mass storage interface is fastest at 6MB/s.

Transfering Kindle ebooks over Wifi with SSH/SFTP


scp path/to/ebook.prc
ssh dbus-send --system /default com.lab126.powerd.resuming int32:1

That last command triggers Amazon to refresh the book list. After I got sick of cut and pasting it into the CLI I made it into a tiny script:

cat > /usr/local/bin/hack-refresh << EOF
dbus-send --system /default com.lab126.powerd.resuming int32:1

chmod +x /usr/local/bin/hack-refresh

Note that in addition to its native AZW format, Amazon also supports txt, mobi, prc, mp3 and PDF files.

Unfortunately, the Kindle doesn't support local HTML files natively but there's a really sweet open source project called calibre for converting between ebooks formats.

Before Calibre, I also had some success with mobi pocket creator, a free as in beer program I experimented with in my Windows XP VM.

Install a native terminal (kiterm)

Luigi Rizzo wrote a standalone Kindle terminal you can use from within the device. I used a slightly patched version that works full screen.

It hasn't been packaged into a Kindle *.bin file yet but installation was relatively straightforward thanks to a nice tutorial on TinyApps.

The short version:

  1. extract the zip file to /mnt/us/kiterm

  2. create an init script to launch it on startup:

    #! /bin/sh
    # /etc/init.d/kiterm
    case "$1" in
        echo "Starting kiterm "
        /mnt/us/kiterm/myts.arm &
        echo "Stopping kiterm "
        killall myts.arm
        echo "Usage: /etc/init.d/kiterm
        exit 1
    exit 0
    ln -s /etc/init.d/kiterm /etc/rc5.d/S97kiterm
  3. reboot the Kindle (Menu > Settings > Menu > Restart)

To access the Terminal you press Shift, let go and immediately press T.

The terminal configures various key bindings to make up for the all the missing keys missing from the Kindle's limited keyboard. I saved the most common ones to a text file on my kindle for reference:

[root@kindle root]# mntroot rw
system: I mntroot:def:Making root filesystem writeable
[root@kindle root]# cat>keys<<'EOF'
>     Ctrl = AA (aka Symbol)
>     Esc  = Left Next Page
>     .------------------------.     .----------------------.
>     | Key   Back  Back+Shift |     | Key   Alt  Alt+Shift |
>     +------------------------+     +----------------------+
>     |  Q      `        ~     |     |  Q     1      !      |
>     |  A     Tab   Back Tab  |     |  W     2      @      |
>     |  Z      <        >     |     |  E     3      #      |
>     |  U      -        _     |     |  R     4      $      |
>     |  I      =        +     |     |  T     5      %      |
>     |  O      [        {     |     |  Y     6      ^      |
>     |  P      ]        }     |     |  U     7      &      |
>     |  K      ;        :     |     |  I     8      *      |
>     |  L      '        "     |     |  O     9      (      |
>     | Del     \        |     |     |  P     0      )      |
>     |  .      ,        <     |     '----------------------'
>     | Sym     .        >     |
>     | Ret     /        ?     |
>     '------------------------'
[root@kindle root]# mntroot ro
system: I mntroot:def:Making root filesystem read-only

Preventing Amazon from auto-updating your firmware

As far as I can tell the easiest and surest way to prevent Amazon from auto-updating your Kindle is to knock out the keys it uses to verify the signatures:

mv /etc/uks /etc/uks.disabled

Under the hood, the Kindle is programmed to get firmware updates automatically via the TODO service, which gives the Kindle a list of things to do including getting new books (or deleting existing books) and/or getting new firmware.

Some people in the community have gone as far as to change the URLs in the framework and pass them through a proxy server setup to selectively mirror Amazon's TODO requests.

