[DEV] Bootloader unlock procedure and software


dpeddi

I get to unlock the bootloader of my kindle hdx 8.9

Prerequisite:
- Bootloader shipped with firmware version 1[34].3.1.0 <= x <= 1[34].3.2.4 (as we use the rsa bug)
- Rooted kindle

adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial

create a file unlock.img with the following content:
0xmmssssssss
where mm=manfid and ss=serial

encrypt it with my vortox fork of signing tool at

https://github.com/dpeddi/Cuber

./cuber_unlockbl --sign ./unlock.img ./unlock.signed

connect the hdx to a linux box and run the following commands:

./fastboot -i 0x1949 devices
./fastboot -i 0x1949 flash unlock unlock.signed
./fastboot -i 0x1949 reboot

adb shell
idme print
[...]
unlock_code: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMsv9S[...]WRUFx7FaA==

to get into fastboot mode you can press:
standby volume+ volume- at the same time and keep pressed

a list of fastboot commands follows:
fastboot -i 0x1949 getvar product
fastboot -i 0x1949 getvar version
fastboot -i 0x1949 getvar kernel
fastboot -i 0x1949 getvar serialno
fastboot -i 0x1949 getvar production
fastboot -i 0x1949 getvar partition-size:userdata|system|cache
fastboot -i 0x1949 getvar partition-type:userdata|system|cache
fastboot -i 0x1949 getvar max-download-size
fastboot -i 0x1949 boot (still untested by me)
fastboot -i 0x1949 verify (still untested by me)
fastboot -i 0x1949 flash (still untested by me)
fastboot -i 0x1949 erase (still untested by me)
fastboot -i 0x1949 continue
fastboot -i 0x1949 reboot
fastboot -i 0x1949 reboot-bootloader
fastboot -i 0x1949 oem device-info
fastboot -i 0x1949 oem idme ? (only if unlocked)
fastboot -i 0x1949 oem idme cl3an (untested by me but is destructive!)
fastboot -i 0x1949 oem idme v3rsion (untested by me but seems destructive!)
fastboot -i 0x1949 oem relock (i'm lazy to test it)
fastboot -i 0x1949 dump (don't work with current windows implementation of fastboot that i'm using now - try this)

you can use the python-only tool too:
http://forum.xda-developers.com/kin...tools-create-unlock-img-fix-boot-img-t3050689
http://forum.xda-developers.com/kin...e-software-t3030281/post58897784#post58897784

Regards and thanks to all (ralekdev, jcase, Hashcode, Cpasjuste, Vortox, draxie...)
 

Attachments

  • 20150214_023152.jpg
  • 20150214_023222.jpg

EncryptedCurse

Congratulations! This is a huge breakthrough. Perhaps this will finally attract the developers these devices deserve.

Just to let you know, there are some errors upon compilation:
Code:
g++ -Wall -Wextra -Wno-unused-result -march=native -O2 -Iinclude cuber.cpp -o cuber -lcrypto
g++ -Wall -Wextra -Wno-unused-result -march=native -O2 -Iinclude cuber_unlockbl.cpp -o cuber_unlockbl -lcrypto
cuber_unlockbl.cpp:204:2: warning: "/*" within comment [-Wcomment]
  /*
 ^
cuber_unlockbl.cpp: In function ‘int sign_image(char*, char*)’:
cuber_unlockbl.cpp:194:11: warning: variable ‘imagesize_actual’ set but not used [-Wunused-but-set-variable]
  unsigned imagesize_actual;
           ^
cuber_unlockbl.cpp:250:16: warning: unused variable ‘hash’ [-Wunused-variable]
  unsigned char hash[65];
                ^
cuber_unlockbl.cpp: At global scope:
cuber_unlockbl.cpp:322:33: warning: unused parameter ‘image_ptr’ [-Wunused-parameter]
 int verify_image(unsigned char *image_ptr, unsigned char *signature_ptr, unsigned int image_size)
                                 ^
cuber_unlockbl.cpp:322:87: warning: unused parameter ‘image_size’ [-Wunused-parameter]
 int verify_image(unsigned char *image_ptr, unsigned char *signature_ptr, unsigned int image_size)
                                                                                       ^
cuber_unlockbl.cpp: In function ‘int check_image(char*)’:
cuber_unlockbl.cpp:135:64: warning: ‘imagesize_actual’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  verify_image(image, image + imagesize_actual, imagesize_actual);
                                                                ^

Additionally, how exactly do we create the image file? (i.e. what format and all that)
 

icedtrip

This is great news! I'll take a further look tomorrow into trying this out. Getting late and time for bed.
 

dpeddi

As written before, the unlock file is x9911223344, nothing more.

This file is encrypted as well, using a method similar to the one for the image files.

But it is not hashed... just encrypted with the private key.

The image, on the other hand, is hashed and just the hash is encrypted.

I'm not interested in fixing code warnings... if you want, send me the fix as a pull request on github. I was only interested in unlocking my device.
 

AmazonLeaker

I get to unlock the bootloader of my kindle hdx 8.9

Prerequisite: 1[34].3.1.0 < x < 1[34].3.2.4 (as it use the rsa bug)
Rooted kindle

cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial

create a file unlock.img with following content:
0xmmssssssss
where mm=manfid and ss=serial

encrypt it with my vortox fork of signing tool at

https://github.com/dpeddi/Cuber

./cuber_unlockbl --sign ./unlock.img ./unlock.signed

connect the hdx to a linux box and do following command:

./fastboot -i 0x1949 devices
./fastboot -i 0x1949 flash unlock unlock.signed
./fastboot -i 0x1949 reboot

adb shell
idme print
[...]
unlock_code: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMsv9S[...]WRUFx7FaA==

Regards and thank to all (Hashcode, Cpasjuste, Vortox...)

Hearty congratulations @dpeddi !!!!

Can you let us know which sw ver is this applicable to ?
As amazon is again allowing the roll back process with almost no questions asked, if this implies to the downgrade they are allowing its a massive win and breakthrough in HDX DEVELOPMENT (i dont exactly remember the version they are downgrading to - its the one that has been patched with vulnerability)

Edit: its 14.3.2.8


Edit 2 : i believe the answer would be NO, just compared the version number you mentioned, can there be any possibility for 14.3.2.8 version kindles to get root or downgrade or any thing ?

To be honest it would be a shame that just on software version kindle has no future and other software versions have :(

Again cheers for your achievement
 

dpeddi

Should be up to 3.2.4. However, with an unlocked bl, development should be a little safer.

Sent from my GT-I9505 using Tapatalk
 

dpeddi

Exactly... the encrypted unlock file isn't valid with the patched openssl vulnerability. However, if you want, you can give it a try... I've uploaded an invalid unlock file several times with no issue.
 

dpeddi

I forgot to tell you that if you upgrade the bootloader to a newer image with fixed openssl, you lose the unlock.
 

rubinho

@dpeddi
I get an error message when I sign the file
I assume that this message is not normal.
My OS is Ubuntu 14.4 x64 and my HDX model is Thor 32GB (bootloader version 3.2.3)
./cuber_unlockbl --sign ./unlock.img ./unlock.signed

[ STATUS ] Signing image... ./unlock.img
debug: imagefilesize, :13
debug: image 0x3312345678
[ STATUS ] Checking created signature...
[ STATUS ] Checking created image...
debug: plain_text 0x3312345678
[ ERROR ] Invalid signature
 

dpeddi

@dpeddi
I get an error message when I sign the file
I assume that this message is not normal.
My OS is Ubuntu 14.4 x64 and my HDX model is Thor 32GB (bootloader version 3.2.3)

Ok I'll fix the program. However if you have a signed image not empty it should be good.

Please ignore that error...

3am work is not always without stupid warnings :)
 

mxzwhx

Does this work on 14.3.1.0? I am a little confused because you said x>14.3.1.0

Sent from my MI 2C using XDA Free mobile app
 

mxzwhx

Thanks, I've noticed one of the steps needs a Linux box, but I just have a Windows PC, as I think many people like me do as well. How do we fulfill that step?

Sent from my MI 2C using XDA Free mobile app
 

dpeddi

Thanks, I've noticed one of the steps needs a Linux box, but I just have a Windows PC, as I think many people like me do as well. How do we fulfill that step?

You need linux for all steps (both fastboot and signing).

I read here (at xda) that windows fastboot can't run with Kindle hdx.
 

rubinho

You need linux for all steps (both fastboot and signing).

I read here (at xda) that windows fastboot can't run with Kindle hdx.

Fastboot works fine on my Windows 8.1 x64
I use following Amazon adb/fastboot drivers.... https://mega.co.nz/#!8JtUkSyZ!UbWCYyHVlfpk51FMYzQ5wR89CLWu9gTccJFVEx0lhjI

I have now successfully completed the unlock procedure. I think at least. :D (thx @dpeddi)
Do you know a command with which I can query the bootloader status? "oem unlock" does not work.
With "fastboot -i 0x1949 oem device-info" the following message comes up ... Device tampered: false. (whatever that means)
 

dpeddi

Fastboot works fine on my Windows 8.1 x64
I use following Amazon adb/fastboot drivers.... https://mega.co.nz/#!8JtUkSyZ!UbWCYyHVlfpk51FMYzQ5wR89CLWu9gTccJFVEx0lhjI

I have now successfully completed the unlock procedure. I think at least. :D (thx @dpeddi)
Do you know a command with which I can query the bootloader status? "oem unlock" does not work.
With "fastboot -i 0x1949 oem device-info" the following message comes up ... Device tampered: false. (whatever that means)

Look at the photo attached to my first post.

You should see unlock successful. Fastboot oem unlock doesn't exist on our device.

Adb shell idme print should show you if the unlock is ok.
You should see the unlock code set as ascii
 

mxzwhx

Hello, can you teach me step by step to unlock the bootloader on Windows 8.1 64bit version? I am afraid something would go wrong if I do it myself.

Sent from my Nexus HDX 8.9 using XDA Free mobile app

---------- Post added at 02:21 PM ---------- Previous post was at 02:18 PM ----------

OK thx for the info.
The result was exactly as you described it have.
Thus my bootloader should be unlocked.
@rubinho, is that okay ?

Sent from my Nexus HDX 8.9 using XDA Free mobile app
 

Top Liked Posts

    33
    Hi there,

    With so many complaints about Linux dependencies,
    I figured a Python-only version of cuber may be a good idea.
    (Windows does have Python ports, right?
    You'll still need python-gmpy2, in addition to fairly standard Python stuff.)

    So, here it comes.
    Both boot images and unlock codes are supported,
    depending on what you pass on the command line.

    For unlock codes, figure out your manfid and serial
    as explained by the OP, and use the following:
    Code:
    > python cuberHDX.py mmssssssss
    Your unlock code is in 'mmssssssss.unlock'.
    And, then do the fastboot dance from the OP.

    For boot images, the procedure is fairly similar:
    Code:
    > python cuberHDX.py your-boot.img
    Your image 'your-boot.img' is now "signed".

    I've downloaded and tested the new version (-v2),
    and it works fine on my Apollo.

    For other that might not have understood as easily..., (its been a while since I work with anything) complete as follows. tested on HDX 7 (Thor) Rooted 13.3.1.0

    get Python 2.7 for windows and install it

    get GMPY2 for Python 2.7

    open command prompt to your ADB directory:

    Code:
    adb shell
    cat /sys/block/mmcblk0/device/manfid
    cat /sys/block/mmcblk0/device/serial

    from these 2 results you get the code we need; insert the last 2 digits of the manfID with your serial
    following

    like this: mmssssssss

    download the attachment on the following post: http://forum.xda-developers.com/showpost.php?p=58864282&postcount=46
    Then place the file inside the attachment to C:\Python27 should be C:\Python\cuberHDX.py

    open command prompt in: C:\Python27

    replace "mmssssssss" with yours below:
    Code:
    python.exe cuberHDX.py 0xmmssssssss

    that will put a new 0xmmssssssss.UNLOCK file in the Python27 directory

    copy that file to your fastboot directory.

    on an ADB prompt type

    Code:
    adb reboot-bootloader

    then on a fastboot prompt type

    Code:
    fastboot -i 0x1949 devices
    fastboot -i 0x1949 flash unlock 0xmmssssssss.unlock
    fastboot -i 0x1949 reboot

    thats it.

    Gathered all from this thread, just a little clearer I think...
    thanks to @dpeddi, @vortox, @draxie, @ApokrifX
    8
    Python-only cuber

    Don't bother with the obsolete cuberHDX.py; please refer to my new post for a python-less alternative instead.

    Hi there,

    With so many complaints about Linux dependencies,
    I figured a Python-only version of cuber may be a good idea.
    (Windows does have Python ports, right?
    You'll still need python-gmpy2, in addition to fairly standard Python stuff.)

    So, here it comes.
    Both boot images and unlock codes are supported,
    depending on what you pass on the command line.

    For unlock codes, figure out your manfid and serial
    as explained by the OP, and use the following:
    Code:
    > python cuberHDX.py mmssssssss
    Your unlock code is in 'mmssssssss.unlock'.
    And, then do the fastboot dance from the OP.

    For boot images, the procedure is fairly similar:
    Code:
    > python cuberHDX.py your-boot.img
    Your image 'your-boot.img' is now "signed".

    Finally, v3 fixes the text/binary issue and SHOULD work also on Windows.
    I cannot test as I do not have that OS..

    Oh, and thanks go to @vortox and @dpeddi for the predecessors of this script.


    UPDATE:

    For those who miss the '-c|--check' option of the original cuber,
    you can simply use the openssl command line to verify your unlock code.
    (Scroll to the right for the revelation.)
    Code:
    > python cuberHDX.py AA12345678
    Your unlock code is in 'AA12345678.unlock'.
    > openssl rsautl -verify -inkey unlock.crt -certin -in AA12345678.unlock -hexdump
    0000 - 30 78 41 41 31 32 33 34-35 36 37 38 0a 00 00 00   0xAA12345678....
    0010 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    0020 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    0030 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    0040 - 00 00 00 00 00 00 00 00-00 00 00 93 6a d2 8e da   ............j...
    0050 - 94 30 8b 2c 38 21 09 2e-bd e1 13 7d dd e0 ba 22   .0.,8!.....}..."
    0060 - e0 1d 8d 73 8a a3 f1 ac-5b f5 3d 06 c5 95 ba 2f   ...s....[.=..../
    0070 - ab fe 86 7c 26 64 3d ee-47 84 1b cb 12 6a 42 27   ...|&d=.G....jB'
    0080 - 53 04 14 f6 a4 17 89 fc-8c b6 96 d3 10 de 21 35   S.............!5
    0090 - dc 8b c5 6e 4c ec f2 9e-c1 50 72 8a 06 ff 3b 61   ...nL....Pr...;a
    00a0 - 1a a3 52 bd c3 04 13 4c-a1 2a 8f 93 88 6b 46 cf   ..R....L.*...kF.
    00b0 - df 1f 1b f3 a1 7a d1 9d-a2 04 77 8a a3 37 14 c5   .....z....w..7..
    00c0 - 08 98 5f ac 5b d7 0f 1f-fa fe 0f e2 a4 65 5f b3   .._.[........e_.
    00d0 - f7 8b 9f bf a5 b2 28 84-39 e2 0d 03 6b 82 03 f2   ......(.9...k...
    00e0 - 25 dc f1 41 9d 27 75 6f-10 fe 93 0d c7 95 71 67   %..A.'uo......qg
    00f0 - 54 2b                                             T+
    00f5 - <SPACES/NULS>
    You can add the '-raw' flag to the end of the command line
    if you also want to see the PKCS padding string...

    For boot images, slightly more acrobatics is needed,
    for getting the hash and the signature, but it's not too bad.
    This assumes 'dd' is available on your platform.
    Code:
    > dd if=boot.img bs=2k of=/dev/null
    3634+0 records in
    3634+0 records out
    7442432 bytes (7.4 MB) copied, 0.00792165 s, 940 MB/s
    > dd if=boot.img bs=2k skip=3633 count=256 iflag=count_bytes of=sig
    0+1 records in
    0+1 records out
    256 bytes (256 B) copied, 0.000197051 s, 1.3 MB/s
    > openssl rsautl -verify -inkey production.crt -certin -in sig -hexdump
    0000 - ad 84 84 25 a7 89 57 c3-8c 67 6a c3 25 5c b7 2e   ...%..W..gj.%\..
    0010 - f4 c8 90 ac a2 fb bf 36-91 3c 43 18 f4 08 c4 9e   .......6.<C.....
    0020 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    0030 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    0040 - 00 00 00 00 00 00 00 00-00 00 00 a4 8f 3e 09 eb   .............>..
    0050 - 65 3c 1b 3e de 2e b8 0b-6c 37 55 40 40 9e c0 dd   e<.>....l7U@@...
    0060 - f7 e0 25 7d 32 18 1b 93-dc ee 1e 9f 7c b7 1b 00   ..%}2.......|...
    0070 - d8 62 ec 67 b2 46 74 e8-7f 58 3a b7 ff 22 60 cf   .b.g.Ft..X:.."`.
    0080 - c4 27 07 83 3f d1 01 06-f6 e6 63 b7 77 5e 45 1f   .'..?.....c.w^E.
    0090 - 6e 85 2f 29 4f d0 89 70-fb d7 3c e2 da 6f e3 06   n./)O..p..<..o..
    00a0 - 5a f2 1f 9e ca aa 7d 84-24 f4 56 9d 8f 16 cf 9c   Z.....}.$.V.....
    00b0 - c1 07 74 c4 b4 1b f4 7f-04 95 cf d4 93 a1 59 e8   ..t...........Y.
    00c0 - 34 a6 aa 2a 7a 39 05 50-0f bb 2d 41 71 cf 8b 47   4..*z9.P..-Aq..G
    00d0 - 7a e5 70 3c 36 27 e0 c1-a6 14 2b 28 92 f9 d1 c3   z.p<6'....+(....
    00e0 - ac 1e 54 05 10 49 00 6d-ed f9 8a 0b f6 e7 4a 29   ..T..I.m......J)
    00f0 - 9a 74 27 10                                       .t'.
    00f5 - <SPACES/NULS>
    > dd if=boot.img bs=2k count=3633 | sha256sum
    3633+0 records in
    3633+0 records out
    7440384 bytes (7.4 MB) copied, 0.0493471 s, 151 MB/s
    ad848425a78957c38c676ac3255cb72ef4c890aca2fbbf36913c4318f408c49e  -
    The first 'dd' line to '/dev/null' is just to get the size in pages.
    You can do the math yourself instead. I'm just lazy...
    The other 'dd' lines use that size-1, which may not always work,
    since some images contain additional all-zero pages at the end.
    In that case you'll need to experiment with the value to skip,
    or use a hexdump utility to figure out the offset.

    Oh, and you can get all those pesky certificates from
    an ancient post of mine (speculating about a bootloader unlock).
    4
    Hello,

    steps for unlocking described by @ceyo14 here
    Some additional tips/guidance here which complements the link in the post by @D0ubl3_X. Although there are several different BL unlock guides/tools circulating I have found the one by @cey014 works best for my limited brain power.

    Unlocking is not hard but does involve utilizing tools/techniques you may not be familiar with and potentially fighting with Windows device drivers/security...especially on Win 8.1 x64. Ask targeted questions along the way; folks are generally willing to help if you have done your homework. There are no one click apks or hand holding tutorials. Grab the beverage of your choice, roll up your sleeves and plan to spend a fun evening screwing with stuff that is somewhat arcane.
    3
    Note that it *IS* possible to roll back from 3.2.x to 3.1.0
    at least, up to and including 3.2.6, which I had before TWRP came.
    The instructions for 3.2.5 and above are at the end of the post.
    The procedure is verified for 3.2.6, but if you can get root on your device,
    I suspect that this might work for 3.2.7 & 3.28 as well, but I don't know
    (since I happened to have 3.2.6 at the time).

    If you are the adventurous type and you understand what the scripts do,
    you can "extrapolate" and move to 3.2.3.2 directly (which is what I did),
    but it may be both faster and easier to move to 3.1.0 first, and then use
    the stock update from Amazon to upgrade to 3.2.3.2.

    In either case, you'll need to fetch one of these, depending on your device:

    https://kindle-fire-updates.s3.amazonaws.com/update-kindle-13.3.2.3.2_user_323001720.bin
    https://kindle-fire-updates.s3.amazonaws.com/update-kindle-14.3.2.3.2_user_323001720.bin


    Good luck!

    Amazon started including anti-rollback protection for x.3.2.7 and x.3.2.8.
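
Added example (not part of the thread and not code from cuberHDX.py): a Python version of the boot-image check walked through above with dd, openssl rsautl and sha256sum. It walks back over trailing all-zero pages instead of guessing the skip value, then compares the SHA-256 of the signed pages with the first 32 bytes of the `openssl rsautl -verify ... -hexdump` output. The function names, the page layout (signature in the last non-zero 2048-byte page) and the constructed test image are assumptions of this example.

```python
import hashlib
import re

PAGE = 2048     # page size, matching bs=2k in the post's dd commands
SIG_LEN = 256   # signature length, matching count=256 in the post


def find_signature_page(image: bytes) -> int:
    """Index of the last page that is not all zeros.

    Assumption (from the post): the signature sits in the final page,
    possibly followed by additional all-zero pages.
    """
    if not image or len(image) % PAGE:
        raise ValueError("image size is not a whole number of pages")
    for idx in range(len(image) // PAGE - 1, 0, -1):
        if any(image[idx * PAGE:(idx + 1) * PAGE]):
            return idx
    raise ValueError("no non-zero page after page 0")


def split_image(image: bytes):
    """Return (signed_body, signature), cut the way the dd commands cut them."""
    idx = find_signature_page(image)
    return image[:idx * PAGE], image[idx * PAGE:idx * PAGE + SIG_LEN]


# One dump row: offset, " - ", up to 16 hex bytes ('-' after the 8th byte).
_ROW = re.compile(r"^\s*[0-9a-f]{4,} - ((?:[0-9a-f]{2}[ -]){1,16})")


def parse_rsautl_hexdump(text: str) -> bytes:
    """Turn `openssl rsautl -verify ... -hexdump` output back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:  # rows such as "00f5 - <SPACES/NULS>" do not match
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)


def hash_matches(image: bytes, rsautl_output: str) -> bool:
    """Compare SHA-256 of the signed body with the first 32 recovered bytes."""
    body, _sig = split_image(image)
    recovered = parse_rsautl_hexdump(rsautl_output)
    return recovered[:32] == hashlib.sha256(body).digest()


# First two rows of the boot.img hexdump quoted in the post.
POST_ROWS = """\
0000 - ad 84 84 25 a7 89 57 c3-8c 67 6a c3 25 5c b7 2e   ...%..W..gj.%\\..
0010 - f4 c8 90 ac a2 fb bf 36-91 3c 43 18 f4 08 c4 9e   .......6.<C.....
"""

if __name__ == "__main__":
    # Constructed image: 3 body pages, 1 signature page, 2 all-zero pages.
    body = bytes(range(256)) * 8 * 3
    sig_page = b"\x5a" * SIG_LEN + bytes(PAGE - SIG_LEN)
    image = body + sig_page + bytes(2 * PAGE)
    print("signature page:", find_signature_page(image))
    print("body sha256   :", hashlib.sha256(split_image(image)[0]).hexdigest())
    print("post digest   :", parse_rsautl_hexdump(POST_ROWS)[:32].hex())
```

The digest parsed from the two quoted rows is the same value the post's `sha256sum` prints, which is the comparison the walkthrough makes by eye.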