
Experimental Software Root for HD 8 & HD 10

By diplomatic, Senior Member on 26th February 2019, 02:58 AM
26th February 2019, 02:49 PM |#11  
Senior Member
@diplomatic

Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!

I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.

Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.

Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.

My HD8 2016 output:
Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #

Edit: Despite my super careful SuperSu injection into FireOS 5.3.6.4 system image, I still could not get SuperSu to work after I restored this image using FlashFire. Regardless, the method from this thread also rooted 5.3.6.4 in no time! Awesome!
The Following 4 Users Say Thank You to bibikalka For This Useful Post
26th February 2019, 05:48 PM |#12  
Member
Quote:
Originally Posted by dutchthomas

Awesome! I just rooted my HD8 2017

For anyone that is confused by the process of manually installing SuperSu, I did the following:

  1. Install SuperSu from Playstore
  2. Download SuperSu and unzip somewhere
  3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
  4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
  5. mount -o remount -rw /system
  6. cp /data/local/tmp/su /system/xbin/su
  7. cp /data/local/tmp/su /system/xbin/daemonsu
  8. cp /data/local/tmp/supolicy /system/xbin/
  9. cp /data/local/tmp/libsupol.so /system/lib/
  10. cp /data/local/tmp/libsupol.so /system/lib64/
  11. at this point, running su should work and show a root shell
  12. daemonsu --auto-daemon
  13. Open SuperSu app and allow it to update the su binary

My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.

Thanks for this! I'm not sure if I'm doing it correctly, but everything works fine until I get to #11. Do I just type su? When I do, it says permission denied.

EDIT: Just tried the new commands you edited and it worked. My FireHD 8 7th gen is now rooted.
The Following User Says Thank You to teamfresno For This Useful Post
26th February 2019, 06:33 PM |#13  
Senior Member
Quote:
Originally Posted by diplomatic

Software root method found for Mediatek MT8163, MT8173 and MT67xx!

Great work!

Quote:
Originally Posted by bibikalka

Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.

Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.

If you want to zero out preloader, you should do it this way:
Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.
26th February 2019, 06:38 PM |#14  
OP Senior Member
Quote:
Originally Posted by bibikalka

@diplomatic

Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!

I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.

Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.

Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.

My HD8 2016 output:

Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #

Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.

Quote:
Originally Posted by dutchthomas

Awesome! I just rooted my HD8 2017

For anyone that is confused by the process of manually installing SuperSu, I did the following:

  1. Install SuperSu from Playstore
  2. Download SuperSu and unzip somewhere
  3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
  4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
  5. mount -o remount -rw /system
  6. cp /data/local/tmp/su /system/xbin/su
  7. cp /data/local/tmp/su /system/xbin/daemonsu
  8. cp /data/local/tmp/supolicy /system/xbin/
  9. cp /data/local/tmp/libsupol.so /system/lib/
  10. cp /data/local/tmp/libsupol.so /system/lib64/
  11. at this point, running su should work and show a root shell
  12. daemonsu --auto-daemon
  13. Open SuperSu app and allow it to update the su binary

My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.

Oh, nice, thanks for this... This is more straightforward than doing it "offline". I just realized Chainfire has instructions specifically for dealing with exploits here.
The Following User Says Thank You to diplomatic For This Useful Post
26th February 2019, 06:46 PM |#15  
Senior Member
Quote:
Originally Posted by diplomatic

Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.

Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.
26th February 2019, 07:09 PM |#16  
LOL
Very nice!
Awesome work @diplomatic
If you had discovered it before, I would not have asked you to compile TWRP for the BQ M8 and I would not have bothered you. By the way, I prefer to have TWRP. (thanks!)
I have reinstalled stock in my BQ M8 and the script has worked! If you want you can add it to the list of devices...
On Fire 7 7th Gen it did not work. But we have TWRP.
EDIT: I have tried again and now I get this error
Code:
130|[email protected]_M8:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40a43000
kallsyms_num_syms 49221, addr_count 49221
kallsyms_names_pa 0x40aa3400
Size of kallsyms_names 602609 bytes
kallsyms_markers_pa 0x40b36600
kallsyms_token_table_pa 0x40b36c00
warning: token_count 1
kallsyms_token_index_pa 0x40b36d00
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh
26th February 2019, 09:01 PM |#17  
Senior Member
Quote:
Originally Posted by k4y0z

Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.

Quote:
Originally Posted by diplomatic

... For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.

Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.

Quote:
Originally Posted by k4y0z

If you want to zero out preloader, you should do it this way:

Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.

OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?

For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.

Fire HD8 2016:
Code:
major minor  #blocks  name
 179        0   15388672 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       5120 mmcblk0p2
 179        3      10240 mmcblk0p3
 179        4      10240 mmcblk0p4
 179        5        256 mmcblk0p5
 179        6        500 mmcblk0p6
 179        7      16268 mmcblk0p7
 179        8      16384 mmcblk0p8
 179        9       6144 mmcblk0p9
 179       10        512 mmcblk0p10
 179       11       8192 mmcblk0p11
 179       12      10240 mmcblk0p12
 179       13       1024 mmcblk0p13
 179       14       5120 mmcblk0p14
 179       15       5120 mmcblk0p15
 179       16      40320 mmcblk0p16
 179       17       1024 mmcblk0p17
 179       18       1024 mmcblk0p18
 179       19    1653024 mmcblk0p19
 179       20     434176 mmcblk0p20
 179       21        512 mmcblk0p21
 179       22      16384 mmcblk0p22
 179       23       4320 mmcblk0p23
 179       24   13138927 mmcblk0p24
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
Fire HD8 2018:
Code:
major minor  #blocks  name
 179        0   15267840 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       4608 mmcblk0p2
 179        3       1024 mmcblk0p3
 179        4       1024 mmcblk0p4
 179        5       1024 mmcblk0p5
 179        6       5120 mmcblk0p6
 179        7       5120 mmcblk0p7
 179        8      40448 mmcblk0p8
 179        9        512 mmcblk0p9
 179       10       8192 mmcblk0p10
 179       11      16384 mmcblk0p11
 179       12      20480 mmcblk0p12
 179       13    3177472 mmcblk0p13
 179       14     230400 mmcblk0p14
 179       15     512000 mmcblk0p15
 179       16   11240431 mmcblk0p16
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
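The thread's sizing argument (k4y0z: the LK payload lives at boot0 offset 0x200000; bibikalka: /proc/partitions reports mmcblk0boot0 as 1024 one-KiB blocks, so a write at 2 MiB cannot land from within FireOS) and k4y0z's EMMC_BOOT marker from post #13 lend themselves to a pre-flight check. The following is an added example, not code from this thread or from amonet/mtk-su: it parses a /proc/partitions listing (the sample is a trimmed copy of the HD8 2018 table above, labelled as constructed), reports whether a payload of a given length at the stated offset fits inside boot0, and inspects the head of a boot0 dump for the EMMC_BOOT string. That amonet's sanity check looks for the marker at offset 0 is an assumption drawn from the echo command quoted above, not something the thread confirms.

```python
# Constructed sample input: a trimmed copy of the Fire HD8 2018 /proc/partitions
# listing quoted earlier in this thread (sizes are in 1 KiB blocks).
SAMPLE_PARTITIONS = """\
major minor  #blocks  name
 179        0   15267840 mmcblk0
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
"""

BLOCK_SIZE = 1024                # /proc/partitions counts 1 KiB blocks
LK_PAYLOAD_OFFSET = 0x200000     # boot0 offset k4y0z gives for the LK payload (2 MiB)
EMMC_BOOT_MARKER = b"EMMC_BOOT"  # string k4y0z writes back after zeroing boot0


def parse_partitions(text):
    """Map device name -> size in bytes from /proc/partitions text.

    The header line and anything not shaped like 'major minor blocks name' is skipped.
    """
    sizes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # header or malformed line
        sizes[parts[3]] = int(parts[2]) * BLOCK_SIZE
    return sizes


def payload_fits(sizes, device, offset, length):
    """Return (fits, device_size_bytes).

    fits is True only if [offset, offset + length) lies inside the device. A write
    that runs past the end is exactly what dd cannot do from a running FireOS, so
    this is the check to run before touching boot0 at all.
    """
    size = sizes[device]  # a missing device should fail loudly (KeyError)
    return offset + length <= size, size


def boot0_report(text, payload_length):
    """One-line summary of whether an LK payload of payload_length bytes fits in boot0."""
    sizes = parse_partitions(text)
    fits, size = payload_fits(sizes, "mmcblk0boot0", LK_PAYLOAD_OFFSET, payload_length)
    verdict = "fits" if fits else "does NOT fit"
    return (f"mmcblk0boot0 is {size // 1024} KiB; payload of {payload_length} bytes "
            f"at offset 0x{LK_PAYLOAD_OFFSET:x} {verdict}")


def has_emmc_boot_marker(boot0_head):
    """Check the first bytes of a boot0 dump for the EMMC_BOOT marker.

    Assumption (not confirmed by the thread): amonet's sanity check expects this
    string at the very start of boot0, which is why it is echoed back after zeroing.
    """
    return boot0_head.startswith(EMMC_BOOT_MARKER)


if __name__ == "__main__":
    print(boot0_report(SAMPLE_PARTITIONS, 0x1000))
    # Constructed 1 KiB boot0 head: marker followed by zeros.
    print(has_emmc_boot_marker(b"EMMC_BOOT" + b"\x00" * 1015))
```

With the sample table the report says the payload does not fit (boot0 is 1024 KiB, the offset alone is 2048 KiB); moving the offset to 0x80000, the ~512 KiB bibikalka suggests, makes it fit. On a real device the input would be the output of `cat /proc/partitions` and the first bytes of `/dev/block/mmcblk0boot0`.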
26th February 2019, 09:15 PM |#18  
Junior Member
@diplomatic - awesome work - just had to give it a go for myself...

Factory reset my HD8 (2017) (root originally via @t0x1cSH "Fire hd8 2017 root, debrick" post) and followed your post plus the 'speedy SU install' from @dutchthomas - post 10.

One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in @<br />'s awesome Hardmod post.

Bit strange? I was using Fire OS 5.3.6.0 - I wonder if version makes any difference? Got there eventually tho'
The Following 2 Users Say Thank You to JJ2017 For This Useful Post
26th February 2019, 09:30 PM |#19  
Quote:
Originally Posted by bibikalka

Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.

OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?

For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.

Fire HD8 2016:

Code:
major minor  #blocks  name
 179        0   15388672 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       5120 mmcblk0p2
 179        3      10240 mmcblk0p3
 179        4      10240 mmcblk0p4
 179        5        256 mmcblk0p5
 179        6        500 mmcblk0p6
 179        7      16268 mmcblk0p7
 179        8      16384 mmcblk0p8
 179        9       6144 mmcblk0p9
 179       10        512 mmcblk0p10
 179       11       8192 mmcblk0p11
 179       12      10240 mmcblk0p12
 179       13       1024 mmcblk0p13
 179       14       5120 mmcblk0p14
 179       15       5120 mmcblk0p15
 179       16      40320 mmcblk0p16
 179       17       1024 mmcblk0p17
 179       18       1024 mmcblk0p18
 179       19    1653024 mmcblk0p19
 179       20     434176 mmcblk0p20
 179       21        512 mmcblk0p21
 179       22      16384 mmcblk0p22
 179       23       4320 mmcblk0p23
 179       24   13138927 mmcblk0p24
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
Fire HD8 2018:
Code:
major minor  #blocks  name
 179        0   15267840 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       4608 mmcblk0p2
 179        3       1024 mmcblk0p3
 179        4       1024 mmcblk0p4
 179        5       1024 mmcblk0p5
 179        6       5120 mmcblk0p6
 179        7       5120 mmcblk0p7
 179        8      40448 mmcblk0p8
 179        9        512 mmcblk0p9
 179       10       8192 mmcblk0p10
 179       11      16384 mmcblk0p11
 179       12      20480 mmcblk0p12
 179       13    3177472 mmcblk0p13
 179       14     230400 mmcblk0p14
 179       15     512000 mmcblk0p15
 179       16   11240431 mmcblk0p16
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4

When you execute that command, simply turn off the tablet and when you connect it to the PC it will detect it in BootROM Mode. Checked in Fire 7 2017.
The Following User Says Thank You to Rortiz2 For This Useful Post
26th February 2019, 09:45 PM |#20  
Datastream33, Senior Member
Wait, will this work for a mt6753 chipset?
26th February 2019, 10:10 PM |#21  
Senior Member
@diplomatic

Fire HD8 2016 (MT8163V/B) - works

Fire HD10 2017 (MT8173) - no go:
Code:
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
ioctl: No message of desired type
read_at_pa() failed
Error in find_kallsyms_addresses()
Unable to get kernel symbol table
starting /system/bin/sh
[email protected]:/data/local/tmp $
Fire HD7 2014 (MT8135) - no go:
Code:
[email protected]:/data/local/tmp $ ./mtk-su
/system/bin/sh: ./mtk-su: not executable: 64-bit ELF file
[email protected]:/data/local/tmp $ exit
Need to test:
Fire Stick 4K - MTK8695
Fire Stick 2nd gen - MT8127D (seems the same as Fire 7 2015/2017)
The Following User Says Thank You to bibikalka For This Useful Post
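Three different outcomes of `./mtk-su -v` appear in this thread: a full success (HD8 2016, post #11), a run where the symbol table loaded but `__ksymtab_init_task` was not found and the shell stayed at UID 2000 (BQ M8, post #16), and a run that could not read the kernel symbol table at all (HD10 2017, post #21), plus the wrong-architecture error on the HD7 2014. The following added example, not code from this thread or from mtk-su, classifies such transcripts so the outcome can be checked from the log rather than by trying `ls` on /system. The sample logs are trimmed copies of the quoted outputs, labelled as constructed; the status names and the set of error-line markers are my own choices based on the lines visible in this thread.

```python
import re

UID_RE = re.compile(r"New UID/GID: (\d+)/(\d+)")
# Substrings that mark an error line in the failure transcripts quoted in this thread.
ERROR_MARKERS = ("not found", "failed", "returned -1", "Unable to", "Error in",
                 "not executable", "ioctl:")

# Constructed samples: trimmed copies of the outputs quoted in this thread.
LOG_SUCCESS = """\
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
Patching credentials
Found own task_struct at node 0
New UID/GID: 0/0
Setting selinux permissive
Switched selinux to permissive
starting /system/bin/sh
"""
LOG_NO_INIT_TASK = """\
Building symbol table
warning: token_count 1
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh
"""
LOG_NO_KALLSYMS = """\
Building symbol table
ioctl: No message of desired type
read_at_pa() failed
Error in find_kallsyms_addresses()
Unable to get kernel symbol table
starting /system/bin/sh
"""
LOG_WRONG_ABI = "/system/bin/sh: ./mtk-su: not executable: 64-bit ELF file\n"


def analyze_mtk_su_log(text):
    """Classify an 'mtk-su -v' transcript.

    Returns a dict with the UID/GID the tool reported, whether SELinux was switched
    to permissive, the error and warning lines, and a one-word status:
      root            - UID 0 and SELinux permissive (the HD8 2016 case)
      root-enforcing  - UID 0 but SELinux was not switched
      unprivileged    - tool ran but credentials were not patched (the BQ M8 case)
      no-symbol-table - kallsyms could not be read, nothing else attempted (HD10 2017)
      wrong-abi       - binary is the wrong architecture for the device (HD7 2014)
      unknown         - none of the expected lines were present
    """
    result = {"uid": None, "gid": None, "selinux_permissive": False,
              "errors": [], "warnings": [], "status": "unknown"}
    for raw in text.splitlines():
        line = raw.strip()
        m = UID_RE.search(line)
        if m:
            result["uid"], result["gid"] = int(m.group(1)), int(m.group(2))
        elif line == "Switched selinux to permissive":
            result["selinux_permissive"] = True
        elif line.startswith("warning:"):
            result["warnings"].append(line)
        elif any(marker in line for marker in ERROR_MARKERS):
            result["errors"].append(line)

    errors = result["errors"]
    if any("not executable" in e for e in errors):
        result["status"] = "wrong-abi"
    elif any("symbol table" in e for e in errors):
        result["status"] = "no-symbol-table"
    elif result["uid"] == 0:
        result["status"] = "root" if result["selinux_permissive"] else "root-enforcing"
    elif result["uid"] is not None:
        result["status"] = "unprivileged"
    return result


if __name__ == "__main__":
    for name, log in (("HD8 2016", LOG_SUCCESS), ("BQ M8", LOG_NO_INIT_TASK),
                      ("HD10 2017", LOG_NO_KALLSYMS), ("HD7 2014", LOG_WRONG_ABI)):
        r = analyze_mtk_su_log(log)
        print(f"{name}: {r['status']} (uid={r['uid']}, errors={len(r['errors'])})")
```

The BQ M8 transcript is the instructive one: the tool still prints "starting /system/bin/sh" and drops into a shell, so only the UID line and the two error lines tell you that nothing was actually patched, which is why the classifier keys on `New UID/GID` rather than on the final line.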

Tags
fire hd 10, fire hd 8, root