# grep http /opt/amazon/ebook/config/framework.fiona.conf

Uninstalling hacks

All the hacks I've come across so far come with an installer and uninstaller *.bin files. Just in case, I copy the uninstaller for the hacks I install to my Kindle's root under "uninstallers". That way I can always roll back hacks later if I want:

[root@kindle uninstallers]# cd /mnt/us/uninstallers
[root@kindle uninstallers]# ls

Stuff I still haven't figured out

  • How do I speed up the text-to-speech? Even at Amazon's fastest default rate the Kidnle's TTS voice isn't speaking as fast as I can read with my eyes. Make it gI want it to go faster!
  • How do I replace the TTS voice? I'm hoping the Polish hacker that got his Kindle to speak in Polish will share more details on his brilliant hack
  • How do I map all the dbus targets on the Kindle? I bet that would be useful in scripting the Kindle to new things.


Keith's picture

In the "Rewinding to the beginning" section you've got this sentence fragment in the middle of another sentence: "the key that Amazon uses to update".

I think the paragraph should read:

"So much that it's almost wearable computing by now. When I take a break I stick it in my pocket and have Tom Glynn's synthesized voice quickly humming whatever I'm reading to me while my hands are free to eat my meals, take care of boring errands, etc."

Liraz Siri's picture

I must have accidentally hit the middle button on the mouse and pasted a fragment from the clipboard while proof-reading or something. Thanks for catching it Keith!
Jeremy Davis's picture

I want to root my Kindle now too! :) Although I must admit that I get a little nervious about hacking devices. I think of all the silly things I've done on PCs over the years and the times I've foobarred OSs of all varieties with a few simple keystrokes... On a PC though clean install is (relatively) easy. Not always quite the case on a bricked device...

I appreciate the clear write up and I may well give this a go sometime soon! I'll post back if/when I do.

Liraz Siri's picture

I wouldn't worry too much about bricking the Kindle. With some devices you have to go to pretty extreme lengths to get control, with the Kindle everything seems to run as root under the hood anyway. The device's security seems to be mostly for show, like the Kindle development team doesn't really care about that sort of thing - which they probably don't.

Once you get root, just try to avoid the urge to run this command:

rm -rf /
Jeremy Davis's picture

Yeah I must admit it sounds pretty straight forward. And I have come a long way since my days of trashing stuff (it hasn't happened for a while now). And I think I can contain myself and hold back on deleteing the root fs! :)

Secockpit Pro's picture

I never utilized WiFi on my own Amazon kindle Key-board in more than 3 years. Last year I wanted to order a novel. I forgot to disable Wi-fi when the book finished downloading, with an auto-update started. The Secockpit of Kindle is behaving oddly now. It really wants to activate Wi-fi all the time.

Reid Ellis's picture

It's amazing how much Linux/Unix is out there now. I've jailbroken my Apple TV and iPhone and iPad and more ecently, an HP TouchPad.

Everything can be ssh'ed into and has package installation using apt-get. It's awesome.


Liraz Siri's picture

ssh'ing into a device and exploring its innards really brings home the fact that there's a little general purpose computing device lurking in there. Security isn't a high priority in these devices. They have an ever increasing number of sensors. High resolution cameras, microphones, GPS, etc. Perfect little spying devices that will eventually be everywhere. Wait till you can SSH into a bug sized micro-copter...

Ah, maybe that's just my inner security consultant coming out for air. Shoo!

L. Arnold's picture

Maybe a memory stick upload to a Kindle, Android, Nook, what have you, would be an interesting take on a TKL setup.  What stands out to me are the layers of modifications that it takes to get this to work together... and that you can piece the sequencing together.

Thinking about general Linux/Ubuntu/Debian how would one start to learn and understand the "startup roll" that one sees at boot time?  Particularly, how to understand each of the components at loadup are referenced and where they each start and finish?  I can chunder around a running system and get it to shutdown etc, but I would love to start to understand the configuration  process in the context of the old "autoexec.bat" file.

Thanks for the good read Liraz!

Liraz Siri's picture

Debian uses the classical serial SysV init process which is very simple to understand. The first process the kernel runs is init, which reads /etc/inittab to figure out which configuration scripts to run for the runlevel you are on (typically runlevel 3 or 5). Usually this is /etc/init.d/rc running scripts in /etc/rc3.d, and those are symbolic links to configuration scripts in /etc/init.d.

