New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


INetBowser

Member
Dec 4, 2020
11
5
Can't get into bootrom. Tried already (with disconnected battery):
- shorting pins to shield
- shorting pin-to-pin
- holding vol+/vol- while plugging usb in

I'm running Fire HD 10 (9th gen) with 7.3.1.2 (Serial number: G001 1J06 0356 04PE).

Edit: bought mine in october 2020.
Seems like bootrom is disabled in my unit.
 

blaze2051

Senior Member
Jul 26, 2010
122
11
LG G7 ThinQ
LG V40
All of mine were purchased in the first couple of months after release. I ran the main.py in Windows with volume up and the battery disconnected, then plugged in, and right into bootrom it went ... then wiped the preloader to make it easier, then flashed in SP tools, then ran the kamakiri script on FireISO.
So 7.3.1.7 can be rolled back to 7.3.1.0 without bricking? Could you list a step-by-step guide?
 

Michajin

Senior Member
Oct 23, 2012
1,214
475
So 7.3.1.7 can be rolled back to 7.3.1.0 without bricking? Could you list a step-by-step guide?
Well, it seems the exploit to downgrade is limited to early releases of the HD10 Maverick. I bought all 3 of mine in the first few months of its release. When I received mine, two were on 7.3.1.0 and the other was on 7.3.1.1. I did the temp root on one and let the other 2 update. During these tests we found that I could downgrade. Keep in mind, downgrading only gives access to mtk-su (temp root) and not unlocking. If you are interested in testing to see if you can downgrade, run an amonet script until you see "waiting for bootrom". Open the device and disconnect the battery, press volume up (the button closest to the power button) and plug the device into USB (you should see "remove short to continue"). Do not continue, but in another terminal run lsusb and verify you see a MediaTek 6227 phone. This is the bootrom. If you have access to it, you are in the "can downgrade" group and I would be more than happy to assist. It being a temp root and what appears to be a limited number of people, I worry that instructions could cause bricks.
 

bibikalka

Senior Member
May 14, 2015
1,351
1,086
Well it seems the exploit to downgrade is limited to early releases of the HD10 Maverick. I bought all 3 of mine the first few months of its release. When i received mine, two were on 7.3.1.0 and the other was on 7.3.1.1.
...

Can you give us an idea what YOUR serial numbers are? We have 1 report about NO BootRom:

Im running Fire HD 10 (9th gen) with 7.3.1.2 (Serial number: G001 1J06 0356 04PE).

Edit: bought mine in october 2020.



I have a device here that I also bought in Oct 2020, same 7.3.1.2 (a sale at Target store). I was actually digging through the units to get the lowest serial, LOL. Serial number is G001 1J06 0344 XXXX (last 4 are obfuscated). Am I out of luck?
 

bibikalka

Senior Member
May 14, 2015
1,351
1,086
So the scatter file is confirmed working thanks to @bengris32.
He currently has 7.3.1.1 and tried downgrading only the boot.img.
While that did allow using mtk-su, it broke wifi and battery (and probably other drivers).

Yeah, it should.
Order would be the other way around, flash first, then downgrade RPMB.
RPMB downgrade is only needed if you downgrade

Just catching up on things I've missed. Can I seamlessly downgrade 7.3.1.2 to 7.3.1.0 using the new MTK Bypass and doing mtk-su ? I should be OK keeping the higher version LK/TEE/etc, those were usually forgiving within a certain range of versions.

Are there any show stoppers? I don't see that 7.3.1.2 image downgrade to 7.3.1.0 was ever tested, but are there any reasons it would not work?
 

Michajin

Senior Member
Oct 23, 2012
1,214
475
Can you give us an idea what YOUR serial numbers are? We have 1 report about NO BootRom:

Im running Fire HD 10 (9th gen) with 7.3.1.2 (Serial number: G001 1J06 0356 04PE).

Edit: bought mine in october 2020.



I have a device here that I also bought in Oct 2020, same 7.3.1.2 (a sale at Target store). I was actually digging through the units to get the lowest serial, LOL. Serial number is G001 1J06 0344 XXXX (last 4 are obfuscated). Am I out of luck?

I will look for the numbers tonight. Everything is still tied to access to the bootrom. I was able to downgrade a 7.3.1.2 and a 7.3.1.7. Then I updated one to 7.3.1.8 and downgraded it back to 7.3.1.0. It was the full image. SP tools would only let me flash system, boot, recovery, and vendor. The rest was done through k4y0z's script. I found that I could access the bootrom with the battery disconnected, volume + and plugging in USB (as soon as you plug in the battery, it goes into preloader). I have yet to find anyone else who can do this. I also have a shorting point, but it has only worked for me so far (I tested the shorting over 5 times). See if you can find access to the bootrom; if you can, you should have access to downgrade.
 

bibikalka

Senior Member
May 14, 2015
1,351
1,086
I will look for the numbers tonight. Everything is still tied to access to the bootrom. I was able to downgrade a 7.3.1.2 and a 7.3.1.7. Then I updated one to 7.3.1.8 and downgraded it back to 7.3.1.0. It was the full image. SP tools would only let me flash system, boot, recovery, and vendor. The rest was done through k4y0z's script. I found that I could access the bootrom with the battery disconnected, volume + and plugging in USB (as soon as you plug in the battery, it goes into preloader). I have yet to find anyone else who can do this. I also have a shorting point, but it has only worked for me so far (I tested the shorting over 5 times). See if you can find access to the bootrom; if you can, you should have access to downgrade.

