2017 Fire HD 10: Unbricking from anti-rollback

Search This thread

giants2710

New member
Apr 26, 2013
4
0
got it to work on manjaro. had to sub a few programs but they were obvious with whats on written on here and what you can get on aur.

thanks you
 

stormrvr

New member
Sep 24, 2019
1
0
Just wanted to also say that I've successfully used this - running Archlinux. One thing I had a little trouble with was when the program stated protocol mismatch, for me at least, it was because the short I was using was not good. I replaced it with a paperclip and bingo started working :) Thanks so much for everything!
 

Samkapimuni

New member
Aug 8, 2021
1
0
Hello good people. I loved my fire tab so much. But it was bricked for last 4 months. I tried several times every options written up in this thread to rollback. Used ubuntu 20.04 live usb stick.



[email protected]:~/Downloads/unbrick_suez$ sudo ./bootrom.sh
[2021-08-08 16:25:25.920226] Waiting for bootrom
[2021-08-08 16:25:59.155617] Found port = /dev/ttyACM0
[2021-08-08 16:25:59.156760] Handshake
[2021-08-08 16:25:59.158301] Disable watchdog

* * * Remove the short and press Enter * * *


[2021-08-08 16:26:13.517401] Init crypto engine
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 537, in write
n = os.write(self.fd, d)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "main.py", line 92, in <module>
main()
File "main.py", line 57, in main
load_payload(dev, "../brom-payload/build/payload.bin")
File "/home/ubuntu/Downloads/unbrick_suez/modules/load_payload.py", line 112, in load_payload
init(dev)
File "/home/ubuntu/Downloads/unbrick_suez/modules/load_payload.py", line 9, in init
dev.write32(CRYPTO_BASE + 0x0C0C, 0)
File "/home/ubuntu/Downloads/unbrick_suez/modules/common.py", line 141, in write32
self.dev.write(b'\xd4')
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 571, in write
raise SerialException('write failed: {}'.format(e))
serial.serialutil.SerialException: write failed: [Errno 5] Input/output error
[email protected]:~/Downloads/unbrick_suez$
 

Sus_i

Senior Member
Apr 9, 2013
1,703
726
Hello good people. I loved my fire tab so much. But it was bricked for last 4 months. I tried several times every options written up in this thread to rollback. Used ubuntu 20.04 live usb stick.
Maybe try this somewhat newer unbrick instead...
 

rb2k

Member
Oct 20, 2006
39
2
37
I just 'freed' two Fire HD 10 inch 2017 models
I used the alternate root exploit which seemed to work fine.

On the 2nd tablet however, I got stuck in bootrom-step-minimal.sh
For some reason it didn't want to read the GPT partition
[2022-07-23 21:00:52.411325] Waiting for bootrom
[2022-07-23 21:01:00.657884] Found port = /dev/cu.usbmodem11101
[2022-07-23 21:01:00.665413] Handshake
[2022-07-23 21:01:00.666984] Disable watchdog
* * * Remove the short and press Enter * * *
[2022-07-23 21:01:15.049972] Init crypto engine
[2022-07-23 21:01:15.078454] Disable caches
[2022-07-23 21:01:15.079360] Disable bootrom range checks
[2022-07-23 21:01:15.095713] Load payload from ../brom-payload/build/payload.bin = 0x4820 bytes
[2022-07-23 21:01:15.097519] Send payload
[2022-07-23 21:01:15.791339] Let's rock
[2022-07-23 21:01:15.792479] Wait for the payload to come online...
[2022-07-23 21:01:15.796302] all good
[2022-07-23 21:01:15.796431] Running in minimal mode, assuming LK and TZ to have already been flashed.
[2022-07-23 21:01:15.796655] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C


[2022-07-23 21:01:18.585629] Check GPT
Traceback (most recent call last):
File "main.py", line 192, in <module>
main()
File "main.py", line 95, in main
switch_user(dev)
File "main.py", line 56, in switch_user
block = dev.emmc_read(0)
File "~/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 196, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail

After a bit of poking around, I just added a retry for that read since the first one returned with a 0 length answer.
So I changed the function from:
Python:
def emmc_read(self, idx):
        # magic
        self.dev.write(p32_be(0xf00dd00d))
        # cmd
        self.dev.write(p32_be(0x1000))
        # block to read
        self.dev.write(p32_be(idx))


        data = self.dev.read(0x200)
        if len(data) != 0x200:
            raise RuntimeError("read fail")

To:

Python:
def emmc_read(self, idx):
        # magic
        self.dev.write(p32_be(0xf00dd00d))
        # cmd
        self.dev.write(p32_be(0x1000))
        # block to read
        self.dev.write(p32_be(idx))


        data = self.dev.read(0x200)
        if len(data) != 0x200:
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                raise RuntimeError("read fail")

Surprisingly that worked and I was able to continue with fastboot \o/
Just thought I'd comment because I found a few identical questions but couldn't find anyone else that figured out the workaround :)
 
Last edited:
  • Like
Reactions: Sus_i

Top Liked Posts

  • There are no posts matching your filters.
  • 21
    Disclaimer: To go through with this, you will have to open up your device to get access to the back of the PCB. This is not for everyone. If you encounter issues, I (or the others here) will try to help you, but the risk is all yours.

    First, credit where credit is due. To xyz` for coming up with this and taking the time to help and to k4y0z for helping me get unstuck multiple times.

    What's the purpose of this thread, you ask? It's to recover from a bricked 2017 Fire HD 10 as a result of sideloading to a lower version (from anti-rollback). This thread is not about rooting or other apps. Numerous threads of that type exist on these forums. If your device can get to the "amazon" screen or the "Fire" screen, do not waste your time here. Questions unrelated to anti-rollback unbricking will be mostly ignored.

    This has only been tested on Linux (Ubuntu 16.04). In general, getting familiar with Linux (as opposed to Windows) can make all the difference in projects like these.

    1. Make sure your device is powered off and disconnected from your PC.

    2. Take off the back cover, remove the pieces of tape from the battery and display connectors, disconnect the battery and display cables, unscrew the PCB (11 screws), and gently lift it up. Take care not to rip the speaker wires from the board. (To unbrick, you do not have to connect the battery.)

    3. Download and extract the contents of unbrick_suez.zip (attached).

    4. Navigate to the root of the extracted archive and open a terminal there.

    5. Optional: If you see serial port errors, disable or remove modem manager as root (command may vary with distro; try one or more of these commands in Ubuntu 16.04):
    Code:
    sudo apt-get remove modemmanager
    sudo apt-get remove --auto-remove modemmanager
    sudo systemctl stop ModemManager.service

    6. Run the unbricking script as root:
    Code:
    sudo ./bootrom.sh

    You should see it waiting for the bootrom. Let it be and do the following with the PCB.

    7. Connect the microUSB end of the cable to the PCB. This is the more physically-challenging end of the connection. Leave open the PC side.

    8. Short the point (highlighted in blue in the attached picture) to ground. Work with what you're comfortable with, but here's my approach (use M/M jumper wire if you have access to it):
    a. Gently nudge one end of the wire into the metal case of the SD slot so that it stays in place (keyword: gently). This frees up one hand. You need just enough grip to ensure it doesn't fall off unexpectedly.
    b. Hold the other tip of the jumper wire to the point highlighted in blue.
    c. Connect the other end of the USB cable to your Linux box (remove the jumper wire when you're instructed to and press Enter on your keyboard).

