
[ROOT] Hardmod Root Your Amazon Fire HD 8 (7th Gen)

By <br />, Senior Member on 8th October 2018, 10:42 AM


Amazon Fire HD 8 (7th Gen) Hardmod Root Guide

I have successfully rooted the Amazon Fire HD 8 (7th Gen), and I want to help you do it too! This is not an easy root, but it's as easy as it can be. The aim for this root was to get at least one working method in order to help aid the development of an easier software root in the future. Countless people from the xda-developers forums worked together to make this root method possible. This thread is where everything started. In no particular order, I want to thank the following people for their help:

@Supersonic27543, @DragonFire1024, @teixeirap, @diplomatic, @richaardvark, @t0x1cSH, @Qiangong2, @MontysEvilTwin, @TheRealIntence, @Snigglez, @ambush_boy, @cybersaga, @gamblodar, @adidasos
… and everyone else who I missed. You're all amazing. Thank you!

I sunk a couple hundred dollars into finding this exploit, so if it works for you please consider helping me recuperate the costs. I want to find an exploit for the newer 8th gen tablets but cannot keep spending money like this. If nothing else, please give this post a thumbs up! :)

Start Here

Remember, this is a hardware root, so you will need experience with a soldering iron. All the hardware modifications needed for this tablet are pretty easy even if you have never soldered before. However, especially in the case of hardware modifications, there is a chance you can permanently brick your tablet. If you follow this guide, don't hold me responsible if you break things.

This guide will be improved as time goes on. Please reply with any questions or comments and I will help out where I can! Let's get started :)

General Procedure:
  1. Preparation - Gather the materials, build an SD card adapter, etc.
  2. Disassembly - Take the tablet apart and turn over the motherboard
  3. Hardware Modifications - Soldering the SD card adapter to the board
  4. Communication - Getting the device to talk to your computer
  5. Software Modifications - Installing SuperSU by hand
  6. Testing and Cleanup - Checking for root, removing the SD card adapter, reassembly.

1. Preparation

You will need:
  • An SD card reader that can read in 1-bit mode. This one will work. If you already have a reader you'd like to try, find a working SD card and, referring to this diagram, use some electrical tape to cover up pins 1, 2, and 9 (DAT 1-3). If you plug in the card and it still reads, then the reader will work.
  • A micro-sd card adapter. This will be taken apart so you can solder to the inside.
  • A soldering iron, solder, and experience.
  • Some thin wire. I like to use some 28 AWG magnet wire since it has an insulative enamel coating to prevent short circuits.
  • A small Phillips head screwdriver to remove the motherboard.
  • Either a Linux-based computer or a virtual machine running Linux through which you can mount a raw physical disk from the host computer. VirtualBox can do this and I will show you how.
  • Experience using Linux commands and mounting partitions.
  • SuperSU version 2.79.

Modifying the SD Card Adapter
Pry apart the SD card adapter. You need to connect wires to CMD, GND, CLK, and DAT0. Give yourself at least a few inches of length to work with. Here are some images to help you figure it out:

I recommend putting some tape on the wires and writing what they are so you don't lose track after putting the adapter back together (or in my case, wrapping tape around the adapter because I broke the shell).
Also, you will need to either make sure that the sliding lock on the side of the adapter is still there (or fill it in so that there's no more indent) or take apart your SD card reader and ground the read-only pin so that the reader allows you to write to the card. (Grounding it makes it writable, having it open makes it read-only). This pin is located to the far left of the reader when the opening is facing you and the card is facing up.

2. Disassembly
Use a pry tool to take apart the tablet at the seam. There are no ribbon cables connecting the back cover to the front so you can just pull it off. Start at the bottom, and pull upwards so that the fulcrum is on the top of the tablet where the USB port is. This is the easiest way to get it off.

Next, unscrew the screws near the top of the board. Remove the tape covering the camera and disconnect the camera. It just pops off with your pry tool. There is a battery connector at the bottom right, an LCD connector at the bottom left, and a touch screen connector at top center. The battery connector pops out without lifting any hinges. Use tweezers to get underneath the wires and pop it up out of the slot. Lift up the hinge on the touch screen connector and use something very thin to get underneath the glued down ribbon cable. Be careful not to break things. Once it's free from the glue, slide the ribbon cable sideways to pull it out from the connector. Lift the hinge on the LCD connector.

Now, take the board from the top and lift upwards. Stick something under the board to break free some of the glue underneath while you pull upwards. This time the fulcrum of the motherboard is where the LCD and battery connector are. Do be cautious, there are speaker wires at the bottom right to be aware of. Once you have it lifted up most of the way, you can slide it out from under the plastic parts near the power connector and fold it sideways towards the right side of the tablet. The speaker wires act as a hinge.

If all goes well you should be looking at the back of the motherboard right now.

3. Hardware Modifications
Solder the wires from the sd card adapter to the respective test points in this diagram. VSS means GND. Once done with this, fold the motherboard back over and plug the ribbon cables back in. Plug in the power cable last. Loosely put the tablet back into its cover so that you don't crush the wires you just soldered, but also to protect the tablet from short circuiting on your table or something.

4. Communication
Plug your SD card reader into your computer, but do not plug in the SD card adapter. Power up your tablet with the volume down button pressed. At the recovery, use the volume keys to navigate to "Enter bootloader" but DO NOT press power yet.

You need to be ready. Within half a second of pressing power you need to plug the SD card adapter into the reader. This is the most reliable way I have gotten the reader to talk to the eMMC chip.

If all goes well you will see all the partitions appear on your computer. On Windows, check disk manager to see them all. On Ubuntu, use the disks program. When on Windows, it will pop up probably 20 different windows asking you to format drives. CLICK NO. And no and no and no and .... You do not want to format your eMMC lmao. Now just leave the card plugged in and don't touch the tablet. Don't even breathe on it.

5. Software Modifications

Mounting the drive:
OK, this is the most difficult part. On Windows you need to get a Linux virtual machine. I prefer to use Ubuntu for this. I also use VirtualBox to run the VM and I can't help you if you don't use it. If you are already using Linux this will make things easier, but if you must use Windows, then you need to mount the eMMC on your virtual machine.

To do this, open a command prompt as an Administrator and navigate to "C:\Program Files\Oracle\VirtualBox". Using disk manager, find what disk number (left side) the SD card reader is mounted on. Then, run this command:

Code:
VBoxManage internalcommands createrawvmdk -filename "C:\Users\<user_name>\firehd8.vmdk" -rawdisk \\.\PhysicalDrive#
Where the # at the end is the disk number you found earlier (mine was 2), and "<user_name>" is obviously the name of your account. This should make a vmdk file on your desktop and be successful. Then you can open your VirtualBox settings for your VM, go to Storage, SATA, and add an existing drive being that vmdk file that just got created. Now boot the machine, and the drive will disappear off Windows but will reappear inside the VM. Please note that VirtualBox must be running as an administrator.

Now, in Linux, mount the system partition (it should be about 1.5GB and will usually be partition 14). Open a terminal into it.

Writing SuperSU:
Did I say the last part was most difficult? Well this one is most time-consuming and most easy to do wrong. Here we go! Extract your SuperSU zip that you downloaded. You only need to keep two folders: common and arm64. You will copy the files from these folders into the system partition and set permissions as follows.

Note: When you see 4 numbers like 0644, this is referring to the permissions to set via chmod.

Note 2: When you see something like u:object_r:system_file:s0, this is referring to the extended attribute security.selinux which can be set with this command:

Code:
sudo setfattr -n security.selinux -v "u:object_r:system_file:s0" FILENAME
(Get setfattr by installing the attr package)

Or on most Ubuntu systems, this command will work too:
Code:
chcon u:object_r:system_file:s0 FILENAME

Note 3: All files copied or created will be owned by root:root. If you use sudo for these commands or do them as root, you'll be fine.
  • Create a directory at /system/app/SuperSU (0644 u:object_r:system_file:s0)
  • Copy common/Superuser.apk to /system/app/SuperSU/SuperSU.apk (0644 u:object_r:system_file:s0)
  • Copy common/install-recovery.sh to /system/etc/install-recovery.sh (0755 u:object_r:system_file:s0)
  • Create symlink from /system/bin/install-recovery.sh to /system/etc/install-recovery.sh
  • Copy arm64/su to /system/xbin/su (0755 u:object_r:system_file:s0)
  • Copy arm64/su to /system/xbin/daemonsu (0755 u:object_r:system_file:s0)
  • Copy arm64/supolicy to /system/xbin/supolicy (0755 u:object_r:system_file:s0)
  • Copy arm64/libsupol.so to /system/lib64/libsupol.so (0644 u:object_r:system_file:s0)
  • Move /system/bin/app_process to /system/bin/app_process_backup
  • Create symlink from /system/bin/app_process to /system/xbin/daemonsu
  • Create an empty file at /system/etc/.installed_su_daemon (0644 u:object_r:system_file:s0)

That's it! Now properly unmount and eject your SD card and boot up your device.

6. Testing and Cleanup
If all goes well you'll find a SuperSU app on your homescreen. Run it and it will probably tell you to update the su binary. Do so, restart, and then you should have root! Congrats! Make sure to go into settings and set it to grant rather than prompt.

Power down your device, unplug the cables, flip the board, desolder the wires, flip the board again, plug in the cables, put your camera back in, and then screw it all back together and slap on the back cover. You did it!

Extra Info and Troubleshooting

I will add troubleshooting steps here as time goes on.

Should you need them, here are the eMMC dumps from the 16GB and 32GB variants:
The Following 58 Users Say Thank You to <br /> For This Useful Post: [ View ] Gift <br /> Ad-Free
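
The file list in step 5 of the post above, turned into a check that can be run against the mounted system partition before it is unmounted, or against a dump to see whether this layout is present. This is an added example, not part of the original post and not SuperSU's own code; the mount-point argument, the function names and the CHECK_LABELS switch are assumptions of this example, and symlink targets are assumed to be absolute on-device paths.

```shell
#!/bin/sh
# Added example: audit a mounted /system tree against the layout listed in the post.
# Paths, modes and the label come from that list; all other names are assumptions.
SU_LABEL='u:object_r:system_file:s0'
# path relative to /system and octal mode, one regular file per line
SU_FILES='app/SuperSU/SuperSU.apk 644
etc/install-recovery.sh 755
xbin/su 755
xbin/daemonsu 755
xbin/supolicy 755
lib64/libsupol.so 644
etc/.installed_su_daemon 644'
# link and target; targets are assumed to be absolute on-device paths, so they
# dangle on the host while the partition is mounted somewhere else
SU_LINKS='bin/install-recovery.sh /system/etc/install-recovery.sh
bin/app_process /system/xbin/daemonsu'

file_mode() {   # GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

label_ok() {    # only checked when CHECK_LABELS=1 (needs getfattr from "attr")
    [ "${CHECK_LABELS:-0}" = 1 ] || return 0
    [ "$(getfattr -n security.selinux --only-values "$1" 2>/dev/null | tr -d '\0')" = "$SU_LABEL" ]
}

# Prints one line per deviation; returns 0 only if the tree matches the list.
audit_su_layout() {
    root=$1; bad=0
    while read -r rel mode; do
        f="$root/$rel"
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "MISSING $rel"; bad=$((bad + 1)); continue
        fi
        m=$(file_mode "$f")
        [ "$m" = "$mode" ] || { echo "MODE $rel is $m, want $mode"; bad=$((bad + 1)); }
        label_ok "$f" || { echo "LABEL $rel"; bad=$((bad + 1)); }
    done <<EOF
$SU_FILES
EOF
    while read -r rel target; do
        [ "$(readlink "$root/$rel")" = "$target" ] || { echo "LINK $rel"; bad=$((bad + 1)); }
    done <<EOF
$SU_LINKS
EOF
    # the original app_process must have been kept (it may itself be a symlink)
    [ -e "$root/bin/app_process_backup" ] || [ -L "$root/bin/app_process_backup" ] ||
        { echo "MISSING bin/app_process_backup"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ]
}
```

Call it as `audit_su_layout /mnt/system` (the mount point is a placeholder); set `CHECK_LABELS=1` to also compare each file's security.selinux attribute with the label from Note 2.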
 
 
8th October 2018, 10:43 AM |#2  
OP Senior Member
Reserved
The Following 2 Users Say Thank You to <br /> For This Useful Post: [ View ] Gift <br /> Ad-Free
8th October 2018, 11:09 AM |#3  
Member
This is beautiful!!! I have to get some basic supplies, but I am excited to try this out! I'd just about given up hope that this device would ever be rooted, but you made it happen! Definitely not the easiest root process, but maybe it will eventually lead to easier ways to obtain root. Thank you again for your hard work and dedication (and to everyone else as well!) on this!! 🍾🥂🎉
The Following 3 Users Say Thank You to richaardvark For This Useful Post: [ View ] Gift richaardvark Ad-Free
8th October 2018, 11:12 AM |#4  
OP Senior Member
Quote:
Originally Posted by richaardvark

This is beautiful!!! I have to get some basic supplies, but I am excited to try this out! I'd just about given up hope that this device would ever be rooted, but you made it happen! Definitely not the easiest root process, but maybe it will eventually lead to easier ways to obtain root. Thank you again for your hard work and dedication (and to everyone else as well!) on this!! 🍾🥂

Haha yay! It makes me happy to see people excited over this. That's what I was hoping for in the long run. I saw the progress thread struggling and thought I could try and help out on the hardware side. It turned out to be a hobby I never knew I needed; something to look forward to each day that made my life a little more exciting. I'm really proud of how far we've come

And you're right, it's definitely not the easiest. I want to make a video tutorial sometime. I have little experience making video tutorials so we'll see.
The Following 6 Users Say Thank You to <br /> For This Useful Post: [ View ] Gift <br /> Ad-Free
8th October 2018, 12:27 PM |#5  
GoodSoul's Avatar
Senior Member
Wow, this is outstanding! First, @</br>, thanks for all the work. You really got into the system and I love what you have found. Unfortunately I am not really good with hardware (totally sw guy) but I will find someone who might help me out here. Again, thanks for all your hard work!
The Following User Says Thank You to GoodSoul For This Useful Post: [ View ] Gift GoodSoul Ad-Free
8th October 2018, 01:18 PM |#6  
Senior Member
I don't know Linux and I don't know how to solder but what the hell I've got an unused 7th gen hd8 sitting here and I'm pretty methodical so why not give it a go eh? Just for fun.



Edit: I'm looking at you @DragonFire1024, you know you want to
The Following 2 Users Say Thank You to obvious For This Useful Post: [ View ] Gift obvious Ad-Free
8th October 2018, 01:39 PM |#7  
Senior Member
YAY!!! Finally, after almost a year of brainstorming by lots of people, and 700+ posts in the progress thread, we have root! THANK YOU for the work you put into this!
A pity that after so much time finally a root is found, but I can't do it (because it involves soldering which is a thing I can't do for a lot of reasons LOL). So, the progress thread will continue searching for a software root, and of course the next step, a bootloader unlock! You helped a couple of my ideas for a software root too, by full access to the eMMC dump.
Thank you again for your great work, and everyone, good luck hardware modding!
The Following 4 Users Say Thank You to Supersonic27543 For This Useful Post: [ View ] Gift Supersonic27543 Ad-Free
8th October 2018, 04:09 PM |#8  
Quote:
Originally Posted by obvious

I don't know Linux and I don't know how to solder but what the hell I've got an unused 7th gen hd8 sitting here and I'm pretty methodical so why not give it a go eh? Just for fun.



Edit: I'm looking at you @DragonFire1024, you know you want to

Right now I don't have the supplies or means to get them. Otherwise I'd have already started this AM. Right now I'm focused on looking at the partitions to get these things unlocked, whether I have help and advice, or not. I'd prefer help, but as with most of my work, I am sure I'll eventually figure it out on my own.

---------- Post added at 04:09 PM ---------- Previous post was at 04:04 PM ----------

With that being said, is anyone going to clarify what @diplomatic was talking about? I don't like receiving half of the advice/instructions.
The Following 3 Users Say Thank You to DragonFire1024 For This Useful Post: [ View ] Gift DragonFire1024 Ad-Free
8th October 2018, 04:52 PM |#9  
Member
I have the same Transcend SD card reader which I use to copy files to and from my Amazon tablets with a USB OTG cable. I was wondering if it would be possible to use a rooted Fire 7 (2015) or Fire HD 10 (2017) with Busybox installed to copy the SuperSU files and set permissions using a terminal emulator with a root shell, instead of a Linux machine/ virtual machine?
I am happy to break a couple of micro SD adapters to connect up the eMMC, but I am anxious about soldering to the motherboard. Is just taping the wires to the motherboard feasible, or is this just not robust enough?
8th October 2018, 05:33 PM |#10  
Senior Member
Right now, this is a little too hard for me to attempt, but great job! Congratulations on figuring out how to root this stubborn thing!
The Following User Says Thank You to Qiangong2 For This Useful Post: [ View ] Gift Qiangong2 Ad-Free
8th October 2018, 07:20 PM |#11  
Senior Member
Quote:
Originally Posted by DragonFire1024

Right now I don't have the supplies or means to get them. Otherwise I'd have already started this AM. Right now I'm focused on looking at the partitions to get these things unlocked, whether I have help and advice, or not. I'd prefer help, but as with most of my work, I am sure I'll eventually figure it out on my own.

---------- Post added at 04:09 PM ---------- Previous post was at 04:04 PM ----------

With that being said, is anyone going to clarify what @diplomatic was talking about? I don't like receiving half of the advice/instructions.

The way I understand it, you're looking for the address of the unlock 'partition' so if you flash a text file with renamed file extension to it then you can trawl through address space till you find the text you recognize. Then you'll be able to work out where it is. It might overflow to or from another area but knowing the content of the file will enable you to figure out where correct offsets are....or something like that. Just my interpretation.
The Following User Says Thank You to obvious For This Useful Post: [ View ] Gift obvious Ad-Free

Tags
amazon, emmc, fire hd 8 7th gen, kindle, root
