
[TUT] ROOT HD8(2018) via Magisk + [TWRP] + [Xposed]

By bibikalka, Senior Member on 2nd March 2019, 08:45 PM
We are there! We have several fully successful attempts by @glate and @daymz (in addition to 3 partial successes earlier - thanks to @leakcheck, @spdqbr, @ShayBox). I have updated the instructions for further clarity. Please report back if there are issues. Still, be prepared to remove the back cover as described in this link in the rather unlikely case things go wrong.

First of all, full credit to @xyz` and @diplomatic, since the approach here 100% relies on their great work!

Motivation for this post: make obtaining root on Fire HD8 2018 simpler, without removing the back cover of your tablet. You will also preserve your current FireOS version, and all your user apps and settings (meaning, no Factory Reset).

Skill level required: moderate - since you will need to work with Linux and Python. HD8 2018 has Android version 7, and therefore will use Magisk for root management.

Legalese, or the standard disclaimer: While every effort has been made to ensure the instructions' accuracy, any and all risk you take with this procedure is entirely yours. Please pay attention, and proceed with care! Happy unlocking!!!

Notice. If you already have a working TWRP from a prior effort, you should start at Step 11 or 12 depending on what you need to do! With TWRP, the tablet is already under your full control! Unlocking is a one time thing! Post on XDA what you are trying to do, and you will be helped!

Here we go:
  1. Get access to Linux, install Linux tools required as per the original work by @xyz` in this link (click Thanks there!!!). Specifically, on Debian/Ubuntu do this "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot". Download attached amonet-lite.zip to Linux.
  2. Download attached unlock_images.zip, unpack it, place the individual image files into /sdcard/00 folder on your tablet (create /sdcard/00 folder on your tablet if it does not exist - "adb shell mkdir /sdcard/00")
  3. Download attached finalize_no_ota.zip to /sdcard/00 on your tablet
  4. Download Magisk to /sdcard/00 from here: Magisk-v18.0.zip. If you like to live on the bleeding edge, and will be itching to upgrade, also download the latest and greatest Magisk zip - link (at present - version 18.1).
  5. Noob protection: drain tablet battery to some low number, ~3% (this is a safety measure, in case you later get a freeze while in BootRom). Use Fast Discharge app from the Google Play Store if you are impatient. If you do get a freeze in BootRom, your Fire will discharge about ~1% per hour. The battery has to discharge to 0% for the device to exit the BootRom mode. So for battery at 50% you will be waiting ~2 days.
  6. Get an adb root shell via mtk-su (arm version, not arm64), follow this method by @diplomatic (click Thanks there while you are doing it!!!) You may not get a proper full root on the very first try. Specifically, if ls command fails, exit shell via exit command, and run mtk-su again.
  7. In this root shell, obtained in the previous step, first, and foremost, please verify that your prompt looks something like this : [karnak:/data/local/tmp #]. Specifically, that your device is really a karnak (i.e., HD8 2018). If you have a different device, MISSION ABORT, and do refer to the original rooting thread for instructions on how to permanently root YOUR type of device. If you do have a karnak, proceed to do the following operations.

    Run the following commands
    Code:
    dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/00/boot_orig.img
    dd if=/dev/block/platform/soc/11230000.mmc/by-name/lk of=/sdcard/00/orig_lk.bin
    dd if=/dev/block/platform/soc/11230000.mmc/by-name/tee1 of=/sdcard/00/orig_tz.bin
    dd if=/dev/block/mmcblk0boot0 of=/sdcard/00/orig_boot0.bin
    dd if=/dev/zero of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
    dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
    md5sum /sdcard/00/unlock_lk.bin; md5sum /sdcard/00/unlock_tz.bin; md5sum /dev/block/platform/soc/11230000.mmc/by-name/recovery
    Make sure the above commands run without any errors!!! If there are errors, check if you perhaps did not put the image files into /sdcard/00. Below in red are the checksums you should see, take a moment to ensure that they match!!! If the checksums don't match, mission ABORT! Come back here and paste your output. You can disconnect your tablet for the time being.
    Code:
    
    90ee125c08abc999f78325d30e26a388  /sdcard/00/unlock_lk.bin
    982513e70d6de114ed4a9058a86de848  /sdcard/00/unlock_tz.bin
    faae811e229f0a7780fd130a286d3c47  /dev/block/platform/soc/11230000.mmc/by-name/recovery
    