    You should see the following:
    Code:
    [email protected]:~/Desktop/unbrick_suez$ sudo ./bootrom.sh
    [2019-02-03 12:28:08.466131] Waiting for bootrom
    [2019-02-03 12:35:22.602290] Found port = /dev/ttyACM0
    [2019-02-03 12:35:22.602653] Handshake
    [2019-02-03 12:35:22.603225] Disable watchdog
    
     * * * Remove the short and press Enter * * * 
    
    
    [2019-02-03 12:35:27.691503] Init crypto engine
    [2019-02-03 12:35:27.709450] Disable caches
    [2019-02-03 12:35:27.709854] Disable bootrom range checks
    [2019-02-03 12:35:27.721298] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
    [2019-02-03 12:35:27.724457] Send payload
    [2019-02-03 12:35:28.262081] Let's rock
    [2019-02-03 12:35:28.262834] Wait for the payload to come online...
    [2019-02-03 12:35:31.824056] all good
    [2019-02-03 12:35:31.824533] Check GPT
    [2019-02-03 12:35:33.103565] gpt_parsed = {'lk': (20480, 2048), 'recovery': (174080, 34816), 'MISC': (123904, 1024), 'cache': (3515392, 868352), 'tee1': (22528, 10240), 'dkb': (18432, 2048), '': (0, 1), 'userdata': (4383744, 56687583), 'system': (208896, 3306496), 'PMT': (7168, 9216), 'tee2': (32768, 10240), 'proinfo': (1024, 6144), 'reserved': (124928, 16384), 'metadata': (43008, 80896), 'boot': (141312, 32768), 'kb': (16384, 2048)}
    [2019-02-03 12:35:33.103747] Check boot0
    [2019-02-03 12:35:34.291300] Check rpmb
    [2019-02-03 12:35:34.499043] Downgrade rpmb
    [2019-02-03 12:35:34.501403] Recheck rpmb
    [2019-02-03 12:35:35.392720] rpmb downgrade ok

    It should complete in a few seconds.

    9. Unplug the USB cable after "rpmb downgrade ok" appears in the terminal.

    10. Put your device back together (PCB and display/battery cables). Do not screw the PCB in or snap the back cover until you confirm your device has been unbricked.

    11. Depress the power button (with your nail or a suitable tool) to turn on your device. (If it doesn't turn back on, hold it down for a few seconds. If you hear a ding, that's usually a good sign.) This can be challenging for the uninitiated, but don't complain. Obviously, it's better to verify unbricking now than after you put everything back together.

    12. If the device turns back on, you can shut it down and put everything back together. If it does not turn back on, connect it to your PC and see what shows up with lsusb. Time to troubleshoot.

    If you have questions, read the two linked threads above. If you cannot find the answer to your question(s), post here. If you append this entire OP to your post (instead of snipping most/all of it), I will, on general principle, ignore your post.
    2
    If he has to do that, it will also likely require an edit to the script to allow enter to be tapped. I'll have to look back on where that edit needs to go.

    There's no need for any edit to the script. It has always included a pause for user input. In an earlier post, you told him/her to try all the six points and that you will look at one of your boards and take a picture. Why? The OP has always included a picture of the PCB with a clear marking of which point to short. There's no need for trial-and-error.

    To shadowcliffs: Opening the back should not have resulted in damage to the PCB. Disconnect the battery and display cables, remove the PCB from the case, and try again. If you don't have jumper wire, use a metal clip. Get a second pair of hands to help. Tell us what you see with lsusb as you do this.
    1
    This method worked and unbricked my 2017 HD 10 after a bad firmware flash. Had to run the script twice, the first time succeeded but the tablet didn't boot up. May have been completely out of battery after running itself down in a media loader bootloop all night but after a short charge the low battery icon flashed and back in business. Also helps to have a friend ready to plug/unplug the USB and hit enter when required, it's a very small spot on the board that you're shorting.

    The hardest part was getting the shell off, once you unclip the sides you'll feel it's still "stuck" because there are 3 more clips about 1.5-2" from the left side of the tablet, starting 3" from the bottom. You just have to force them and the shell will pop off. Be careful they clip back in when you reassemble or they will push against the screen and cause white spots.

    Thank you retyre for your efforts amongst many posts here, without this guide I'd be stuck with a paperweight. For anyone else with a hard bricked HD 10 2017 model, you've got nothing to lose giving this a go!
    1
    First, Thank you for posting.
    i have looked around the solution for bricked fire hd 10.

