Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root

Search This thread

Tres_Tigers

Member
Apr 26, 2021
40
5
(Quote from #1)

If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot
What do you not get out of 'when I short the tablet, it freezes up'?
The tablet itself is what's not working, it keeps freezing up and not working with the waiting script.
It doesn't even matter if it's plugged in, shorting it causes my tablet to freeze until the battery is reconnected.
 

cibolo

Member
Sep 30, 2021
17
1
I've followed the instructions and can't get 6300.zip from the link. What is a safe source of that file?
 

cibolo

Member
Sep 30, 2021
17
1
Is 6300.zip not on an open website anywhere? If so, why not, what is it? I am probably wanting to keep fireOS so I can download library ebooks with DRM controls.
 

cibolo

Member
Sep 30, 2021
17
1
I figured it out by reading all of the instructions... "20. Done. The device should now boot into a rooted 6.3.0.0 firmware. A ha! 6300.zip is the downgrade version of firmware... I was able to get it -- someone changed the link on mega.nz, so now I'll try the instructions again. Thanks for the help and for making these ways to reflash fire tablets.
 

cibolo

Member
Sep 30, 2021
17
1
Hi, I tried the procedure on page 1 above again today and journalctl -k -n 10 shows this when I have the bootrom-step program running and plug into USB, (no other androids connected to USB):
Oct 02 17:05:21 thinktool kernel: usb 2-1.4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
Oct 02 17:05:21 thinktool kernel: usb 2-1.4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
Oct 02 17:05:21 thinktool kernel: cdc_acm 2-1.4:1.0: ttyACM0: USB ACM device


So that looks good, but no change of the program:

./bootrom-step.sh
[2021-10-02 17:11:21.446527] Waiting for bootrom

The above results are the same with fire hd8 battery connector off or on. I did the most tests with the fire hd8 battery connector undone so it would shut down and be ready to try again. I had a good probe contact to the CLK pad and the RF shield before conecting the USB cable other end.


This fire hd8 has fireOS 7.3.2.1
7.3.2.1 is newer than mentioned in the howto's. Could that be a problem?
 

Rortiz2

Senior Member
Hi, I tried the procedure on page 1 above again today and journalctl -k -n 10 shows this when I have the bootrom-step program running and plug into USB, (no other androids connected to USB):
Oct 02 17:05:21 thinktool kernel: usb 2-1.4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
Oct 02 17:05:21 thinktool kernel: usb 2-1.4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
Oct 02 17:05:21 thinktool kernel: cdc_acm 2-1.4:1.0: ttyACM0: USB ACM device


So that looks good, but no change of the program:

./bootrom-step.sh
[2021-10-02 17:11:21.446527] Waiting for bootrom

The above results are the same with fire hd8 battery connector off or on. I did the most tests with the fire hd8 battery connector undone so it would shut down and be ready to try again. I had a good probe contact to the CLK pad and the RF shield before conecting the USB cable other end.


This fire hd8 has fireOS 7.3.2.1
7.3.2.1 is newer than mentioned in the howto's. Could that be a problem?
Try to run the command as sudo (sudo ./bootrom-step.sh). I don't think your firmware version matters since you can access bootrom (see the 003 PID).
 
  • Like
Reactions: cibolo

cibolo

Member
Sep 30, 2021
17
1
Now I've gotten to step 15 and results don't match.

When I select reboot system from TWRP, I get the fire logo and three dots marching like caterpillar footprints to the right -- forever it seems -- definitely for more than 20 minutes. Is it OK to go without the fire setup steps and flash Magisk-v18.0.zip and finalize.zip? They are loaded to /sdcard now.

Tried that ans same symptom: three dots marching.

