Amazon Fire HD 8 (7th Gen) Hardmod Root Guide
I have successfully rooted the Amazon Fire HD 8 (7th Gen), and I want to help you do it too! This is not an easy root, but it's as easy as it can be. The aim for this root was to get at least one working method in order to help aid the development of an easier software root in the future. Countless people from the xda-developers forums worked together to make this root method possible. This thread is where everything started. In no particular order, I want to thank for their help:
@Supersonic27543, @DragonFire1024, @teixeirap, @diplomatic, @richaardvark, @t0x1cSH, @Qiangong2, @MontysEvilTwin, @TheRealIntence, @Snigglez, @ambush_boy, @cybersaga, @gamblodar, @adidasos
… and everyone else who I missed. You're all amazing. Thank you!
I sunk a couple hundred dollars into finding this exploit, so if it works for you please consider helping me recuperate the costs. I want to find an exploit for the newer 8th gen tablets but cannot keep spending money like this. If nothing else, please give this post a thumbs up! :)
Remember, this is a hardware root, so you will need experience with a soldering iron. All the hardware modifications needed for this tablet are pretty easy even if you have never soldered before. However, especially in the case of hardware modifications, there is a chance you can permanently brick your tablet. If you follow this guide, don't hold me responsible if you break things.
This guide will be improved as time goes on. Please reply with any questions or comments and I will help out where I can! Let's get started :)
- Preparation - Gather the materials, build an SD card adapter, etc.
- Disassembly - Take the tablet apart and turn over the motherboard
- Hardware Modifications - Soldering the SD card adapter to the board
- Communication - Getting the device to talk to your computer
- Software Modifications - Installing SuperSU by hand
- Testing and Cleanup - Checking for root, removing the SD card adapter, reassembly.
You will need:
- An SD card reader that can read in 1-bit mode. This one will work. If you already have a reader you'd like to try, find a working SD card and referring to this diagram use some electrical tape to cover up pins 1, 2, and 9 (DAT 1-3). If you plug in the card and it still reads, then the reader will work.
- A micro-sd card adapter. This will be taken apart so you can solder to the inside.
- A soldering iron, solder, and experience.
- Some thin wire. I like to use some 28 AWG magnet wire since it has an insulative enamel coating to prevent short circuits.
- A small phillips head screwdriver to remove the motherboard.
- Either a linux-based computer or a virtual machine running linux through which you can mount a raw physical disk from the host computer. VirtualBox can do this and I will show you how.
- Experience using Linux commands and mounting partitions.
- SuperSU version 2.79.
Modifying the SD Card Adapter
Pry apart the SD card adapter. You need to connect wires to CMD, GND, CLK, and DAT0. Give yourself at least a few inches of length to work with. Here are some images to help you figure it out:
I recommend putting some tape on the wires and writing what they are so you don't lose track after putting the adapter back together (or in my case, wrapping tape around the adapter because I broke the shell).
Also, you will need to either make sure that the sliding lock on the side of the adapter is still there (or fill it in so that there's no more indent) or take apart your SD card reader and ground the read-only pin so that the reader allows you to write to the card. (Grounding it makes it writable, having it open makes it read-only). This pin is located to the far left of the reader when the opening is facing you and the card is facing up.
Use a pry tool to take apart the tablet at the seam. There are no ribbon cables connecting the back cover to the front so you can just pull it off. Start at the bottom, and pull upwards so that the fulcrum is on the top of the tablet where the USB port is. This is the easiest way to get it off.
Next, unscrew the screws near the top of the board. Remove the tape covering the camera and disconnect the camera. It just pops off with your pry tool. There is a battery connector at the bottom right, an LCD connector at the bottom left, and a touch screen connector at top center. The battery connector pops out without lifting any hinges. Use tweezers to get underneath the wires and pop it up out of the slot. Lift up the hinge on the touch screen connector and use something very thin to get underneath the glued down ribbon cable. Be careful not to break things. Once it's free from the glue, slide the ribbon cable sideways to pull it out from the connector. Lift the hinge on the LCD connector.
Now, take the board from the top and lift upwards. Stick something under the board to break free some of the glue underneath while you pull upwards. This time the fulcrum of the motherboard is where the LCD and battery connector are. Do be cautious, there are speaker wires at the bottom right to be aware of. Once you have it lifted up most of the way, you can slide it out from under the plastic parts near the power connector and fold it sideways towards the right side of the tablet. The speaker wires act as a hinge.
