2017 Fire HD 10: Unbricking from anti-rollback

Search This thread

coliny59

Senior Member
Feb 20, 2009
77
3
I bricked my tablet. I am able to start the script and it looks like it's doing things, but it fails saying that it can't read rpmb. What can I do next?

I commented out all the lines that reads rpmb. Looks like it works now.
 
Last edited:

K.C.I.

New member
Mar 9, 2020
2
0
"Check Gpt"

Why do i keep getting roadblocked at the "Check GPT" point no matter which script I run!? What could possibly be the problem? Can someone with knowledge and expertise shine some light on this problem, please?!

-Thanks

[email protected]:~/Desktop/HOPE!/amonet$ sudo ./bootrom-step.sh
[2020-03-08 03:11:04.984599] Waiting for bootrom
[2020-03-08 03:11:10.548917] Found port = /dev/ttyACM0
[2020-03-08 03:11:10.554933] Handshake
[2020-03-08 03:11:10.564473] Disable watchdog

* * * Remove the short and press Enter * * *


[2020-03-08 03:11:14.495365] Init crypto engine
[2020-03-08 03:11:14.822625] Disable caches
[2020-03-08 03:11:14.826681] Disable bootrom range checks
[2020-03-08 03:11:15.000879] Load payload from ../brom-payload/build/payload.bin =
0x45D0 bytes
[2020-03-08 03:11:15.020817] Send payload
[2020-03-08 03:11:23.963972] Let's rock
[2020-03-08 03:11:23.971961] Wait for the payload to come online...
[2020-03-08 03:11:27.532808] all good
[2020-03-08 03:11:27.533725] Check GPT
Traceback (most recent call last):
File "main.py", line 193, in <module>
main()
File "main.py", line 96, in main
switch_user(dev)
File "main.py", line 56, in switch_user
flash_binary(dev, "../bin/gpt-32G.bin", 0)
File "main.py", line 37, in flash_binary
flash_data(dev, data, start_block, max_size=0)
File "main.py", line 28, in flash_data
dev.emmc_write(start_block + x, data[x * 0x200:(x + 1) * 0x200])
File "/home/ubuntu-mate/Desktop/HOPE!/amonet/modules/common.py", line 202, in
emmc_write
raise RuntimeError("device failure")
RuntimeError: device failure


[email protected]:~/Desktop/HOPE!$ sudo ./bootrom.sh
[2020-03-08 02:34:33.940064] Waiting for bootrom
[2020-03-08 02:34:44.271901] Found port = /dev/ttyACM0
[2020-03-08 02:34:44.277863] Handshake
[2020-03-08 02:34:44.288383] Disable watchdog

* * * Remove the short and press Enter * * *


[2020-03-08 02:34:47.844343] Init crypto engine
[2020-03-08 02:34:48.171637] Disable caches
[2020-03-08 02:34:48.175694] Disable bootrom range checks
[2020-03-08 02:34:48.349884] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-03-08 02:34:48.373123] Send payload
[2020-03-08 02:34:57.323990] Let's rock
[2020-03-08 02:34:57.331977] Wait for the payload to come online...
[2020-03-08 02:35:00.891811] all good
[2020-03-08 02:35:00.892617] Check GPT
Traceback (most recent call last):
File "main.py", line 92, in <module>
main()
File "main.py", line 61, in main
switch_user(dev)
File "main.py", line 32, in switch_user
block = dev.emmc_read(0)
File "/home/ubuntu-mate/Desktop/HOPE!/modules/common.py", line 183, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail


[email protected]:~/Desktop/HOPE!/amonet$ sudo ./bootrom-step.sh
[2020-03-08 02:55:15.627879] Waiting for bootrom
[2020-03-08 02:55:23.954924] Found port = /dev/ttyACM0
[2020-03-08 02:55:23.960880] Handshake
[2020-03-08 02:55:23.968308] Disable watchdog

* * * Remove the short and press Enter * * *


[2020-03-08 02:55:26.885055] Init crypto engine
[2020-03-08 02:55:27.212699] Disable caches
[2020-03-08 02:55:27.216750] Disable bootrom range checks
[2020-03-08 02:55:27.388974] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-03-08 02:55:27.409091] Send payload
[2020-03-08 02:55:36.353048] Let's rock
[2020-03-08 02:55:36.361010] Wait for the payload to come online...
[2020-03-08 02:55:39.920869] all good
[2020-03-08 02:55:39.921775] Check GPT
Traceback (most recent call last):
File "main.py", line 192, in <module>
main()
File "main.py", line 95, in main
switch_user(dev)
File "main.py", line 56, in switch_user
block = dev.emmc_read(0)
File "/home/ubuntu-mate/Desktop/HOPE!/amonet/modules/common.py", line 183, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail


