
[DOWNGRADE] [UNBRICK] [TWRP] any Fire 7 2015, any softbrick

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
NOTE: This guide is deprecated, please refer to here


Hi Everyone,

Thanks to the awesome work of @xyz` it's just a matter of time until all the MTK-Devices are hacked. :D
For the Fire 7 2015 I present a way to recover any brick and to downgrade any version to the 5.0.1 preloader/lk.
This will allow running TWRP, as has been known for these versions:
Code:
fastboot boot twrp.img

This also allows getting an adb root-shell using
Code:
fastboot oem append-cmdline "androidboot.unlocked_kernel=true"

So far this has only been tested on Linux, but should theoretically also work on Windows (you will need to install the correct drivers). Windows is currently not supported.
Download the attached zip-file and run
Code:
./bootrom-step.sh

You will then need to get your tablet into boot-rom mode to continue.
To do this, first power off your device.
With older preloader versions you can then simply hold the left volume button while plugging the device in.
If you have a newer version, you will have to open the device and remove the metal shielding (it is clipped on).
Then connect the dot marked in the picture to ground (the cage is ground) using a paperclip or similar,
and while you are doing that, connect the tablet.

A successful Downgrade/Unbrick attempt will look like this:
Code:
[2019-01-29 02:45:45.724950] Waiting for bootrom
[2019-01-29 02:45:50.322991] Found port = /dev/ttyACM3
[2019-01-29 02:45:50.323733] Handshake
[2019-01-29 02:45:50.324554] Disable watchdog

 * * * Remove the short and press Enter * * * 


[2019-01-29 02:45:51.627402] Init crypto engine
[2019-01-29 02:45:51.647094] Disable caches
[2019-01-29 02:45:51.647573] Disable bootrom range checks
[2019-01-29 02:45:51.664056] Load payload from ../brom-payload/build/payload.bin = 0x45DC bytes
[2019-01-29 02:45:51.668210] Send payload
[2019-01-29 02:45:52.151926] Let's rock
[2019-01-29 02:45:52.152613] Wait for the payload to come online...
[2019-01-29 02:45:52.762757] all good
[2019-01-29 02:45:52.763430] Check GPT
[2019-01-29 02:45:53.056690] gpt_parsed = {'KB': (2048, 2048), 'DKB': (4096, 2048), 'EXPDB': (6144, 35584), 'UBOOT': (41728, 2048), 'boot': (43776, 32768), 'recovery': (76544, 32768), 'MISC': (109312, 1024), 'LOGO': (110336, 7168), 'TEE1': (117504, 10240), 'TEE2': (127744, 10240), 'system': (137984, 2457600), 'cache': (2595584, 512000), 'userdata': (3107584, 12162271), '': (0, 1)}
[2019-01-29 02:45:53.057001] Check boot0
[2019-01-29 02:45:53.261515] Check rpmb
[2019-01-29 02:45:53.470606] b'AMZN\x01\x00\x00\x00\x02\x00\x020\x02\x00]4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
[2019-01-29 02:45:53.471067] Downgrade rpmb
[2019-01-29 02:45:53.472914] Recheck rpmb
[2019-01-29 02:45:54.367002] rpmb downgrade ok
[2019-01-29 02:45:54.367393] Flash preloader
[247 / 247]
[2019-01-29 02:45:59.715624] Flash tz
[2079 / 2079]
[2019-01-29 02:46:43.189119] Flash lk
[795 / 795]
[2019-01-29 02:46:59.949855] Reboot

After that you will be able to boot twrp via
Code:
fastboot boot twrp.img

Note: If you are having issues communicating with the device, uninstall modemmanager.
On Debian (or a derivative) the following command will uninstall modemmanager:
Code:
sudo apt remove modemmanager

Source Code: https://github.com/chaosmaster/amonet/tree/mt8127
 

Attachments

  • fire7-brom.jpg
    fire7-brom.jpg
    106.2 KB · Views: 2,534
  • fire7-2015-downgrade-unbrick.zip
    1.4 MB · Views: 2,244
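Two things worth checking before trusting a run of the tool are whether the log actually reached every expected step (compare the successful run above with the Windows run later in this thread that dies at "Check GPT" with "read fail") and whether the partition table the payload read back is sane before anything is flashed. The following is an added example, not part of amonet or of this post; it assumes the "[timestamp] message" line format shown above and 512-byte eMMC sectors for the (start, size) pairs that the tool prints as gpt_parsed.

```python
"""Sanity checks for the bootrom-step log format printed in this thread.

Added example (not part of the amonet tool). It assumes the "[timestamp] message"
line format shown in the thread and 512-byte eMMC sectors for the (start, size)
pairs that the tool prints as gpt_parsed.
"""
import ast
import re

# Step messages in the order a successful run prints them (from the OP's log).
EXPECTED_STEPS = [
    "Waiting for bootrom", "Handshake", "Disable watchdog", "Init crypto engine",
    "Disable caches", "Disable bootrom range checks", "Send payload",
    "Wait for the payload to come online...", "Check GPT", "Check boot0",
    "Check rpmb", "Downgrade rpmb", "Recheck rpmb", "rpmb downgrade ok",
    "Flash preloader", "Flash tz", "Flash lk", "Reboot",
]
LINE_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\] (.*)$")
SECTOR = 512  # assumption: logical block size of the eMMC

# Excerpt of the successful run from the OP (sample input for the functions below).
SUCCESS_LOG = """\
[2019-01-29 02:45:45.724950] Waiting for bootrom
[2019-01-29 02:45:50.323733] Handshake
[2019-01-29 02:45:52.763430] Check GPT
[2019-01-29 02:45:53.056690] gpt_parsed = {'KB': (2048, 2048), 'DKB': (4096, 2048), 'EXPDB': (6144, 35584), 'UBOOT': (41728, 2048), 'boot': (43776, 32768), 'recovery': (76544, 32768), 'MISC': (109312, 1024), 'LOGO': (110336, 7168), 'TEE1': (117504, 10240), 'TEE2': (127744, 10240), 'system': (137984, 2457600), 'cache': (2595584, 512000), 'userdata': (3107584, 12162271), '': (0, 1)}
[2019-01-29 02:45:53.261515] Check rpmb
[2019-01-29 02:45:54.367002] rpmb downgrade ok
[2019-01-29 02:45:54.367393] Flash preloader
[2019-01-29 02:46:59.949855] Reboot
"""

# Excerpt of the failing Windows run posted later in the thread.
FAIL_LOG = """\
[2019-01-29 20:46:00.234375] Waiting for bootrom
[2019-01-29 20:46:16.796875] Handshake
[2019-01-29 20:46:26.765625] all good
[2019-01-29 20:46:26.765625] Check GPT
Traceback (most recent call last):
  File "main.py", line 33, in switch_user
    block = dev.emmc_read(0)
RuntimeError: read fail
"""


def parse_log(text):
    """Return (timestamp, message) pairs for the timestamped lines only."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def progress(text):
    """Report the furthest expected step seen, and whether the run finished or crashed."""
    messages = [msg for _, msg in parse_log(text)]
    reached = -1
    for i, step in enumerate(EXPECTED_STEPS):
        if any(msg.startswith(step) for msg in messages):
            reached = i
    return {
        "last_step": EXPECTED_STEPS[reached] if reached >= 0 else None,
        "finished": reached == len(EXPECTED_STEPS) - 1,
        "python_error": "Traceback (most recent call last):" in text,
    }


def parse_gpt(text):
    """Extract gpt_parsed as {name: (start_sector, size_sectors)}, dropping the dummy '' entry."""
    m = re.search(r"gpt_parsed = (\{.*\})", text)
    if m is None:
        return None
    table = ast.literal_eval(m.group(1))
    return {name: entry for name, entry in table.items() if name}


def check_layout(table):
    """List partitions that overlap their predecessor when sorted by start sector."""
    problems = []
    prev_name, prev_end = None, 0
    for name, (start, size) in sorted(table.items(), key=lambda kv: kv[1][0]):
        if start < prev_end:
            problems.append(f"{name} overlaps {prev_name}")
        prev_name, prev_end = name, start + size
    return problems


def byte_range(table, name):
    """(offset, length) in bytes of a partition, e.g. where a dumped UBOOT/lk image sits."""
    start, size = table[name]
    return start * SECTOR, size * SECTOR


if __name__ == "__main__":
    print(progress(SUCCESS_LOG))
    print(progress(FAIL_LOG))
    gpt = parse_gpt(SUCCESS_LOG)
    print("layout problems:", check_layout(gpt) or "none")
    print("UBOOT bytes:", byte_range(gpt, "UBOOT"))
```

On the OP's table every partition starts exactly where the previous one ends, so check_layout returns nothing; a table that fails this check is a reason to stop before the flash steps.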

Rortiz2

Senior Member
Mar 1, 2018
2,149
1,419
Barcelona
Amazon Fire HD 8 and HD 10
Will this work with the 7th gen?
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
Will this work with the 7th gen?
I don't have a 7th gen, so someone will have to try.
You will have to find a way to enter boot-rom mode.
I have attached a "safe" version, which just tries to run the exploit and readout partitions and rpmb.
You can test that and post the output.
If that works, we can try the 2015 preloader/lk on the 2017 fire. (Just need to have a backup ready, in case they don't work)

Old Devices = 5th Gen
New Devices = 7th Gen ???
Yes, 5th gen = 2015, 7th gen = 2017
Here is a nice overview:
https://developer.amazon.com/docs/fire-tablets/ft-device-and-feature-specifications.html
 

Attachments

  • fire7-2017-test.zip
    1.4 MB · Views: 674

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
I will get my 5th Gen tomorrow and test. I'm not home now. Oh yeah, I need to install Linux too.
So, you're telling me that the script will automatically downgrade my Fire? I mean, we don't need the old ROM files, right?
It might also work on windows, I just haven't tested it.
Yes it will downgrade the preloader, bootloader and tz which are included in the zip.
After that you can use TWRP to install any ROM you wish. ;)
 

Rortiz2

Senior Member
Mar 1, 2018
2,149
1,419
Barcelona
Amazon Fire HD 8 and HD 10
It might also work on windows, I just haven't tested it.
Yes it will downgrade the preloader, bootloader and tz which are included in the zip.
After that you can use TWRP to install any ROM you wish. ;)


Hello,
Three questions:
- Is it 100% safe?
- How do I open the tablet, because it is almost impossible?
- Where are the points to enter bootrom? Should we disarm?
This is the mainboard of the Fire 7 7th gen:
[image: photo of the Fire 7 7th gen mainboard]


https://www.youtube.com/watch?v=aD0nsvim_ow
 

bibikalka

Senior Member
May 14, 2015
1,370
1,090
With older preloader versions you can then simply hold the left volume button while plugging the device in.
If you have a newer version, you will have to open the device and remove the metal shielding (it is clipped on).
Then connect the dot marked in the picture to ground (the cage is ground) using a paperclip or similar,
and while you are doing that, connect the tablet.

Would you happen to know which older preloader versions can do this? Is it the ones that had UART output back in the day? Or is there a way to look at the preloader strings?
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
Hello,
Three questions:
- Is it 100% safe?
- How do I open the tablet, because it is almost impossible?
- Where are the points to enter bootrom? Should we disarm?
Well, I can't guarantee that it will be 100% safe. But if the boot-rom-exploit works there will always be a way to unbrick.
You probably need a prying tool/guitar pick to pry it open.
I don't know where they are on the 7th gen, since I don't own that device; most likely they will be close to the flash chip.
From the image it looks very similar to the 5th gen so take a look at the image attached to the OP.
Also take a look here: https://www.ifixit.com/Teardown/Amazon+Fire+5th+Generation+Teardown/54868

Would you happen to know which older preloader versions can do this? Is it the ones that had UART output back in the day? Or is there a way to look at the preloader strings?
To be honest, I can only tell you that it works on the 5.0.1 preloader, and doesn't work on the newest.
I haven't tested the versions in between.
 

Rortiz2

Senior Member
Mar 1, 2018
2,149
1,419
Barcelona
Amazon Fire HD 8 and HD 10
Hello,
Three questions:
- Is it 100% safe?
- How do I open the tablet, because it is almost impossible?
- Where are the points to enter bootrom? Should we disarm?
Well, I can't guarantee that it will be 100% safe. But if the boot-rom-exploit works there will always be a way to unbrick.
You probably need a prying tool/guitar pick to pry it open.
I don't know where they are on the 7th gen, since I don't own that device, most likely it will be close to the FLASH-chip.
From the image it looks very similar to the 5th gen so take a look at the image attached to the OP.
Also take a look here: https://www.ifixit.com/Teardown/Amazon+Fire+5th+Generation+Teardown/54868


To be honest, I can only tell you that it works on the 5.0.1 preloader, and doesn't work on the newest.
I haven't tested the versions in between.

OK, I will try it.
But what I want to know is how to remove the metal cover that is on top of the points to restart in bootrom.
 

bibikalka

Senior Member
May 14, 2015
1,370
1,090
To be honest, I can only tell you that it works on the 5.0.1 preloader, and doesn't work on the newest.
I haven't tested the versions in between.

OK. Is the method related to the unbrick thread from a while ago that uses AFTV2-tools? Here:
https://forum.xda-developers.com/amazon-fire/development/unbrick-fire-7-5th-gen-downgrade-t3388747

AFTV2-tools only worked for 5.1.1, but nothing beyond.

Btw, I'd like to try this on HD6/7 2014. Are these the same tools as AFTV2-tools? What scripts of yours should I modify to use it for Fire 2014?
https://forum.xda-developers.com/fire-hd/development/unbrick-fire-hd-6-7-flashing-lollipop-t3405797

I have a couple of weird HD6/7 bricks - tried to update LK/TZ/recovery already via aftv2-tools, but no luck. Perhaps updating rpmb (which seems to happen for Fire 7 during downgrade) might do the trick.

Update: How do I go about building a payload file for MT8135, as per this:
https://developer.amazon.com/docs/f....html#device-specifications-2014-2015-devices
 

blueberry.sky

Senior Member
Aug 20, 2014
400
150
Wow, this is great. I didn't expect after all these years we would get a new way in. My friend has 2 5th gens which sadly missed the original chance.

But what I want to know is how to remove the metal cover that is on top of the points to restart in bootrom
On the 5th gen, the metal cover is snapped onto a frame. For your device, it might be snap on too or it could be fully soldered down. :( Inspect the edge of the metal cover. If you can't tell, post good quality pics.
 

bibikalka

Senior Member
May 14, 2015
1,370
1,090
@k4y0z

Updating post, I totally forgot to start with the handshake, then plug in the device while pushing the button ... So with 5.1.2 bootloaders for Fire 7 I am getting a proper handshake, but things are crashing, perhaps because I am using Python3 under Windows XP. Anyway, will keep looking into this a bit. But this is good news, being able to go from 5.1.2 bootloaders to 5.0.1 is nice! The device calls itself "MTK USB Port". I tried the same for Fire HD 2014, it seems to go into the pre-loader mode, so I will keep trying.

Code:
C:\extra\android\fire_2015\fire7-2017-test\modules>python main.py
[2019-01-29 20:46:00.234375] Waiting for bootrom
[2019-01-29 20:46:16.765625] Found port = COM10
[2019-01-29 20:46:16.796875] Handshake
[2019-01-29 20:46:16.812500] Disable watchdog

 * * * Remove the short and press Enter * * *


[2019-01-29 20:46:21.265625] Init crypto engine
[2019-01-29 20:46:21.515625] Disable caches
[2019-01-29 20:46:21.515625] Disable bootrom range checks
[2019-01-29 20:46:21.640625] Load payload from ../brom-payload/build/payload.bin = 0x45DC bytes
[2019-01-29 20:46:21.656250] Send payload
[2019-01-29 20:46:26.156250] Let's rock
[2019-01-29 20:46:26.156250] Wait for the payload to come online...
[2019-01-29 20:46:26.765625] all good
[2019-01-29 20:46:26.765625] Check GPT
Traceback (most recent call last):
  File "main.py", line 128, in <module>
    main()
  File "main.py", line 64, in main
    switch_user(dev)
  File "main.py", line 33, in switch_user
    block = dev.emmc_read(0)
  File "C:\extra\android\fire_2015\fire7-2017-test\modules\common.py", line 185, in emmc_read
    raise RuntimeError("read fail")
RuntimeError: read fail


@Kramar111
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
OK. Is the method related to the unbrick thread from a while ago that uses AFTV2-tools ? Here:
https://forum.xda-developers.com/amazon-fire/development/unbrick-fire-7-5th-gen-downgrade-t3388747

AFTV2-tools only worked for 5.1.1, but nothing beyond.
Yes and no, it is based on @xyz`'s work for the HD8, which uses parts of aftv2-tools.
Since it is a boot-rom exploit though it will work on any firmware-version.

Btw, I'd like to try this on HD6/7 2014. Are these the same tools as AFTV2-tools? What scripts of yours should I modify to use it for Fire 2014?
The HD6/7 2014 are based on the MT8135 SOC for which no port exists yet.
So far there is xyz`s original work for MT8163 and my port for MT8127.
Porting the exploit to new hardware isn't an easy task.

I have a couple of weird HD6/7 bricks - tried to update LK/TZ/recovery already via aftv2-tools, but no luck. Perhaps updating rpmb (which seems to happen for Fire 7 during downgrade) might do the trick.
Yes that would work, but needs porting of the exploit. I don't have any hardware based on MT8135, so I can't help with that.

On the 5th gen, the metal cover is snapped onto a frame. For your device, it might be snap on too or it could be fully soldered down. :( Inspect the edge of the metal cover. If you can't tell, post good quality pics.
I believe on the 7th gen it sadly is soldered on :/

@k4y0z

Updating post, I totally forgot to start with the handshake, then plug in the device while pushing the button ... So with 5.1.2 bootloaders for Fire 7 I am getting a proper handshake, but things are crashing, perhaps because I am using Python3 under Windows XP. Anyway, will keep looking into this a bit. But this is good news, being able to go from 5.1.2 bootloaders to 5.0.1 is nice! The device calls itself "MTK USB Port". I tried the same for Fire HD 2014, it seems to go into the pre-loader mode, so I will keep trying.


That's interesting, it looks like the payload successfully executed, but then fails to read for some reason.
If you have serial connected to the fire, it would be interesting to see, what it prints.
 

Rortiz2

Senior Member
Mar 1, 2018
2,149
1,419
Barcelona
Amazon Fire HD 8 and HD 10
I believe on the 7th gen it sadly is soldered on :/



That's interesting, it looks like the payload successfully executed, but then fails to read for some reason.
If you have serial connected to the fire, it would be interesting to see, what it prints.

Oh f**. Then there is no root ... If I have to disarm..
 

bibikalka

Senior Member
May 14, 2015
1,370
1,090
Yes and no, it is based on @xyz`'s work for the HD8, which uses parts of aftv2-tools.
Since it is a boot-rom exploit though it will work on any firmware-version.


The HD6/7 2014 are based on the MT8135 SOC for which no port exists yet.
So far there is xyz`s original work for MT8163 and my port for MT8127.
Porting the exploit to new hardware isn't an easy task.

Agreed. HD 2014 was a more powerful device than Fire 7, but more expensive. So fewer people have it, and the hacking talent pool is far more limited. Anyway, we'll keep trying.


That's interesting, it looks like the payload successfully executed, but then fails to read for some reason.
If you have serial connected to the fire, it would be interesting to see, what it prints.

This bootloader version 5.1.2 for Fire 7 can output UART over the USB connection. But I need to figure out how to have both the normal USB cable connected to a computer, and then spliced in wires to be reading UART output at the same time over the same cable, as per this:

https://forum.xda-developers.com/showpost.php?p=65585385&postcount=16
https://forum.xda-developers.com/showpost.php?p=65588189&postcount=18

Pinging the prior crew:
@hwmod, @sd_shadow, @Tomsgt, @Davey126, @DragonFire1024, @Rortiz2, @noelcragg, @zeroepoch
 

Rortiz2

Senior Member
Mar 1, 2018
2,149
1,419
Barcelona
Amazon Fire HD 8 and HD 10
I believe on the 7th gen it sadly is soldered on :/



That's interesting, it looks like the payload successfully executed, but then fails to read for some reason.
If you have serial connected to the fire, it would be interesting to see, what it prints.

Hi, bad news... I have opened the Fire 7 7th gen and this is what I have found... It is soldered down... I have found these points (see attachments).
 

Attachments

  • IMG_20190130_162627.jpg
    IMG_20190130_162627.jpg
    245.7 KB · Views: 440
  • IMG_20190130_162525.jpg
    IMG_20190130_162525.jpg
    219.8 KB · Views: 438
  • IMG_20190130_162502.jpg
    IMG_20190130_162502.jpg
    259.8 KB · Views: 411
  • IMG_20190130_162646.jpg
    IMG_20190130_162646.jpg
    240.2 KB · Views: 450

bibikalka

Senior Member
May 14, 2015
1,370
1,090
@k4y0z

It looks like for "live" Fire 7 2015 tablets with any ROM version (!!!) there is an easy way to get into 5.0.1 TWRP without opening the case!!! Yay!

See this:
https://forum.xda-developers.com/showpost.php?p=78796634&postcount=135

Method:

1) Brick the tablet by sideloading 5.0.1 ROM from here:
http://kindle-fire-updates.s3.amazo...ZjK/update-kindle-37.5.2.2_user_522054520.bin

2) For the bricked tablet, 5.0.1 preloader will enter the bootrom mode via the left volume button press (this happens before the anti-rollback check!!!).

3) Run the tools from this thread to zero out RPMB (can you make a clean version that only does this, and nothing else?)

4) Boot into the tethered TWRP since 5.0.1 should be able to boot now - and do whatever you want (root, custom ROM, etc)

5) Profit!!!

Once we have a brave volunteer to try this, could you put this information into post #1 ?

---------- Post added at 06:21 PM ---------- Previous post was at 06:20 PM ----------

Hi, bad news... I have opened the Fire 7 7th gen and this is what I have found... It is soldered down... I have found these points (see attachments).

Once somebody brave enough removes the cover and finds the right contact to short, one could simply drill a hole in the right spot - that's quicker than removing the whole shield.
 

ANDROID2468

Senior Member
Oct 19, 2016
375
140
Nashville
Hi, bad news... I have opened the Fire 7 7th gen and this is what I have found... It is soldered down... I have found these points (see attachments).

Yeah, but I took the risk of removing the shield. I used a pocket knife and needle-nose pliers. I got some board damage but it still works.
https://imgur.com/a/YRxzM6y

Update: I was really close to damaging some traces. :( Yeah, I don't recommend doing it this way.
 

Top Liked Posts

OK, for anyone willing to test on a 5th gen, I have a preview for you.
bootrom-step.sh will bring you into a hacked fastboot.
fastboot-step.sh will flash TWRP and reboot into it.

After this you should already be able to get an adb root shell.

If you want complete root, you can install Magisk from TWRP.

Only ever install boot images using TWRP, don't use Magisk Manager to update/install.
This will not disable OTA, you will have to do that yourself.

This is a preview only, but I didn't find any issues. If I get back a few positive reports, I will create a separate thread with a complete guide.
Nice work!

But, I am confused. Is it not possible to boot into TWRP the old way, flash a zip with your new LK & TWRP, and simply reboot into recovery, your new TWRP?
That will not work, the lk-payload is stored on boot0; also the new LK probably won't work because RPMB isn't reset.

Btw, did you disable LK version updates to RPMB?
What do you mean? The preloader writes the RPMB.


Also, FireOS 5 is Lollipop 5.11, is there any reason not to stick with the golden SuperSU 2.82SR5? In Lollipop the system root mode works great.
I suppose SuperSU would work just as well, minus the root hiding and other features of Magisk.

The biggest value I see is in having TWRP in recovery, and having the untethered TWRP option.

Or am I missing the bigger picture here?
This opens up the door for newer ROMs, given that developers could now build custom kernels.
@ggow @csolanol tagging you here :p

WiFi does not work on any firmware I tried so far
Just noticed, as a quick fix, flash the tz.bin from the zip in the first post and zero out RPMB.
Will post an update later.
@k4y0z If the computer detects the tablet like this (see image), is it in BootROM?
[image: screenshot of the device manager entry]

PS: Ubuntu does not detect the Fire in BootROM mode after uninstalling modemmanager...
@ANDROID2468 How does Windows detect your tablet in BootROM mode? As in my photo (#0003)?

You need to check the "Detalles" tab for a HW ID like USB\VID_0E8D&PID_0003. The #0003 tag in that window is something else. Having the modemmanager thing installed cannot possibly help.
I have an unrooted Fire 7 2015 (running OS 5.6.0.0 or 5.6.0.1) and I plan to use the method described in this thread to enable root. Once I have the 5.01 bootloader installed, do I need to use adb to root or can I just flash SuperSU from TWRP?
Do I need to change the versions of LK and TZ to work with this later software version? How do I do this? Can I just download suitable LK/TZ files and replace the ones in the zip file used to carry out the downgrade procedure?

You may want to start by bricking it via 5.0.1 sideload. Then you have a 5.0.1 preloader that can use the scripts here without opening the tablet. You can boot TWRP from fastboot, but cannot save it into the recovery partition.