Is this a problem? -->

Code:
Oct 03 12:31:15 thinktool kernel: usb 2-1.4: USB disconnect, device number 41

Oct 03 12:31:20 thinktool kernel: usb 2-1.4: new high-speed USB device number 42 using ehci-pci

Oct 03 12:31:20 thinktool kernel: usb 2-1.4: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00

Oct 03 12:31:20 thinktool kernel: usb 2-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0

Oct 03 12:31:20 thinktool kernel: usb 2-1.4: Product: MT65xx Preloader

Oct 03 12:31:20 thinktool kernel: usb 2-1.4: Manufacturer: MediaTek

Oct 03 12:31:20 thinktool kernel: cdc_acm 2-1.4:1.0: Zero length descriptor references

Oct 03 12:31:20 thinktool kernel: cdc_acm: probe of 2-1.4:1.0 failed with error -22

Oct 03 12:31:20 thinktool kernel: cdc_acm 2-1.4:1.1: ttyACM0: USB ACM device

Oct 03 12:31:22 thinktool kernel: usb 2-1.4: USB disconnect, device number 42

Does seeing preloader mean start over?

I CAN boot the TWRP still.

Thanks, John
 
Last edited:

cibolo

Member
Sep 30, 2021
17
1
The fact that your getting "preloader" (i think) shouldnt matter now that you have access to TWRP, i wouldnt proceed with Magisk and finalize.zip until you do the inital setup,

Did you factory reset in TWRP after flashing 6300.zip?
No. Maybe I am not getting how to do that. I'll go back and see if I didn't follow. I am installing 6300.zip again. I don't see "factory reset in TWRP" in the instructions. What I am unable to follow is:
13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
14. Go to "Wipe" and do the default wipe, then reboot
15. At the Fire setup screen,
I did the dalvik wipe. I got that from another write up. I'm trying as stated above now for first time: select wipe in TWRP, then no other selections and slide the button to do wipe to factory reset.

I still get the marching dots after reboot. I power down, wait, power up, and now I get marching dots for only one minute then intro screen! Success finally.
 
Last edited:

cibolo

Member
Sep 30, 2021
17
1
I wanted to check which version of OS and chose device options and system, but it is blank black screen. It does return to the settings menu via the back triangle at the bottom of the screen. So not sure if still on 6.3.0.0. Isn't that bad that the updates tab under settings is blank?

Now I'd like to try to use a magisk module, but: "Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit"

I found a way to do it from twrp. I got magisk-xxxx.apk from github and renamed it with .zip ending and TWRP installed it.

When I run magisk and use the safetynet test it fails. I'd like to use this fire hd8 to read ebooks, so any help getting it able to do that will be appreciated.
 
Last edited:

cibolo

Member
Sep 30, 2021
17
1
What is a way to disable annoying adware on fire hd8 2018?

I got only one app to stop using pm disable, and so far this is not rooted, so I guess that is what is needed next?

Code:
[email protected] [amazon-fire-hd8-2018]adb shell
karnak:/ $ pm disable-user com.goodreads.kindle
Package com.goodreads.kindle new state: disabled-user
karnak:/ $ pm disable com.amazon.recess
Error: java.lang.SecurityException: Shell cannot change component state for com.amazon.recess/null to 2
1|karnak:/ $ pm disable com.android.printspoole
Error: java.lang.IllegalArgumentException: Unknown package: com.android.printspoole
1|karnak:/ $ pm disable com.android.printspooler                                                                                                                                                                           
Error: java.lang.SecurityException: Shell cannot change component state for com.android.printspooler/null to 2
1|karnak:/ $ pm disable com.amazon.camera
Error: java.lang.IllegalArgumentException: Unknown package: com.amazon.camera
1|karnak:/ $ pm disable com.amazon.unifiedsharegoodreads
Error: java.lang.SecurityException: Shell cannot change component state for com.amazon.unifiedsharegoodreads/null to 2
1|karnak:/ $ pm hide com.amazon.unifiedsharegoodreads
Error: java.lang.SecurityException: Neither user 2000 nor current process has android.permission.MANAGE_USERS.
1|karnak:/ $ su

Permission denied
 

cibolo

Member
Sep 30, 2021
17
1
Thanks for the continuing tips Falcon342.
Does lineageOS have any DRM that allows ebooks to be read?

here's the results of your suggested commands:

Code:
[email protected] [moredata]adb devices
List of devices attached
G0W0T9058362F0CQ    device

[email protected] [moredata]adb shell
karnak:/ $ pm disable-user --user 0 com.amazon.kso
Error: java.lang.IllegalArgumentException: Unknown package: com.amazon.kso
1|karnak:/ $ uname -r
3.18.19-g11668f5c4e7
karnak:/ $ uname -a                                                                                                                                     
Linux localhost 3.18.19-g11668f5c4e7 #1 SMP PREEMPT Sat Jun 9 18:55:44 UTC 2018 armv8l
karnak:/ $ pm disable com.android.printspooler
Error: java.lang.SecurityException: Shell cannot change component state for com.android.printspooler/null to 2
1|karnak:/ $ disable-user --user 0 com.amazon.unifiedsharegoodreads
/system/bin/sh: disable-user: not found


After figuring how to do su, (see notice on the fire hd8 and answer yes), I got these results:

Code:
karnak:/ $ su
karnak:/ # pm disable com.android.printspooler
Package com.android.printspooler new state: disabled
karnak:/ # pm disable com.amazon.camera
Error: java.lang.IllegalArgumentException: Unknown package: com.amazon.camera
1|karnak:/ # pm disable com.amazon.unifiedsharegoodreads
Package com.amazon.unifiedsharegoodreads new state: disabled
karnak:/ # pm disable-user --user 0 com.amazon.kso
Error: java.lang.IllegalArgumentException: Unknown package: com.amazon.kso


This seems like the version got upgraded beyond what worked back when this exploit howto was written... Since apps have different names, etc.

I bet this:
1|karnak:/ $ uname -r
3.18.19-g11668f5c4e7
corresponds to other than 6.3.0.0 fireOS

since John Wu now works for Google MagiskHide will be removed due to conflict of interest,

So, what else is there for fire hd8 2018 that can let it use DRM? If nothing I guess I will install LineageOS and give up on ebooks except with spam and such on an unmodified fire tablet..

I've been reading at his github pages and see this:


Why is X app detecting root?​


Manually enable MagiskHide in settings (MagiskHide is no longer enabled by default). Also, there are known methods to detect Magisk, so your mileage may vary.

So, I'll try that soon.

Here is something else from John Wu that does not match this howto as applied to my fire hd8:

As a summary, after installing Magisk in recovery (starting from power off):


  • (Power up normally) → (System with NO Magisk)
  • (Recovery Key Combo) → (Splash screen) → (Release all buttons) → (System with Magisk)
  • (Recovery Key Combo) → (Splash screen) → (Long press volume up) → (Recovery Mode)
Instead of the above, my fire hd8 goes to TWRP with the 2nd step. and the 2nd step does not match -- I don't get the audible splash screen, just TWRP starting.
 
Last edited:

karl001

Member
Feb 5, 2009
9
0
I think I flashed a faulty bootloader .img with TWRP and now I'm in an infinte boot loop. When I try to execute bootrom-step it gives the error after Handshake: "device reports readiness to read but returned no data".
Any possibility to rescue the device?

Update: Nevermind. After several tries it worked. I think the short breaking was just not connected right.
 
Last edited:

cibolo

Member
Sep 30, 2021
17
1
I've been able to use the libby android app from google play store to read ebooks.

So the remaining want I have is losing ads. Any hints on ways to stop ads?

What other forum threads would be appropriate to ask in?
I tried some use of # pm disable but the names in lists about fire hd8 2018 seem not to match today -- some amazon apps must have changed names. Is there a command to list installed apps?
 

cibolo

Member
Sep 30, 2021
17
1

I read about fire toolbox and it said hd8 not supported as I have it with TWRP and root exploit and magisk. So I searched and found these adb shell commands that worked:

Code:
install firefox  get launcher hijack

adb devices
adb shell
su
settings put secure enabled_accessibility_services com.baronkiko.launcherhijack/com.baronkiko.launcherhijack.AccServ
settings put secure accessibility_enabled 1
reboot

https://forum.xda-developers.com/t/guide-no-root-remove-amazon-apps-on-fire-10-hd-2019.4009547/page-2

karnak:/ # pm disable-user --user 0 com.amazon.legalsettings = Legal Notices
Package com.amazon.legalsettings new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.kindle.cms                                                                                               Package com.amazon.kindle.cms new state: disabled-user
1|karnak:/ # pm disable-user --user 0 com.amazon.weather = Weather
Package com.amazon.weather new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.kindle = Kindle books
Package com.amazon.kindle new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.kindle.kso = Special offers
Package com.amazon.kindle.kso new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.webapp = Kindle store
Package com.amazon.webapp new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.tahoe = Freetime
Package com.amazon.tahoe new state: disabled-user
karnak:/ # pm disable-user --user 0 com.audible.application.kindle = Audible
Package com.audible.application.kindle new state: disabled-user
1|karnak:/ # pm disable-user --user 0 com.amazon.cloud9.kids = Kids web browser
Package com.amazon.cloud9.kids new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.cloud9.contentservice = Silk content service
Package com.amazon.cloud9.contentservice new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.cloud9 = Silk browser
Package com.amazon.cloud9 new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.venezia = Amazon app store
Package com.amazon.venezia new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.unifiedsharegoodreads = Amazon goodreads share
Package com.amazon.unifiedsharegoodreads new state: disabled-user
karnak:/ # pm disable-user --user 0 com.goodreads.kindle = Goodreads
Package com.goodreads.kindle new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.ags.app = Amazon gamecircle
Package com.amazon.ags.app new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.geo.mapsv2.services = n/a
Package com.amazon.geo.mapsv2.services new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.geo.mapsv2 = n/a
Package com.amazon.geo.mapsv2 new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.geo.client.maps = Maps
Package com.amazon.geo.client.maps new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.windowshop = Shop Amazon
Package com.amazon.windowshop new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.csapp = Help
Package com.amazon.csapp new state: disabled-user
karnak:/ # pm disable-user --user 0 amazon.alexa.tablet = n/a
Package amazon.alexa.tablet new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.dee.app = n/a
Package com.amazon.dee.app new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.mp3 = Music
Package com.amazon.mp3 new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.photos = Amazon Photos
Package com.amazon.photos new state: disabled-user
karnak:/ # pm disable-user --user 0 com.amazon.firelauncher
Package com.amazon.firelauncher new state: disabled-user
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    Gotcha, thank you very much. Looking forward to this been years since I had a device needing a root & rom.
    I should mention that amazon has started to use a efuse on the firestick 4k that seem to block it. But i have not heard of this being done on any other devices. About april 2020 it was noticed that any new device was blocked from accessing the bootrom. It also has been noticed though if you run the exploit on the device on first boot when new it was also accessible. The shorting method was totally easy on the HD 8 was totally easy, just do not run the brick as it will do that and there has not been a way to recover from it. Check back into the posts April 2020 for more details.
    2
    Worthless. Why cant this be done on windows? Its only the most popular operating system in the entire world... Instead everyone says you have to download virtualization software and a linux distro they dont know how to use and will likely never use again just to unlock their device. Anyone who asks for help using windows just gets ignored. Its so frustrating to go through 50+ pages of comments for this when the original post even said they'd update with a windows guide that never seemed to happen... I just bought this thing refurbished off of woot.com after people over on slickdeals reccommended it and said that XDA had guides for unlocking and unrooting it so it could run Android. Now Im learning that this thing is a ****ing paperweight and waste of money.
    Comments like this are a disgrace to this community.

    As far as I know (since nobody has never given an exact answer), the unlock process uses a library called pyserial which is used to communicate with the device and uploads a payload (which is pure C) via USB. The communication between the payload and the computer doesn't work at all on Windows (try yourself, you won't be able to read the eMMC) and therefore you need Linux.

    I don't recall the original creator of the exploit saying he would create a Windows version, so if you don't mind, could you link me to the post in which it states what you say?