[email protected]:~/Desktop/HOPE!/amonet$ sudo ./bootrom-step-minimal.sh
[2020-03-08 02:59:12.589846] Waiting for bootrom
[2020-03-08 02:59:23.934905] Found port = /dev/ttyACM0
[2020-03-08 02:59:23.940900] Handshake
[2020-03-08 02:59:23.950630] Disable watchdog

* * * Remove the short and press Enter * * *


[2020-03-08 02:59:27.116237] Init crypto engine
[2020-03-08 02:59:27.443673] Disable caches
[2020-03-08 02:59:27.447743] Disable bootrom range checks
[2020-03-08 02:59:27.621933] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-03-08 02:59:27.641756] Send payload
[2020-03-08 02:59:36.591031] Let's rock
[2020-03-08 02:59:36.599013] Wait for the payload to come online...
[2020-03-08 02:59:40.211868] all good
[2020-03-08 02:59:40.212789] Running in minimal mode, assuming LK and TZ to have already been flashed.
[2020-03-08 02:59:40.213539] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C

[2020-03-08 03:00:21.018619] Check GPT
Traceback (most recent call last):
File "main.py", line 192, in <module>
main()
File "main.py", line 95, in main
switch_user(dev)
File "main.py", line 56, in switch_user
block = dev.emmc_read(0)
File "/home/ubuntu-mate/Desktop/HOPE!/amonet/modules/common.py", line 183, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail
[email protected]:~/Desktop/HOPE!/amonet$


---------- Post added at 04:07 PM ---------- Previous post was at 03:46 PM ----------

@coliny59 That's interesting. Could you please expand on this topic of "commented out" lines. Do you believe this would also work for various other errors as well?
 
Last edited:

martinbrecko

Member
Sep 24, 2007
7
0
I am trying to carry out the instructions with VirtualBox. Unfortunately, the script always stops at waiting for Bootrom. Can this be due to the virtual machine?
 

chjohnso

New member
Mar 24, 2020
1
0
Still getting Serial protocol mismatch

I have everything disassembled and have been trying to short my fire hd 10. Here is what I get every time:

Code:
[2020-03-24 15:30:59.801978] Waiting for bootrom
[2020-03-24 15:31:21.396052] Found port = /dev/ttyACM0
[2020-03-24 15:31:21.435498] Handshake
[2020-03-24 15:31:21.456238] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "main.py", line 92, in <module>
    main()
  File "main.py", line 54, in main
    handshake(dev)
  File "/home/XXXXXXX/Documents/HD 10/unbrick_suez/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/XXXXXXX/Documents/HD 10/unbrick_suez/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/XXXXXXX/Documents/HD 10/unbrick_suez/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch

Battery is disconnected, ModemManager is disabled, and I have tried both USB ports. Not sure what to try next.

Does anyone have any ideas as to how to fix this?
Thank you!
 
Apr 5, 2020
7
1
Amsterdam
serial protocol mismatch here, too

I have everything disassembled and have been trying to short my fire hd 10. Here is what I get every time:
Code:
[2020-03-24 15:30:59.801978] Waiting for bootrom
[2020-03-24 15:31:21.396052] Found port = /dev/ttyACM0
[2020-03-24 15:31:21.435498] Handshake
[2020-03-24 15:31:21.456238] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "main.py", line 92, in <module>
    main()
  File "main.py", line 54, in main
    handshake(dev)
  File "/home/XXXXXXX/Documents/HD 10/unbrick_suez/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/XXXXXXX/Documents/HD 10/unbrick_suez/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/XXXXXXX/Documents/HD 10/unbrick_suez/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch

similar problem (same?) here on Ubuntu 19.10, adb and fastboot enabled, modemmanager removed and disabled...
I have the fire hd10 open and shorted but the script throws:


Code:
[2020-04-05 22:42:37.014509] Waiting for bootrom
[2020-04-05 22:42:45.335053] Found port = /dev/ttyACM0
[2020-04-05 22:42:45.374266] Handshake
[2020-04-05 22:42:45.396024] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "main.py", line 92, in <module>
    main()
  File "main.py", line 54, in main
    handshake(dev)
  File "/home/xxx/Downloads/unbrick/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/xxx/Downloads/unbrick/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/xxx/Downloads/unbrick/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch

so I went to line 87 and commended out the in common.py but I don't think I know what I am doing at this point :)


Code:
    def check(self, test, gold):
        if test != gold:
            print(test)
            print(gold)
            print("ERROR: Serial protocol mismatch") <--- uncommented
            #raise RuntimeError("ERROR: Serial protocol mismatch") <---- commented out


and now it stops here:

Code:
[2020-04-05 22:22:58.368021] Waiting for bootrom

[2020-04-05 22:23:40.592908] Found port = /dev/ttyACM0
[2020-04-05 22:23:40.631312] Handshake
[2020-04-05 22:23:40.652038] Disable watchdog
b''
b'\x00\x01'
ERROR: Serial protocol mismatch
b''
b'\x00\x01'
ERROR: Serial protocol mismatch

 * * * Remove the short and press Enter * * * 

[2020-04-05 22:24:00.674653] Init crypto engine

b''
b'\x00\x01'
ERROR: Serial protocol mismatch
b''

[SNIP - removed ~30 iterations of this]

b'\x00\x01'
ERROR: Serial protocol mismatch
b''
b'\x00\x00'
ERROR: Serial protocol mismatch
Traceback (most recent call last):
  File "main.py", line 92, in <module>
    main()
  File "main.py", line 57, in main
    load_payload(dev, "../brom-payload/build/payload.bin")
  File "/home/xxx/Downloads/unbrick/modules/load_payload.py", line 113, in load_payload
    hw_acquire(dev)
  File "/home/xxx/Downloads/unbrick/modules/load_payload.py", line 25, in hw_acquire
    dev.write32(CRYPTO_BASE, dev.read32(CRYPTO_BASE) & 0xFFFFFFF0)
  File "/home/xxx/Downloads/unbrick/modules/common.py", line 125, in read32
    data = struct.unpack('>I', self.dev.read(4))[0]
struct.error: unpack requires a buffer of 4 bytes

anyone can point in the right direction?
I tried using bootable USB of ubuntu 18.04LTS and 16..04LTS - same same. so back on 19.10 now. did something change to cause this to fail?

Can I run the script in verbose to help // troubleshoot?

thanks


Andreas
 
Apr 5, 2020
7
1
Amsterdam
tried a different laptop - no joy

it was not the laptop. can someone tell me what the script is checking at line 87 (when it throws the error?)
Apparently it expects \x00\x01 but gets .. nothing? but this is where my code skill stops :/

also I seem to be stuck in preloader... any clues?

Code:
[2020-04-10 07:34:52.475445] Waiting for bootrom
[2020-04-10 07:35:10.082899] Found port = /dev/ttyACM0
[2020-04-10 07:35:10.121918] Handshake
[2020-04-10 07:35:10.142719] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "main.py", line 92, in <module>
    main()
  File "main.py", line 54, in main
    handshake(dev)
  File "/home/xxx/Downloads/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/xxx/Downloads/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/xxx/Downloads/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
[email protected]:/home/xxx/Downloads#

connecting usb cable (tried 3 now) and applying a short the device starts, when I have the script running
but I immediately get to
Code:
Bus 003 Device 006: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader

checked/used updated udev rules
https://github.com/M0Rf30/android-udev-rules
but still cant' get the device further than bootloader (disconnected from battery, disassembled)

tried the amonet scripts (bootrom-minimal, etc..)
but they all drop at this
Code:
[2020-04-10 08:49:34.458825] Found port = /dev/ttyACM0
[2020-04-10 08:49:34.498194] Handshake
[2020-04-10 08:49:34.518900] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "main.py", line 192, in <module>
    main()
 
Last edited:
Apr 5, 2020
7
1
Amsterdam
@retyre could you lend me a hand and help me debug the script? i really can't read it with my meager skills :/
and I am stuck in preloader

amazon offered me a 15 bucks discount for a new hd10 as a workaround as it is just out of warranty :p
 

Michajin

Senior Member
Oct 23, 2012
1,304
524
does anyone know if this will work with the HD 8 2017? what pin would be needed?

There is a unlock thread for hd8 (2017) Douglas. Search for it...

---------- Post added at 08:58 PM ---------- Previous post was at 08:07 PM ----------

@retyre could you lend me a hand and help me debug the script? i really can't read it with my meager skills :/
and I am stuck in preloader

amazon offered me a 15 bucks discount for a new hd10 as a workaround as it is just out of warranty :p

I can try and help you. There is a lot of useful info in the hd10 Suez unlock thread. Look through that. Most the answers you search for are there. If you would like more assistance send me a message and I see I can do. I'm no expert, but have some experience with unlocking/ bricking these.

---------- Post added at 09:07 PM ---------- Previous post was at 08:58 PM ----------

@retyre could you lend me a hand and help me debug the script? i really can't read it with my meager skills :/
and I am stuck in preloader

amazon offered me a 15 bucks discount for a new hd10 as a workaround as it is just out of warranty :p

I can try and help you. There is a lot of useful info in the hd10 Suez unlock thread. Look through that. Most the answers you search for are there. If you would like more assistance send me a message and I see I can do. I'm no expert, but have some experience with unlocking/ bricking these.
 
Apr 5, 2020
7
1
Amsterdam
hd10 unlock follow-up

I can try and help you. There is a lot of useful info in the hd10 Suez unlock thread. Look through that. Most the answers you search for are there. If you would like more assistance send me a message and I see I can do. I'm no expert, but have some experience with unlocking/ bricking these.

yeah.. so.,. that's how I ended up here :)
after I had installed TWRP I rebooted and since then I don't get any further than preloader
also took the tablet apart and tried to use the scripts used here (amonet bootrom and bootrom-step scripts)
tried with an old laptop, too. (USB2 ports) no joy

that's how I ended up here, that script is the only one that does _anything_ :p
but my skills are not good enough to unravel what this means:

Code:
  File "/home/xxx/Downloads/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/xxx/Downloads/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/xxx/Downloads/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
 
Last edited:

Michajin

Senior Member
Oct 23, 2012
1,304
524
yeah.. so.,. that's how I ended up here :)
after I had installed TWRP I rebooted and since then I don't get any further than preloader
also took the tablet apart and tried to use the scripts used here (amonet bootrom and bootrom-step scripts)
tried with an old laptop, too. (USB2 ports) no joy

that's how I ended up here, that script is the only one that does _anything_ :p
but my skills are not good enough to unravel what this means:

Code:
  File "/home/xxx/Downloads/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/xxx/Downloads/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/xxx/Downloads/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")

Yes, you are in preloader to run the script, i would suggest you go over to the most current files from the unlock thread.

Try unbricking from there and see if you have the same result. Can you short the device and force bootrom?

https://forum.xda-developers.com/hd8-hd10/orig-development/unlock-fire-hd-10-2017-suez-t3913639
 
  • Like
Reactions: flaming_lemons
Apr 5, 2020
7
1
Amsterdam
Yes, you are in preloader to run the script, i would suggest you go over to the most current files from the unlock thread.

Try unbricking from there and see if you have the same result. Can you short the device and force bootrom?

https://forum.xda-developers.com/hd8-hd10/orig-development/unlock-fire-hd-10-2017-suez-t3913639

SUCCESS

the problem was not the procedure or the script, it was the short :/
silly me used a crocodile clamp to attach to the MicroSD cage.. and because it seemed convenient I soldered the needle for the short to the attached cable (an anti-static wristband)

now those have a resistance of 1,5M Ohms.. not suitable for a short, I guess

soldered it to a common cable > works instantly

Code:
[2020-05-09 07:35:05.401969] Waiting for bootrom
[2020-05-09 07:35:42.807252] Found port = /dev/ttyACM0
[2020-05-09 07:35:42.807947] Handshake
[2020-05-09 07:35:42.808590] Disable watchdog

 * * * Remove the short and press Enter * * * 


[2020-05-09 07:35:46.735715] Init crypto engine
[2020-05-09 07:35:46.766793] Disable caches
[2020-05-09 07:35:46.767285] Disable bootrom range checks
[2020-05-09 07:35:46.784772] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-05-09 07:35:46.786846] Send payload
[2020-05-09 07:35:47.512935] Let's rock
[2020-05-09 07:35:47.513816] Wait for the payload to come online...
[2020-05-09 07:35:52.265234] all good
[2020-05-09 07:35:52.265655] Check GPT
[2020-05-09 07:35:53.548315] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 34816), 'system': (208896, 3306496), 'cache': (3515392, 868352), 'userdata': (4383744, 56687583), '': (0, 1)}
[2020-05-09 07:35:53.548474] Check boot0
[2020-05-09 07:35:54.749738] Check rpmb
[2020-05-09 07:35:54.956222] Downgrade rpmb
[2020-05-09 07:35:54.958394] Recheck rpmb
[2020-05-09 07:35:55.855508] rpmb downgrade ok

sooo... thinking helps! Thank you for helping me out. now.. where was I? rooting.. yes!
 

BrainlessDude

Senior Member
Feb 5, 2013
81
12
Google Pixel 4a 5G
Hey guys. I bought a not working Fire HD 10 2017 because I thought it might be just a bad battery.

After trying a known working battery I tried plugging it into my PC and it seems like the PreLoader is connecting but is disconnecting right away after 1-2 seconds. Since I dont know what happened to this device is it worth trying this script on it? Or is this behavior a sign of a hardware failure?

When it is fixable I will setup a virtualbox right now :D

EDIT
I made a Ubuntu Live USB Stick and tried my luck. This is the outcome for now:
[2020-05-13 18:20:50.591049] Init crypto engine
[2020-05-13 18:20:50.757320] Disable caches
[2020-05-13 18:20:50.761850] Disable bootrom range checks
[2020-05-13 18:20:50.852530] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-05-13 18:20:50.859881] Send payload
[2020-05-13 18:20:55.334680] Let's rock
[2020-05-13 18:20:55.341509] Wait for the payload to come online...
Traceback (most recent call last):
File "main.py", line 92, in <module>
main()
File "main.py", line 57, in main
load_payload(dev, "../brom-payload/build/payload.bin")
File "/media/ubuntu/STICK/modules/load_payload.py", line 143, in load_payload
dev.wait_payload()
File "/media/ubuntu/STICK/modules/common.py", line 171, in wait_payload
raise RuntimeError("received {} instead of expected pattern".format(data))
RuntimeError: received b'' instead of expected pattern

Im clueless what to do next...

Seems like the payload isnt going online as expected. lsusb shows the Mediatek Phone and not PreLoader
 
Last edited:

Michajin

Senior Member
Oct 23, 2012
1,304
524
Hey guys. I bought a not working Fire HD 10 2017 because I thought it might be just a bad battery.

After trying a known working battery I tried plugging it into my PC and it seems like the PreLoader is connecting but is disconnecting right away after 1-2 seconds. Since I dont know what happened to this device is it worth trying this script on it? Or is this behavior a sign of a hardware failure?

When it is fixable I will setup a virtualbox right now :D

EDIT
I made a Ubuntu Live USB Stick and tried my luck. This is the outcome for now:


Im clueless what to do next...

Seems like the payload isnt going online as expected. lsusb shows the Mediatek Phone and not PreLoader

I believe that it the error related to modem manager...

sudo apt-get remove modemmanager
sudo apt-get remove --auto-remove modemmanager
sudo systemctl stop ModemManager.service
 

kindle-user

Member
Nov 3, 2012
10
0
question

Hello
my problem is that after a successful unbrick the tablet still won't start. I plugged the battery in and out.

[email protected]:~/Schreibtisch/boot$ sudo ./bootrom.sh
[sudo] Passwort für jorg:
[2020-06-17 22:20:30.197994] Waiting for bootrom
[2020-06-17 22:20:55.321570] Found port = /dev/ttyACM0
[2020-06-17 22:20:55.322073] Handshake
[2020-06-17 22:20:55.322675] Disable watchdog

* * * Remove the short and press Enter * * *


[2020-06-17 22:21:05.042216] Init crypto engine
[2020-06-17 22:21:05.066640] Disable caches
[2020-06-17 22:21:05.067332] Disable bootrom range checks
[2020-06-17 22:21:05.083522] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-06-17 22:21:05.085466] Send payload
[2020-06-17 22:21:05.634210] Let's rock
[2020-06-17 22:21:05.636187] Wait for the payload to come online...
[2020-06-17 22:21:09.240955] all good
[2020-06-17 22:21:09.241475] Check GPT
[2020-06-17 22:21:10.530568] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 34816), 'system': (208896, 3306496), 'cache': (3515392, 868352), 'userdata': (4383744, 56687583), '': (0, 1)}
[2020-06-17 22:21:10.530913] Check boot0
[2020-06-17 22:21:11.733233] Check rpmb
[2020-06-17 22:21:11.940314] rpmb looks broken; if this is expected (i.e. you're retrying the exploit) press enter, otherwise terminate with Ctrl+C

[2020-06-17 22:21:17.995600] Downgrade rpmb
[2020-06-17 22:21:17.997851] Recheck rpmb
[2020-06-17 22:21:18.888288] rpmb downgrade ok
[email protected]:~/Schreibtisch/boot$ ^C


lsusb shows:
[email protected]:~$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 003: ID 04ca:703c Lite-On Technology Corp. Integrated Camera
Bus 002 Device 002: ID 8087:0a2a Intel Corp.
Bus 002 Device 098: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[email protected]:~$ ^C
 

Michajin

Senior Member
Oct 23, 2012
1,304
524
I would suggest going to the newer unbrick and unlock thread. Use it to unlock it, since you are booting into the bootrom (that is "MediaTek Inc. MT6227 phone") you should be able the install twrp and flash a clean fireOS.

https://forum.xda-developers.com/hd8-hd10/orig-development/unlock-fire-hd-10-2017-suez-t3913639


Hello
my problem is that after a successful unbrick the tablet still won't start. I plugged the battery in and out.