On Ubuntu they've introduced a replacement for SysV init called upstart to allow the system to boot up asynchronously. One of the things that means is that configuration tasks that can run in parallel do, and the initialization process only blocks for dependencies (e.g., network filesystems can't mount before the network comes up). Due to its parallel nature, exactly what happens in what order when your system boots up under Upstart is a bit hard to understand and predict, but many scripts, especially the server stuff still run in SysV init compatibility mode. Upstart scripts are in /etc/init.

Reid Ellis's picture

It should be noted that the reason upstart works asynchronously is to start things as quickly as possible, so that those items that have no interdependancies don't block each other, as they do in Sys V init. (Lest you wonder if comlexity is for the sake of complexity :-D).

DanHill's picture

upstart has some complexity incurred by bad design idea. systemd is what rocks the boat now. It has (from user perspective) a much simpler approach to parallelising startup procedure. autoexec.bat is more like a tiny script  (/etc/rc.conf on some systems). SysV init scripts, upstart and systemd are more like services from Windows world.

Tom's picture


i intend to buy a kindle and like the possibilities you described!

What kindle do you have?

With or without keyboard; 3G-stuff; touchpad, ...

Another question: Is it possible with the (original) kindle to connect through a http-proxy?

Thank you


zer0error's picture


Please don't make your device ID public. This info can potentially be used to hack into this Shasta device.
Emil's picture

thanks for this tutorial,

works fine from my pc over ssh but: how do you start shell on your kindle, using any key combination?

Liraz Siri's picture

Once you have the hacked terminal service running: Shift. Let go. T.

emil's picture

thanks mate, great stuff!

I was wondering whether is possible to use 3G on my debian on kindle, it would fulfill my dreams :),

btw have you managed tu run Xserver?

take care


Valentin's picture

After installing a native terminal kiterm, how can one set root profile so that I get the PATH i want every time I start the kindle. 


Also how can one use the history of typed commands? TO have it after rebooting kindle?

Eden's picture

Glorious guide; I was about to give in navigating the horror that is the mobileread wiki, and now I have my own little chrooted debian installation, so thankyou for this!

One quick question, though -- using that terminal, the fullscreen one, I seem to lose a character from the far right of my display. Whilst not insurmountable, this is kinda annoying. Did you encounter this, and if so, do you know of any way to make it work?

boglin's picture

I had this problem with kiterm. Instead I now use this terminal:

You should probably install launchpad before this.

Rasty's picture

Hello. Is it also possible to SSH into other devices from Kindle ? Thanks for answer.

Valentin's picture

Yes you can, but only on Wifi!

Rasty's picture

That's beauty! It's really working. I was afraid of bricking or disfunctioning while implementing but there was no issue at all. Thanks for your guide!

Rasty's picture

For kiterm to run at startup I had to change permissions for the script:

chmod 755 /etc/init.d/kiterm

(Within creation perms for script were set to 744 so it didn't start)

Rasty's picture

Have you ever try to access content of /mnt/us from debian on Kindle? Is it possible?

Stonecold's picture

I was following your instructions and have successfully installed the jailbreak, usbnetwork hack, and installed debian.  However, I was trying to add /opt/bin to PATH, and accidentally ended up deleteing /etc/profile (I was editing it with nano and the connection between my computer and my Kindle broke, and that somehow deleted it)!  Now none of the paths are displayed (instead of root@kindle~# it displayed just #).  I successfully restored PATH so binaries can still run, but the rest of /etc/profile is gone.  Would anyone who can be kind enough to post the contents of YOUR /etc/profile on your Kindle so I can copy it to mine (it doesn't contain any personal data, and my computer's /etc/profile won't work on the Kindle)?