If all goes well you should be looking at the back of the motherboard right now.
3. Hardware Modifications
Solder the wires from the sd card adapter to the respective test points in this diagram. VSS means GND. Once done with this, fold the motherboard back over and plug the ribbon cables back in. Plug in the power cable last. Loosely put the tablet back into its cover so that you don't crush the wires you just soldered, but also to protect the tablet from short circuiting on your table or something.
Plug your SD card reader into your computer, but do not plug in the SD card adapter. Power up your tablet with the volume down button pressed. At the recovery, use the volume keys to navigate to "Enter bootloader" but DO NOT press power yet.
You need to be ready. Within half a second of pressing power you need to plug the SD card adapter into the reader. This is the most reliable way I have gotten the reader to talk to the eMMC chip.
If all goes well you will see all the partitions appear on your computer. On Windows, check disk manager to see them all. On Ubuntu, use the disks program. When on Windows, it will pop up probably 20 different windows asking you to format drives. CLICK NO. And no and no and no and .... You do not want to format your eMMC lmao. Now just leave the card plugged in and don't touch the tablet. Don't even breathe on it.
5. Software Modifications
Mounting the drive:
Ok this is the most difficult part. On Windows you need to get a linux virtual machine. I prefer to use Ubuntu for this. I also use VirtualBox to run the VM and I can't help you if you don't use it. If you are already using Linux this will make things easier, but if you must use Windows, then you need to mount the eMMC on your virtual machine.
To do this, open a command prompt as an Administrator and navigate to "C:\Program Files\Oracle\VirtualBox". Using disk manager, find what disk number (left side) the SD card reader is mounted on. Then, run this command:
VBoxManage internalcommands createrawvmdk -filename "C:\Users\<user_name>\firehd8.vmdk" -rawdisk \\.\PhysicalDrive#
Now, in linux, mount the system partition (it should be about 1.5GB and will usually be partition 14). Open a terminal into it.
Did I say the last part was most difficult? Well this one is most time-consuming and most easy to do wrong. Here we go! Extract your SuperSU zip that you downloaded. You only need to keep two folders: common and arm64. You will copy the files from these folders into the system partition and set permissions as follows.
Note: When you see 4 numbers like 0644, this is referring to the permissions to set via chmod.
Note 2: When you see something like u:object_r:system_file:s0, this is referring to the extended attribute security.selinux which can be set with this command:
sudo setfattr -n security.selinux -v "u:object_r:system_file:s0" FILENAME
Or on most Ubuntu systems, this command will work too:
chcon u:object_r:system_file:s0 FILENAME
- Create a directory at /system/app/SuperSU (0644 u:object_r:system_file:s0)
- Copy common/Superuser.apk to /system/app/SuperSU/SuperSU.apk (0644 u:object_r:system_file:s0)
- Copy common/install-recovery.sh to /system/etc/install-recovery.sh (0755 u:object_r:system_file:s0)
- Create symlink from /system/bin/install-recovery.sh to /system/etc/install-recovery.sh
- Copy arm64/su to /system/xbin/su (0755 u:object_r:system_file:s0)
- Copy arm64/su to /system/xbin/daemonsu (0755 u:object_r:system_file:s0)
- Copy arm64/supolicy to /system/xbin/supolicy (0755 u:object_r:system_file:s0)
- Copy arm64/libsupol.so to /system/lib64/libsupol.so (0644 u:object_r:system_file:s0)
- Move /system/bin/app_process to /system/bin/app_process_backup
- Create symlink from /system/bin/app_process to /system/xbin/daemonsu
- Create an empty file at /system/etc/.installed_su_daemon (0644 u:object_r:system_file:s0)
That's it! Now properly unmount and eject your SD card and boot up your device.
6. Testing and Cleanup
If all goes well you'll find a SuperSU app on your homescreen. Run it and it will probably tell you to update the su binary. Do so, restart, and then you should have root! Congrats! Make sure to go into settings and set it to grant rather than prompt.
Power down your device, unplug the cables, flip the board, desolder the wires, flip the board again, plug in the cables, put your camera back in, and then screw it all back together and slap on the back cover. You did it!
Extra Info and Troubleshooting
I will add troubleshooting steps here as time goes on.
Should you need them, here are the eMMC dumps from the 16GB and 32GB variants: