2017 Fire HD 10: Unbricking from anti-rollback

Search This thread

giants2710

New member
Apr 26, 2013
4
0
got it to work on manjaro. had to sub a few programs but they were obvious with whats on written on here and what you can get on aur.

thanks you
 

stormrvr

New member
Sep 24, 2019
1
0
Just wanted to also say that I've successfully used this - running Archlinux. One thing I had a little trouble with was when the program stated protocol mismatch, for me at least, it was because the short I was using was not good. I replaced it with a paperclip and bingo started working :) Thanks so much for everything!
 

Samkapimuni

New member
Aug 8, 2021
3
0
Hello good people. I loved my fire tab so much. But it was bricked for last 4 months. I tried several times every options written up in this thread to rollback. Used ubuntu 20.04 live usb stick.



ubuntu@ubuntu:~/Downloads/unbrick_suez$ sudo ./bootrom.sh
[2021-08-08 16:25:25.920226] Waiting for bootrom
[2021-08-08 16:25:59.155617] Found port = /dev/ttyACM0
[2021-08-08 16:25:59.156760] Handshake
[2021-08-08 16:25:59.158301] Disable watchdog

* * * Remove the short and press Enter * * *


[2021-08-08 16:26:13.517401] Init crypto engine
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 537, in write
n = os.write(self.fd, d)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "main.py", line 92, in <module>
main()
File "main.py", line 57, in main
load_payload(dev, "../brom-payload/build/payload.bin")
File "/home/ubuntu/Downloads/unbrick_suez/modules/load_payload.py", line 112, in load_payload
init(dev)
File "/home/ubuntu/Downloads/unbrick_suez/modules/load_payload.py", line 9, in init
dev.write32(CRYPTO_BASE + 0x0C0C, 0)
File "/home/ubuntu/Downloads/unbrick_suez/modules/common.py", line 141, in write32
self.dev.write(b'\xd4')
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 571, in write
raise SerialException('write failed: {}'.format(e))
serial.serialutil.SerialException: write failed: [Errno 5] Input/output error
ubuntu@ubuntu:~/Downloads/unbrick_suez$
 

Sus_i

Senior Member
Apr 9, 2013
1,882
837
Hello good people. I loved my fire tab so much. But it was bricked for last 4 months. I tried several times every options written up in this thread to rollback. Used ubuntu 20.04 live usb stick.
Maybe try this somewhat newer unbrick instead...
 

rb2k

Member
Oct 20, 2006
39
3
38
I just 'freed' two Fire HD 10 inch 2017 models
I used the alternate root exploit which seemed to work fine.

On the 2nd tablet however, I got stuck in bootrom-step-minimal.sh
For some reason it didn't want to read the GPT partition
[2022-07-23 21:00:52.411325] Waiting for bootrom
[2022-07-23 21:01:00.657884] Found port = /dev/cu.usbmodem11101
[2022-07-23 21:01:00.665413] Handshake
[2022-07-23 21:01:00.666984] Disable watchdog
* * * Remove the short and press Enter * * *
[2022-07-23 21:01:15.049972] Init crypto engine
[2022-07-23 21:01:15.078454] Disable caches
[2022-07-23 21:01:15.079360] Disable bootrom range checks
[2022-07-23 21:01:15.095713] Load payload from ../brom-payload/build/payload.bin = 0x4820 bytes
[2022-07-23 21:01:15.097519] Send payload
[2022-07-23 21:01:15.791339] Let's rock
[2022-07-23 21:01:15.792479] Wait for the payload to come online...
[2022-07-23 21:01:15.796302] all good
[2022-07-23 21:01:15.796431] Running in minimal mode, assuming LK and TZ to have already been flashed.
[2022-07-23 21:01:15.796655] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C


[2022-07-23 21:01:18.585629] Check GPT
Traceback (most recent call last):
File "main.py", line 192, in <module>
main()
File "main.py", line 95, in main
switch_user(dev)
File "main.py", line 56, in switch_user
block = dev.emmc_read(0)
File "~/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 196, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail

After a bit of poking around, I just added a retry for that read since the first one returned with a 0 length answer.
So I changed the function from:
Python:
def emmc_read(self, idx):
        # magic
        self.dev.write(p32_be(0xf00dd00d))
        # cmd
        self.dev.write(p32_be(0x1000))
        # block to read
        self.dev.write(p32_be(idx))


        data = self.dev.read(0x200)
        if len(data) != 0x200:
            raise RuntimeError("read fail")

To:

Python:
def emmc_read(self, idx):
        # magic
        self.dev.write(p32_be(0xf00dd00d))
        # cmd
        self.dev.write(p32_be(0x1000))
        # block to read
        self.dev.write(p32_be(idx))


        data = self.dev.read(0x200)
        if len(data) != 0x200:
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                raise RuntimeError("read fail")

Surprisingly that worked and I was able to continue with fastboot \o/
Just thought I'd comment because I found a few identical questions but couldn't find anyone else that figured out the workaround :)
 
Last edited:
  • Like
Reactions: lex66676 and Sus_i

bbt995

Member
Dec 13, 2022
9
0
I am getting a bad response in the handshake. I am pretty sure that ModeManager is inactive. Any idea about the problem?

Here is the stack trace:
Code:
Waiting for bootrom
Found port = /dev/ttyACM0
Handshake
Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "main.py", line 92, in <module>
    main()
  File "main.py", line 54, in main
    handshake(dev)
  File "/home/memaxef/unbrick_suez/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/memaxef/unbrick_suez/modules/common.py", line 150, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/memaxef/unbrick_suez/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
[/CO
[/QUOTE]
binh@binh-System-Product-Name:~/Downloads/amonet-suez-v1.1.2/amonet$ sudo ./bootrom-step.sh
[2023-04-24 18:47:46.114340] Waiting for bootrom
[2023-04-24 18:48:06.090937] Found port = /dev/ttyACM0
[2023-04-24 18:48:06.128791] Handshake
[2023-04-24 18:48:06.149521] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
File "/home/binh/Downloads/amonet-suez-v1.1.2/amonet/modules/main.py", line 192, in <module>
main()
File "/home/binh/Downloads/amonet-suez-v1.1.2/amonet/modules/main.py", line 82, in main
handshake(dev)
File "/home/binh/Downloads/amonet-suez-v1.1.2/amonet/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/home/binh/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 163, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/binh/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 90, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
===>>> why , help me :<
 

ABC00012345

Member
Apr 10, 2023
14
4
I have also a Amazon fire hd 10 2017.
It is completely bricked (I have flash a false ROM. This script also not worked )


Sorry if is now 2023 but I have it since 2017. And it is now get bricked a few months ago.

I can't turn it on it can't boot and no recovery no Fastboot. It's completely black.
What can I do?
 
  • Like
Reactions: bbt995

bbt995

Member
Dec 13, 2022
9
0
I have also a Amazon fire hd 10 2017.
It is completely bricked (I have flash a false ROM. This script also not worked )


Sorry if is now 2023 but I have it since 2017. And it is now get bricked a few months ago.

I can't turn it on it can't boot and no recovery no Fastboot. It's completely black.
What can I do?
you just need to follow this method
 

thamind

Member
Oct 17, 2007
28
6
@retyre I love you. lol. This revived it for me cause this is what i mucked up:
  • Ran kingoroot and flashed twrp without unlocking bootloader (soft brick)
  • Boot stuck on fire logo (not amazon)
  • Downloaded original firmware .bin file and tried flashing via stock recovery adb sideload ...resulting in a complete brick
Opened tablet on up and followed your directions. In the process the molex connector to the battery wouldn't come out and i literally BUTCHERED the pins on the logic board. Had to "rebuild" them with some solder and a lot of patience and good tunes. Everything is great now THANK YOU THANK YOU

UPDATE: Got back into FireOS, ran kingoroot again, rooted, then ran @k4y0z UNLOCK/ROOT/UNBRICK script step-1.sh ...rebooted my tablet and NOW STUCK IN FIRE LOGO again :( did i corrupt my boot img? How do i get this back to working?
 
Last edited:

MarkTBowden

New member
Aug 29, 2023
2
0
Hard Bricked my 2017 10hd fire tablet after os downgrade. I have setup Ubuntu 22.04 in oracle virtualbox, installed all necessary programs, open my tablet and disconnected both battery and screen. I have shorted the right point, ran the bootrom, plug in the usb cable, but still have nothing coming up in terminal after waiting for bootrom.

I have seen this question asked but not answered, please help.
 

MarkTBowden

New member
Aug 29, 2023
2
0
Hard Bricked my 2017 10hd fire tablet after os downgrade. I have setup Ubuntu 22.04 in oracle virtualbox, installed all necessary programs, open my tablet and disconnected both battery and screen. I have shorted the right point, ran the bootrom, plug in the usb cable, but still have nothing coming up in terminal after waiting for bootrom.

I have seen this question asked but not answered, please help.
Nevermind, managed to find the problem. USB cable was not detected in Ubuntu. Either typing "sudo apt-get install android-sdk-platform-tools" into a terminal or adding a filter in virtual box for Ubuntu in USB done the trick and was able to short and plug in successfully.

Thank you all for what you are doing to help us unfortunate people who find ourselves in these positions.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 22
    Disclaimer: To go through with this, you will have to open up your device to get access to the back of the PCB. This is not for everyone. If you encounter issues, I (or the others here) will try to help you, but the risk is all yours.

    First, credit where credit is due. To xyz` for coming up with this and taking the time to help and to k4y0z for helping me get unstuck multiple times.

    What's the purpose of this thread, you ask? It's to recover from a bricked 2017 Fire HD 10 as a result of sideloading to a lower version (from anti-rollback). This thread is not about rooting or other apps. Numerous threads of that type exist on these forums. If your device can get to the "amazon" screen or the "Fire" screen, do not waste your time here. Questions unrelated to anti-rollback unbricking will be mostly ignored.

    This has only been tested on Linux (Ubuntu 16.04). In general, getting familiar with Linux (as opposed to Windows) can make all the difference in projects like these.

    1. Make sure your device is powered off and disconnected from your PC.

    2. Take off the back cover, remove the pieces of tape from the battery and display connectors, disconnect the battery and display cables, unscrew the PCB (11 screws), and gently lift it up. Take care not to rip the speaker wires from the board. (To unbrick, you do not have to connect the battery.)

    3. Download and extract the contents of unbrick_suez.zip (attached).

    4. Navigate to the root of the extracted archive and open a terminal there.

    5. Optional: If you see serial port errors, disable or remove modem manager as root (command may vary with distro; try one or more of these commands in Ubuntu 16.04):
    Code:
    sudo apt-get remove modemmanager
    sudo apt-get remove --auto-remove modemmanager
    sudo systemctl stop ModemManager.service

    6. Run the unbricking script as root:
    Code:
    sudo ./bootrom.sh

    You should see it waiting for the bootrom. Let it be and do the following with the PCB.

    7. Connect the microUSB end of the cable to the PCB. This is the more physically-challenging end of the connection. Leave open the PC side.

    8. Short the point (highlighted in blue in the attached picture) to ground. Work with what you're comfortable with, but here's my approach (use M/M jumper wire if you have access to it):
    a. Gently nudge one end of the wire into the metal case of the SD slot so that it stays in place (keyword: gently). This frees up one hand. You need just enough grip to ensure it doesn't fall off unexpectedly.
    b. Hold the other tip of the jumper wire to the point highlighted in blue.
    c. Connect the other end of the USB cable to your Linux box (remove the jumper wire when you're instructed to and press Enter on your keyboard).

    You should see the following:
    Code:
    k@Cray2:~/Desktop/unbrick_suez$ sudo ./bootrom.sh
    [2019-02-03 12:28:08.466131] Waiting for bootrom
    [2019-02-03 12:35:22.602290] Found port = /dev/ttyACM0
    [2019-02-03 12:35:22.602653] Handshake
    [2019-02-03 12:35:22.603225] Disable watchdog
    
     * * * Remove the short and press Enter * * * 
    
    
    [2019-02-03 12:35:27.691503] Init crypto engine
    [2019-02-03 12:35:27.709450] Disable caches
    [2019-02-03 12:35:27.709854] Disable bootrom range checks
    [2019-02-03 12:35:27.721298] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
    [2019-02-03 12:35:27.724457] Send payload
    [2019-02-03 12:35:28.262081] Let's rock
    [2019-02-03 12:35:28.262834] Wait for the payload to come online...
    [2019-02-03 12:35:31.824056] all good
    [2019-02-03 12:35:31.824533] Check GPT
    [2019-02-03 12:35:33.103565] gpt_parsed = {'lk': (20480, 2048), 'recovery': (174080, 34816), 'MISC': (123904, 1024), 'cache': (3515392, 868352), 'tee1': (22528, 10240), 'dkb': (18432, 2048), '': (0, 1), 'userdata': (4383744, 56687583), 'system': (208896, 3306496), 'PMT': (7168, 9216), 'tee2': (32768, 10240), 'proinfo': (1024, 6144), 'reserved': (124928, 16384), 'metadata': (43008, 80896), 'boot': (141312, 32768), 'kb': (16384, 2048)}
    [2019-02-03 12:35:33.103747] Check boot0
    [2019-02-03 12:35:34.291300] Check rpmb
    [2019-02-03 12:35:34.499043] Downgrade rpmb
    [2019-02-03 12:35:34.501403] Recheck rpmb
    [2019-02-03 12:35:35.392720] rpmb downgrade ok

    It should complete in a few seconds.

    9. Unplug the USB cable after "rpmb downgrade ok" appears in the terminal.

    10. Put your device back together (PCB and display/battery cables). Do not screw the PCB in or snap the back cover until you confirm your device has been unbricked.

    11. Depress the power button (with your nail or a suitable tool) to turn on your device. (If it doesn't turn back on, hold it down for a few seconds. If you hear a ding, that's usually a good sign.) This can be challenging for the uninitiated, but don't complain. Obviously, it's better to verify unbricking now than after you put everything back together.

