I guess that either nobody can help or this is completely dead as no-one has made a reply
Fire 7 (2019, mustang) unbrick, downgrade, unlock & root
- Thread starter xyz`
- Start date
MY guess is you are in preloader not bootrom. Run a lsusb (you should see something like MediaTek phone6227) if you see preloader you hav eto keep tryign the short. Seems like the exploit got blocked on these chips possibly. But there is a new development going on that might open up a downgrade.... Regardless you have to find a way to access the bootrom....
I literally spent the past two days tearing my tablet apart to get the HW method working after the SW method didn't and I just read that its not compatible with the newer ones or ones that were updated. None of my contacts worked. I just want to use the damn thing
Hi everyone,
I'm fairly new to this scene and have a fire tab 7 purchased in November of 2020 running fire os 7.
If I'm to understand this thread correctly, and other similar threads around here, the software root was patched a long time ago and the hardware trick was also patched in the entire line of fire tablets starting in feburary 2020. So this leads me to think that its not possible at the moment to downgrade or flash a custom recovery to this tablet?
Is this true and is there any development ongoing that I can keep a look out for? Thanks!
I'm fairly new to this scene and have a fire tab 7 purchased in November of 2020 running fire os 7.
If I'm to understand this thread correctly, and other similar threads around here, the software root was patched a long time ago and the hardware trick was also patched in the entire line of fire tablets starting in feburary 2020. So this leads me to think that its not possible at the moment to downgrade or flash a custom recovery to this tablet?
Is this true and is there any development ongoing that I can keep a look out for? Thanks!
Mine was an older one so I'm not sure which version you have; verify your FireOS version with what's already been talked about.
Even if you can't root and install a custom ROM, I think the current models still let you sideload APKs like the Google Play store, so if you can do that and install your own launcher, that could give it a new look.
Unless you bought your tablet pre-February 2020 chances are you don't have root or unlock exploit. Like @klamation said, Changing launchers and play store mostly give you the same as a custom rom. You can also disable bloatware.... Just takes some effort. Doesn't seem like mustang was a big seller so it might be a while before (if ever) an exploit is found....
Unfortunately, I don't have the hardware necessary to test as you're explaining. Curious about the bug though, you might as well try reporting it to the Android project if you believe this affects all AOSP, and not just Lineage.
Should affect everything in IT not just android. Generic new tool to gain system access with. Also know of two more serious bugs with Nix and Windows but neither are appropriate to talk about here. Need to work out best way to communicate them as they are very major (affects billions of systems...) On this system the android bug can cause this level of brick (i could of bricked it even worse by the bug, was using bug to see if i could get mtk-su working by downgrade to 6.3.1.2 - was thinking it might be software patch for emmc short, much more likely this was hardware patch as well as software)
Last edited:
I come from a tech support background, so my first thought is, what did you do that got you into a state like this? If you can provide details, it could help.
Nothing at all. Like in the post from metaplop the device would just not power on one day. It was on the charger and was fully charged. Prior issues were that when it would sit for prolonged periods of time it of no use but charging, it would be in a black screen state and would not turn on with just the power button. I would have to hold left vol and power to boot into TWRP and the reboot into system. This most recent time it had been days before it had been used. I have checked the battery voltage and it does have 4.1v. When plugged in it is recognized as
[10998.804702] usb 1-6.1: new full-speed USB device number 91 using xhci_hcd
[10999.025205] usb 1-6.1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10999.025206] usb 1-6.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10999.032575] cdc_acm 1-6.1:1.0: ttyACM0: USB ACM device
This is with out even grounding the pin on the board. Not sure if that is an issue or not. I have done it both ways though with the same result.
I have another Fire 7 same model (M8S26G) and I was able to extract the gpt.bin from that one (Attached to this post) with insturctions from this post k4y0z post
I then tried to flash this to the non booting device by adding "flash_binary(dev, "../bin/gpt.bin", 0x0, 0x800*0x200)" to main.py but this is the output, I get to Check GPT and it stops at 3/34 then shows the remainder of the output.
Code:
[2021-06-22 20:51:33.184931] Init crypto engine
[2021-06-22 20:51:33.204323] Disable caches
[2021-06-22 20:51:33.204901] Disable bootrom range checks
[2021-06-22 20:51:33.219319] Load payload from ../brom-payload/build/payload.bin = 0x46B8 bytes
[2021-06-22 20:51:33.220267] Send payload
[2021-06-22 20:51:34.064694] Let's rock
[2021-06-22 20:51:34.068141] Wait for the payload to come online...
