Multi-platform 1-Click bootloader unlock for *ANY* 3rd Gen HDX (with VirtualBox)

[draxie]

UPDATE 2022-03-05: Network Access Snafu

During the last week or so, a server-side issue caused 1-Click to fail
either silently or with a "1-Click needs network access!" message
on startup. If you experienced the above, please try again!


Changed:

• VirtualBox 6.1.x support (tested with 6.1.16)
  works fine on Linux with Firefox and USB2 ports
  tends to be flaky on MacOS with Safari; PLEASE use Firefox or Chrome!!
  may need to connect via a USB2 hub or try different ports and cables
• More accurate state assessment (i.e. rooted/unlocked/etc)
• More aggressive planning logic
  always look for ROM/GAPPS/SU in internal storage
  may end up offering choices that make very little sense
• Assorted fixes and improvements
  hopefully fewer new bugs were introduced than old ones fixed

Unchanged:

1. No prerequisites on the device side
   • no root needed
   • full stock is OK
   • stuck in fastboot is fine
   • heck, it even works with _some_ soft-bricks
2. Does NOT work on Windows
   1-Click is a virtual machine and a script that starts the VM in VirtualBox.
   Unfortunately, VirtualBox on Windows fails to pass certain USB devices
   including the HDX in bulk mode from Windows to the VM.
3. Network access required to grab the right aboot + TWRP for your device
4. Optional TWRP magic to auto-install ROM.zip, GAPPS.zip, and SU.zip from internal storage

PM me for a personal link and please state your regular HOST operating system.

Gotchas:

• Requests without HOST OS information will be ignored.
  • Naturally, the same applies to requests with a Windows HOST OS.
• Running 1-Click inside another VM is almost guaranteed NOT to work.
• Link requests should be sent at the earliest 2 weeks after join date.
  Freshly joined members are encouraged to spend some time
  familiarizing themselves with the details of working with this device
  by studying the relevant threads in this forum.
• If you send a request be sure to monitor your account for replies!
  A response should arrive within a week (or so), but the link is only valid for 2 days.
  Don't miss your chance!

 

[DB126]

Title says it all..

(Well, almost: you need a vulnerable bootloader,
i.e. 3.2.3.2 or earlier, that foolishly accepts forged
signatures...)

Download and unpack the attached zip file.
Run the right '1-Click' script for your platform
(that is, '1-Click.bat' for Windows users,
and '1-Click' on OS X and Linux).

Simply clicking on the script works in Windows and OS X.
On these more "one-size fits all" operating systems, the scripts
-modulo network connectivity- will also download and install
VirtualBox, if it's not already installed.


Linux users need either VirtualBox or QEMU installed.
There are simply too many variants to automate this
for all the different distros. Sorry...

On some Linux variants, instead of launching the script
the click action opens the script in editor... YMMV
This may, in fact, be very useful, since on some of the same
Linux variants the script has to be run as root to avoid
automounters taking precedence; in which case, you're
well advised to make sure you read and understand what
the script is doing before you run it as root, because I take no
-that is: ZERO- responsibility for any damage that may result.


I personally tested the scripts on

• Linux: Mint 17.2 (both 32-bit and 64-bit versions)
• OS X: Mountain Lion, Yosemite, El Capitan
• Windows: 7, 8.1, 10

The 1-Click VM runs a minimal Linux system with adb/fastboot
and a pure C "cuber" using OpenSSL's BigNum library.

No need to download adb/fastboot, python, or worry about
drivers on your host system.

Good luck!

Very cool! Will be interesting to try this out (have to wait for a someone with an eligible device that is willing to give it a whirl).

 

[draxie]

Any takers?

Very cool! Will be interesting to try this out (have to wait for a someone with an eligible device that is willing to give it a whirl).

BTW, this works with already unlocked devices also,
if anyone is willing to do some independent testing.
This is how I tested also... should be completely harmless.

 

[codeshane]

Ran this against my HDX 7

Puttytel reported an 'error reading from serial device', but after it had initiated device shutdown so just a gui annoyance (I'm on windows, so commonplace.) It seemed to work, but I haven't verified yet..

> fastboot -i 0x1949 oem device-info

kindle fire [fastboot]
oem device-info...Device tampered: false
Ok.

I'll do some more testing later.

 

[draxie]

Puttytel reported an 'error reading from serial device', but after it had initiated device shutdown so just a gui annoyance (I'm on windows, so commonplace.) It seemed to work, but I haven't verified yet..

> fastboot -i 0x1949 oem device-info

kindle fire [fastboot]
oem device-info...Device tampered: false
Ok.

I'll do some more testing later.

Thanks for reporting back!
The puttytel message is normal: the serial port it's talking to
disappears when the VM shuts down.

If/when you test again do check your Kindle after the fastboot prompt
appears but **before** you hit [Enter] in the puttytel window!
You should see "Unlock code correct" in green,
if the unlock worked...

Other than that, since you seem to have fastboot working, you can use

fastboot -i 0x1949 oem idme ?

to see if your device is unlocked (see here for a list of commands).

 

[codeshane]

Other than that, since you seem to have fastboot working, you can use

fastboot -i 0x1949 oem idme ?

to see if your device is unlocked (see here for a list of commands).

C:\>fastboot -i 0x1949 oem idme ?
...
(bootloader) board_id: 0c0400
(bootloader) serial: xxxxxxxxxxxxxxxx
(bootloader) mac_addr: 00BB3Axxxxxx
(bootloader) bt_mac_addr: 00BB3Axxxxxx
(bootloader) productid: 0
(bootloader) productid2: 0
(bootloader) bootmode: 1
(bootloader) postmode: 0
(bootloader) bootcount: 203
(bootloader) panelcal:
(bootloader) time_offset: 0
(bootloader) signature:
(bootloader) idme done
OKAY [ 0.359s]
finished. total time: 0.361s

I feel rusty, haven't done any android dev in two years.. never tried to unlock a bootloader beyond 'fastboot oem unlock' before, but I really don't want them re-locking this one (they've taken root from me twice before.) I verified I have root still, but some apps are reporting that I don't. lame. more tests when I have some time, thanks for your time and effort!

Update:
Successfully flashed twrp recovery image recovery-twrp-recovery-2-8-1-0-apollo-t2991155

Happily considering ROMs to blow-away Amazon's 'os' with

 

[DB126]

C:\>fastboot -i 0x1949 oem idme ?
...
(bootloader) board_id: 0c0400
(bootloader) serial: xxxxxxxxxxxxxxxx
(bootloader) mac_addr: 00BB3Axxxxxx
(bootloader) bt_mac_addr: 00BB3Axxxxxx
(bootloader) productid: 0
(bootloader) productid2: 0
(bootloader) bootmode: 1
(bootloader) postmode: 0
(bootloader) bootcount: 203
(bootloader) panelcal:
(bootloader) time_offset: 0
(bootloader) signature:
(bootloader) idme done
OKAY [ 0.359s]
finished. total time: 0.361s

I feel rusty, haven't done any android dev in two years.. never tried to unlock a bootloader beyond 'fastboot oem unlock' before, but I really don't want them re-locking this one (they've taken root from me twice before.) I verified I have root still, but some apps are reporting that I don't. lame. more tests when I have some time, thanks for your time and effort!

Update:
Successfully flashed twrp recovery image recovery-twrp-recovery-2-8-1-0-apollo-t2991155

Happily considering ROMs to blow-away Amazon's 'os' with

Thoughts:
- take a backup of your current rom before flashing; leave it on the device until the new rom is stable (simplifies recovery)
- if you get a response from 'fastboot -i 0x1949 oem idme' your bootloader is unlocked!
- once you overwrite FireOS there is no chance of loosing root due to Amazon actions. OTA capability is baked into FireOS - not the device firmware.
- If you like AOSP go with Nexus v4. Any of the other HDX roms (CM11, CM12, SlimLP) are also fine choices. Each has a few minor quirks but no major 'gotchas'.

 

[codeshane]

Sorry for the delay, wrote back a while ago but I guess it didn't post (cellular, pfft.)

Went for the Nexus v4 rom, which is running great so far. Thanks again for such a brilliantly simple unlock utility!

 

[zXiC]

I have a few questions.

1. How can I tell I have a vulnerable bootloader?
I've been on Safestrap 3.7 and one of the early 4.2.2 Android Roms since the December after the HDX's release. My stock slot Fire OS hasn't been updated either. So am I on a vulnerable bootloader? How do I check?
2. Where do I start with this?
Is there anything I need to remove? Do I need to be on the stock Fire OS slot? Or do I simply run it as you stated.
3. After the unlock where do I go from there?
I'm so out of the loop I don't know what's the ideal stable rom to use .

Thanks, I'd appreciate any help .

 

[DB126]

I have a few questions.