boglin's picture

# system /etc/profile

export PATH=/usr/local/bin:/bin:/usr/bin:/usr/sbin:/sbin:/mnt/optware/opt/bin

# use local X display if none set
if [ -z "$DISPLAY" ]; then
    export DISPLAY=:0.0

# If running interactively, then:
if [ "$PS1" ]; then
    umask 022

    export PS1="[\u@\h \W]\\$ "
    export USER=`id -un`
    export LOGNAME=$USER
    export HOSTNAME=`/bin/hostname`
    export HISTSIZE=1000
    export HISTFILESIZE=1000
    export PAGER='/bin/more '
    export EDITOR='/bin/vi'
    export INPUTRC=/etc/inputrc
    export LANG=en_US.UTF-8
    export LC_ALL=en_US.UTF-8

Note that this file has been edited a little by me. Probably only the PATH line has been altered.

Ipak's picture

So Linux is everywhere :-)  Wouldn't it be great to turn my Kindle keyboard into a fully functional tablet PC with Android interface and full of apps.

I prefer the Kindle TTS female voice though... somehow it sounds more natural.

ken green's picture

I have rooted my Kindle 3 keyboard Wifi only and installed the usbnetwork.  I tried putting the Kindle in usbnetwork mode using ;debugOn ~help (which works) ~usbNetwork ;debugOff but still get the same dmesg about Kindle mass storage.  Occasionally, i have gotten it  the usbnetwork register cdc_ether.  I tried to ssh into the Kindle at and it ask for a password.  I have heard that "mario" is yhe password but it didn't work for me.  Can someone send me a copy of their config.file in usbnet/etc.  I changed K3_WIFI and K3_WIFI_SSHD_ONLY to "true" from  false.  What about the sshd_config file?  Any help  would be appreciated.  I am trying to set up the Kindle as a terminal for my Raspberry pi.

ken green's picture

I copied back the original config and sshd_config in the /usbnet/etc folder and was able to ssh into my kindle as framework@ using password mario.  however, I can't change the root password as  framework and I can't make the root file system writable.  Any suggestions?

ken green's picture

Hacked the root password with JtR in 38 minutes. got root

DirkL's picture

After restarting my Kindle with menu-settings-menu-restart, the Kindle mistakenly thinks it is in USB mode and wants the computer to eject it. However, it actually is in usb-network mode: I can telnet to it, anf the computer can't eject it.  While in USB mode, it is totally passive. Hoe can I break this deadlock? It should be easy, hey, I am root when telnetting, but I can''t figure it out.

DirkL's picture

OK, typing "reboot" from the telnet session did it.

Roman's picture

Hi good morningI can not create collections of books, I think it's because I do not amazon accepts the registration, I can change any file requested not to register my kindle k3 (keyboard) on amazon?, thanks.

Franck's picture

Hi there,

I just started installing some of the hacks for the Kindle DXG, being most interested by the usbnetwork hack in order to gain ssh access to my kindle embedded linux system.

My Kindle DXG is using FW 2.5.8 (555370010).

I have successfully jailbreaked this Kindle DXG with "update_jailbreak_0.11.N_dxg_install.bin" then sucessfully installed "update_python_0.2.N_dxg_install.bin", "update_ss_0.33.N_dxg_install.bin" and "update_fonts_5.6.N_dxg_install.bin".

The filesystem looks perfectly conform to what is expected when I mount the Kindle as a USB device storage on my BSD system: All folders python, linkss and the like are there and the kits seem complete.   

Then I install the usbnetwork hack "update_usbnetwork_0.46.N_dxg_install.bin" the same way, renaming  "<mountpoint>/usbnet/DISABLED_auto" as "<mountpoint>/usbnet/auto", as requested to start the service upon the Kindle reboot.

At that point, I put the Kindle DXG in debug mode (;debugOn), and enable the ubsnetwork service through " `usbNetwork", ignoring " `usbQa " for now.