[2021-06-22 20:51:34.799682] all good
[2021-06-22 20:51:34.800117] Check GPT
[3 / 34]
Traceback (most recent call last):
File "main.py", line 193, in <module>
main()
File "main.py", line 96, in main
switch_user(dev)
File "main.py", line 56, in switch_user
flash_binary(dev, "../bin/gpt.bin", 0x0, 0x800*0x200)
File "main.py", line 37, in flash_binary
flash_data(dev, data, start_block, max_size=0)
File "main.py", line 28, in flash_data
dev.emmc_write(start_block + x, data[x * 0x200:(x + 1) * 0x200])
File "/home/ubuntu/Desktop/Fire/amonet-mustang/modules/common.py", line 199, in emmc_write
raise RuntimeError("device failure")
RuntimeError: device failureflash_binary(dev, "../bin/gpt.bin", 0x0, 0x800*0x200)
Maybe k4y0z would have a better idea?
That "emmc_write" faiure.... I have a ford Fire 7 that had the same thing that happened, and it turned out the storage was bad. It's currently a brick, unable to boot in any way, so I suspect yours might be heading down that same fate. You could try an "adb shell" from bootloader mode and see if you can do anything on it, but that looks like what I experienced.
Might be time to consider using the trade-in 20% discount, if you want another Fire tablet. Maybe Prime Day discounts would help, like $45 for the HD8, but I think all the current models are unhackable.
This might be possible if fbtool does what I think, which is to use fbtool to boot into fastboot (it pushes preloader and lk.bin into SRAM or RAM)
Then use fastboot to boot a modified boot.img from microSD, which loads its other partitions like system from microSD.
I.e. you can boot up your Fire using USB to use the microSD to load Android.
Still investigating fbtool though...
Then use fastboot to boot a modified boot.img from microSD, which loads its other partitions like system from microSD.
I.e. you can boot up your Fire using USB to use the microSD to load Android.
Still investigating fbtool though...
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
50Make sure to read this guide completely before starting.
You will lose all data on the tablet, make a backup of important data before you start.
What you need:
- a Linux installation. Don't use a VM! Use a live USB, if you don't have Linux installed, but don't use a virtual machine.
- a microusb cable to connect your tablet to the PC
- (if you go with hw option) some way to open the tablet (pry tool, opening picks, etc)
- (if you go with hw option) something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- (if you go with sw option) mtk-su from https://xdaforums.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
- amonet-mustang.zip from this post
- finalize.zip from this post
- update-kindle-NS6312_user_1827_0002517050244.bin: https://fireos-tablet-src.s3.amazon...ate-kindle-NS6312_user_1827_0002517050244.bin
- Magisk-v19.3.zip: https://github.com/topjohnwu/Magisk/releases/download/v19.3/Magisk-v19.3.zip
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".
0. Disconnect the tablet and all other Android devices from the PC.
1. Back up whatever important data you have on the device and perform a complete factory reset of the tablet. When going through the initial setup, don't connect to a network (see below on how to do that).
2. Disable or uninstall ModemManager from your Linux installation
3. At this point you need to get your tablet into the bootrom download mode. There are two ways it can be achieved.
a) If your tablet works, you can use the software method (which doesn't require opening the tablet) or the hardware method. Note that if something goes horribly wrong, you might still be required to open up the tablet.
b) If your tablet doesn't boot (bricked), you can only use the hardware method
----------------------------------------------------------------------------------------------------
Software method:
This will get you into bootrom mode by obtaining temporary root and temporarily bricking the device.
1. Download mtk-su from https://xdaforums.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
2. Enable developer mode and USB debugging on the tablet
3. Unzip the mtk-su archive
4. Transfer the executable to your tablet: "adb push arm/mtk-su /data/local/tmp"
5. Run "adb shell"
6. Keep the screen on and run the following commands in the shell on the device:
Code:cd /data/local/tmp ./mtk-su getenforce # Just to confirm it says Permissive echo 0 > /sys/block/mmcblk0boot0/force_ro dd if=/dev/zero of=/dev/block/mmcblk0boot0 bs=512 count=8
This is the sort of output you should see for that step:
Don't close the console just yet.
Hardware method:
This will get you into bootrom mode by opening up the tablet and shorting a point to the ground.
1. Shut your device down and disconnect it from USB
2. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
3. You will need to get something conductive and temporarily connect a point to the ground. A point suggested by @ggow is: https://xdaforums.com/showpost.php?p=79683131&postcount=22. You will need to pop up the metallic shield to access it. Alternatively, there are multiple points on the back of the PCB which also work (marked as CLK/CMD/DAT0).
