It works on any OS.
Because this is a poor mediatak chip, it will work if you have a 2018 fire hd 8.
Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root
- Thread starter xyz`
- Start date
Because this is a poor mediatak chip, it will work if you have a 2018 fire hd 8.
I got the HD8 2018 one on amazon renewed for $30 to give as a gift (after removing the junk first of course). It would be sinful not to remove the garbage first!
Any update to if this works on windows or not?
Unfortunately, it is impossible.
It is impossible because the .sh file is made to work on linux and does not pass data properly on windows. (serial communication).
If you run it on windows, you risk bricking it.
The quickest way would be to install the .iso file at this link
Releases · amonet-kamakiri/fireiso
ISO with patched kernel for kamakiri and amonet. Contribute to amonet-kamakiri/fireiso development by creating an account on GitHub.
github.com
Since adb and python are already installed, you only need the files from this site.
Edit: When I first unlocked the bootloader, this is the video I used as a reference.
https: //www.youtube.com/watch?v=Iavjnzxnjl4
Last edited:
I just ordered a refurbed 2018 Fire HD 8 off Amazon for a measly $30, because I come back to this guide now and again and it just seems too tempting NOT to try. Will update when I get the tablet.
I've created a live Ubuntu USB and installed all the prerequisites like adb and fastboot. But shorting is just not working. I've used several different paperclips and wires and nothing works. I shut down the tablet, plug one end of the micro usb into the tablet, run the boot.sh, connect CLK to the metal housing next to it, and connect the other end of the usb into my computer, but nothing happens. Thoughts?
I believe any hd8 bought january 2020 or later from amazon had the bootrom access blocked.
Damn thanks for the heads up. I bought this used off Amazon Warehouse. Are there any ways or sites where you can buy these tablets that were made pre 2020?
it is a gamble. Likely ebay or shopgoodwill? I think they stop making them not too long after they blocked it.
I don't think that's necessarily true.
If nothing is showing up, I think it's just a bad contact or something.
Waiting for bootrom
If you can't proceed from this command, it's almost always a bad contact.
If you are using a clip, make sure to press down firmly on the connection from directly above, rather than sticking the corners together.
In other words, if the clip is cut at an angle, push it at an angle.
If the contact is correct, linux will recognize it in about 10 seconds. It should then proceed from this command.
At least, it is still possible.
Good to know, I'll attempt it again tomorrow. It's possible I wasn't pushing down hard enough. The USB ports on my PC are a little finnicky as well, so I'll be sure to try different ports.
So I'm officially giving up with the current Fire HD 8 I have. I couldn't get the short to work no matter what I did, so I gave up on that method. Then I tried booting to recovery, rebooted to bootloader and ran the bootloader script. The device was detected!! I press enter and it immediately fails in a Serial protocol mismatch or whatever it is. Come to find out, my device always loads the preloader, not the bootloader, and this means that my device is patched and therefore not be able to take advantage of this exploit. Bummer!
I might look on eBay to see if I can find a tablet that was made pre 2020 but I'm sure it would be difficult. I'll see what I can find and update again if I decide to give this another shot.
I might look on eBay to see if I can find a tablet that was made pre 2020 but I'm sure it would be difficult. I'll see what I can find and update again if I decide to give this another shot.
That is unfortunate.
In that case, you can modify it by using fire tool box.
It also has a show mode, so you can use it as a table clock by buying a cover, etc.
This is a good toy for $80.
What he said was right in the end.
editing
If you really want one, try to buy a used fire hd 8 from a private seller.
Still a gamble, though.
Yeah its not a total loss. I bought the used Fire HD 8 for $30 off Amazon. It came with FireOS 7.3.2.3 though, so its not going to be entirely compatible with Toolbox...
But I also have a 2021 Fire HD 10 that I set up with Toolbox. I got this one right before they released 7.3.2.2 so I pretty much disabled OTAs on this tablet under the wire lol. It works great, and I expanded the storage with a 128gb sdcard. The sole reason I wanted to root a Fire HD 8 was because I wanted to update the Android OS on the tablet. My Fire HD 10 2021 obviously runs Android 9, but I saw a Lineage ROM on here built on Android 13 for the 2018 Fire HD 8. I guess I could just play the long game and wait for any exploits for the 2021 Fire HD 10, maybe contribute myself and see if I find anything haha
Hi Guys
Please I need help. The tablet freezes when I run ./fastboot-step.sh and now the tablet is stuck on Amazon logo.
I am using Ubuntu 18.
Can anybody guide me please? I have 3 devices
Please I need help. The tablet freezes when I run ./fastboot-step.sh and now the tablet is stuck on Amazon logo.