I plug the Kindle DXG in my computer and indeed see the USB Ethernet device, named "ue0" on my FreeBSD box :


ugen2.2: <Linux> at usbus2
cdce0: <RNDIS Communications Control> on usbus2
cdce0: No valid alternate setting found
device_attach: cdce0 attach returned 6
cdce0: <Ethernet Data> on usbus2
cdce0: faking MAC address
ue0: <USB Ethernet> on cdce0
ue0: Ethernet address: 2a:dc:6f:70:05:00
I set up my host address for this interface as per usbnet/etc/config :
- for the BSD box
- for the Kindle (I guess this is set automatically upon enabling the usbnetwork service via " `usbNetwork " private command).
$ ifconfig ue0 
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 2a:dc:6f:70:05:00
        inet netmask 0xffffff00 broadcast
So far so good !
Except that now, pinging Kindle DXG at does not respond. Same for ssh or telnet.
I cannot access the Kindle.
Did I miss something ?
Who has actually successfully enabled usbnetwork as described here on a 2.5.8 Kindle DX Graphite ?
Thank you for any help.
PS. My vision is to develop/extend lots of useful things for this Kindle. For one thing, I would like to enable and use a real console on it, then extend or replace the actual reader with a tabbed-reader, to allow to open several books at the same time, and simply go from one to another with simple keyboards keys sequences. 
Daniel Rubenstein's picture

Hello - thanks for the great article.

I have been able to "almost" jailbreak my K2. I have sucessfully set up the usbnet. I can ping the IP that I set over USB. When trying to ssh I get connection refused. NMAP shows all ports closed. 


Thanks for any help.

Jae's picture

Thank you for the interesting article! I have successfully "SSH'ed" into my Kindle Keyboard (K3). I did this using WinSCP, which I do not think is Linux, so perhaps my question is misplaced here, but...

I am not interested in using WhiperNet or tethering my Kindle Keyboard. I just want to be able to use the "experimental browser" on my home wi-fi network without it running through Amazon's proxy(?) first.

I cannot seem to find clear/consise instructions as to how to avoid the Amazon proxy.

Can you point me in the proper direction? I see the information you've posted above about the TODO servers, etc, but remain puzzled as to whether you've changed that information or if that is the original information that needs to be changed.

Thank you in advance for any help you might provide. :)

Mohan's picture

I would like to use the home wifi connection without going through the proxy, can a Linux guru please help?

I dont see how this would harm Amazon.

It is unlikely that the devs at mobileread will help, seems like Amazon has forbidden such a hack for some reason.

Pak's picture


Thank you for this amazing post! I like to see how things work, but I don't want to screw up my Kindle right now as I use it a lot.

You gave me some ideas to build a custom eReader though, that could be interesting.

Do you know if one can access Kindle's statistics ? Supposedly there is a hidden file that is uploaded regularly to Amazon's servers about your reading statistics (speed, etc)

I would be interested in that.

Thank you!

DirkL's picture

Are there any alternatives to the native Kindle reader available?

Mohan's picture

You've found them already, but I found this article so useful, I thought I'd chip in.

Search for Jailbreak on Mobileread, and install the jailbreak. Install KUAL. I found Liberator the best alternative reader.

innn's picture

hi, I am impressed with what the author here did with his kindle though I am even more interested to know if it is possible to use any standard pc keyboard with it

I am in the course of acquiring the hobby of writing but I hate writing on paper (typewriters inc.) and I hate writing on netbooks and notebooks as well.

Please tell me what other options do I have. I was thinking my needs are met with a screen and keyboard but thats all.
I know I am a bit hypocrite asking for help in turning what was conceived as a reading device into a writing one but I cannot help myself I got sick of reading I want now to try writing , think of it more of therapeutical reasoning than alphabetically challenged,... anythink that can keep me away of internet as possible. and stores...

thank you, english is not my native language so please bear with me.


bolk's picture

There is kindle with keyboard... In fact author of this post poses one since he guided how to install kiterm (otherwise, this app would be useles).

After you did get this kindle with keyboard and follow instructions how to jailbreak it and gain acces to terminal, all you need is knowing how to handle vi or emacs. They both are text editors, mainly used for scripting but writing poems or proza is also possible :P Using them is pretty simple.

