[DEV] Bootloader unlock procedure and software

dpeddi · Feb 14, 2015

I get to unlock the bootloader of my kindle hdx 8.9

Prerequisite:
- Bootloader shipped with firmwareversion 1[34].3.1.0 <= x <= 1[34].3.2.4 (as we use the rsa bug)
- Rooted kindle

adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial

create a file unlock.img with following content:
0xmmssssssss
where mm=manfid and ss=serial

encrypt it with my vortox fork of signing tool at

https://github.com/dpeddi/Cuber

./cuber_unlockbl --sign ./unlock.img ./unlock.signed

connect the hdx to a linux box and do following command:

./fastboot -i 0x1949 devices
./fastboot -i 0x1949 flash unlock unlock.signed
./fastboot -i 0x1949 reboot

adb shell
idme print
[...]
unlock_code: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMsv9S[...]WRUFx7FaA==

to get into fastboot mode you can press:
standby volume+ volume- at the same time and keep pressed

follows list of fastboot command:
fastboot -i 0x1949 getvar product
fastboot -i 0x1949 getvar version
fastboot -i 0x1949 getvar kernel
fastboot -i 0x1949 getvar serialno
fastboot -i 0x1949 getvar production
fastboot -i 0x1949 getvar partition-size:userdata|sytem|cache
fastboot -i 0x1949 getvar partition-type:userdata|sytem|cache
fastboot -i 0x1949 getvar max-download-size
fastboot -i 0x1949 boot (still untested by me)
fastboot -i 0x1949 verify (still untested by me)
fastboot -i 0x1949 flash (still untested by me)
fastboot -i 0x1949 erase (still untested by me)
fastboot -i 0x1949 continue
fastboot -i 0x1949 reboot
fastboot -i 0x1949 reboot-bootloader
fastboot -i 0x1949 oem device-info
fastboot -i 0x1949 oem idme ? (only if unlocked)
fastboot -i 0x1949 oem idme cl3an (untested by me but is destructive!)
fastboot -i 0x1949 oem idme v3rsion (untested by me but seems destructive!)
fastboot -i 0x1949 oem relock (i'm lazy to test it)
fastboot -i 0x1949 dump (don't work with current windows implementation of fastboot that i'm using now - try this)

you can use python only tool too :
http://forum.xda-developers.com/kin...tools-create-unlock-img-fix-boot-img-t3050689
http://forum.xda-developers.com/kin...e-software-t3030281/post58897784#post58897784

Regards and thank to all (ralekdev, jcase, Hashcode, Cpasjuste, Vortox, draxie...)

EncryptedCurse · Feb 14, 2015

Congratulations! This is a huge breakthrough. Perhaps this will finally attract the developers these devices deserve.

Just to let you know, there are some errors upon compilation:

Code:

g++ -Wall -Wextra -Wno-unused-result -march=native -O2 -Iinclude cuber.cpp -o cuber -lcrypto
g++ -Wall -Wextra -Wno-unused-result -march=native -O2 -Iinclude cuber_unlockbl.cpp -o cuber_unlockbl -lcrypto
cuber_unlockbl.cpp:204:2: warning: "/*" within comment [-Wcomment]
  /*
 ^
cuber_unlockbl.cpp: In function ‘int sign_image(char*, char*)’:
cuber_unlockbl.cpp:194:11: warning: variable ‘imagesize_actual’ set but not used [-Wunused-but-set-variable]
  unsigned imagesize_actual;
           ^
cuber_unlockbl.cpp:250:16: warning: unused variable ‘hash’ [-Wunused-variable]
  unsigned char hash[65];
                ^
cuber_unlockbl.cpp: At global scope:
cuber_unlockbl.cpp:322:33: warning: unused parameter ‘image_ptr’ [-Wunused-parameter]
 int verify_image(unsigned char *image_ptr, unsigned char *signature_ptr, unsigned int image_size)
                                 ^
cuber_unlockbl.cpp:322:87: warning: unused parameter ‘image_size’ [-Wunused-parameter]
 int verify_image(unsigned char *image_ptr, unsigned char *signature_ptr, unsigned int image_size)
                                                                                       ^
cuber_unlockbl.cpp: In function ‘int check_image(char*)’:
cuber_unlockbl.cpp:135:64: warning: ‘imagesize_actual’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  verify_image(image, image + imagesize_actual, imagesize_actual);
                                                                ^

Additionally, how exactly do we create the image file? (i.e. what format and all that)

icedtrip · Feb 14, 2015

This is great news! I'll take a further look tomorrow into trying this out. Getting late and time for bed.

dpeddi · Feb 14, 2015

As writtten before the unlock file is x9911223344 nothing more.

This file is encripted as well using similar method like the image files.

But is not hashed... just encripted with private key.

Image otherwise is hashed and just the hash is encripted.

I'm not interested in fixing code warning... if you want pull me the fix to github. I was interested only by unlock my device.

AmazonLeaker · Feb 14, 2015

dpeddi said:
I get to unlock the bootloader of my kindle hdx 8.9

Prerequisite: 1[34].3.1.0 < x < 1[34].3.2.4 (as it use the rsa bug)
Rooted kindle

cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial

create a file unlock.img with following content:
0xmmssssssss
where mm=manfid and ss=serial

encrypt it with my vortox fork of signing tool at

https://github.com/dpeddi/Cuber

./cuber_unlockbl --sign ./unlock.img ./unlock.signed

connect the hdx to a linux box and do following command:

./fastboot -i 0x1949 devices
./fastboot -i 0x1949 flash unlock unlock.signed
./fastboot -i 0x1949 reboot

adb shell
idme print
[...]
unlock_code: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMsv9S[...]WRUFx7FaA==

Regards and thank to all (Hashcode, Cpasjuste, Vortox...)

