
[Thor][Apollo] Unlocking bootloader with any firmware

By ONYXis, Senior Member on 18th September 2016, 08:11 AM
Hello. First of all, I did not invent anything new; I just checked a guess of mine on another motherboard. All thanks and credit go to our great developers. As always, everything is at your own risk.
It does not work on the Fire HDX 8.9 (Saturn)!
Not all steps in this manual are strictly necessary, but they are present for maximum safety, so I highly recommend doing everything exactly this way. Sorry for my English, as always =)
Update 2: the current method is https://forum.xda-developers.com/sho...postcount=1006
Update: now you can use draxie's updated utility - http://forum.xda-developers.com/kind...oader-t3241014

Prerequisites for Installation
- Root
- Installed adb and fastboot drivers - official - https://drive.google.com/open?id=0B2...WdwRl9TQS11b0k (if your system language is not English, after the install fails navigate to "Program Files (x86)\Lab126\drivers" and run dpinst.exe /EL, or switch to English =); on x64 you need to disable driver signature verification before installing). You can also use the pdanet drivers - http://forum.xda-developers.com/show...23&postcount=8

Manual:
1. Create the unlock file following these instructions - https://forum.xda-developers.com/kin...5#post70881555

2. Flash the old vulnerable aboot and the cubed TWRP (just in case). Check that all these commands execute without errors. If you get one, read the second post below. If your firmware is <= 13(14).3.2.3.2, skip this step.
Download aboot and TWRP for Thor (Kindle Fire HDX 7) https://drive.google.com/open?id=0B2...GxXMUZPZTlZTUk or for Apollo (Kindle Fire HDX 8.9) - https://drive.google.com/open?id=0B2...zJDQkczNzRLaHM - and put these two files (twrp_cubed.img and aboot_vuln.mbn) into the root of your Kindle's internal storage.
Run:
Code:
adb shell
su
dd if=/sdcard/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
Now you have a working TWRP recovery. It already works even without an unlocked bootloader. You can boot into it by holding Vol Up during the grey Kindle logo. But there is no need to flash anything until you unlock; at this point it is just an emergency tool in case something goes wrong =)

3. Flash the unlock file.
Now, if you reboot, you will go straight into fastboot because of the old aboot: the newest boot.img can't be loaded by it. If your firmware is < 13(14).4.1.1, you need to run "adb reboot bootloader" to boot into fastboot.
Time to flash your unlock file.
Code:
fastboot -i 0x1949 flash unlock 0xmmssssssss.unlock
You must get "unlock code is correct".
Grats. You are perfect =)
You can flash:
CM13 - http://forum.xda-developers.com/kind...11-29-t3259732
CM 12.1 - http://forum.xda-developers.com/kind...-thor-t3050199
Or the latest stock repacked 4.5.5.2 ROM - https://drive.google.com/open?id=0B2...FFtN2RYNXNUZ0k (13.x - Thor, 14.x - Apollo)
Do not flash original stock firmwares.

Regards and thanks to all - @dpeddi, @vortox, @draxie, @ggow, @Ralekdev, @jcase, @Hashcode
And the greatest thanks to @MahmudS for the motherboard for my experiments!
18th September 2016, 08:12 AM |#2 ONYXis (OP)
FAQ:
1. If you get "no such file or directory" after su in step 2 (this is possibly Safestrap related), try the following commands:
Code:
adb shell
su
dd if=/storage/emulated/0/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/storage/emulated/0/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
http://forum.xda-developers.com/show...1&postcount=35
18th September 2016, 08:15 AM |#3 ONYXis (OP)
I think you can use the great @draxie tool - http://forum.xda-developers.com/kind...oader-t3241014 doing step 2 only. But it needs testing. Anyway, I highly recommend getting your HW IDs before any actions.
18th September 2016, 09:17 AM |#4 draxie
Daredevil
Quote:
Originally Posted by ONYXis


Code:
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot

Great job! So, simply flashing the vulnerable bootloader "just works"...
Are you absolutely positive?
Although I've been expecting this all along
[but wouldn't dare trying, since the HDX is *still* my only tablet],
I'm wondering what the supposed "rollback protection" after 3.2.8 really covers.

Fixed issue (now hidden)
BTW: I get the exact same MD5 hash for both versions of 'aboot_vuln.mbn' (the two 'cubed_twrp.img' are different).
Code:
66b7df0db97c7c2905d1d61199c816a5  13-aboot_vuln.mbn
66b7df0db97c7c2905d1d61199c816a5  14-aboot_vuln.mbn
087e7125c48fcbebcc2f51a9c46379f2  13-twrp_cubed.img
c06799a4a8d48d9dd55aea002def1caf  14-twrp_cubed.img
H[66b7df0db97c7c2905d1d61199c816a5]=aboot-13.3.2.3.2_user_323001720.mbn

Please double-check to make sure Apollo users won't get fried.



You do say that not all steps are necessary. Can you advise if my thinking below sounds correct?
I'm considering adding this to 1-Click; that's why I'm asking.. (If I could also include a surefire way
to root the device beforehand, we'd be all set for a truly 1-Click experience from scratch, modulo
strange Windows behaviour. [if anybody still cares ;-P])
  • I suppose getting rid of the potentially dangerous anti-rollback-related files is a good measure,
    but if they had been making any difference, this method shouldn't really work, right?
    So, this may not be needed at all.
  • I'm also thinking that flashing TWRP in the same step -although nice- is not strictly needed.
    Would you agree?
18th September 2016, 09:42 AM |#5 ONYXis (OP)
Quote:

Are you absolutely positive?

I tried this on two devices, with two firmwares on each, after a rollback-upgrade process, to be sure.
Quote:

Although I've been expecting this

Same as me. It just needed to be checked.
Quote:

: I get the exact same MD5 hash for both versions of 'aboot_vuln.mbn

Strange, I use the same aboots in this tool - http://forum.xda-developers.com/kind...mware-t3277197 =) need to fix =)
Re-uploaded aboot from 14.3.2.3.2 - 4A2BE8E374C8D1FCE8E6743AC2D09BB0
Thank you.
Quote:

I'm also thinking that flashing TWRP in the same step -although nice- is not strictly needed.

Of course. But... why not? And sometimes fastboot flash recovery doesn't work the very first time.
Quote:

but if they had been making any difference, this method shouldn't really work, right?
So, this may not be needed at all.

This needs to be checked. I really do not like that factory_provision_tool.
But I agree that all the magic is just dd'ing the old aboot.
18th September 2016, 10:11 AM |#6 draxie
Quote:
Originally Posted by ONYXis

I tried this on two devices, with two firmwares on each, after a rollback-upgrade process, to be sure.

Sounds good.

Quote:
Originally Posted by ONYXis

Same as me. It just needed to be checked.

Indeed! And, that's quite a daring achievement. Big thanks for that!

Quote:
Originally Posted by ONYXis

Strange, I use the same aboots in this tool - http://forum.xda-developers.com/kind...mware-t3277197 =) need to fix =)
Re-uploaded aboot from 14.3.2.3.2 - 4A2BE8E374C8D1FCE8E6743AC2D09BB0
Thank you.

I also verified this, just to be sure; and, chose to hide the issue in my post above.
H[4a2be8e374c8d1fce8e6743ac2d09bb0]=aboot-14.3.2.3.2_user_323001720.mbn

Quote:
Originally Posted by ONYXis

Of course. But... why not? And sometimes fastboot flash recovery doesn't work the very first time.

I'll see if including the TWRP images in 1-Click pushes the size of the ZIP over the XDA limit.
I suppose I could opt to fetch from the net if it doesn't, but then I need to enable networking for the VM.

Quote:
Originally Posted by ONYXis

This needs to be checked. I really do not like that factory_provision_tool.
But I agree that all the magic is just dd'ing the old aboot.

Yes. Please check!
18th September 2016, 11:32 AM |#7 ONYXis (OP)
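As an added example that is not ONYXis's or draxie's code (and not part of the 1-Click tool): a small POSIX sh wrapper for the dd step in post #1 that folds in the MD5 check from posts #4 to #6 and the /sdcard vs /storage/emulated/0 fallback from the FAQ in post #2. It assumes it is run as root on the device (adb shell; su) with toybox or busybox dd, md5sum, head, wc and sync available. The function and variable names are mine; the partition path, file name and hashes are the ones posted in this thread.

```shell
#!/bin/sh
# Added example, not the thread's own code. A cautious wrapper around the
# "dd the old aboot" step: (1) check the image's MD5 against the hashes posted
# in the thread, (2) back up the partition about to be overwritten, (3) write it
# with dd, (4) read the partition back and compare it with the image.
# Assumed environment: root shell on the device with sh, dd, md5sum, head, wc, sync.

# MD5 sums from posts #4, #5 and #6 (13 = Thor, 14 = Apollo).
MD5_ABOOT_13=66b7df0db97c7c2905d1d61199c816a5   # 13-aboot_vuln.mbn, from 13.3.2.3.2
MD5_ABOOT_14=4a2be8e374c8d1fce8e6743ac2d09bb0   # 14-aboot_vuln.mbn, from 14.3.2.3.2
ABOOT_PART=/dev/block/platform/msm_sdcc.1/by-name/aboot   # path from post #1

# Print the MD5 of a file ("set --" splits md5sum's "hash  name" output).
md5_of() {
    set -- $(md5sum "$1")
    echo "$1"
}

# Succeed only if file $1 has MD5 $2 (hex case does not matter).
check_image_md5() {
    want=$(echo "$2" | tr 'A-F' 'a-f')
    [ "$(md5_of "$1")" = "$want" ]
}

# Post #2 FAQ: the image may be reachable as /sdcard/NAME or /storage/emulated/0/NAME
# depending on the shell you are in. Print the first path that exists.
find_image() {
    for p in "/sdcard/$1" "/storage/emulated/0/$1"; do
        if [ -f "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    echo "$1: not found in /sdcard or /storage/emulated/0" >&2
    return 1
}

# Write image $1 to partition $2 only if its MD5 is $3; back up $2 to $4 first.
# conv=notrunc keeps the target's size when $2 is a regular file (dry run);
# on a real block device the bytes past the image's end keep their old contents,
# exactly as with the plain dd in post #1.
flash_verified() {
    img=$1; part=$2; want=$3; backup=$4
    if ! check_image_md5 "$img" "$want"; then
        echo "refusing to flash: MD5 of $img is $(md5_of "$img"), expected $want" >&2
        return 1
    fi
    dd if="$part" of="$backup" bs=4096 2>/dev/null || return 1
    dd if="$img" of="$part" bs=4096 conv=notrunc 2>/dev/null || return 1
    sync
    # Read back exactly as many bytes as the image and compare hashes.
    size=$(wc -c < "$img" | tr -d ' ')
    set -- $(head -c "$size" "$part" | md5sum)
    if [ "$1" != "$(md5_of "$img")" ]; then
        echo "readback mismatch: restore with dd if=$backup of=$part conv=notrunc" >&2
        return 1
    fi
}

# Entry point: sh flash_aboot.sh 13   (Thor)  or  sh flash_aboot.sh 14   (Apollo).
# Does nothing when sourced without arguments.
main() {
    case "$1" in
        13) want=$MD5_ABOOT_13 ;;
        14) want=$MD5_ABOOT_14 ;;
        *)  echo "usage: $0 13|14   (13 = Thor, 14 = Apollo)" >&2; return 2 ;;
    esac
    img=$(find_image aboot_vuln.mbn) || return 1
    flash_verified "$img" "$ABOOT_PART" "$want" /sdcard/aboot.backup.bin \
        && echo "aboot written and verified; backup in /sdcard/aboot.backup.bin"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

The readback comparison is the "check that all these commands executed without errors" of post #1 made explicit: dd returning 0 only says the write call succeeded, not that the partition now holds the bytes you expected. The MD5 gate is what would have caught the mix-up draxie found in post #4 (a Thor aboot shipped in the Apollo archive) before it reached an Apollo. Keep the backup file until the unlock succeeds; it is what you would dd back to return to the previous aboot.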
Quote:
Originally Posted by draxie

Yes. Please check!

Ok. So... Another motherboard with stock 3.2.3.2.
Updated it through OTA to 3.2.5 > 4.1.1 > 4.5.2 > 4.5.4 > 4.5.5 > 4.5.5.1 > 4.5.5.2.
Rolled back to 3.2.8, updated to 4.5.5.1, Kingroot.
Code:
adb shell
su
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
reboot
Boot into fastboot. At this point you need to have the IDs already!!!
Flash unlock, flash recovery, flash the upHDXed 4.5.5.2 ROM. Successfully booted up.
OP edited.
18th September 2016, 11:52 AM |#8 draxie
Quote:
Originally Posted by ONYXis

Rolled back to 3.2.8, updated to 4.5.5.1, Kingroot.

I don't suppose this rollback is essential, is it?
It should work just as well to stop the update before the currently unrootable 4.5.5.2, right?

Quote:
Originally Posted by ONYXis

Flash unlock, flash recovery, flash the upHDXed 4.5.5.2 ROM. Successfully booted up.

Nice. I'll PM you soon with an updated 1-Click, for testing, if you don't mind.
(I cannot [and don't even want to] test this on my only tablet.)
18th September 2016, 11:54 AM |#9 ONYXis (OP)
Quote:
Originally Posted by draxie

I don't suppose this rollback is essential, is it?

Just checked all variations.
Quote:

I'll PM you soon with an updated 1-Click, for testing, if you don't mind.

Of course.
18th September 2016, 02:54 PM |#10 (Member)
Can it work on the HDX 8.9?
18th September 2016, 03:13 PM |#11 DB126
Although I have registered my 'thanks' on various posts it seems hollow to not explicitly recognize @ONYXis and @draxie for their tremendous contributions supporting this device both past and present. The ability to unlock virtually any rooted 3rd gen HDX is a true game changer that will revive interest in this discontinued gem that still competes nicely with contemporary offerings. Well done, gents!