[email protected]:~/Schreibtisch/boot$ sudo ./bootrom.sh
[sudo] Passwort für jorg:
[2020-06-17 22:20:30.197994] Waiting for bootrom
[2020-06-17 22:20:55.321570] Found port = /dev/ttyACM0
[2020-06-17 22:20:55.322073] Handshake
[2020-06-17 22:20:55.322675] Disable watchdog

* * * Remove the short and press Enter * * *


[2020-06-17 22:21:05.042216] Init crypto engine
[2020-06-17 22:21:05.066640] Disable caches
[2020-06-17 22:21:05.067332] Disable bootrom range checks
[2020-06-17 22:21:05.083522] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2020-06-17 22:21:05.085466] Send payload
[2020-06-17 22:21:05.634210] Let's rock
[2020-06-17 22:21:05.636187] Wait for the payload to come online...
[2020-06-17 22:21:09.240955] all good
[2020-06-17 22:21:09.241475] Check GPT
[2020-06-17 22:21:10.530568] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 34816), 'system': (208896, 3306496), 'cache': (3515392, 868352), 'userdata': (4383744, 56687583), '': (0, 1)}
[2020-06-17 22:21:10.530913] Check boot0
[2020-06-17 22:21:11.733233] Check rpmb
[2020-06-17 22:21:11.940314] rpmb looks broken; if this is expected (i.e. you're retrying the exploit) press enter, otherwise terminate with Ctrl+C

[2020-06-17 22:21:17.995600] Downgrade rpmb
[2020-06-17 22:21:17.997851] Recheck rpmb
[2020-06-17 22:21:18.888288] rpmb downgrade ok
[email protected]:~/Schreibtisch/boot$ ^C


lsusb shows:
[email protected]:~$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 003: ID 04ca:703c Lite-On Technology Corp. Integrated Camera
Bus 002 Device 002: ID 8087:0a2a Intel Corp.
Bus 002 Device 098: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[email protected]:~$ ^C
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    I just 'freed' two Fire HD 10 inch 2017 models
    I used the alternate root exploit which seemed to work fine.

    On the 2nd tablet however, I got stuck in bootrom-step-minimal.sh
    For some reason it didn't want to read the GPT partition
    [2022-07-23 21:00:52.411325] Waiting for bootrom
    [2022-07-23 21:01:00.657884] Found port = /dev/cu.usbmodem11101
    [2022-07-23 21:01:00.665413] Handshake
    [2022-07-23 21:01:00.666984] Disable watchdog
    * * * Remove the short and press Enter * * *
    [2022-07-23 21:01:15.049972] Init crypto engine
    [2022-07-23 21:01:15.078454] Disable caches
    [2022-07-23 21:01:15.079360] Disable bootrom range checks
    [2022-07-23 21:01:15.095713] Load payload from ../brom-payload/build/payload.bin = 0x4820 bytes
    [2022-07-23 21:01:15.097519] Send payload
    [2022-07-23 21:01:15.791339] Let's rock
    [2022-07-23 21:01:15.792479] Wait for the payload to come online...
    [2022-07-23 21:01:15.796302] all good
    [2022-07-23 21:01:15.796431] Running in minimal mode, assuming LK and TZ to have already been flashed.
    [2022-07-23 21:01:15.796655] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C


    [2022-07-23 21:01:18.585629] Check GPT
    Traceback (most recent call last):
    File "main.py", line 192, in <module>
    main()
    File "main.py", line 95, in main
    switch_user(dev)
    File "main.py", line 56, in switch_user
    block = dev.emmc_read(0)
    File "~/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 196, in emmc_read
    raise RuntimeError("read fail")
    RuntimeError: read fail

    After a bit of poking around, I just added a retry for that read since the first one returned with a 0 length answer.
    So I changed the function from:
    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                raise RuntimeError("read fail")

    To:

    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                data = self.dev.read(0x200)
                if len(data) != 0x200:
                    raise RuntimeError("read fail")

    Surprisingly that worked and I was able to continue with fastboot \o/
    Just thought I'd comment because I found a few identical questions but couldn't find anyone else that figured out the workaround :)
  • 20
    Disclaimer: To go through with this, you will have to open up your device to get access to the back of the PCB. This is not for everyone. If you encounter issues, I (or the others here) will try to help you, but the risk is all yours.

    First, credit where credit is due. To xyz` for coming up with this and taking the time to help and to k4y0z for helping me get unstuck multiple times.

    What's the purpose of this thread, you ask? It's to recover from a bricked 2017 Fire HD 10 as a result of sideloading to a lower version (from anti-rollback). This thread is not about rooting or other apps. Numerous threads of that type exist on these forums. If your device can get to the "amazon" screen or the "Fire" screen, do not waste your time here. Questions unrelated to anti-rollback unbricking will be mostly ignored.

    This has only been tested on Linux (Ubuntu 16.04). In general, getting familiar with Linux (as opposed to Windows) can make all the difference in projects like these.

    1. Make sure your device is powered off and disconnected from your PC.

    2. Take off the back cover, remove the pieces of tape from the battery and display connectors, disconnect the battery and display cables, unscrew the PCB (11 screws), and gently lift it up. Take care not to rip the speaker wires from the board. (To unbrick, you do not have to connect the battery.)