    But, i have same problem like @DragonFire1024.

    this is the log

    [email protected]:~/Downloads$ sudo ./bootrom.sh
    [2019-03-12 04:13:38.983635] Waiting for bootrom
    [2019-03-12 04:13:48.574166] Found port = /dev/ttyACM0
    [2019-03-12 04:13:48.578815] Handshake
    [2019-03-12 04:13:48.586267] Disable watchdog

    * * * Remove the short and press Enter * * *


    [2019-03-12 04:13:53.935066] Init crypto engine
    [2019-03-12 04:13:54.383858] Disable caches
    [2019-03-12 04:13:54.391831] Disable bootrom range checks
    [2019-03-12 04:13:54.616303] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
    [2019-03-12 04:13:54.621105] Send payload
    [2019-03-12 04:14:03.086231] Let's rock
    [2019-03-12 04:14:03.093481] Wait for the payload to come online...
    Traceback (most recent call last):
    File "main.py", line 92, in <module>
    main()
    File "main.py", line 57, in main
    load_payload(dev, "../brom-payload/build/payload.bin")
    File "/home/skyhyung/Downloads/modules/load_payload.py", line 143, in load_payload
    dev.wait_payload()
    File "/home/skyhyung/Downloads/modules/common.py", line 171, in wait_payload
    raise RuntimeError("received {} instead of expected pattern".format(data))
    RuntimeError: received b'' instead of expected pattern
    [email protected]:~/Downloads$

    i am debugging it.
    the result of self.dev.read(4) is null at module/common.py 169 line

    i run the script on vmware ubuntu 16.04

    ---------- Post added at 10:24 PM ---------- Previous post was at 10:10 PM ----------

    i solved it
    i changed the TIMEOUT value to 10 from 5 at modules/common.py line 11
    then, it works

    @DragonFire1024
    please try it like me

    Thanks you.
    1
    I just 'freed' two Fire HD 10 inch 2017 models
    I used the alternate root exploit which seemed to work fine.

    On the 2nd tablet however, I got stuck in bootrom-step-minimal.sh
    For some reason it didn't want to read the GPT partition
    [2022-07-23 21:00:52.411325] Waiting for bootrom
    [2022-07-23 21:01:00.657884] Found port = /dev/cu.usbmodem11101
    [2022-07-23 21:01:00.665413] Handshake
    [2022-07-23 21:01:00.666984] Disable watchdog
    * * * Remove the short and press Enter * * *
    [2022-07-23 21:01:15.049972] Init crypto engine
    [2022-07-23 21:01:15.078454] Disable caches
    [2022-07-23 21:01:15.079360] Disable bootrom range checks
    [2022-07-23 21:01:15.095713] Load payload from ../brom-payload/build/payload.bin = 0x4820 bytes
    [2022-07-23 21:01:15.097519] Send payload
    [2022-07-23 21:01:15.791339] Let's rock
    [2022-07-23 21:01:15.792479] Wait for the payload to come online...
    [2022-07-23 21:01:15.796302] all good
    [2022-07-23 21:01:15.796431] Running in minimal mode, assuming LK and TZ to have already been flashed.
    [2022-07-23 21:01:15.796655] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C


    [2022-07-23 21:01:18.585629] Check GPT
    Traceback (most recent call last):
    File "main.py", line 192, in <module>
    main()
    File "main.py", line 95, in main
    switch_user(dev)
    File "main.py", line 56, in switch_user
    block = dev.emmc_read(0)
    File "~/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 196, in emmc_read
    raise RuntimeError("read fail")
    RuntimeError: read fail

    After a bit of poking around, I just added a retry for that read since the first one returned with a 0 length answer.
    So I changed the function from:
    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                raise RuntimeError("read fail")

    To:

    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                data = self.dev.read(0x200)
                if len(data) != 0x200:
                    raise RuntimeError("read fail")

    Surprisingly that worked and I was able to continue with fastboot \o/
    Just thought I'd comment because I found a few identical questions but couldn't find anyone else that figured out the workaround :)