1. How can I tell I have a vulnerable bootloader?
I've been on Safestrap 3.7 and one of the early 4.2.2 Android Roms since the December after the HDX's release. My stock slot Fire OS hasn't been updated either. So am I on a vulnerable bootloader? How do I check?
2. Where do I start with this?
Is there anything I need to remove? Do I need to be on the stock Fire OS slot? Or do I simply run it as you stated.
3. After the unlock where do I go from there?
I'm so out of the loop I don't know what's the ideal stable rom to use .

Thanks, I'd appreciate any help .

Check your FireOS version in the stock slot. If 3.2.6 or below you can unlock the bootloader. The rollback procedure depends on the current version of FireOS. Report back and we'll go from there.

 

[Cl4ncy]

Just a little add-on to @Davey126's info:
3.2.3.2 and lower can unlock, 3.2.4 - 3.2.6 must downgrade first.
Once on 3.2.8 or higher you can NOT downgrade anymore due to rollback protection by Amazon, attempting would brick the device! So if you're on 3.2.6 or lower do NOT update!

 

[draxie]

Just a little add-on to @Davey126's info:
3.2.3.2 and lower can unlock, 3.2.4 - 3.2.6 must downgrade first.
Once on 3.2.8 or higher you can NOT downgrade anymore due to rollback protection by Amazon, attempting would brick the device! So if you're on 3.2.6 or lower do NOT update!

Just a quick comment: since there are no known adverse affects of a failed unlock,
you could just try unlocking to see if your bootloader is 3.2.3.2 or earlier..
If the unlock fails, you could move on to figuring out if downgrading is an option.

 

[DB126]

Just a quick comment: since there are no known adverse affects of a failed unlock,
you could just try unlocking to see if your bootloader is 3.2.3.2 or earlier..
If the unlock fails, you could move on to figuring out if downgrading is an option.

True!! But for for the 'typical' Kindle user (I know...sterotypes) working with a Windows host the effort to unlock far exceeds that of simply checking the FireOS version if still installed.

 

[fuxkamazon]

Hi, can any help why it keep telling me my kindle device is not connected? i using windowX86 and sure open the adb on kindle. thank you!

 

[draxie]

More accuracy please! (-;

Hi, can any help why it keep telling me my kindle device is not connected? i using windowX86 and sure open the adb on kindle. thank you!

Hi there,

I'm convinced that I can help you,
but I would need a more accurate
trouble report...

In the meantime, I'll try to give some background
and possible causes and remedies to what I think
might be your problem.

1-Click relies on VirtualBox's USB filter mechanism
to pass through any USB device with Amazon' s
vendorId (0x1949) to the 1-Click VM.
This may not always work.
The most common reasons are as follows:

• No device is connected.
  I presume this does *not* apply...
  
  
• The device is in use.
  This could happen easily, e.g. if you were browsing files on your Kindle.
  Apart from possible privilege issues (see next bullet),
  these kind of issues are usually solved by simply disconnecting
  and reconnecting your device while the VM is running.
  
  This is the most common/likely case, which 1-Click also tells you about..
  Have you tried this? (Your report is not very clear on this.)
  
  
• Possible lack of privilege.
  I've only encountered this on Linux (as described in the first post),
  but, then again, on all the Windows boxes I tested on, my user is
  in the Administrators group; so, this may still apply there.
  
  BTW, I'm guessing that you are on some 32-bit version of Windows,
  although I must admit that the "windowX86" moniker in your post
  doesn' t make this crystal clear.
  
  
• Global USB filter rules in VirtualBox may override the rule used by 1-Click.
  This only applies if VirtualBox had already been installed
  and configured with global USB filter rules before 1-Click.

There may be other reasons, but the above should cover
the most obvious/common cases.

 

[fuxkamazon]

ty for you quick reply. i dun know what info i can provide but ill try. im now using this bl unlock on safestrap3.75 stock rom without opening or browsing any documents. yet, it show the samething i did last couple times. Here is,

Welcome to 1-Click

mount: proc mounted on /proc.
mount: sys mounted on /sys.
mount: dev mounted on /dev.
* daemon not run[ 1.269523] random: adb urandom read with 6 bits of entropy available
ning. starting it now on port 5037 *
* daemon started successfully *

Please make sure ADB is enabled on your Kindle
and connect the device to your computer


In case you don't already know, ADB is enabled by turning on the
'Settings/Device[ Options]/Developer Options/Enable ADB' option.
If 'Developer Options' is missing in 'Settings/Device[ Options]',
tapping 'Settings/Device[ Options]/Serial Number' seven times
will enable it..