    If everything looks good, proceed with updating the rest, and wiping the preloader which will enable the BootRom mode:
    Code:
    dd if=/sdcard/00/unlock_lk.bin of=/dev/block/platform/soc/11230000.mmc/by-name/lk
    dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee1
    dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee2
    dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/boot
    dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
    echo 0 > /sys/block/mmcblk0boot0/force_ro
    dd if=/dev/zero of=/dev/block/mmcblk0boot0
    echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0
    md5sum /dev/block/mmcblk0boot0
    (Thanks to @k4y0z, @Rortiz2, @retyre, @hwmod for figuring out the last step!!!)
  8. You are now in a properly bricked state. Disconnect the USB cable, turn off your tablet. It's a nice brick
  9. On Linux, you will now finish all the work required to unlock your tablet.

    First make sure to uninstall/disable ModemManager (very mission critical!!!) [on Ubuntu: "sudo apt-get remove modemmanager"]. Next, run these commands:
    Code:
    unzip amonet-lite.zip
    cd amonet-lite
    chmod 755 ./bootrom-step.sh
    sudo su
    ./bootrom-step.sh
    Attach your properly bricked tablet to your Linux computer with a USB cable, do try to use a pure USB2 port on your PC (if you have it). Your tablet should come up in the BootRom mode, and start interacting with the bootrom-step.sh script above (watch the output in the Linux terminal). The tablet screen will be off and you won't see anything. Follow the bootrom-step.sh script instructions. When the script prompts "Remove the short and press Enter", just press Enter (there is no short in this method!). Hopefully, everything works. If it freezes before finishing, disconnect the tablet, and let it sit for a few hours (please report back if you had to wait for battery to drain here - mainly for statistics). The battery should drain, and the tablet will leave the BootRom mode. Try again in a few hours by re-running bootrom-step.sh, and connecting your bricked tablet to your Linux computer.
  10. Here your tablet should have rebooted to TWRP. The screen might be blank, try to hit Power button twice to wake TWRP up. If you still don't see anything, try to turn the tablet off by holding the Power button. If nothing works, wait for the battery to drain, and then re-try.
  11. Once TWRP comes up, go to "Install/Install Image", and install /sdcard/00/boot_orig.img to boot partition (here we are returning your original boot image to its proper partition)
  12. In TWRP, go to "Install", select Magisk zip from /sdcard/00, and install. Version 18.0 is known to be rock solid, the newer 18.1 may or may not work OK. If you do flash 18.1, please watch for TWRP installation errors.
  13. In TWRP, go to "Install", select finalize_no_ota.zip from /sdcard/00, and install. You only need to do this once per new system image, to make sure OTA is disabled. Don't need to repeat this if you did not upgrade/sideload a fresh ROM. It will give an error message if it was already run before - in such a case ignore the error.
  14. In TWRP, reboot
  15. You should now be back in FireOS, but with Magisk for root. If you don't see Magisk Manager in your app list, install it via apk downloaded from this link. If you are bootlooping due to Magisk, reboot to TWRP using Pwr+Vol buttons, and start at Step 11 but using 18.0 Magisk this time.
  16. If you would like to install Xposed, proceed to this post #2.
  17. If your FireOS is not the latest version (6.3.0.1 at present), use instructions in post #3 to upgrade.

Notice. If you modify your tablet to the point of an unrecoverable bootloop, check if you can still boot TWRP. If you can, then you are still unlocked, and have simple ways to recover!!! Do not rush into doing a Factory Reset, reloading your OS, sideloading the stock Amazon ROM, repeating the full above procedure, etc. Come back here, ask questions, and wait for a competent answer. If TWRP is available, everything is relatively easy to fix!!!

TWRP system restore warning: Avoid backing up & restoring your system via TWRP. Unless you fully understand the current HD8 unlocking hack, unpleasant bricks may result! You are better off re-loading the fresh stock back (/system + /boot only) via TWRP, and then immediately re-applying Magisk and finalize zip. This way if you get into a bootloop, your TWRP is still there.

Q&A :
Q: How is this different from the approach by @xyz`? A: No need to remove the back cover. Also, the modified amonet script writes only ~4% of the data in the BootRom mode compared to the original method, thus reducing the chances of a freeze in case BootRom access is flaky. Finally, the battery pre-drain should enable BootRom to die reasonably quickly if it does freeze.