I am using Ubuntu 18.
Can anybody guide me please? I have 3 devices
Perhaps you've done it before...
Did you turn the screen off and on? (Press the power button twice).
If this does not work, force the power off. If this is not possible, disconnect the power plug at the rear.
Replace the plug and then turn the power on again.
Then, run . /fastboot.sh.
Turn the screen off and on again.
Please I have the same device if you want to get in touch and help me to unlock it
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
114
Changelog:
Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.
This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.
You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.
What you need:
- a Linux installation. Since I had to rush it, this guide is only for Linux. Once I get a chance to test it on Windows I'll update the guide.
- microusb cable to connect your tablet to the PC
- some way to open the tablet (pry tool, opening picks, etc)
- something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- amonet.tar.gz
- 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I-eH3Ph0Ar10_2nioNIm0ilSnNYgOG9YPNE
- Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/releases/download/v18.0/Magisk-v18.0.zip
- finalize.zip
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".
Extract amonet.tar.gz, open a terminal and navigate to it.
You might need to run the scripts on your PC under sudo if you're getting permission errors.
0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin
1. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK.
3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
6. Plug in the other end of the microusb cable.
7. You should see a new device appear on your PC
Code:[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd [10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003 [10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.
8. The script you ran in step 4 should now tell you to remove the short. Remove the paperclip and press Enter as instructed.
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:
If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot.
9. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
10. Once the device boots to fastboot (check with "fastboot devices". You should see amazon logo on the screen.), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display.
11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.
12. We'll now upload required files to the recovery. On your PC, do:
adb push 6300.zip /sdcard
adb push Magisk-v18.0.zip /sdcard
adb push finalize.zip /sdcard
13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
14. Go to "Wipe" and do the default wipe, then reboot
15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again
16. Hold down the power button, press Restart and hold volume down to boot into recovery.
17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
18. Press back, select finalize.zip and flash it
19. Once finalize.zip is flashed, press "Reboot System"
20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.
Your device is now unlocked. You can flash a custom boot image, system image, etc. However, if you ever brick the device so bad the recovery does not boot, you will have to repeat these steps starting from the first one. Read below for what you should not do.
VERY IMPORTANT STUFF:
Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).
Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.
To revert back to stock:
Another way to fix a brick:
Other misc information / troubleshooting:
- If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
- If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
- If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
- To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)
Thanks to: @hwmod @firetablethelp for testing different versions of the payload.
Special thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools; the bootrom download protocol scripts are largely based on their work21GPL Notice:
- Source code for modified TWRP is available from https://github.com/xyzz/android_bootable_recovery
- Source code for amonet/brom-payload is available from https://github.com/xyzz/amonet/tree/master/brom-payload
Device tree to build TWRP: https://github.com/xyzz/android_device_amazon_karnak
Additionally, source code of the full exploit chain is available from https://github.com/xyzz/amonet
When I finish the writeup for this vulnerability, I'll update this post with a URL to the writeup.7
The 'Magisk Hide' option (enabled by default) is sufficient on my phone to pass CTS, and I'm not doing anything other than that to hide Magisk. I'm just using the defaults, as I am on the Fire, yet one passes and one doesn't. Only if I disable that option then CTS fails (and basicIntegrity).
6.3.0.1 was bugged for me on first launch. I had to disable the Device Setup app via adb and then it was ok. On the plus side, it fixes the SD card setup bug (it stops asking what to do with it every boot) and the bug with some accessibility options being empty (can't toggle on/off).
Here is a link to 6.3.0.1 for those not sure about zipping/editing the script. If anyone tries flashing it, and it doesn't work, be specific. Like does Magisk throw an error (if so, what does it say), or is there an issue post boot or.. etc?7OK, this is the paper that I had in mind. It's by XDA member @djrbliss from 2013 for the Galaxy S4. And this is the thread he made.
Damn, if you were not aware of that work and came up with your exploit independently, that's even more amazing. My hat's off to you sir.
Interesting, definitely wasn't aware of this (and I guess neither was mediatek). So I guess what happened is both mediatek and qualcomm took Google's aboot which had no checks for boot.img load base, and added their own signature checking on top. Kinda amazing that it's been known for over 5 years.
I also had to exploit it in a different way, I see in that blog he's overwriting a function with his code, but in my case I have to overwrite a function pointer and set up a rop chain to do cache flush before jumping to the payload. Either way, the end result is the same.7
So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)
If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.
Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc, these can be found by reversing your bootrom dump. At this point it should be possible to get emmc read/write.
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.