Good luck :)

PS mine native is english not too hahaha

Jeremy Davis's picture

I wouldn't recommend it for any serious typing... I imagine that you are hoping to connect a 'proper' keyboard. TBH I am not sure if the hardware actually supports this, although it would be quite easy to test if you get a microUSB B (male - to connect to Kindle) to USB A (female - to connect to keyboard) adaptor then connect a USB keyboard to it and see what happens (note I imagine that you would have to root the Kindle first). 

USB types

None of this will be much help though if you don't already have a Kindle. Unless you have one already, or want one anyway, I wouldn't buy one on the off chance that it will work...

IMO you'd be better off buying a cheap Android tablet. In my experience you should be able to do that no worries.

innn's picture


I am aware of kindle with keyboard but that kbd won't make it for writing.


I was thinking the same, one cheap android tablet coupled with my very personal cheap pc keyboard that costed text to nothing and impressed my in that I rarely mistype having an almost mechanical feeling to it unlike chiclet one on laptop .Now will start looking for one with most battery life and write then in textroom

Thank you both very much for your answers.

Nabijaczleweli's picture

Very good tutorial (even under Windows), but after creating a startup script (to catch Shift - T) you MUST run chmod +x /etc/init.d/kiterm to make it work, so please add this info' to the tutorial.

Greetings, and again thank you very much.

pnkfelix's picture

In the section "Preventing Amazon from auto-updating your firmware", this document recommends renaming uks directory to something else (i.e. adding a suffix).


I did this, and after doing so, I was unable to install other applications that use the firmware update approach.  That is, copying the update_XXX file onto my DX and then selecting the install "upgrade" menu item in settings yields a failure during the update.


Luckily its easy to go back and rename the uks.with-suffix directory back to uks, and then I was successfully able to use install "upgrade" again.  (But I did spend a long time struggling to figure out why my install attempts were failing.  That's why I'm adding this comment here, so that hopefully other people with similar problems might find this explanation.)

Louis M. Ayers's picture


Does this procedure work for K4 model Kindles? You mention a "DEL" key - is this a screen key?

Thanks in advance.


Darry's picture

Wow, this was great, it's working niceley.

I only wish I knew how to install packages like PHP so I could use my kindle as a little box almost.

The kiterm is kind of useless though when you think about it, unless you want some fast access.

mike's picture

This is a very good article on SSH login without password. Here is another one that worked for me when I first started doing this. It's very simple, concise and easy to understand.

aitech1990's picture

the left side "Next Page" button or key.

Ran Talbott's picture

Thanks for pulling all this diverse info into a convenient package: finding it here, instead of chasing it all over the net the way I'm sure you had to, is a big help.

There's one point that I found unclear, though: does the dropbear installed by the usbnet package work as a client, or just as a server?

I'm working on a remote sensing system controlled by a Linux SBC. What I want to do is drive out to the installation, plug in a USB WiFi dongle, and get a bash prompt from the SBC. But a bash prompt on something I can read outdoors, which is a real pain on my phone (microscopic text) or netbook (unreadable in sunlight). I thought the e-ink display would be great for this, but the KindleTerm kindlet doesn't seem to be quite ready for "production" use.

Does the kiterm version you're using have enough ncurses support that I could use it with an standard ssh client?

Thanks again,


Kitz's picture

I have experience with using this device as ssh client and must say it does very well. Simply use ssh command  as in any linux distro you did before. Eink display works very well for CLI


the only problem I encountered was that any time I connect to internet my kindle disables the hack and the whole unlocking process must be done again. Tried to disable this autoupdate by deleting several scripts without succes. Good luck

Mohan's picture

Thanks Liraz, I was able to install USBNET on my K3.

Had to look for the root password. This webpage computes your password given your Kindle's serial number:

Try "mario", if not, use the password page above.

