
Fire 7 (2019, mustang) unbrick, downgrade, unlock & root


waylo

Senior Member
May 9, 2010
1,670
489
Hi everyone,

Started perusing this thread after my toddler became of age and started getting interested in this tablet. It is practically unusable in its native state due to its sluggishness!

From what I've read, the hardware version is important because the HW exploit was patched in later versions. Just a few questions for the veterans in the thread:

1. I purchased mine in Nov of 2019. Does this mean the hardware exploit will probably work?

2. I couldn't turn off the software updates until just now, so I'm on the latest Fire OS 7.3.2.1. Does this prevent the software exploit from working now?

Thanks for any direction.
 

Soniciso1

Member
Jul 26, 2020
10
1
Fire 7 9th gen on 7.3x. Software method absolutely would not work (not a noob and did everything right). I ended up doing the hw method and it was actually a ****load faster and worked first try. I soldered the wire to the point and then fastened it with heavy duty body tape and loosened the screw and fastened it in until I needed to unfasten. I left it soldered in until I was 100% done flashing all my files, then I fully desoldered the wire and put the case back. I attached a photo of the wire install for reference. Unless someone can prove otherwise I'm pretty sure the software method won't work on the 7 9th gen end of life (EOL) firmware. I get why cell phones need locked bootloaders but have no clue why it's necessary to lock them on tablets and ATV devices. I actually did all this on a HP Chromebox G1 that I threw MrChromebox's cfw on and installed Ubuntu 20 on (which worked 100% out of the box); all I did extra was apt install adb, apt install fastboot, apt install pip3, pip3 install pyserial, and disabled ModemManager. After I satisfied those prerequisites and jumped the bootloader point every step worked with not one issue. Hope it helps.
 

Attachment: PXL_20210919_052035041.jpg (2.1 MB)

Sep 17, 2021
18
4
Make sure to read this guide completely before starting.

You will lose all data on the tablet, make a backup of important data before you start.

What you need:
- a Linux installation. Don't use a VM! Use a live USB, if you don't have Linux installed, but don't use a virtual machine.
- a microusb cable to connect your tablet to the PC
- (if you go with hw option) some way to open the tablet (pry tool, opening picks, etc)
- (if you go with hw option) something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- (if you go with sw option) mtk-su from https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
- amonet-mustang.zip from this post
- finalize.zip from this post
- update-kindle-NS6312_user_1827_0002517050244.bin: https://fireos-tablet-src.s3.amazon...ate-kindle-NS6312_user_1827_0002517050244.bin
- Magisk-v19.3.zip: https://github.com/topjohnwu/Magisk/releases/download/v19.3/Magisk-v19.3.zip

Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".

0. Disconnect the tablet and all other Android devices from the PC.
1. Back up whatever important data you have on the device and perform a complete factory reset of the tablet. When going through the initial setup, don't connect to a network (see below on how to do that).
2. Disable or uninstall ModemManager from your Linux installation
3. At this point you need to get your tablet into the bootrom download mode. There are two ways it can be achieved.
a) If your tablet works, you can use the software method (which doesn't require opening the tablet) or the hardware method. Note that if something goes horribly wrong, you might still be required to open up the tablet.
b) If your tablet doesn't boot (bricked), you can only use the hardware method

----------------------------------------------------------------------------------------------------

Software method:
This will get you into bootrom mode by obtaining temporary root and temporarily bricking the device.

1. Download mtk-su from https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
2. Enable developer mode and USB debugging on the tablet
3. Unzip the mtk-su archive
4. Transfer the executable to your tablet: "adb push arm/mtk-su /data/local/tmp"
5. Run "adb shell"
6. Keep the screen on and run the following commands in the shell on the device:
Code:
cd /data/local/tmp
./mtk-su
getenforce # Just to confirm it says Permissive
echo 0 > /sys/block/mmcblk0boot0/force_ro
dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8

This is the sort of output you should see for that step:

Code:
[email protected]:~/Downloads/mtk-su $ adb shell
mustang:/ $ cd /data/local/tmp
mustang:/data/local/tmp $ ./mtk-su
New UID/GID: 0/0
mustang:/data/local/tmp # getenforce
Permissive
mustang:/data/local/tmp # echo 0 > /sys/block/mmcblk0boot0/force_ro
mustang:/data/local/tmp # dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8
8+0 records in
8+0 records out
4096 bytes transferred in 0.001 secs (4096000 bytes/sec)
mustang:/data/local/tmp #

Don't close the console just yet.

Hardware method:
This will get you into bootrom mode by opening up the tablet and shorting a point to the ground.

1. Shut your device down and disconnect it from USB
2. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
3. You will need to get something conductive and temporarily connect a point to the ground. A point suggested by @ggow is: https://forum.xda-developers.com/showpost.php?p=79683131&postcount=22. You will need to pop up the metallic shield to access it. Alternatively, there are multiple points on the back of the PCB which also work (marked as CLK/CMD/DAT0).

----------------------------------------------------------------------------------------------------

4. At this point if you went with software method, you should have a root shell open, and if you went with the hardware method you should have a capacitor or a testpoint grounded to the shield.

5. Now, open another terminal on your PC, extract amonet-mustang.zip, navigate to it, and run `sudo ./bootrom-step.sh`. It should print "Waiting for the bootrom".
6.
a) For the software method, you should already have the USB cable plugged in. Type "reboot" in the first terminal (the one that's running "adb shell"). [If you're trying this for the second time because it didn't work the first time, you won't have an "adb shell" terminal. In that case, just plugging the USB cable in should be enough.]
b) For the hardware method, ensure the short is applied and then plug in the USB cable.

7. You should see the following device appear in your "dmesg" log:

Code:
[1141765.113884] usb 3-1.4.3.1: USB disconnect, device number 59
[1141783.057101] usb 3-1.4.3.1: new full-speed USB device number 60 using xhci_hcd
[1141783.226498] usb 3-1.4.3.1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[1141783.226502] usb 3-1.4.3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[1141783.506877] cdc_acm 3-1.4.3.1:1.0: ttyACM0: USB ACM device

This *must* be the device you see. If you see a "preloader" device instead, your short probably didn't work (for the hw method), or your system inexplicably didn't brick (for the sw method). Unplug everything and try again. If the tablet doesn't shut down, you might need to open it up and disconnect the battery.

8. The script should now tell you to remove the short. If you went with hardware method, you do need to remove it first. Otherwise, just press Enter.
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:

Code:
[2019-06-30 02:48:59.334098] Waiting for bootrom
[2019-06-30 02:50:41.179571] Found port = /dev/ttyACM0
[2019-06-30 02:50:41.180204] Handshake

* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *


[2019-06-30 02:50:49.195782] Init crypto engine
[2019-06-30 02:50:49.214278] Disable caches
[2019-06-30 02:50:49.214801] Disable bootrom range checks
[2019-06-30 02:50:49.229877] Load payload from ../brom-payload/build/payload.bin = 0x46B8 bytes
[2019-06-30 02:50:49.233418] Send payload
[2019-06-30 02:50:49.958957] Let's rock
[2019-06-30 02:50:49.959812] Wait for the payload to come online...
[2019-06-30 02:50:50.904341] all good
[2019-06-30 02:50:50.904714] Check GPT
[2019-06-30 02:50:51.240034] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-06-30 02:50:51.240157] Check boot0
[2019-06-30 02:50:51.485287] Check rpmb
[2019-06-30 02:50:51.695083] Downgrade rpmb
[2019-06-30 02:50:51.696759] Recheck rpmb
[2019-06-30 02:50:52.591407] rpmb downgrade ok
[2019-06-30 02:50:52.837668] Clear preloader 1
[1 / 1]
[2019-06-30 02:50:52.859908] Clear preloader 2
[1 / 1]
[2019-06-30 02:50:52.882059] Flash lk-payload
[4 / 4]
[2019-06-30 02:50:53.214382] Flash tz
[5547 / 5547]
[2019-06-30 02:52:51.150851] Flash lk
[651 / 651]
[2019-06-30 02:53:05.192112] Inject microloader
[4 / 4]
[2019-06-30 02:53:05.524154] Flash preloader
[271 / 271]
[2019-06-30 02:53:11.525329] Restore preloader
[8 / 8]
[2019-06-30 02:53:11.695348] Reboot to unlocked fastboot

If the script freezes at some point, you will have to restart it. Terminate the script, then immediately run `sudo ./bootrom-step.sh` again. The exploit is set up so that after about 40 seconds of inactivity it reboots your device and drops you back into the bootrom mode, which the script is waiting for. If you cannot restart the process, you might have to open up the tablet and replug the battery to completely power off the device.

10. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
11. Once the device boots to fastboot (check with "fastboot devices"; you should also see amazon logo on the screen.), you can run "sudo ./fastboot-step.sh".
12. At this point the device should boot into recovery, however the screen will be off. Just press the power button twice and the screen should turn on.
13. Success! You now have a custom recovery installed that can be accessed by holding down power and volume down (the leftmost) buttons. At this point if you came here from a custom ROM thread you should probably follow the ROM installation instructions. Alternatively, the next steps will detail installing a stock firmware and rooting it with Magisk.

----------------------------------------------------------------------------------------------------

14. We'll now upload required files to the recovery. On your PC, do:

adb push update-kindle-NS6312_user_1827_0002517050244.bin /sdcard/fw.zip
adb push Magisk-v19.3.zip /sdcard
adb push finalize.zip /sdcard

15. In the recovery, go to "Install", navigate to "/sdcard" and flash fw.zip
16. Go to "Wipe" and do the default wipe, then reboot
17. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "Skip setup" and "Skip" in the dialog pop-up again
18. Wait for the update to finish (wait until the updating fire notification disappears)
19. Hold down the power button, press Restart and hold volume down to boot into recovery.
20. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v19.3.zip
21. Press back, select finalize.zip and flash it
22. Once finalize.zip is flashed, press "Reboot System"

VERY IMPORTANT STUFF:
Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).

Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.


To uninstall the hack and revert back to stock:
- Download an update package to your PC (the update-kindle-NS6312_user_1827_0002517050244.bin file)
- Flash revert-stock-mustang.zip from TWRP
- Perform the default wipe
- Reboot to recovery; you should see amazon recovery now
- Select "apply update from ADB" in the recovery menu
- Run "adb sideload update-kindle-NS6312_user_1827_0002517050244.bin" on your PC


Other misc information / troubleshooting:
- If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
- If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
- If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
- To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)

Thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools: for an implementation of mtk download protocol, @diplomatic for mtk-su, @Michajin for testing the instructions.
Shell output after

mustang:/ $ cd /data/local/tmp
mustang:/data/local/tmp $ ./mtk-su
Failed critical init step 3
1|mustang:/data/local/tmp $ getenforce # Just to confirm it says Permissive
Enforcing
mustang:/data/local/tmp $ echo 0 > /sys/block/mmcblk0boot0/force_ro
/system/bin/sh: can't create /sys/block/mmcblk0boot0/force_ro: Permission denied
1|mustang:/data/local/tmp $ dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8
dd: /dev/block/mmcblk0boot0: Permission denied

Fire OS 7.3.2.1 - Just updated because original post didn't say there was anything wrong with updating.

Do I have to try HW method?
 
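One way to automate the dmesg check from step 7 of the guide, as an added example that is not part of the guide or of the amonet tooling: it parses kernel USB messages, classifies the attached MediaTek device as bootrom or preloader, and picks out the ttyACM port the script later reports. The 0e8d:0003 bootrom ID and the sample lines come from the guide's own excerpt; the 0e8d:2000 preloader ID and the "MT65xx Preloader" product string are assumptions.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# 0e8d:0003 is the bootrom device shown in the guide's dmesg excerpt.
# 0e8d:2000 and the "MT65xx Preloader" product string are assumed here to
# identify the preloader VCOM device; the guide does not give that ID.
MTK_VID = "0e8d"
BOOTROM_PID = "0003"
PRELOADER_PID = "2000"

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
NEW_DEV = re.compile(
    r"usb (?P<bus>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"usb (?P<bus>[\d.-]+): Product: (?P<product>.+)$")
ACM = re.compile(r"cdc_acm (?P<bus>[\d.-]+):\d+\.\d+: (?P<tty>ttyACM\d+): USB ACM device")
DISCONNECT = re.compile(r"usb (?P<bus>[\d.-]+): USB disconnect")


@dataclass
class MtkDevice:
    bus: str
    vid: str
    pid: str
    product: str = ""
    tty: Optional[str] = None

    @property
    def mode(self) -> str:
        if self.pid == BOOTROM_PID:
            return "bootrom"
        if self.pid == PRELOADER_PID or "preloader" in self.product.lower():
            return "preloader"
        return "unknown"


def classify(dmesg: str) -> Optional[MtkDevice]:
    """Return the most recently attached MediaTek device that is still connected."""
    connected: Dict[str, MtkDevice] = {}  # keyed by USB bus path, insertion-ordered
    for raw in dmesg.splitlines():
        line = TIMESTAMP.sub("", raw)
        m = DISCONNECT.search(line)
        if m:
            connected.pop(m["bus"], None)  # device went away; forget it
            continue
        m = NEW_DEV.search(line)
        if m:
            connected[m["bus"]] = MtkDevice(m["bus"], m["vid"], m["pid"])
            continue
        m = PRODUCT.search(line)
        if m and m["bus"] in connected:
            connected[m["bus"]].product = m["product"].strip()
            continue
        m = ACM.search(line)
        if m and m["bus"] in connected:
            connected[m["bus"]].tty = "/dev/" + m["tty"]
    mtk = [d for d in connected.values() if d.vid == MTK_VID]
    return mtk[-1] if mtk else None


def next_step(dev: Optional[MtkDevice]) -> str:
    """Map the observed device to the action the guide prescribes at step 7."""
    if dev is None:
        return "no MediaTek device connected: check the cable and ModemManager, then retry"
    if dev.mode == "bootrom":
        return f"bootrom on {dev.tty or '(no ttyACM yet)'}: bootrom-step.sh can proceed"
    if dev.mode == "preloader":
        return ("preloader seen instead of bootrom: the short did not work (hw) "
                "or the device did not brick (sw); unplug everything and retry")
    return f"unexpected MediaTek device {dev.vid}:{dev.pid}"


# Sample input: the bootrom dmesg lines from the guide.
BOOTROM_SAMPLE = """\
[1141765.113884] usb 3-1.4.3.1: USB disconnect, device number 59
[1141783.057101] usb 3-1.4.3.1: new full-speed USB device number 60 using xhci_hcd
[1141783.226498] usb 3-1.4.3.1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[1141783.226502] usb 3-1.4.3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[1141783.506877] cdc_acm 3-1.4.3.1:1.0: ttyACM0: USB ACM device
"""

# Constructed sample of a preloader enumeration (IDs and strings are assumptions).
PRELOADER_SAMPLE = """\
[  42.100000] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  42.200000] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[  42.200100] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  42.200200] usb 1-2: Product: MT65xx Preloader
[  42.300000] cdc_acm 1-2:1.0: ttyACM1: USB ACM device
"""

if __name__ == "__main__":
    # Usage: dmesg | python3 mtk_usb_check.py
    print(next_step(classify(sys.stdin.read())))
```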
Sep 17, 2021
18
4
Finally bricked with software method.

I'm trying to find a picture of where I can put my wire for the hardware method.

SOLVED:
My battery was empty, so I just disconnected the battery and plugged in USB with the paperclip, and I got bootrom.

Great !!
How did you get the metal backing in the first pic off?

EDIT:

Metal casing comes off quite easily when you work it from the bottom
 
Sep 17, 2021
18
4
Fire 7 9th gen on 7.3x. Software method absolutely would not work (not a noob and did everything right). I ended up doing the hw method and it was actually a ****load faster and worked first try. I soldered the wire to the point and then fastened it with heavy duty body tape and loosened the screw and fastened it in until I needed to unfasten. I left it soldered in until I was 100% done flashing all my files, then I fully desoldered the wire and put the case back. I attached a photo of the wire install for reference. Unless someone can prove otherwise I'm pretty sure the software method won't work on the 7 9th gen end of life (EOL) firmware. I get why cell phones need locked bootloaders but have no clue why it's necessary to lock them on tablets and ATV devices. I actually did all this on a HP Chromebox G1 that I threw MrChromebox's cfw on and installed Ubuntu 20 on (which worked 100% out of the box); all I did extra was apt install adb, apt install fastboot, apt install pip3, pip3 install pyserial, and disabled ModemManager. After I satisfied those prerequisites and jumped the bootloader point every step worked with not one issue. Hope it helps.
It's also called a heat shield for anyone wondering. When shorting, connect the conductor to a dot and the casing of the heat shield.
 
Sep 17, 2021
18
4
Hi All
First attempt and managed to get it working, just wanted to add a few notes on some troubles I had, hope it helps others.

Using Ubuntu live CD, couldn't install adb so I had to download the file structure manually (on another XDA thread, just Google it) and copy it over, no big deal but meant I had to put ./ in front of any fastboot or adb command.

ModemManager I had to disable and then stop via commands:
systemctl disable ModemManager.service
systemctl stop ModemManager.service

Tried the software version, no luck with the firmware, did the hardware method. Easy enough, pry around the outside with a thin plastic tool, snap it off. Just pull hard at the heat shield and go around it and it will come off; it's tougher than it looks. Put a metal paper clip, one end on what the diagram shows, the other end touching the metal shrink around the outside. Keep it face down and plug in the USB and it worked first time.

I had an error with step 11, when I ran the fastboot command I got an error saying couldn't find fastboot; the issue was the fastboot-step.sh needed editing to put ./ in front of anything that had fastboot (lines 5, 6 and 7 from memory). This will be needed by anyone who doesn't install adb/fastboot directly.

Then everything ran fine but got stuck on the Fire boot screen, had to load back into TWRP and factory reset again for it to work.

Hope that helps anyone, but don't be scared to give it a go.
Having problems taking off the metal casing... the heat shield? How did you get it off?
 

Phil750123

Senior Member
Apr 6, 2010
817
130
Birmingham, UK
Having problems taking off the metal casing... the heat shield? How did you get it off?
Just keep trying, be patient with it but firm. Takes more effort than you think, but with a decent plastic pry tool work around the edge going round a few times and it'll come off eventually. Heating it with a hairdryer might help if you're really struggling.
 
Sep 17, 2021
18
4
Just keep trying, be patient with it but firm. Takes more effort than you think, but with a decent plastic pry tool work around the edge going round a few times and it'll come off eventually. Heating it with a hairdryer might help if you're really struggling.
Thanks a lot. Just done it. Now going forward will it work with 7.3.2.1? I know you can come back from softbrick but what are the chances of hard brick?
 
Sep 17, 2021
18
4
Just try to follow the procedure; if you can't see "MT6627" under lsusb while shorting, it's probably patched.
I got

[2021-09-19 22:08:01.830606] Waiting for bootrom
[2021-09-19 22:14:51.117273] Found port = /dev/ttyACM0
[2021-09-19 22:14:51.156682] Handshake

* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *

Traceback (most recent call last):
File "main.py", line 161, in <module>
main()
File "main.py", line 82, in main
load_payload(dev, "../brom-payload/build/payload.bin")
File "/home/xxx/Downloads/Package/amonet-mustang/modules/load_payload.py", line 99, in load_payload
dev.write32(0x10007008, 0x1971) # low-level watchdog kick
File "/home/xxx/Downloads/Package/amonet-mustang/modules/common.py", line 147, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/xxx/Downloads/Package/amonet-mustang/modules/common.py", line 84, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
 
Sep 17, 2021
18
4
Just try to follow the procedure; if you can't see "MT6627" under lsusb while shorting, it's probably patched.
Nothing happened, so I disconnected USB, then the battery, then reconnected both. Black screen, but the Amazon sound went off twice. Then the terminal gave:

[2021-09-19 22:16:30.914182] Waiting for bootrom
[2021-09-19 22:16:43.735687] Found port = /dev/ttyACM0
[2021-09-19 22:16:43.736460] Handshake
run lsusb
sudo /home/xxx/Downloads/Package/amonet-mustang/bootrom-step.sh

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 501, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "main.py", line 161, in <module>
main()
File "main.py", line 79, in main
handshake(dev)
File "/home/xxx/Downloads/Package/amonet-mustang/modules/handshake.py", line 9, in handshake
dev.handshake()
File "/home/xxx/Downloads/Package/amonet-mustang/modules/common.py", line 97, in handshake
c = self._writeb(b'\xa0')
File "/home/xxx/Downloads/Package/amonet-mustang/modules/common.py", line 92, in _writeb
return self.dev.read()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 509, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
 

Shell output after

mustang:/ $ cd /data/local/tmp
mustang:/data/local/tmp $ ./mtk-su
Failed critical init step 3
1|mustang:/data/local/tmp $ getenforce # Just to confirm it says Permissive
Enforcing
mustang:/data/local/tmp $ echo 0 > /sys/block/mmcblk0boot0/force_ro
/system/bin/sh: can't create /sys/block/mmcblk0boot0/force_ro: Permission denied
1|mustang:/data/local/tmp $ dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8
dd: /dev/block/mmcblk0boot0: Permission denied

Fire OS 7.3.2.1 - Just updated because original post didn't say there was anything wrong with updating.

Do I have to try HW method?
Bro the hw method was a million times easier than the sw method. I literally had 0 luck with mtk-su. I kept getting errors. The hw method worked first try after soldering a wire to the test point and grounding it to a chassis screw. The heat shield was very simple to pry off. I took a knife (very carefully!), put it sideways between the main heat shield and the one next to it and used the second shield as leverage to pry the main shield off. Took very little effort. Once the first side popped off the rest came off by hand. I tried tweezers and paperclip to perform the jump but no dice. Soldering the wire to the test point and grounding it with a screw was the only thing that worked. I'm thinking about maybe installing a push switch on to the point and a ground so I can always have access to bootloader mode, as I almost ****ed up and updated my device. It almost updated when booting the stock rom I flashed from the OP. It almost updated when I booted the stock rom (as it mentions to do in the first step after you have TWRP running). I avoided this when I saw "updating" on the screen shortly after I set up wifi by holding down power. Once back in TWRP I removed the stock rom provided in the first post and replaced it with Lineage 14.1 and Gapps. So instead of flashing in the order of the first post I did this: 1- flash Lineage 14.1, 2- flash Gapps, then wipe dalvik and cache and reboot. Then reboot back into TWRP using vol and power and flash finalize, then flash Magisk and reboot. Do not ever use Magisk to install Magisk to the device. Instead grab the latest Magisk, rename it from .apk to .zip and flash it via TWRP. Flashing Magisk using the apk and within AOS will result in a bootloop no matter what rom you use. I tried a few dif ones. So far the best and last one I will install is 14.x. I tried 17 beta but it ran stupid slow and I suspect the dev will not update it due to hw limitations.
Then I tried the one before it and it had slight speed improvement but still not what I was looking for. Going to 14 did the trick. Basically if you're gonna use any custom roms get anything based on Android 7 only, as Android 8, 9 and 10 are not supported even stock due to slow hw. Hell, even my Nokia 8.1 can't support Android 12 and it's similar to my Pixel 4a.
Hw method isn't patched, pretty sure it's not possible to patch it without a hardware change which I believe was done in newer models. My 7 was on the end of life firmware when I started this venture. The sw method was in fact patched after 6.3.x. The hw method worked flawlessly when executed properly. By properly I mean solder the wire to the test point and don't use tweezers or paper clip. I didn't have luck with my tweezers. Same tweezers I hacked a Nintendo Wii with years back. The point is just too damn tiny. Also don't use anything thicker than 30awg as you will def pull that trace out, then would need to find an alt point.
I'm sorry to tell you that you are not right. If you read this thread, you will see that many people with new HW revisions have not been able to unlock their tablets (i.e. this thread). I would not recommend soldering the pads unless you know what you're doing and you have enough knowledge to do it, since a few people have killed their devices by soldering these pads (see FireTV 2 unlock thread as an example).
  • 46
    Make sure to read this guide completely before starting.

    You will lose all data on the tablet, make a backup of important data before you start.

    What you need:
    - a Linux installation. Don't use a VM! Use a live USB, if you don't have Linux installed, but don't use a virtual machine.
    - a microusb cable to connect your tablet to the PC
    - (if you go with hw option) some way to open the tablet (pry tool, opening picks, etc)
    - (if you go with hw option) something conductive (metal tweezers, a paper clip, a piece of wire, etc)
    - (if you go with sw option) mtk-su from https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
    - amonet-mustang.zip from this post
    - finalize.zip from this post
    - update-kindle-NS6312_user_1827_0002517050244.bin: https://fireos-tablet-src.s3.amazon...ate-kindle-NS6312_user_1827_0002517050244.bin
    - Magisk-v19.3.zip: https://github.com/topjohnwu/Magisk/releases/download/v19.3/Magisk-v19.3.zip

    Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".

    0. Disconnect the tablet and all other Android devices from the PC.
    1. Back up whatever important data you have on the device and perform a complete factory reset of the tablet. When going through the initial setup, don't connect to a network (see below on how to do that).
    2. Disable or uninstall ModemManager from your Linux installation
    3. At this point you need to get your tablet into the bootrom download mode. There are two ways it can be achieved.
    a) If your tablet works, you can use the software method (which doesn't require opening the tablet) or the hardware method. Note that if something goes horribly wrong, you might still be required to open up the tablet.
    b) If your tablet doesn't boot (bricked), you can only use the hardware method

    ----------------------------------------------------------------------------------------------------

    Software method:
    This will get you into bootrom mode by obtaining temporary root and temporarily bricking the device.

    1. Download mtk-su from https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
    2. Enable developer mode and USB debugging on the tablet
    3. Unzip the mtk-su archive
    4. Transfer the executable to your tablet: "adb push arm/mtk-su /data/local/tmp"
    5. Run "adb shell"
    6. Keep the screen on and run the following commands in the shell on the device:
    Code:
    cd /data/local/tmp
    ./mtk-su
    getenforce # Just to confirm it says Permissive
    echo 0 > /sys/block/mmcblk0boot0/force_ro
    dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8

    This is the sort of output you should see for that step:

    Code:
    [email protected]:~/Downloads/mtk-su $ adb shell
    mustang:/ $ cd /data/local/tmp
    mustang:/data/local/tmp $ ./mtk-su                                                                                                                                                 
    New UID/GID: 0/0
    mustang:/data/local/tmp # getenforce                                                                                                                                               
    Permissive
    mustang:/data/local/tmp # echo 0 > /sys/block/mmcblk0boot0/force_ro                                                                                                           
    mustang:/data/local/tmp # dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8                                                                                                
    8+0 records in
    8+0 records out
    4096 bytes transferred in 0.001 secs (4096000 bytes/sec)
    mustang:/data/local/tmp #

    Don't close the console just yet.

    Hardware method:
    This will get you into bootrom mode by opening up the tablet and shorting a point to the ground.

    1. Shut your device down and disconnect it from USB
    2. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
    3. You will need to get something conductive and temporarily connect a point to the ground. A point suggested by @ggow is: https://forum.xda-developers.com/showpost.php?p=79683131&postcount=22. You will need to pop up the metallic shield to access it. Alternatively, there are multiple points on the back of the PCB which also work (marked as CLK/CMD/DAT0).

    ----------------------------------------------------------------------------------------------------

    4. At this point if you went with software method, you should have a root shell open, and if you went with the hardware method you should have a capacitor or a testpoint grounded to the shield.

    5. Now, open another terminal on your PC, extract amonet-mustang.zip, navigate to it, and run `sudo ./bootrom-step.sh`. It should print "Waiting for the bootrom".
    6.
    a) For the software method, you should already have the USB cable plugged in. Type "reboot" in the first terminal (the one that's running "adb shell"). [If you're trying this for the second time because it didn't work the first time, you won't have an "adb shell" terminal. In that case, just plugging the USB cable in should be enough.]
    b) For the hardware method, ensure the short is applied and then plug in the USB cable.

    7. You should see the following device appear in your "dmesg" log:

    Code:
    [1141765.113884] usb 3-1.4.3.1: USB disconnect, device number 59
    [1141783.057101] usb 3-1.4.3.1: new full-speed USB device number 60 using xhci_hcd
    [1141783.226498] usb 3-1.4.3.1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
    [1141783.226502] usb 3-1.4.3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
    [1141783.506877] cdc_acm 3-1.4.3.1:1.0: ttyACM0: USB ACM device

    This *must* be the device you see. If you see a "preloader" device instead, your short probably didn't work (for the hw method), or your system inexplicably didn't brick (for the sw method). Unplug everything and try again. If the tablet doesn't shut down, you might need to open it up and disconnect the battery.

    8. The script should now tell you to remove the short. If you went with the hardware method, you do need to remove it first. Otherwise, just press Enter.
    9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:

    Code:
    [2019-06-30 02:48:59.334098] Waiting for bootrom
    [2019-06-30 02:50:41.179571] Found port = /dev/ttyACM0
    [2019-06-30 02:50:41.180204] Handshake
    
     * * * If you have a short attached, remove it now * * * 
     * * * Press Enter to continue * * * 
    
    
    [2019-06-30 02:50:49.195782] Init crypto engine
    [2019-06-30 02:50:49.214278] Disable caches
    [2019-06-30 02:50:49.214801] Disable bootrom range checks
    [2019-06-30 02:50:49.229877] Load payload from ../brom-payload/build/payload.bin = 0x46B8 bytes
    [2019-06-30 02:50:49.233418] Send payload
    [2019-06-30 02:50:49.958957] Let's rock
    [2019-06-30 02:50:49.959812] Wait for the payload to come online...
    [2019-06-30 02:50:50.904341] all good
    [2019-06-30 02:50:50.904714] Check GPT
    [2019-06-30 02:50:51.240034] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
    [2019-06-30 02:50:51.240157] Check boot0
    [2019-06-30 02:50:51.485287] Check rpmb
    [2019-06-30 02:50:51.695083] Downgrade rpmb
    [2019-06-30 02:50:51.696759] Recheck rpmb
    [2019-06-30 02:50:52.591407] rpmb downgrade ok
    [2019-06-30 02:50:52.837668] Clear preloader 1
    [1 / 1]
    [2019-06-30 02:50:52.859908] Clear preloader 2
    [1 / 1]
    [2019-06-30 02:50:52.882059] Flash lk-payload
    [4 / 4]
    [2019-06-30 02:50:53.214382] Flash tz
    [5547 / 5547]
    [2019-06-30 02:52:51.150851] Flash lk
    [651 / 651]
    [2019-06-30 02:53:05.192112] Inject microloader
    [4 / 4]
    [2019-06-30 02:53:05.524154] Flash preloader
    [271 / 271]
    [2019-06-30 02:53:11.525329] Restore preloader
    [8 / 8]
    [2019-06-30 02:53:11.695348] Reboot to unlocked fastboot

    If the script freezes at some point, you will have to restart it. Terminate the script, then immediately run `sudo ./bootrom-step.sh` again. The exploit is set up so that after about 40 seconds of inactivity it reboots your device and drops you back into bootrom mode, which the script is waiting for. If you cannot restart the process, you might have to open up the tablet and replug the battery to completely power off the device.

    10. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
    11. Once the device boots to fastboot (check with "fastboot devices"; you should also see the Amazon logo on the screen), you can run "sudo ./fastboot-step.sh".
    12. At this point the device should boot into recovery, however the screen will be off. Just press the power button twice and the screen should turn on.
    13. Success! You now have a custom recovery installed that can be accessed by holding down power and volume down (the leftmost) buttons. At this point if you came here from a custom ROM thread you should probably follow the ROM installation instructions. Alternatively, the next steps will detail installing a stock firmware and rooting it with Magisk.

    ----------------------------------------------------------------------------------------------------

    14. We'll now upload required files to the recovery. On your PC, do:

    adb push update-kindle-NS6312_user_1827_0002517050244.bin /sdcard/fw.zip
    adb push Magisk-v19.3.zip /sdcard
    adb push finalize.zip /sdcard

    15. In the recovery, go to "Install", navigate to "/sdcard" and flash fw.zip
    16. Go to "Wipe" and do the default wipe, then reboot
    17. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "Skip setup" and "Skip" in the dialog pop-up again
    18. Wait for the update to finish (wait until the updating fire notification disappears)
    19. Hold down the power button, press Restart and hold volume down to boot into recovery.
    20. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v19.3.zip
    21. Press back, select finalize.zip and flash it
    22. Once finalize.zip is flashed, press "Reboot System"

    VERY IMPORTANT STUFF:
    Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).

    Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.


    To uninstall the hack and revert back to stock:
    - Download an update package to your PC (the update-kindle-NS6312_user_1827_0002517050244.bin file)
    - Flash revert-stock-mustang.zip from TWRP
    - Perform the default wipe
    - Reboot to recovery; you should see amazon recovery now
    - Select "apply update from ADB" in the recovery menu
    - Run "adb sideload update-kindle-NS6312_user_1827_0002517050244.bin" on your PC


    Other misc information / troubleshooting:
    - If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
    - If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
    - If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager on your Linux machine.
    - To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)

    Thanks to: aftv2-tools contributors (https://gitlab.com/zeroepoch/aftv2-tools) for an implementation of the MTK download protocol, @diplomatic for mtk-su, @Michajin for testing the instructions.
    5
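    As an added sanity check for step 7 of the instructions above (this is not code from the post or from the amonet tools): a small Python script that scans dmesg text for the most recent MediaTek USB attach and reports whether it is the bootrom device (idVendor 0e8d, idProduct 0003, as shown in the expected output) or something else, together with the ttyACM port it was given. The preloader product id 0x2000 is an assumption, not taken from the post, and the sample dmesg lines are constructed from the output quoted above.

```python
import re

# Constructed sample dmesg text, modelled on the expected output quoted in step 7.
SAMPLE_DMESG = """\
[1141765.113884] usb 3-1.4.3.1: USB disconnect, device number 59
[1141783.057101] usb 3-1.4.3.1: new full-speed USB device number 60 using xhci_hcd
[1141783.226498] usb 3-1.4.3.1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[1141783.226502] usb 3-1.4.3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[1141783.506877] cdc_acm 3-1.4.3.1:1.0: ttyACM0: USB ACM device
"""

# Constructed: what an attach of the preloader (instead of the bootrom) might look like.
SAMPLE_PRELOADER_DMESG = """\
[1141900.000001] usb 3-1.4.3.1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
"""

MTK_VID = 0x0E8D
BOOTROM_PID = 0x0003    # idProduct shown in the expected dmesg output above
PRELOADER_PID = 0x2000  # assumption: commonly reported PID of the MediaTek preloader VCOM

NEW_DEVICE = re.compile(r"usb ([\d.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ACM_PORT = re.compile(r"cdc_acm ([\d.-]+):[\d.]+: (ttyACM\d+): USB ACM device")


def classify_usb_attach(dmesg_text):
    """Return (verdict, port) for the most recent MediaTek device attach in dmesg_text.

    verdict is 'bootrom', 'preloader', 'other-mtk' or 'none'; port is the /dev/ttyACM*
    node bound to that device, or None if no ACM interface was registered for it."""
    verdict, port, bus_path = "none", None, None
    for line in dmesg_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            vid, pid = int(m.group(2), 16), int(m.group(3), 16)
            if vid != MTK_VID:
                continue  # unrelated device; keep whatever MediaTek verdict we already have
            bus_path, port = m.group(1), None  # new MediaTek attach resets the port binding
            if pid == BOOTROM_PID:
                verdict = "bootrom"
            elif pid == PRELOADER_PID:
                verdict = "preloader"
            else:
                verdict = "other-mtk"
            continue
        m = ACM_PORT.search(line)
        if m and bus_path is not None and m.group(1) == bus_path:
            port = "/dev/" + m.group(2)
    return verdict, port


if __name__ == "__main__":
    for text in (SAMPLE_DMESG, SAMPLE_PRELOADER_DMESG):
        verdict, port = classify_usb_attach(text)
        print("OK, bootrom on %s" % port if verdict == "bootrom" else "NOT bootrom (%s): unplug and retry" % verdict)
```

    In practice feed it the real output, e.g. `dmesg | tail -n 20 | python3 check_bootrom.py` after adapting the `__main__` block to read stdin; a "bootrom" verdict with a port is the state bootrom-step.sh is waiting for.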
    They are working to port lineage OS 14.1 from the Fire 8 to it. Waiting for it too, will use my 7th gen tablet in the meantime :).

    https://forum.xda-developers.com/hd...e-hd8-2018-t3936242/post79915018#post79915018

    I already ported it. The problem is that I don't have good Wi-Fi since I'm not at home these days.
    4
    Thanks for your work!

    On a side note, I also had adaptive storage on during the process. I was having crashing issues after install. I re-installed the firmware, wiped and booted. I followed the steps to boot without setup. Then I booted back into TWRP and flashed Magisk, but did not flash finalize. I like access to some of the Amazon apps. Once I rebooted (I stayed off Wi-Fi) I sideloaded a package disabler and disabled the OTA. I registered, then disabled the Amazon bloat I didn't want. I have installed my SD card as portable this time, just to be safe.

    Also, TWRP does not have backup and restore options; is this normal on this currently?
    3
    Thanks. We will look if it's possible to compile LOS 14.1 since it has the same processor as the HD8 2018.