Fire HD 10 11th Generation (2021) Bootloader Unlock + Root Brainstorming

Currently running: Fire OS 7.3.2.1 - Fire HD 10 (2021 - 11th gen)

I think anything is possible. I don't want to hear that Fire OS 7 is "unrootable". Nonsense!

I also don't see many threads for this generation of the device on here, which is why I opted to make this thread.

But seriously, I want to try and tackle this crazy complex puzzle. Fire Toolbox is amazing and really improves the performance of the tablet. But I just want more. Would anyone have any tips on how to start brainstorming and planning how to find any vulnerabilities within the device/software? Are there certain files on the device I have to look in? Maybe running some scripts or doing some programming? I really wanna see what I can contribute but I just have no clue where to start.

I guess it would be helpful to mention what my personal end goal with this tablet is:
  • Unlock bootloader
  • Root
  • Install custom roms (upgrading Android version)
Any feedback/ideas/brainstorming/thoughts of any kind would be much appreciated!
 

dawill9

New member
Oct 27, 2022
1
0
How about the HD8 Plus latest edition, Android 11, 12th gen? Google Play is having issues installing. Tried manually as well as Fire Toolbox 29.2.
 

Rortiz2

Senior Member
Sorry to burst your bubble of illusion, but it's practically impossible. The latest unlocking methods (amonet, kamakiri) exploited bootrom to achieve arbitrary RW of the eMMC. However, as you may well know, Amazon has disabled bootrom on their newer devices (or even on the 'older' ones, with OTA updates; that's called blowing fuses). Considering the conditions presented, the chances of unlocking the new devices are minimal if not nil.

If you really want to do some research to find something useful, find an exploit in the preloader, which is still accessible. Another thing that could be useful is a root shell (even if it is temporary). That requires you to find some exploit that fits your kernel (which is probably new, considering the Android version).

That said, don't expect this to be a piece of cake.
 
A temp root shell should be possible via the waiting game. We could watch the still open-source upstream Android OS code for possible kernel exploits. Then just find a way to run a found exploit on a Fire HD before Amazon rolls a patch OTA. Fire OS is highly customized, but obviously is still Android in there somewhere.
 

Zorazza

Member
Sep 2, 2021
10
2
The Android platform certs got leaked somewhere and are being used to sign malware, as per this issue on the Chromium bug tracker: https://bugs.chromium.org/p/apvi/issues/detail?id=100
It might be possible to spoof an application's signature to be that of the Android UID using whatever those certs are to gain root access. Probably just grasping at straws here though.
Smart idea! MediaTek is also affected.
Now only a public key list is needed to run apps on system level.
 

Brettroth

Senior Member
Apr 4, 2018
205
39
Isn't there something about taking it apart and shorting the motherboard somewhere, like the old PSP battery?
 

Reverse-anastomosis

Senior Member
Oct 31, 2018
308
184
I don’t know the significance of this, but I was playing around with some old equipment that I had lying around and ran across something interesting. I don’t have the time or knowledge to do anything with it, however…

I plugged one of these USB-C converters into my HD 8 2020 and 2022. https://a.co/d/bRtoBPw

I then plugged in a UART cable that I had built for a different project, which is essentially the Nexus debug cable with a male USB end instead of a headphone jack. ( https://wiki.postmarketos.org/wiki/File:Nexus-debug-cable.png )

I did try the headphone jack, but there is no output from there.

Looking at the output during boot-up it sure looks like UART to me, but I can’t seem to get the baud right - I tried everything that minicom has without success.

Long story short, I’m pretty sure there’s UART hidden in the USB-C connector on the HD 8 2020 and 2022 devices.
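When a boot-time signal "looks like UART" but no standard baud works, the first check is whether the pulse widths are integer multiples of one bit period at all; adapter noise fails that test, a real 8N1 stream passes it. This is an added example, not code from the thread or from any Amazon tool: the edge capture is constructed in the block, and the function names are hypothetical.

```python
"""Estimate a UART baud rate from a logic-analyzer edge capture and decide
whether the pulse widths are consistent with asynchronous 8N1 framing.

Added example (not from the thread). A capture is a list of (time_seconds,
level) transitions on one TX line, idle high; the samples below are constructed.
"""
from typing import List, Tuple

Edge = Tuple[float, int]
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]


def pulse_widths(edges: List[Edge]) -> List[float]:
    """Seconds between consecutive transitions."""
    return [b[0] - a[0] for a, b in zip(edges, edges[1:])]


def estimate_baud(edges: List[Edge]) -> int:
    """Shortest pulse is taken as one bit period, snapped to a standard rate.
    Needs at least one single-bit pulse in the capture (true for most bytes)."""
    widths = pulse_widths(edges)
    if not widths:
        raise ValueError("need at least two edges")
    raw = 1.0 / min(widths)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def looks_like_uart(edges: List[Edge], tolerance: float = 0.15) -> bool:
    """True if every pulse width is close to 1..10 bit periods (start + 8 data
    + stop). Random crosstalk from an OTG adapter does not satisfy this."""
    widths = pulse_widths(edges)
    bit = min(widths)
    for w in widths:
        n = round(w / bit)
        if n < 1 or n > 10 or abs(w / bit - n) > tolerance:
            return False
    return True


def level_at(edges: List[Edge], t: float) -> int:
    """Line level at time t (idle high before the first edge)."""
    lvl = 1
    for ts, l in edges:
        if ts <= t:
            lvl = l
        else:
            break
    return lvl


def decode_8n1(edges: List[Edge], baud: int) -> bytes:
    """Sample each frame at mid-bit: start bit, 8 data bits LSB first, stop bit."""
    bit = 1.0 / baud
    out, i = [], 0
    while i < len(edges):
        ts, lvl = edges[i]
        if lvl != 0:           # not a falling edge, so not a start bit
            i += 1
            continue
        val = 0
        for k in range(8):
            if level_at(edges, ts + bit * (1.5 + k)):
                val |= 1 << k
        if level_at(edges, ts + bit * 9.5) != 1:
            raise ValueError("framing error at t=%g" % ts)
        out.append(val)
        while i < len(edges) and edges[i][0] < ts + 9.5 * bit:  # skip this frame
            i += 1
    return bytes(out)


def frame_edges(byte: int, baud: int, t0: float = 0.0) -> List[Edge]:
    """Constructed sample: transitions of one 8N1 frame of `byte` starting at t0."""
    bit = 1.0 / baud
    bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    edges, level, t = [], 1, t0
    for b in bits:
        if b != level:
            edges.append((t, b))
            level = b
        t += bit
    return edges


# Constructed captures: the ASCII bytes "ok" at 115200 baud, and adapter noise.
SAMPLE = frame_edges(0x6F, 115200) + frame_edges(0x6B, 115200, t0=10 / 115200)
NOISE = [(0.0, 0), (3.0e-6, 1), (5.1e-6, 0), (13.4e-6, 1), (15.1e-6, 0)]
```

If `looks_like_uart` is false for a capture, trying more baud rates in minicom will not help; the signal itself is not a serial stream.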
 

Reverse-anastomosis

Senior Member
Oct 31, 2018
308
184
Update:
I think that what I was seeing was probably just garbage from the USB OTG adapter that I was using. That would explain why I couldn't get the baud rate right.

I built a cable that should have worked the same way, without using the adapter, and got nothing back from the device.

MTK devices usually don't use the ID resistor method on their debug cables, but I did try that as well with various resistances - without success.

If I could figure out what multiplexer these devices use, I might be able to get somewhere, but as it stands, I think it is a dead end. If they left UART open on the device, it could lead to a root solution - and it doesn't appear that this has been investigated.

The boards on both the 2020 and the 2022 have pads marked RXD and TXD. I tried connecting directly to these without any success, so they must be turned off. I attempted to turn UART on via fastboot, but any OEM commands I tried were locked (not surprising).

If anyone has a USB-C breakout like what is used for Google debugging, it would be interesting to see if it did anything. I don't have one, and don't really need one.

If anyone has any other ideas, I am willing to use my devices for testing. The 2020 model is pretty beat up by my kids, and it won't break my heart if I kill it. I got a pretty rocking deal on the 2022 model, I'd rather not brick it, but am willing to take some risk.
 

Reverse-anastomosis

Senior Member
Oct 31, 2018
308
184
Double Update:
I couldn't accept my failure - so I decided I had to sacrifice the 2020. I tore into it - and spent an unreasonable amount of time getting to know it with my multimeter. I stuck my probe where few have probed before!

I found an area around the main chip with an interesting bit of shielding and thought to myself - you sneaky old Amazon...what are you hiding here?

I found a nice little row of 4 pins...which have a hardwire connection to the USB-C port - on pin #3, or #6 depending on which direction you count from - and ground.

I am now 100% certain that the UART to USBC connection exists. I don't own a cable that outputs that pin - and unpowered my USBC-USBA OTG adapter does not output that pin - I assume that when it is powered with the resistors there must be enough crossover somewhere to see that a signal exists, it is just too corrupted to understand by the time it hits my serial/USB adapter.

I did throw my multimeter on the visible TXD testpoint on another 2020 device, and it did show some rapidly shifting voltage up to 1.8 volts during boot - so I assume I must have damaged the other one when I was soldering my jumper to it, so it must be outputting something. Also, there are RX0 and TX0 on the back of the logic board - when I get my replacement testing board I will investigate those for anything interesting before I fry it with random components (see below).

I plan on purchasing a USBC cable with all of the pin wires, and hooking it up to see if we can get rx and tx - Maybe Console? I can't tell for sure, but it looks like the same row of pins are present on the 2022 model, so this probably translates to that device as well.

Also, of interest, there is a post here on XDA of a person who got their hands on an Onyx development device. There is a small component present on that device, as well as the one in the FCC auth photos, that is conspicuously missing on our production devices - it appears that it was soldered on, and then removed (on the production devices). There is also a cable connector that has been removed - I couldn't find anything too interesting, other than some oscillating voltage up to 1.8V, so maybe another UART? This applies to the 2022 model as well.

As near as I can tell - the missing component that I am interested in, is a diode, although I can't identify what kind exactly. The pins don't ohm out to anywhere that I can tell, but the upper pin does draw down my multimeter - as if it is grounded, but the pin is not ground. The lower pin seems to be leaking just a little bit of power - up to around 1.8 volts before resetting.

Just thought-vomiting here - but I wonder if this component is essential to accessing BROM and bypassing the eFuses that prevent one from entering BROM via short. (BTW, I am pretty sure I shorted every test point on the logic board; some do nothing, some return you to preloader, and some just completely prevent power-up (like CLK). I didn't find any that caused a brick that wasn't fixed by battery disconnect.)

I plan on purchasing another 2020 board to test my diode theory on. If anyone has a vulnerable 2018 HD8 and a non-vulnerable 2018 HD8 it would be interesting to see if we could find the same cluster of components on their logic boards to compare.

Part of the reason that I am so interested in the missing diode, is that this component cluster appears largely unchanged from the 2020 model to the 2022 model of the HD8, and if it does lead somewhere interesting, it would be a pretty easy hardware mod - as far as such things go.

I attached some images below with the interesting stuff circled.
 

Attachments

  • HD2020hiddenUART.jpg
  • HD2020Logicboard2.jpg
  • iMarkup_20221230_000114.jpg
(Quoting Reverse-anastomosis's "Double Update" post above.)
Wow, any more updates to this? I don't know much about finding these kinds of exploits via hardware, but this "UART" that you mention is possibly able to give root access? I'm intrigued...
 

Reverse-anastomosis

Senior Member
Oct 31, 2018
308
184
Wow, any more updates to this? I don't know much about finding these kinds of exploits via hardware but this "uart" that you mention is able to possibly give root access? I'm intrigued....
Not really - you can follow my progress over on my other thread. I am going to post an update today.
 

Top Liked Posts

  • 2
    Fire OS 8.3.1.1 gives elevated access to system apps via USB debugging; see here. Likely another Amazon mistake - too bad it's never been released on Fire HD 10.