While I was playing with the wifi, my K3 v3.3 downloaded an update and started the update process, luckily, all the hacks worked after the update (including usbnetwork), but I suggest you do the following as early as possible:

mv /etc/uks /etc/uks.disabled

Remember to undo the rename if you wish to appy updates later.

KUAL was very helpful for toggling USBNET.

You have to press ALT <top row 7th button> ALT <top row button 1> ALT <top row button 1> to send 711 to see the WIFI status and get the Kindle's IP address.




polygraph's picture

To be clear,  if usbnet/etc/config says


then that means to set the IP of the device like so

ifconfig usb0 192.168.HH.HH

See, there are two sides to the connection. The host side on the computer, and the kindle side on the, well, kindle. My kindle4 has its "internal" IP set to and expects that the IP I give the other side of this connection, on my computer, be

DirkL's picture

I never used WiFi on my Kindle Keyboard in over three years. Last year I wished to order a book. I forgot to disable WiFi as soon as the book finished downloading, and an auto-update started. The Kindle is acting strangely now. It wants to activate WiFi all the time. It sometimes does not react to keypresses. I tried rebooting. This worked for a while, but yesterday after a reboot the Kindle went straight to Amazon Store and seemed to automatically just say yes to every opportunity. This causes it to order the first book on Amazon's best-seller list. I still hoped to get it out of the loop, but when it ordered another book, I hurriedly switched it off and rushed to the computer to cancel the orders, which fortunately it did.

I have now (too late) moved /etc/uks elsewhere. Let's hope that cures the problem.

DirkL's picture

My Kindle can't talk to Amazon now that /etc/uks is renamed. It still tries though. What now happens is that as soon as I press the Menu key, the question "Do you want to enable 3G?" appears and after a short pause is automatically answered yes. When finally it gives up trying to reach Amazon, I get an opportunity to switch off 3G, which takes a long time but eventually succeeds. But then I get a Home screen in which it asks whether to add an item to a collection, and keeps answering yes autimatically, with the quesyion altering with do I wish to remove it.

Next try will be to move the entire /documents directory out of sight.


DirkL's picture

I next moved away three files that seem to enable communication.




Kindle was then willing to let me disable WiFi. Keeping fingers crossed :-)

DirkL's picture

If my Kindle Keyboard Internation (k3gb) is on wireless, the USB net disconnects every now and then. If wireless if off, the USB net is very stable.

Raphael's picture

How did you install apt-get onto your kindle?

Ramana's picture

Hi I would like to navigate pages using a mouse clicks - preferably wireless. Is this possible?




Ramana's picture

In my older kindle 3, I hard-wired a mouse to the pcb and got it working. I used the headphone jack port to snake the wire through. It becomes less portable though.  Now I am looking for wireless possibilities - by modifying the OS if possible.

Lissa's picture

Hi! I have the silver Kindle Version 4.12, and I've just successfully connected via SSH as root. At this point, however, I wanted to get out of this mode, and I seem to be stuck. I was following Jailbreak directions that say to select "D) Exit, Reboot or Disable Diags" (using the 5-way keypad) 4. Select "R) Reboot System" and "Q) To continue" (following on-screen instructions, when it tells you to use 'FW Left' to select an option, it means left on the 5-way keypad) This seems to reboot the kindle, only reboots it back into Diag mode. I don't know how to get out of it... and so now my Kindle is basically useless. Do you know what I'm doing wrong? Thanks so much!

Mykle's picture

'Cause its sure not private any more.

pornici's picture

Hi there. Is it possible to SSH into other devices from Kindle ? Thank u for the answer.

the naturalist's picture

Sadly you can only send a post pigeon with e-inked msg. Secure shell on kindle gets to hosts with known addresses only

man's picture

"The device can still gets books from Amazon, but I've disabled its ability to auto-update firmware. Now that I control my device I'd like to keep it that way, even if there's no immediate practical benefit."

IMHO That right there is the essence of the hacker sprit.

Swathi Manohar's picture

I am looking for this old model. If any one is having this please send me a messge.


Add new comment