Hearty congratulations @dpeddi !!!!

Can you let us know which sw ver is this applicable to ?
As amazon is again allowing the roll back process with almost no questions asked, if this implies to the downgrade they are allowing its a massive win and breakthrough in HDX DEVELOPMENT (i dont exactly remember the version they are downgrading to - its the one that has been patched with vulnerability)

Edit: its 14.3.2.8

Edit 2 : i believe the answer would be NO, just compared the version number you mentioned, can there be any possibility for 14.3.2.8 version kindles to get root or downgrade or any thing ?

To be honest it would be a shame that just on software version kindle has no future and other software versions have

Again cheers for your achievement

dpeddi · Feb 14, 2015

Should be up to 3.2.4. However wit unlocked bl.. development should be a little safer.

Inviato dal mio GT-I9505 utilizzando Tapatalk

AmazonLeaker · Feb 14, 2015

dpeddi said:
Should be up to 3.2.4. However wit unlocked bl.. development should be a little safer.

Inviato dal mio GT-I9505 utilizzando Tapatalk

Yes true bit this clearly means that 14.3.2.8 will have no development right ?

dpeddi · Feb 14, 2015

Exactly. .. encrypted unlock file isn't valid with patched openssl vulnerability. However if you want you can give a try.. i've uploaded more time invalid unlock file with no issue.

dpeddi · Feb 14, 2015

I forgot to tell you that if you upgrade bootloader to newer image with fixed openssl you lost unlock.

rubinho · Feb 14, 2015

@dpeddi
I get an error message when I sign the file
I assume that this message is not normal.
My OS is Ubuntu 14.4 x64 and my HDX Modell is Thor 32GB (Bootloaderversion 3.2.3)

./cuber_unlockbl --sign ./unlock.img ./unlock.signed

[ STATUS ] Signing image... ./unlock.img
debug: imagefilesize, :13
debug: image 0x3312345678
[ STATUS ] Checking created signature...
[ STATUS ] Checking created image...
debug: plain_text 0x3312345678
[ ERROR ] Invalid signature

dpeddi · Feb 14, 2015

rubinho said:
@dpeddi
I get an error message when I sign the file
I assume that this message is not normal.
My OS is Ubuntu 14.4 x64 and my HDX Modell is Thor 32GB (Bootloaderversion 3.2.3)

Ok I'll fix the program. However if you have a signed image not empty it should be good.

Please ignore that error...

3am work not always is without stupid warning

dpeddi · Feb 14, 2015

fixed error, pull code again. . I confirm the error is not a true error

mxzwhx · Feb 14, 2015

Is this work on 14.3.1.0?I am little confused cause you said x>14.3.1.0

Sent from my MI 2C using XDA Free mobile app

dpeddi · Feb 14, 2015

mxzwhx said:
Is this work on 14.3.1.0?I am little confused cause you said x>14.3.1.0

Sent from my MI 2C using XDA Free mobile app

Sure, my wrong... I correct first post

mxzwhx · Feb 14, 2015

Thanks ,I've noticed one of step need a Linux box,but I just have a Windows PC as I think many people just like me as well,how do we fulfill that step?

Sent from my MI 2C using XDA Free mobile app

dpeddi · Feb 14, 2015

mxzwhx said:
Thanks ,I've noticed one of step need a Linux box,but I just have a Windows PC as I think many people just like me as well,how do we fulfill that step?

You need linux for all steps (both fastboot and signing).

I read here (at xda) that windows fastboot can't run with Kindle hdx.

rubinho · Feb 14, 2015

dpeddi said:
You need linux for all steps (both fastboot and signing).

I read here (at xda) that windows fastboot can't run with Kindle hdx.

Fastboot works fine on my Windows 8.1 x64
I use following Amazon adb/fastboot drivers.... https://mega.co.nz/#!8JtUkSyZ!UbWCYyHVlfpk51FMYzQ5wR89CLWu9gTccJFVEx0lhjI

I have the unlock procedure now been successfully completed. I think at least.

(thx @dpeddi)
Do you know a command that I can query the bootloader status ? "oem unlock" does not work
with "fastboot -i 0x1949 oem device-info" comes following message ... Device tampered: false. (whatever that means)

dpeddi · Feb 14, 2015

rubinho said:
Fastboot works fine on my Windows 8.1 x64
I use following Amazon adb/fastboot drivers.... https://mega.co.nz/#!8JtUkSyZ!UbWCYyHVlfpk51FMYzQ5wR89CLWu9gTccJFVEx0lhjI

I have the unlock procedure now been successfully completed. I think at least. (thx @dpeddi)
Do you know a command that I can query the bootloader status ? "oem unlock" does not work
with "fastboot -i 0x1949 oem device-info" comes following message ... Device tampered: false. (whatever that means)

Look at photo attached on my first post.

You should see unlock successful. Fastballs one unlock doesn't exist on our device.

Adb shell idme print should show you if unlock is ok.
You should see unlock code set with as ascii

rubinho · Feb 14, 2015

OK thx for the info.
The result was exactly as you described it have.
Thus my bootloader should be unlocked.

mxzwhx · Feb 14, 2015

Hello,can you teach me step by step to unlock the bootloader on Windows 8.1 64bit version ?I am afriad something would go wrong if I do it myself .

Sent from my Nexus HDX 8.9 using XDA Free mobile app

---------- Post added at 02:21 PM ---------- Previous post was at 02:18 PM ----------

rubinho said:
OK thx for the info.
The result was exactly as you described it have.
Thus my bootloader should be unlocked.

@rubinho, is that okay ?

Sent from my Nexus HDX 8.9 using XDA Free mobile app

[DEV] Bootloader unlock procedure and software

Senior Member

Attachments

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Similar threads

Top Liked Posts