    3. Download and extract the contents of unbrick_suez.zip (attached).

    4. Navigate to the root of the extracted archive and open a terminal there.

    5. Optional: If you see serial port errors, disable or remove modem manager as root (command may vary with distro; try one or more of these commands in Ubuntu 16.04):
    Code:
    sudo apt-get remove modemmanager
    sudo apt-get remove --auto-remove modemmanager
    sudo systemctl stop ModemManager.service

    6. Run the unbricking script as root:
    Code:
    sudo ./bootrom.sh

    You should see it waiting for the bootrom. Let it be and do the following with the PCB.

    7. Connect the microUSB end of the cable to the PCB. This is the more physically-challenging end of the connection. Leave open the PC side.

    8. Short the point (highlighted in blue in the attached picture) to ground. Work with what you're comfortable with, but here's my approach (use M/M jumper wire if you have access to it):
    a. Gently nudge one end of the wire into the metal case of the SD slot so that it stays in place (keyword: gently). This frees up one hand. You need just enough grip to ensure it doesn't fall off unexpectedly.
    b. Hold the other tip of the jumper wire to the point highlighted in blue.
    c. Connect the other end of the USB cable to your Linux box (remove the jumper wire when you're instructed to and press Enter on your keyboard).

    You should see the following:
    Code:
    [email protected]:~/Desktop/unbrick_suez$ sudo ./bootrom.sh
    [2019-02-03 12:28:08.466131] Waiting for bootrom
    [2019-02-03 12:35:22.602290] Found port = /dev/ttyACM0
    [2019-02-03 12:35:22.602653] Handshake
    [2019-02-03 12:35:22.603225] Disable watchdog
    
     * * * Remove the short and press Enter * * * 
    
    
    [2019-02-03 12:35:27.691503] Init crypto engine
    [2019-02-03 12:35:27.709450] Disable caches
    [2019-02-03 12:35:27.709854] Disable bootrom range checks
    [2019-02-03 12:35:27.721298] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
    [2019-02-03 12:35:27.724457] Send payload
    [2019-02-03 12:35:28.262081] Let's rock
    [2019-02-03 12:35:28.262834] Wait for the payload to come online...
    [2019-02-03 12:35:31.824056] all good
    [2019-02-03 12:35:31.824533] Check GPT
    [2019-02-03 12:35:33.103565] gpt_parsed = {'lk': (20480, 2048), 'recovery': (174080, 34816), 'MISC': (123904, 1024), 'cache': (3515392, 868352), 'tee1': (22528, 10240), 'dkb': (18432, 2048), '': (0, 1), 'userdata': (4383744, 56687583), 'system': (208896, 3306496), 'PMT': (7168, 9216), 'tee2': (32768, 10240), 'proinfo': (1024, 6144), 'reserved': (124928, 16384), 'metadata': (43008, 80896), 'boot': (141312, 32768), 'kb': (16384, 2048)}
    [2019-02-03 12:35:33.103747] Check boot0
    [2019-02-03 12:35:34.291300] Check rpmb
    [2019-02-03 12:35:34.499043] Downgrade rpmb
    [2019-02-03 12:35:34.501403] Recheck rpmb
    [2019-02-03 12:35:35.392720] rpmb downgrade ok

    It should complete in a few seconds.

    9. Unplug the USB cable after "rpmb downgrade ok" appears in the terminal.

    10. Put your device back together (PCB and display/battery cables). Do not screw the PCB in or snap the back cover until you confirm your device has been unbricked.

    11. Depress the power button (with your nail or a suitable tool) to turn on your device. (If it doesn't turn back on, hold it down for a few seconds. If you hear a ding, that's usually a good sign.) This can be challenging for the uninitiated, but don't complain. Obviously, it's better to verify unbricking now than after you put everything back together.

    12. If the device turns back on, you can shut it down and put everything back together. If it does not turn back on, connect it to your PC and see what shows up with lsusb. Time to troubleshoot.

    If you have questions, read the two linked threads above. If you cannot find the answer to your question(s), post here. If you append this entire OP to your post (instead of snipping most/all of it), I will, on general principle, ignore your post.
    2
    If he has to do that, it will also likely require an edit to the script to allow enter to be tapped. I'll have to look back on where that edit needs to go.

    There's no need for any edit to the script. It has always included a pause for user input. In an earlier post, you told him/her to try all the six points and that you will look at one of your boards and take a picture. Why? The OP has always included a picture of the PCB with a clear marking of which point to short. There's no need for trial-and-error.

    To shadowcliffs: Opening the back should not have resulted in damage to the PCB. Disconnect the battery and display cables, remove the PCB from the case, and try again. If you don't have jumper wire, use a metal clip. Get a second pair of hands to help. Tell us what you see with lsusb as you do this.
    1
    This method worked and unbricked my 2017 HD 10 after a bad firmware flash. Had to run the script twice, the first time succeeded but the tablet didn't boot up. May have been completely out of battery after running itself down in a media loader bootloop all night but after a short charge the low battery icon flashed and back in business. Also helps to have a friend ready to plug/unplug the USB and hit enter when required, it's a very small spot on the board that you're shorting.