Attached Files
File Type: zip unlock_images.zip (15.46 MB)
File Type: zip finalize_no_ota.zip (1.1 KB)
File Type: zip amonet-lite.zip (108.0 KB)
 
 
2nd March 2019, 08:45 PM |#2  
OP Senior Member
Magisk modules, and, Xposed in particular
In this post I shall cover the installation of Magisk modules and Xposed since this operation had presented certain challenges in the past.

Once you have Magisk up and running, install a couple of useful modules first.
  1. Busybox-1.29.2-YDS-ARM.zip. You can flash it either via Magisk, or in TWRP. It does limited modifications to the system, and is very benign, in terms of potentially causing any bootloop issues (pretty much unheard of!).
  2. Magisk Manager for Recovery Mode (mm). Please download this zip to /sdcard/00, and flash via TWRP. Run it in TWRP, and familiarize yourself fully with its features. Specifically, try to disable the above Busybox module, reboot to OS, and observe that the Busybox module is disabled. This module is your ticket out of any bootloop when you try to install more aggressive Magisk modules!

Now that you are familiar with ways to disable bootloop-y Magisk modules via TWRP, proceed to install Xposed. Thanks to @delessio100 (link) for helping me to sort things out on my first attempt!
  1. Download the attached Xposed_Framework_(SDK_25)-89.3_(Systemless).zip to /sdcard/00
  2. Reboot to TWRP, and flash it
  3. Reboot to OS, and be prepared to wait a good 10-15 minutes. The first boot is unusually long, where it looks like things are in bootloop. Things may be fine, just slow, wait!!! Most likely, you shall boot into FireOS, just have patience.
  4. If the bootloop is continuing for more than 20 minutes, turn the tablet off via the long Power button press, and reboot to TWRP (Vol buttons + Power together). Run the above mm module (in TWRP terminal, type either mm, or /data/media/mm). Disable Xposed, and reboot to OS. You should boot back into OS without issues. Report your failure back to XDA, and wait for advice.
  5. Install XposedInstaller_3.1.5-Magisk.apk from this link, and verify that the Xposed framework (Systemless) is active.
  6. Install some modules from the list below, activate them in Xposed Installer/Modules, and reboot
In case you get into bootloop while installing other Magisk modules, simply disable those via mm. Then search for solutions on XDA.

My favourite Xposed modules
  1. App Settings, version 1.15. This module helps to control misc per app settings. My main use - make Chrome tabs look like those on cell phone, without tabs on top, see this link for examples. AppSettings for Chrome on HD8 to trigger the cell phone look: DPI 240, screen(dp) - 320x480.
  2. Gravity Box - add a network traffic indicator to the status bar, I like to see how much data is coming in/leaving. Also, change battery color.
  3. No Play Games. This will stop bugging you about Google Play Games installation for certain games
  4. Per App Hacking - more options to change settings for a single app
  5. XVolume30 - improve volume control, with more steps
2nd March 2019, 08:46 PM |#3  
OP Senior Member
How to upgrade FireOS version:
At this moment 6.3.0.1 is the latest version. If you have something older, just flash the 6301 zip file from this link in TWRP. After the flash, re-apply Magisk and its modules. Clear cache & dalvik in TWRP before reboot.
2nd March 2019, 08:46 PM |#4  
OP Senior Member
#4 - reserved
2nd March 2019, 10:25 PM |#5  
Junior Member
Is it required to create the sdcard/00? I can't seem to find the folder, at least in the internal storage, when connected over USB to it.
2nd March 2019, 10:31 PM |#6  
OP Senior Member
Quote:
Originally Posted by leakcheck

Is it required to create the sdcard/00? I can't seem to find the folder, at least in the internal storage, when connected over USB to it.

Yes, just create it yourself!
2nd March 2019, 11:01 PM |#7  
Junior Member
So far so good I am at reboot to unlock fastboot!

---------- Post added 03-03-2019 at 12:01 AM ---------- Previous post was 02-03-2019 at 11:56 PM ----------

Hmm things looked good but now darkness lol
It had finished and said reboot to unlock fastboot but now nothing, power button does nothing.
2nd March 2019, 11:11 PM |#8  
OP Senior Member
Quote:
Originally Posted by leakcheck

So far so good I am at reboot to unlock fastboot!

