Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root

May 30, 2019
23
1
Hi all. I recently bought an HD8 8th generation on eBay. It was supposed to be Karnak, but such an interesting device arrived. It has custom firmware 7.1.2 installed, as well as stock recovery. And judging by the fact that I can't flash TWRP through fastboot, it is still blocked. It also does not respond to a short circuit when hacked. Not a single way I know of getting root rights helped me. I would like to hack it and install custom software from this site. I also want to get Google services on it. I ask for your help!!!
Hello my friend .. Any luck to unlock your device?
 

jumstec

Senior Member
Yes, but this didn't work either.
I thought I had posted a comment, but it disappeared, so I am adding it.
-Text from here-.
Have you tried amonet-3?

This thread states.
NOTE: If you are on a firmware newer than 6.3.0.1, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)


WARNING: There have been numerous reports that would indicate a hardware-change that doesn't allow access to the bootrom.
When bricking these devices there is currently no known way to unbrick.
This makes the hardware-method currently the safest option.
Unbricking / Unlocking with Firmware 6.3.1.2+

If Recovery OR FireOS are still accessible (or your firmware is below 6.3.1.2) there are other means of recovery, don't continue.

If your device shows one of the following symptoms:
  1. It doesn't show any life (screen stays dark)
  2. You see the white amazon logo, but cannot access Recovery or FireOS.

If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
  1. Make sure the device is powered off, by holding the power-button for 20+ seconds
  2. Start bootrom-step.sh
  3. Plug in USB

In all other cases you will have to open the device.

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager


NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)


Open the device and short the pin marked in the attached photo to ground while plugging in.
1. Extract the attached zip-file "amonet-karnak-v3.0.zip" and open a terminal in that directory.

2. start the script:
Code:
sudo ./bootrom-step.sh

It should now say Waiting for bootrom.

3. Short the device according to the attached photo and plug it in.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
sudo ./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk or SuperSU

Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
Also, if you have never opened the back, open and work with it.

Just... To me it still looks like after trying everything.
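The "Checking USB connection" section quoted above hinges on telling the bootrom enumeration (0e8d:0003) apart from the preloader one (0e8d:2000) before the shorting step. The script below is an added example, not part of amonet or of any post in this thread: it classifies lsusb or dmesg lines using only the two IDs quoted above and reports the most recent MediaTek download mode seen, so a wrapper can stop and tell the user to retry while the device is still in preloader mode. The sample lines are constructed from the ones quoted above; the `current_mode` helper assumes the host has lsusb installed.

```python
import re
import subprocess

# USB IDs quoted in the thread: MediaTek bootrom (MT6227 phone) vs preloader
BOOTROM_ID = ("0e8d", "0003")
PRELOADER_ID = ("0e8d", "2000")

# lsusb prints "ID vvvv:pppp"; dmesg prints "idVendor=vvvv, idProduct=pppp"
LSUSB_RE = re.compile(r"\bID\s+([0-9a-f]{4}):([0-9a-f]{4})", re.IGNORECASE)
DMESG_RE = re.compile(r"idVendor=([0-9a-f]{4}),\s*idProduct=([0-9a-f]{4})", re.IGNORECASE)


def classify_usb_id(vid, pid):
    """Map a vendor:product pair to the MediaTek download mode it indicates."""
    pair = (vid.lower(), pid.lower())
    if pair == BOOTROM_ID:
        return "bootrom"
    if pair == PRELOADER_ID:
        return "preloader"
    return "other"


def scan_usb_lines(lines):
    """Extract every (vid, pid, mode) triple from lsusb- or dmesg-style lines."""
    found = []
    for line in lines:
        m = LSUSB_RE.search(line) or DMESG_RE.search(line)
        if m:
            vid, pid = m.group(1).lower(), m.group(2).lower()
            found.append((vid, pid, classify_usb_id(vid, pid)))
    return found


def mediatek_mode(lines):
    """Return the mode of the most recent MediaTek download-mode enumeration.

    dmesg is chronological, so the last match is the current state; a device
    that was seen as preloader and then as bootrom is in the state the
    scripts need.  Returns None when no MediaTek download device is present.
    """
    mtk = [mode for _, _, mode in scan_usb_lines(lines) if mode != "other"]
    return mtk[-1] if mtk else None


def current_mode():
    """Run lsusb on this machine and classify it; None if lsusb is unavailable."""
    try:
        out = subprocess.run(["lsusb"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return mediatek_mode(out.splitlines())


# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_BOOTROM = [
    "Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone",
    "[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00",
]
SAMPLE_PRELOADER = [
    "Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader",
]
SAMPLE_NOTHING = [
    "Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub",
]

if __name__ == "__main__":
    for name, lines in (("bootrom", SAMPLE_BOOTROM),
                        ("preloader", SAMPLE_PRELOADER),
                        ("none", SAMPLE_NOTHING)):
        print(f"{name:9s} -> {mediatek_mode(lines)}")
    print("this host  ->", current_mode())
```

A wrapper around bootrom-step.sh can poll `current_mode()` and refuse to continue until it returns "bootrom", which turns the thread's "if it shows up as preloader, try again" advice into an automatic check.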
 
May 30, 2019
23
1
I thought I had posted a comment, but it disappeared, so I am adding it.
-Text from here-.
Have you tried amonet-3?

This thread states.


Also, if you have never opened the back, open and work with it.

Just... To me it still looks like after trying everything.

Yes I did try Amonet3 - shorting the pin method.

It worked on HD8 running FireOS version 6.3.1.5 but it didn't work on HD8 running FireOS version vNext
 

jumstec

Senior Member
Yes I did try Amonet3 - shorting the pin method.

It worked on HD8 running FireOS version 6.3.1.5 but it didn't work on HD8 running FireOS version vNext
Guys so sorry to bother you again.

I've noticed that the fireOS version is vNext !!! is it possible to unlock it and install twrp?
I have looked into fire os vNext and there is no significant difference.
But I found that it apparently has rootADB access in its original state.
Just not a big difference.
As @Michajin said, (https://xdaforums.com/t/windows-tool-fire-toolbox-v30-2.3889604/post-82959907) something is definitely changed in this OS. I am not sure what is going on with the OS, but I am sure that something has changed.

Perhaps this OS is a pre production version to be exact.
This thread is a prototype of fire 2020.

I digress a bit.
Is there anything unusual about the test points on the back?
As I said, this device is a prototype.
At any rate, there are only 3 people who have had this device in their hands that we have been able to confirm...
They made changes not only to the OS, but also to the chip.
Each TWRP is made to fit the device. Of course, so is rom.

Let's be honest. As this is a prototype, there is nothing else we can do. The only thing we can do is to try all the test points on the back. I am so sorry that I cannot help you.

By the way, did you find out that this fire os is vNext? This is my only question.

If I had known this ahead of time I could have assured you that it was impossible...
 
May 30, 2019
23
1
I have looked into fire os vNext and there is no significant difference.
But I found that it apparently has rootADB access in its original state.
Just not a big difference.
As @Michajin said, (https://xdaforums.com/t/windows-tool-fire-toolbox-v30-2.3889604/post-82959907) something is definitely changed in this OS. I am not sure what is going on with the OS, but I am sure that something has changed.

Perhaps this OS is a pre production version to be exact.
This thread is a prototype of fire 2020.

I digress a bit.
Is there anything unusual about the test points on the back?
As I said, this device is a prototype.
At any rate, there are only 3 people who have had this device in their hands that we have been able to confirm...
They made changes not only to the OS, but also to the chip.
Each TWRP is made to fit the device. Of course, so is rom.

Let's be honest. As this is a prototype, there is nothing else we can do. The only thing we can do is to try all the test points on the back. I am so sorry that I cannot help you.

By the way, did you find out that this fire os is vNext? This is my only question.

If I had known this ahead of time I could have assured you that it was impossible...

Thanks mate for your efforts and time.

When I get into "System update" it says that current version is FireOS vNext.

I wonder if anybody of the developers would like to carry out some tests on my device.
 
May 30, 2019
23
1
If you have an adb connection, try downloading a stock version and apply update from adb. I would look for the original one 6300. Might have to rename it as a bin? I have not done much with adb in stock recovery...
I tried with 2 stock versions (6300 from xda and the latest one from amazon site) .. one of them gave me error 7 at 47%
the another stock gave me error 21 at the beginning
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
I tried with 2 stock versions (6300 from xda and the latest one from amazon site) .. one of them gave me error 7 at 47%
the another stock gave me error 21 at the beginning
When you do the shorting option, does it give the "hit any key to continue"? If it does, does it come up as a MediaTek phone if you type lsusb in a terminal? What error comes up when you try to continue? I am probably not the one to help you, I am just curious if it is something with the addressing of the bootrom script that may be different.
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
When you do the shorting option, does it give the "hit any key to continue"? If it does, does it come up as a MediaTek phone if you type lsusb in a terminal? What error comes up when you try to continue? I am probably not the one to help you, I am just curious if it is something with the addressing of the bootrom script that may be different.
For a test... I came across this you can try. Not sure if it will do anything at all....

 

jumstec

Senior Member
Personally, it seems to me that we really need to have a fire os "vNext" to restore this terminal.
By any chance, if I can install the zip with fastboot, does that mean the bootloader is unlocked at that point?
If so, it seems to me that you can install lineage os as is.
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
Personally, it seems to me that we really need to have a fire os "vNext" to restore this terminal.
By any chance, if I can install the zip with fastboot, does that mean the bootloader is unlocked at that point?
If so, it seems to me that you can install lineage os as is.
If fastboot is unlocked and available you can flash twrp, use that and should be able to flash stock or lineage.
 

jumstec

Senior Member
If fastboot is unlocked and available you can flash twrp, use that and should be able to flash stock or lineage.
Just install a new TWRP and you should be good to go.

But the expectation is that fire hd 8 2018 "vnext" will be different from fire hd 8. fire hd 8 2017 and 2018 are not the same, and just as the same rom is not available, TWRP will not be available as well.
So TWRP is trying to activate, but may not be able to. Especially since the 7th and 8th generation are on different OS versions, so it would be very different. In other words, the prototype and the product are very different.
 

Toast5000

Member
Dec 15, 2010
19
2
First of all thank you all for this amazing work and effort you gave to this!

I managed to follow the instructions without any issues and now got a working HD 8 2018 with TWRP and root.
1. Can I now install this ROM via TWRP:
2. If so, do I only need to flash lineage and gapps as advised in the instructions, or do I have to flash Magisk and finalize.zip afterwards to preserve the unlocked bootloader?

--- EDIT ---
I tried flashing the lineage-20.0-20230104-UNOFFICIAL-karnak.zip, I saw the "Remove/Install boot patch" note of amonet, but after reboot device got stuck at amazon logo. Managed to revert back to patched update 6300.zip with TWRP.

--- EDIT ---
Seems to be an issue with the lineage 20 ROM, sorry for bothering in this thread. LOS 18.1 works perfectly. I can now answer both questions myself:
1. No, at least not the latest, use 18.1 or older.
2. Yes, just flash the image, and optionally GApps. Use official Magisk for root (rename apk to zip and flash with TWRP), the modified version of this post is not compatible with LOS. No need to flash finalize.zip.
 

jumstec

Senior Member
First of all thank you all for this amazing work and effort you gave to this!

I managed to follow the instructions without any issues and now got a working HD 8 2018 with TWRP and root.
1. Can I now install this ROM via TWRP:
2. If so, do I only need to flash lineage and gapps as advised in the instructions, or do I have to flash Magisk and finalize.zip afterwards to preserve the unlocked bootloader?

--- EDIT ---
I tried flashing the lineage-20.0-20230104-UNOFFICIAL-karnak.zip, I saw the "Remove/Install boot patch" note of amonet, but after reboot device got stuck at amazon logo. Managed to revert back to patched update 6300.zip with TWRP.

--- EDIT ---
Seems to be an issue with the lineage 20 ROM, sorry for bothering in this thread. LOS 18.1 works perfectly. I can now answer both questions myself:
1. No, at least not the latest, use 18.1 or older.
2. Yes, just flash the image, and optionally GApps. Use official Magisk for root (rename apk to zip and flash with TWRP), the modified version of this post is not compatible with LOS. No need to flash finalize.zip.
After all this time, lineage 20 works perfectly.
Except that it sometimes gets stuck on the amazon logo.
When that happens, you may want to flash a new rom or replace it with the latest version of twrp.
Either way, it is compatible with lineage 20.

By the way, the startup time of lineage 20 is 1 minute at the amazon logo and 30 seconds after the lineage logo appears.
 

jumstec

Senior Member
I apologise for my noob questions, but which github post?
Sorry for the late reply.

Kernel
Android Devices
lineage 20

It may seem persistent, but it is already 4 years old since manufacture.
Might be good to use for testing.
 

Top Liked Posts


    Changelog:
    v2 - Fixed the issue with the screen


    Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.

    This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.

    You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.

    What you need:
    - a Linux installation. Since I had to rush it, this guide is only for Linux. Once I get a chance to test it on Windows I'll update the guide.
    - microusb cable to connect your tablet to the PC
    - some way to open the tablet (pry tool, opening picks, etc)
    - something conductive (metal tweezers, a paper clip, a piece of wire, etc)
    - amonet.tar.gz
    - 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I-eH3Ph0Ar10_2nioNIm0ilSnNYgOG9YPNE
    - Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/releases/download/v18.0/Magisk-v18.0.zip
    - finalize.zip

    Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".

    Extract amonet.tar.gz, open a terminal and navigate to it.

    You might need to run the scripts on your PC under sudo if you're getting permission errors.

    0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin
    1. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
    2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK.
    3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
    4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
    5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
    6. Plug in the other end of the microusb cable.
    7. You should see a new device appear on your PC

    Code:
    [10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
    [10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
    [10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
    [10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device

    This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.

    8. The script you ran in step 4 should now tell you to remove the short. Remove the paperclip and press Enter as instructed.
    9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:

    Code:
    [2019-01-26 23:30:02.157670] Waiting for bootrom
    [2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
    [2019-01-26 23:30:20.439362] Handshake
    [2019-01-26 23:30:20.441693] Disable watchdog
    
     * * * Remove the short and press Enter * * * 
    
    
    [2019-01-26 23:30:22.636037] Init crypto engine
    [2019-01-26 23:30:22.661832] Disable caches
    [2019-01-26 23:30:22.662505] Disable bootrom range checks
    [2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
    [2019-01-26 23:30:22.693170] Send payload
    [2019-01-26 23:30:23.527965] Let's rock
    [2019-01-26 23:30:23.528832] Wait for the payload to come online...
    [2019-01-26 23:30:24.260602] all good
    [2019-01-26 23:30:24.261069] Check GPT
    [2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
    [2019-01-26 23:30:24.596619] Check boot0
    [2019-01-26 23:30:24.841858] Check rpmb
    [2019-01-26 23:30:25.051079] Downgrade rpmb
    [2019-01-26 23:30:25.052924] Recheck rpmb
    [2019-01-26 23:30:25.949978] rpmb downgrade ok
    [2019-01-26 23:30:25.950284] Flash lk-payload
    [5 / 5]
    [2019-01-26 23:30:26.471797] Flash preloader
    [288 / 288]
    [2019-01-26 23:30:44.845804] Flash tz
    [6732 / 6732]
    [2019-01-26 23:33:08.502134] Flash lk
    [685 / 685]
    [2019-01-26 23:33:23.337460] Inject microloader
    [4 / 4]
    [2019-01-26 23:33:23.667547] Reboot to unlocked fastboot

    If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot.

    9. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
    10. Once the device boots to fastboot (check with "fastboot devices". You should see amazon logo on the screen.), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display.
    11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.
    12. We'll now upload required files to the recovery. On your PC, do:

    adb push 6300.zip /sdcard
    adb push Magisk-v18.0.zip /sdcard
    adb push finalize.zip /sdcard

    13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
    14. Go to "Wipe" and do the default wipe, then reboot
    15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again
    16. Hold down the power button, press Restart and hold volume down to boot into recovery.

    17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
    18. Press back, select finalize.zip and flash it
    19. Once finalize.zip is flashed, press "Reboot System"

    20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
    21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.

    Your device is now unlocked. You can flash a custom boot image, system image, etc. However, if you ever brick the device so bad the recovery does not boot, you will have to repeat these steps starting from the first one. Read below for what you should not do.

    VERY IMPORTANT STUFF:
    Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).

    Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.


    To revert back to stock:
    - download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
    - flash 6300.zip from twrp
    - flash revert-stock.zip from twrp
    - wipe data
    - reboot to recovery; you should see amazon recovery now
    - select "apply update from ADB" in the recovery menu
    - run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC


    Another way to fix a brick:

    - Download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
    - Download and unzip revert-stock.zip
    - Do steps 0 to 9 from this guide (so everything until fastboot-step.sh)
    - Wait for device to boot into fastboot mode (check with "fastboot devices")
    - Run "fastboot flash boot boot.img" using boot.img from the revert-stock.zip
    - Run "fastboot flash recovery recovery.img" using recovery.img from the revert-stock.zip
    - Run "fastboot reboot recovery"
    - Select "apply update from ADB" in the recovery menu
    - Run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC


    Other misc information / troubleshooting:
    - If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
    - If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
    - If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
    - To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)

    Thanks to: @hwmod @firetablethelp for testing different versions of the payload.
    Special thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools; the bootrom download protocol scripts are largely based on their work
    21
    GPL Notice:
    - Source code for modified TWRP is available from https://github.com/xyzz/android_bootable_recovery
    - Source code for amonet/brom-payload is available from https://github.com/xyzz/amonet/tree/master/brom-payload

    Device tree to build TWRP: https://github.com/xyzz/android_device_amazon_karnak

    Additionally, source code of the full exploit chain is available from https://github.com/xyzz/amonet

    When I finish the writeup for this vulnerability, I'll update this post with a URL to the writeup.
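The "VERY IMPORTANT STUFF" section above states that the exploit takes over the first 0x400 bytes of boot.img/recovery.img and that only TWRP knows how to remove and reinstall it, so an image flashed from anywhere else will not carry it. One defensive habit on the PC side is to inspect an image before flashing it at all. The block below is an added example, not code from amonet or from any post in this thread: it parses the standard Android boot-image header (the v0 layout: an "ANDROID!" magic followed by eight little-endian u32 fields) and reports whether a file still carries that header, has a sane page size, and is long enough for the page counts it claims. It assumes that an image whose head region has been replaced no longer starts with the "ANDROID!" magic; the page does not describe the patch bytes, so `make_patched_image` simply overwrites the region with filler as a stand-in, and `make_sample_image` builds a constructed stand-in for a stock image rather than a real karnak boot.img.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Android boot image header (v0 layout): 8-byte magic followed by eight u32
# little-endian fields: kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size.
HEADER_FMT = "<8s8I"
PATCH_REGION = 0x400  # bytes the guide says the boot patch occupies


def parse_boot_header(data):
    """Return the v0 header fields as a dict, or None if the magic is missing."""
    if len(data) < struct.calcsize(HEADER_FMT):
        return None
    fields = struct.unpack_from(HEADER_FMT, data)
    if fields[0] != BOOT_MAGIC:
        return None
    names = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
             "second_size", "second_addr", "tags_addr", "page_size")
    return dict(zip(names, fields[1:]))


def _pages(size, page_size):
    """Number of whole pages needed to hold `size` bytes."""
    return (size + page_size - 1) // page_size


def check_boot_image(data):
    """Classify an image before it is flashed.

    Returns (status, header) where status is one of:
      'ok'                  standard header, sane page size, file long enough
      'no-standard-header'  first bytes do not carry the ANDROID! header
      'bad-page-size'       page_size is not a power of two >= 2048
      'truncated'           header claims more pages than the file holds
    """
    hdr = parse_boot_header(data)
    if hdr is None:
        return "no-standard-header", None
    ps = hdr["page_size"]
    if ps < 2048 or ps & (ps - 1):
        return "bad-page-size", hdr
    expected = ps * (1 + _pages(hdr["kernel_size"], ps)
                     + _pages(hdr["ramdisk_size"], ps)
                     + _pages(hdr["second_size"], ps))
    if len(data) < expected:
        return "truncated", hdr
    return "ok", hdr


def make_sample_image(kernel=b"K" * 100, ramdisk=b"R" * 50, page_size=2048):
    """Constructed stand-in for a stock boot.img: header page + kernel + ramdisk.

    The load addresses are arbitrary sample values, not karnak's real ones.
    """
    header = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000,
                         len(ramdisk), 0x11000000, 0, 0x10F00000,
                         0x10000100, page_size)
    header = header.ljust(page_size, b"\0")
    body = kernel.ljust(_pages(len(kernel), page_size) * page_size, b"\0")
    body += ramdisk.ljust(_pages(len(ramdisk), page_size) * page_size, b"\0")
    return header + body


def make_patched_image(image):
    """Constructed stand-in for an image whose first 0x400 bytes were replaced.

    The real patch contents are not described on the page; filler bytes are
    used only so the check shows what a non-standard head region looks like.
    """
    return b"\xff" * PATCH_REGION + image[PATCH_REGION:]


if __name__ == "__main__":
    stock = make_sample_image()
    for label, img in (("stock-like", stock),
                       ("patched", make_patched_image(stock)),
                       ("truncated", stock[:-1])):
        status, hdr = check_boot_image(img)
        print(f"{label:11s} {len(img):6d} bytes -> {status}"
              + (f" (page_size={hdr['page_size']})" if hdr else ""))
```

Run against a real file with `check_boot_image(open("boot.img", "rb").read())`. A result other than "ok" does not say which tool to flash with, but it does tell you the image is not a plain stock-format image, which is the moment to stop and re-read the warning above rather than push it from Android.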
    7
    Unless you hide root CTS will always fail. Not easy to do even with magisk.

    The 'Magisk Hide' option (enabled by default) is sufficient on my phone to pass CTS, and I'm not doing anything other than that to hide Magisk. I'm just using the defaults, as I am on the Fire, yet one passes and one doesn't. Only if I disable that option then CTS fails (and basicIntegrity).

    6.3.0.1 was bugged for me on first launch. I had to disable the Device Setup app via adb and then it was ok. On the plus side, it fixes the SD card setup bug (it stops asking what to do with it every boot) and the bug with some accessibility options being empty (can't toggle on/off).

    Here is a link to 6.3.0.1 for those not sure about zipping/editing the script. If anyone tries flashing it, and it doesn't work, be specific. Like does Magisk throw an error (if so, what does it say), or is there an issue post boot or.. etc?
    7
    OK, this is the paper that I had in mind. It's by XDA member @djrbliss from 2013 for the Galaxy S4. And this is the thread he made.
    Damn, if you were not aware of that work and came up with your exploit independently, that's even more amazing. My hat's off to you sir. ;)

    Interesting, definitely wasn't aware of this (and I guess neither was mediatek). So I guess what happened is both mediatek and qualcomm took Google's aboot which had no checks for boot.img load base, and added their own signature checking on top. Kinda amazing that it's been known for over 5 years.

    I also had to exploit it in a different way, I see in that blog he's overwriting a function with his code, but in my case I have to overwrite a function pointer and set up a rop chain to do cache flush before jumping to the payload. Either way, the end result is the same.
    7
    This is very promising could you please elaborate, what exactly needs to be modified to port this to other MTK-hardware.
    I have a fire 5th gen here and I can access brom-mode by pressing the left mute button while plugging in.
    tried your scripts as is (commenting out the parts that change rpmb or flash partitions) and it gets stuck at
    Code:
    [2019-01-28 00:01:40.973289] Disable bootrom range checks

    Does the hash in load_payload.py (4dd12bdf0ec7d26c482490b3482a1b1f) need to be modified?
    I do have the kernel-sources for the device and am willing to investigate correct addressing etc.

    Also since this is a boot-rom exploit wouldn't it allow flashing a hacked preloader + lk which just ignore boot-signatures so we can just run a standard twrp?

    So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of the preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)

    If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.

    Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc, these can be found by reversing your bootrom dump. At this point it should be possible to get emmc read/write.

    Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.

    I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.

    You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.