    Honestly, I don't understand what's the problem with using Linux. Even if you're a noob there are PLENTY of tutorials on the internet (even videos) on how to create an Ubuntu bootable USB (which should be enough to run the exploit).

    Next time you want to do something, make sure you CAN and ARE ABLE to do it. That way you will avoid having more paperweights ;).​
  • 112
    VWWdRf9.jpg

    Changelog:
    v2 - Fixed the issue with the screen


    Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.

    This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.

    You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.

    What you need:
    - a Linux installation. Since I had to rush it, this guide is only for Linux. Once I get a chance to test it on Windows I'll update the guide.
    - microusb cable to connect your tablet to the PC
    - some way to open the tablet (pry tool, opening picks, etc)
    - something conductive (metal tweezers, a paper clip, a piece of wire, etc)
    - amonet.tar.gz
    - 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I-eH3Ph0Ar10_2nioNIm0ilSnNYgOG9YPNE
    - Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/releases/download/v18.0/Magisk-v18.0.zip
    - finalize.zip

    Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".

    Extract amonet.tar.gz, open a terminal and navigate to it.

    You might need to run the scripts on your PC under sudo if you're getting permission errors.

    0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin
    1. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
    2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK.
    3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
    4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
    5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
    6. Plug in the other end of the microusb cable.
    7. You should see a new device appear on your PC

    Code:
    [10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
    [10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
    [10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
    [10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device

    This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.

    8. The script you ran in step 4 should now tell you to remove the short. Remove the paperclip and press Enter as instructed.
    9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:

    Code:
    [2019-01-26 23:30:02.157670] Waiting for bootrom
    [2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
    [2019-01-26 23:30:20.439362] Handshake
    [2019-01-26 23:30:20.441693] Disable watchdog
    
     * * * Remove the short and press Enter * * * 
    
    
    [2019-01-26 23:30:22.636037] Init crypto engine
    [2019-01-26 23:30:22.661832] Disable caches
    [2019-01-26 23:30:22.662505] Disable bootrom range checks
    [2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
    [2019-01-26 23:30:22.693170] Send payload
    [2019-01-26 23:30:23.527965] Let's rock
    [2019-01-26 23:30:23.528832] Wait for the payload to come online...
    [2019-01-26 23:30:24.260602] all good
    [2019-01-26 23:30:24.261069] Check GPT
    [2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
    [2019-01-26 23:30:24.596619] Check boot0
    [2019-01-26 23:30:24.841858] Check rpmb
    [2019-01-26 23:30:25.051079] Downgrade rpmb
    [2019-01-26 23:30:25.052924] Recheck rpmb
    [2019-01-26 23:30:25.949978] rpmb downgrade ok
    [2019-01-26 23:30:25.950284] Flash lk-payload
    [5 / 5]
    [2019-01-26 23:30:26.471797] Flash preloader
    [288 / 288]
    [2019-01-26 23:30:44.845804] Flash tz
    [6732 / 6732]
    [2019-01-26 23:33:08.502134] Flash lk
    [685 / 685]
    [2019-01-26 23:33:23.337460] Inject microloader
    [4 / 4]
    [2019-01-26 23:33:23.667547] Reboot to unlocked fastboot

    If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot.

    9. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
    10. Once the device boots to fastboot (check with "fastboot devices". You should see amazon logo on the screen.), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display.
    11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.
    12. We'll now upload required files to the recovery. On your PC, do:

    adb push 6300.zip /sdcard
    adb push Magisk-v18.0.zip /sdcard
    adb push finalize.zip /sdcard

    13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
    14. Go to "Wipe" and do the default wipe, then reboot
    15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again
    16. Hold down the power button, press Restart and hold volume down to boot into recovery.

    17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
    18. Press back, select finalize.zip and flash it
    19. Once finalize.zip is flashed, press "Reboot System"

    20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
    21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.

    Your device is now unlocked. You can flash a custom boot image, system image, etc. However, if you ever brick the device so bad the recovery does not boot, you will have to repeat these steps starting from the first one. Read below for what you should not do.