---------- Post added 03-03-2019 at 12:01 AM ---------- Previous post was 02-03-2019 at 11:56 PM ----------

Hmm things looked good but now darkness lol
It had finished and said reboot to unlock fastboot but now nothing, power button does nothing.

OK. It may be still stuck in BootRom? If the cover is removed, could you disconnect the battery? Could you post the Linux log here?
2nd March 2019, 11:24 PM |#9  
Junior Member
Quote:
Originally Posted by bibikalka

OK. It may be still stuck in BootRom? If the cover is removed, could you disconnect the battery? Could you post the Linux log here?

[email protected]:~$ cd /home/admin/Downloads
[email protected]:~/Downloads$ cd /home/admin/Downloads/amonet-lite
[email protected]:~/Downloads/amonet-lite$ chmod 755 ./[email protected]:~/Downloads/amonet-lite$ sudo su
[email protected]:/home/admin/Downloads/amonet-lite# .bootrom-step.sh
.bootrom-step.sh: command not found
[email protected]:/home/admin/Downloads/amonet-lite# ./bootrom-step.sh
[2019-03-02 17:54:19.837131] Waiting for bootrom
[2019-03-02 17:54:34.187944] Found port = /dev/ttyACM0
[2019-03-02 17:54:34.188213] Handshake
[2019-03-02 17:54:34.188569] Disable watchdog

* * * Remove the short and press Enter * * *


[2019-03-02 17:55:56.007937] Init crypto engine
[2019-03-02 17:55:56.029801] Disable caches
[2019-03-02 17:55:56.030372] Disable bootrom range checks
[2019-03-02 17:55:56.044687] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-03-02 17:55:56.049490] Send payload
[2019-03-02 17:55:56.588729] Let's rock
[2019-03-02 17:55:56.589343] Wait for the payload to come online...
[2019-03-02 17:55:57.321067] all good
[2019-03-02 17:55:57.321628] Check GPT
[2019-03-02 17:55:57.660554] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-03-02 17:55:57.660890] Check boot0
[2019-03-02 17:55:57.906247] Check rpmb
[2019-03-02 17:55:58.115712] Downgrade rpmb
[2019-03-02 17:55:58.117623] Recheck rpmb
[2019-03-02 17:55:59.012188] rpmb downgrade ok
[2019-03-02 17:55:59.012691] Inject microloader
[4 / 4]
[2019-03-02 17:55:59.343207] Flash lk-payload
[4 / 4]
[2019-03-02 17:55:59.709695] Flash preloader
[288 / 288]
[2019-03-02 17:56:11.854171] Reboot to unlocked fastboot

---------- Post added at 12:24 AM ---------- Previous post was at 12:17 AM ----------

I tried pulling the battery and now I get this when I try to connect via bootrom-step

[email protected]:/home/admin/Downloads/amonet-lite# sudo ./bootrom-step.sh
[2019-03-02 18:12:58.394533] Waiting for bootrom
^[[B[2019-03-02 18:13:06.513079] Found port = /dev/ttyACM0
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 265, in open
self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
FileNotFoundError: [Errno 2] No such file or directory: '/dev/ttyACM0'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "main.py", line 123, in <module>
main()
File "main.py", line 51, in main
dev.find_device()
File "/home/admin/Downloads/amonet-lite/modules/common.py", line 80, in find_device
self.dev = serial.Serial(port, BAUD, timeout=TIMEOUT)
File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 240, in __init__
self.open()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 268, in open
raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 2] could not open port /dev/ttyACM0: [Errno 2] No such file or directory: '/dev/ttyACM0'
3rd March 2019, 01:23 AM |#10  
OP Senior Member
Quote:
Originally Posted by leakcheck

...

OK. Thank you for your valuable service!!! I will carefully check my procedure.

I think you are now coming up in the preloader mode, since the preloader now appears to be working fine. Disconnect the battery, and attempt to short the contacts, following the original procedure here: https://forum.xda-developers.com/hd8...-root-t3894256

My procedure is a one shot option, once the preloader is restored, you are back to shorting contacts.
3rd March 2019, 01:59 AM |#11  
Junior Member
Awesome, OK, now the shorting contact method worked, however I am not sure what I am supposed to do from here. The directions say I can use fastboot devices to check to see if it's good to start (allegedly should see an Amazon logo) the fastboot-step.sh process. I am not seeing the logo, do you know if this is a long process?
The Following User Says Thank You to leakcheck For This Useful Post: [ View ] Gift leakcheck Ad-Free