Hit [Enter] to continue

No device appears to be connected..
You may need to disconnect and reconnect your device

Hit [Enter] to continue[ 27.214445] random: nonblocking pool is initialized

so hope you can find whats going wrong. ty!

Hi there,

I'm convinced that I can help you,
but I would need a more accurate
trouble report...

In the meantime, I'll try to give some background
and possible causes and remedies to what I think
might be your problem.

1-Click relies on VirtualBox's USB filter mechanism
to pass through any USB device with Amazon' s
vendorId (0x1949) to the 1-Click VM.
This may not always work.
The most common reasons are as follows:

• No device is connected.
  I presume this does *not* apply...
  
  
• The device is in use.
  This could happen easily, e.g. if you were browsing files on your Kindle.
  Apart from possible privilege issues (see next bullet),
  these kind of issues are usually solved by simply disconnecting
  and reconnecting your device while the VM is running.
  
  This is the most common/likely case, which 1-Click also tells you about..
  Have you tried this? (Your report is not very clear on this.)
  
  
• Possible lack of privilege.
  I've only encountered this on Linux (as described in the first post),
  but, then again, on all the Windows boxes I tested on, my user is
  in the Administrators group; so, this may still apply there.
  
  BTW, I'm guessing that you are on some 32-bit version of Windows,
  although I must admit that the "windowX86" moniker in your post
  doesn' t make this crystal clear.
  
  
• Global USB filter rules in VirtualBox may override the rule used by 1-Click.
  This only applies if VirtualBox had already been installed
  and configured with global USB filter rules before 1-Click.

There may be other reasons, but the above should cover
the most obvious/common cases.

 

[draxie]

ty for you quick reply. i dun know what info i can provide but ill try. im now using this bl unlock on safestrap3.75 stock rom without opening or browsing any documents. yet, it show the samething i did last couple times. Here is,

Welcome to 1-Click

mount: proc mounted on /proc.
mount: sys mounted on /sys.
mount: dev mounted on /dev.
* daemon not run[ 1.269523] random: adb urandom read with 6 bits of entropy available
ning. starting it now on port 5037 *
* daemon started successfully *

Please make sure ADB is enabled on your Kindle
and connect the device to your computer


In case you don't already know, ADB is enabled by turning on the
'Settings/Device[ Options]/Developer Options/Enable ADB' option.
If 'Developer Options' is missing in 'Settings/Device[ Options]',
tapping 'Settings/Device[ Options]/Serial Number' seven times
will enable it..

Hit [Enter] to continue

No device appears to be connected..
You may need to disconnect and reconnect your device

Hit [Enter] to continue[ 27.214445] random: nonblocking pool is initialized

so hope you can find whats going wrong. ty!

This looks fine. The question is what you did next..
Have you tried disconnecting and reconnecting your Kindle
as the message above suggests?

(BTW, since this was the only direct question in my previous post,
I sort of expected you to answer that, but now you get another chance. )

 

[conan1600]

just tried this. i had rooted my kindle when root first came out without safestrap as i didnt like all the restrictions of safestrap. i installed twrp much later and then cm 11 for twrp without an unlocked BL. tried this one click and had to disconnect and reconnect the tablet at one point, no biggie. at another it sat there with no instructions till i hit enter, but it did complete and said it was successful. so ty very much. at some point soon ill try a rom that requires an unlocked BL and see that my BL is really unlocked. great program if it really did work. will donate soon

 

[nickytun]

I'm using Thor with stock 13.3.2.4 block OTA update and safetrap 3.75. So can i use this tool to unlock BL right away or i've downgraded 13.1.0.0 then unlock?

 

[Cl4ncy]

I'm using Thor with stock 13.3.2.4 block OTA update and safetrap 3.75. So can i use this tool to unlock BL right away or i've downgraded 13.1.0.0 then unlock?

You can NOT unlock versions above 3.2.3.2, so you must downgrade first.
Good News is you can downgrade to 3.1.0 using the downgrade images provided by @ggow. Check page 2 here (page 1 is about 3.2.5/3.2.6 users who can NOT use these images!). Then flash TWRP, update the bootloader to 3.2.3.2, unlock the bootloader, then use ROM of your choice.
Read the info, ask if you've any questions before you brick your HDX! Note that factory reset in Safestrap means the standard wipe only (wipes data, cache & dalvik only)! Do NOT go into advanced wipe, do NOT wipe System!
Be sure to make backups of your current system (even if you don't need it anymore), remove the secondary slot(s) in Safestrap to get back the storage used by it (if you created any), and after installation of TWRP create a backup of your Fire OS before you flash any custom ROM.