    The hardest part was getting the shell off, once you unclip the sides you'll feel it's still "stuck" because there are 3 more clips about 1.5-2" from the left side of the tablet, starting 3" from the bottom. You just have to force them and the shell will pop off. Be careful they clip back in when you reassemble or they will push against the screen and cause white spots.

    Thank you retyre for your efforts amongst many posts here, without this guide I'd be stuck with a paperweight. For anyone else with a hard bricked HD 10 2017 model, you've got nothing to lose giving this a go!
    1
    First, Thank you for posting.
    i have looked around the solution for bricked fire hd 10.

    But, i have same problem like @DragonFire1024.

    this is the log

    [email protected]:~/Downloads$ sudo ./bootrom.sh
    [2019-03-12 04:13:38.983635] Waiting for bootrom
    [2019-03-12 04:13:48.574166] Found port = /dev/ttyACM0
    [2019-03-12 04:13:48.578815] Handshake
    [2019-03-12 04:13:48.586267] Disable watchdog

    * * * Remove the short and press Enter * * *


    [2019-03-12 04:13:53.935066] Init crypto engine
    [2019-03-12 04:13:54.383858] Disable caches
    [2019-03-12 04:13:54.391831] Disable bootrom range checks
    [2019-03-12 04:13:54.616303] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
    [2019-03-12 04:13:54.621105] Send payload
    [2019-03-12 04:14:03.086231] Let's rock
    [2019-03-12 04:14:03.093481] Wait for the payload to come online...
    Traceback (most recent call last):
    File "main.py", line 92, in <module>
    main()
    File "main.py", line 57, in main
    load_payload(dev, "../brom-payload/build/payload.bin")
    File "/home/skyhyung/Downloads/modules/load_payload.py", line 143, in load_payload
    dev.wait_payload()
    File "/home/skyhyung/Downloads/modules/common.py", line 171, in wait_payload
    raise RuntimeError("received {} instead of expected pattern".format(data))
    RuntimeError: received b'' instead of expected pattern
    [email protected]:~/Downloads$

    i am debugging it.
    the result of self.dev.read(4) is null at module/common.py 169 line

    i run the script on vmware ubuntu 16.04

    ---------- Post added at 10:24 PM ---------- Previous post was at 10:10 PM ----------

    i solved it
    i changed the TIMEOUT value to 10 from 5 at modules/common.py line 11
    then, it works

    @DragonFire1024
    please try it like me

    Thanks you.
    1
    I just 'freed' two Fire HD 10 inch 2017 models
    I used the alternate root exploit which seemed to work fine.

    On the 2nd tablet however, I got stuck in bootrom-step-minimal.sh
    For some reason it didn't want to read the GPT partition
    [2022-07-23 21:00:52.411325] Waiting for bootrom
    [2022-07-23 21:01:00.657884] Found port = /dev/cu.usbmodem11101
    [2022-07-23 21:01:00.665413] Handshake
    [2022-07-23 21:01:00.666984] Disable watchdog
    * * * Remove the short and press Enter * * *
    [2022-07-23 21:01:15.049972] Init crypto engine
    [2022-07-23 21:01:15.078454] Disable caches
    [2022-07-23 21:01:15.079360] Disable bootrom range checks
    [2022-07-23 21:01:15.095713] Load payload from ../brom-payload/build/payload.bin = 0x4820 bytes
    [2022-07-23 21:01:15.097519] Send payload
    [2022-07-23 21:01:15.791339] Let's rock
    [2022-07-23 21:01:15.792479] Wait for the payload to come online...
    [2022-07-23 21:01:15.796302] all good
    [2022-07-23 21:01:15.796431] Running in minimal mode, assuming LK and TZ to have already been flashed.
    [2022-07-23 21:01:15.796655] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C


    [2022-07-23 21:01:18.585629] Check GPT
    Traceback (most recent call last):
    File "main.py", line 192, in <module>
    main()
    File "main.py", line 95, in main
    switch_user(dev)
    File "main.py", line 56, in switch_user
    block = dev.emmc_read(0)
    File "~/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 196, in emmc_read
    raise RuntimeError("read fail")
    RuntimeError: read fail

    After a bit of poking around, I just added a retry for that read since the first one returned with a 0 length answer.
    So I changed the function from:
    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                raise RuntimeError("read fail")

    To:

    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                data = self.dev.read(0x200)
                if len(data) != 0x200:
                    raise RuntimeError("read fail")

    Surprisingly that worked and I was able to continue with fastboot \o/
    Just thought I'd comment because I found a few identical questions but couldn't find anyone else that figured out the workaround :)