----------------------------------------------------------------------------------------------------
4. At this point if you went with software method, you should have a root shell open, and if you went with the hardware method you should have a capacitor or a testpoint grounded to the shield.
5. Now, open another terminal on your PC, extract amonet-mustang.zip, navigate to it, and run `sudo ./bootrom-step.sh`. It should print "Waiting for the bootrom".
6.
a) For the software method, you should already have the USB cable plugged in. Type "reboot" in the first terminal (the one you that's running "adb shell"). [If you're trying this for the second time because it didn't work for the first time, you won't have an "adb shell" terminal. In that case, just plugging the USB cable in should be enough.]
b) For the hardware method, ensure the short is applied and then plug in the USB cable.
7. You should see the following device appear in your "dmesg" log:
Code:[1141765.113884] usb 3-1.4.3.1: USB disconnect, device number 59 [1141783.057101] usb 3-1.4.3.1: new full-speed USB device number 60 using xhci_hcd [1141783.226498] usb 3-1.4.3.1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00 [1141783.226502] usb 3-1.4.3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [1141783.506877] cdc_acm 3-1.4.3.1:1.0: ttyACM0: USB ACM device
This *must* be the device you see. If you see a "preloader" device instead, your short probably didn't work (for the hw method), or your system inexinexplicably didn't brick (for the sw method). Unplug everything and try again. If the tablet doesn't shut down, you might need to open it up and disconnect the battery.
8. The script should now tell you to remove the short. If you went with hardware method, you do need to remove it first. Otherwise, just press Enter.
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:
If the script freezes at some point, you will have to restart it. Terminate the script, then immediately run `sudo ./bootrom-step.sh` again. The exploit it set up so that after about 40 seconds of inactivity it would reboot your device and drop you back into the bootrom mode, which the script is waiting for. If you cannot restart the process, you might have to open up the tablet and replug the battery to completely power off the device.
10. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
11. Once the device boots to fastboot (check with "fastboot devices"; you should also see amazon logo on the screen.), you can run "sudo ./fastboot-step.sh".
12. At this point the device should boot into recovery, however the screen will be off. Just press the power button twice and the screen should turn on.
13. Success! You now have a custom recovery installed that can be accessed by holding down power and volume down (the leftmost) buttons. At this point if you came here from a custom ROM thread you should probably follow the ROM installation instructions. Alternatively, the next steps will detail installing a stock firmware and rooting it with Magisk.
----------------------------------------------------------------------------------------------------
14. We'll now upload required files to the recovery. On your PC, do:
adb push update-kindle-NS6312_user_1827_0002517050244.bin /sdcard/fw.zip
adb push Magisk-v19.3.zip /sdcard
adb push finalize.zip /sdcard
15. In the recovery, go to "Install", navigate to "/sdcard" and flash fw.zip
16. Go to "Wipe" and do the default wipe, then reboot
17. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "Skip setup" and "Skip" in the dialog pop-up again
18. Wait for the update to finish (wait until the updating fire notification disappears)
19. Hold down the power button, press Restart and hold volume down to boot into recovery.
20. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v19.3.zip
21. Press back, select finalize.zip and flash it
22. Once finalize.zip is flashed, press "Reboot System"
VERY IMPORTANT STUFF:
Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).
Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.
To uninstall the hack and revert back to stock:
Other misc information / troubleshooting:
- If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
- If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
- If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
- To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)
Thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools: for an implementation of mtk download protocol, @diplomatic for mtk-su, @Michajin for testing the instructions.5They are working to port lineage OS 14.1 from the Fire 8 to it. Waiting for it too, will use my 7th gen tablet in the meantime
.
https://xdaforums.com/hd8-hd10/gene...e-hd8-2018-t3936242/post79915018#post79915018
I already port it. The problem is that I don't have a good Wi-Fi since I'm not a thome this days.4Thanks for your work!
On a side note, I also had adaptive storage on during the process. I was having crashing issues after install. I re-installed the firmware-wiped and booted. I followed the steps to boot without setup. Then booted back into TWRP, flashed magisk, but did not flash finalize. I like access to some of the amazon apps. Once I rebooted (I stayed off wi-fi) I sideloaded a package disabler and disabled the OTA. I registered then disabled the amazon bloat I didn't want. I have installed my sd card as portable this time, just to be safe.
also, TWRP does not have backup and restore options, is this normal on this currently?4New TWRP for mustang (with backup-support) is now available: https://xdaforums.com/amazon-fire/orig-development/recovery-twrp-touch-recovery-fire-7-t3949114