    VERY IMPORTANT STUFF:
    Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).

    Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.


    To revert back to stock:
    - download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
    - flash 6300.zip from twrp
    - flash revert-stock.zip from twrp
    - wipe data
    - reboot to recovery; you should see amazon recovery now
    - select "apply update from ADB" in the recovery menu
    - run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC


    Another way to fix a brick:

    - Download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
    - Download and unzip revert-stock.zip
    - Do steps 0 to 9 from this guide (so everything until fastboot-step.sh)
    - Wait for device to boot into fastboot mode (check with "fastboot devices")
    - Run "fastboot flash boot boot.img" using boot.img from the revert-stock.zip
    - Run "fastboot flash recovery recovery.img" using recovery.img from the from the revert-stock.zip
    - Run "fastboot reboot recovery"
    - Select "apply update from ADB" in the recovery menu
    - Run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC


    Other misc information / troubleshooting:
    - If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
    - If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
    - If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
    - To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)

    Thanks to: @hwmod @firetablethelp for testing different versions of the payload.
    Special thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools; the bootrom download protocol scripts are largely based on their work
    21
    GPL Notice:
    - Source code for modified TWRP is available from https://github.com/xyzz/android_bootable_recovery
    - Source code for amonet/brom-payload is available from https://github.com/xyzz/amonet/tree/master/brom-payload

    Device tree to build TWRP: https://github.com/xyzz/android_device_amazon_karnak

    Additionally, source code of the full exploit chain is available from https://github.com/xyzz/amonet

    When I finish the writeup for this vulnerability, I'll update this post with a URL to the writeup.
    7
    Unless you hide root CTS will always fail. Not easy to do even with magisk.

    The 'Magisk Hide' option (enabled by default) is sufficient on my phone to pass CTS, and I'm not doing anything other than that to hide Magisk. I'm just using the defaults, as I am on the Fire, yet one passes and one doesn't. Only if I disable that option then CTS fails (and basicIntegrity).

    6.3.0.1 was bugged for me on first launch. I had to disable the Device Setup app via adb and then it was ok. On the plus side, it fixes the SD card setup bug (it stops asking what to do with it every boot) and the bug with some accessibility options being empty (can't toggle on/off).

    Here is a link to 6.3.0.1 for those not sure about zipping/editing the script. If anyone tries flashing it, and it doesn't work, be specific. Like does Magisk throw an error (if so, what does it say), or is there an issue post boot or.. etc?
    7
    OK, this is the paper that I had in mind. It's by XDA member @djrbliss from 2013 for the Galaxy S4. And this is the thread he made.
    Damn, if you were not aware of that work and came up with your exploit independently, that's even more amazing. My hat's off to you sir. ;)

    Interesting, definitely wasn't aware of this (and I guess neither was mediatek). So I guess what happened is both mediatek and qualcomm took Google's aboot which had no checks for boot.img load base, and added their own signature checking on top. Kinda amazing that it's been known for over 5 years.

    I also had to exploit it in a different way, I see in that blog he's overwriting a function with his code, but in my case I have to overwrite a function pointer and set up a rop chain to do cache flush before jumping to the payload. Either way, the end result is the same.
    7
    This is very promising could you please elaborate, what exactly needs to be modified to port this to other MTK-hardware.
    I have a fire 5th gen here and I can access brom-mode by pressing left mute button while pluging in.
    tried your scripts as is (commenting out the parts that change rpmb or flash partitions) and it get's stuck at
    Code:
    [2019-01-28 00:01:40.973289] Disable bootrom range checks

    Does the hash in load_payload.py (4dd12bdf0ec7d26c482490b3482a1b1f) need to be modified?
    I do have the kernel-sources for the device and am willing to investigate correct addressing etc.

    Also since this is a boot-rom exploit wouldn't it allow flashing a hacked preloader + lk which just ignore boot-signatures so we can just run a standard twrp?

    So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)

    If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.

    Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc, these can be found by reversing your bootrom dump. At this point it should be possible to get emmc read/write.

    Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.

    I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.

    You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.