    12. If the device turns back on, you can shut it down and put everything back together. If it does not turn back on, connect it to your PC and see what shows up with lsusb. Time to troubleshoot.

    If you have questions, read the two linked threads above. If you cannot find the answer to your question(s), post here. If you append this entire OP to your post (instead of snipping most/all of it), I will, on general principle, ignore your post.
    2
    I just 'freed' two Fire HD 10 inch 2017 models
    I used the alternate root exploit which seemed to work fine.

    On the 2nd tablet however, I got stuck in bootrom-step-minimal.sh
    For some reason it didn't want to read the GPT partition
    [2022-07-23 21:00:52.411325] Waiting for bootrom
    [2022-07-23 21:01:00.657884] Found port = /dev/cu.usbmodem11101
    [2022-07-23 21:01:00.665413] Handshake
    [2022-07-23 21:01:00.666984] Disable watchdog
    * * * Remove the short and press Enter * * *
    [2022-07-23 21:01:15.049972] Init crypto engine
    [2022-07-23 21:01:15.078454] Disable caches
    [2022-07-23 21:01:15.079360] Disable bootrom range checks
    [2022-07-23 21:01:15.095713] Load payload from ../brom-payload/build/payload.bin = 0x4820 bytes
    [2022-07-23 21:01:15.097519] Send payload
    [2022-07-23 21:01:15.791339] Let's rock
    [2022-07-23 21:01:15.792479] Wait for the payload to come online...
    [2022-07-23 21:01:15.796302] all good
    [2022-07-23 21:01:15.796431] Running in minimal mode, assuming LK and TZ to have already been flashed.
    [2022-07-23 21:01:15.796655] If this is correct (i.e. you used "brick" option in step 1) press enter, otherwise terminate with Ctrl+C


    [2022-07-23 21:01:18.585629] Check GPT
    Traceback (most recent call last):
    File "main.py", line 192, in <module>
    main()
    File "main.py", line 95, in main
    switch_user(dev)
    File "main.py", line 56, in switch_user
    block = dev.emmc_read(0)
    File "~/Downloads/amonet-suez-v1.1.2/amonet/modules/common.py", line 196, in emmc_read
    raise RuntimeError("read fail")
    RuntimeError: read fail

    After a bit of poking around, I just added a retry for that read since the first one returned with a 0 length answer.
    So I changed the function from:
    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                raise RuntimeError("read fail")

    To:

    Python:
    def emmc_read(self, idx):
            # magic
            self.dev.write(p32_be(0xf00dd00d))
            # cmd
            self.dev.write(p32_be(0x1000))
            # block to read
            self.dev.write(p32_be(idx))
    
    
            data = self.dev.read(0x200)
            if len(data) != 0x200:
                data = self.dev.read(0x200)
                if len(data) != 0x200:
                    raise RuntimeError("read fail")

    Surprisingly that worked and I was able to continue with fastboot \o/
    Just thought I'd comment because I found a few identical questions but couldn't find anyone else that figured out the workaround :)
    2
    If he has to do that, it will also likely require an edit to the script to allow enter to be tapped. I'll have to look back on where that edit needs to go.

    There's no need for any edit to the script. It has always included a pause for user input. In an earlier post, you told him/her to try all the six points and that you will look at one of your boards and take a picture. Why? The OP has always included a picture of the PCB with a clear marking of which point to short. There's no need for trial-and-error.

    To shadowcliffs: Opening the back should not have resulted in damage to the PCB. Disconnect the battery and display cables, remove the PCB from the case, and try again. If you don't have jumper wire, use a metal clip. Get a second pair of hands to help. Tell us what you see with lsusb as you do this.
    1
    This method worked and unbricked my 2017 HD 10 after a bad firmware flash. Had to run the script twice, the first time succeeded but the tablet didn't boot up. May have been completely out of battery after running itself down in a media loader bootloop all night but after a short charge the low battery icon flashed and back in business. Also helps to have a friend ready to plug/unplug the USB and hit enter when required, it's a very small spot on the board that you're shorting.

    The hardest part was getting the shell off, once you unclip the sides you'll feel it's still "stuck" because there are 3 more clips about 1.5-2" from the left side of the tablet, starting 3" from the bottom. You just have to force them and the shell will pop off. Be careful they clip back in when you reassemble or they will push against the screen and cause white spots.

    Thank you retyre for your efforts amongst many posts here, without this guide I'd be stuck with a paperweight. For anyone else with a hard bricked HD 10 2017 model, you've got nothing to lose giving this a go!
    1
    I have also a Amazon fire hd 10 2017.
    It is completely bricked (I have flash a false ROM. This script also not worked )


    Sorry if is now 2023 but I have it since 2017. And it is now get bricked a few months ago.

    I can't turn it on it can't boot and no recovery no Fastboot. It's completely black.
    What can I do?