OK, have you tried to only downgrade system, boot, recovery, and Vendor from 7.3.1.2 to 7.3.1.0, leaving the rest at 7.3.1.2, and seeing if it works fully? You could even test 7.3.1.7 downgraded to 7.3.1.0, but only those 4 partitions. If that works OK, there is a nice way for everybody to have root!

I am thinking if all versions give you BootRom, that means that there was a hardware change past some serial numbers. Your BootRom access is never disabled, through the volume button, which sits in the preloader (?). To be fair, there is only 1 other report trying the BootRom method, so perhaps there could have been a user error.

Until BootRom gives some magical access (bootloader unlock!), there is really no point in chasing it.

Edit:
Actually, given that you can get always into BootRom on your devices, can you try the old trick with zeroing out the preloader to get into BootRom (check the partition name first!)
echo 0 > /sys/block/mmcblk0boot0/force_ro
dd if=/dev/zero of=/dev/block/mmcblk0boot0
echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0


If that works with temporary root, it would be possible to get into BootRom without opening the device.
 

k4y0z

Senior Member
Nov 27, 2015
1,429
1,834
OK, have you tried to only downgrade system, boot, recovery, and Vendor from 7.3.1.2 to 7.3.1.0, leaving the rest at 7.3.1.2, and seeing if it works fully? You could even test 7.3.1.7 downgraded to 7.3.1.0, but only those 4 partitions. If that works OK, there is a nice way for everybody to have root!
What would be the point of that?
You need bootrom access or an already rooted device to achieve that anyway.

Actually, given that you can get always into BootRom on your devices, can you try the old trick with zeroing out the preloader to get into BootRom (check the partition name first!)
echo 0 > /sys/block/mmcblk0boot0/force_ro
dd if=/dev/zero of=/dev/block/mmcblk0boot0
echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0


If that works with temporary root, it would be possible to get into BootRom without opening the device.
Yes, wiping preloader will get you into bootrom on a device that doesn't have bootrom mode disabled.
On a device that has it disabled, this would lead to a permanent brick (as happened to some on karnak).
If you already have temp root that probably means you are already on 7.3.1.0, so no point in accessing bootrom by wiping PL either.
 

samdotci

Member
Mar 5, 2021
5
11
I will look for the numbers tonight. Everything is still tied to access to the bootrom. I was able to downgrade a 7.3.1.2 and a 7.3.1.7. Then I updated one to 7.3.1.8 and downgraded it back to 7.3.1.0. It was the full image. SP tools would only let me flash system, boot, recovery, and vendor. The rest was done through k4y0z's script. I found that I could access the bootrom with the battery disconnected, volume + and plugging in USB (as soon as you plug in the battery, it goes into preloader). I have yet to find anyone else who can do this. I also have a shorting point, but it has only worked for me so far (I tested the shorting over 5 times). See if you can find access to the bootrom; if you can, you should have access to downgrade.

I'm in the same situation as you with the tablet entering bootrom with the battery disconnected and holding the volume + button - purchased the device in November 2019!

Currently, however, sitting on a semi-bricked device... Had the same issue with SP Flash Tool only permitting system, boot, recovery, etc. to be flashed and it considering the other files to be unverified.

Tried using k4y0z's script but unfortunately receive an error writing to the eMMC just after it confirms both the 1st and 2nd stage of loading the payloads have come online. I've tried reconnecting the battery whilst it's in the bootrom but it makes no difference. Have also tried using the FireISO to do this, both the original and the new, along with Windows 10, but it doesn't seem to make any difference to the ability to write to the eMMC.

Did you have any similar issues with yours?
 

k4y0z

Senior Member
Nov 27, 2015
1,429
1,834
I'm in the same situation as you with the tablet entering bootrom with the battery disconnected and holding the volume + button - purchased the device in November 2019!

Currently, however, sitting on a semi-bricked device... Had the same issue with SP Flash Tool only permitting system, boot, recovery, etc. to be flashed and it considering the other files to be unverified.

Tried using k4y0z's script but unfortunately receive an error writing to the eMMC just after it confirms both the 1st and 2nd stage of loading the payloads have come online. I've tried reconnecting the battery whilst it's in the bootrom but it makes no difference. Have also tried using the FireISO to do this, both the original and the new, along with Windows 10, but it doesn't seem to make any difference to the ability to write to the eMMC.

Did you have any similar issues with yours?

You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.


  1. Go into the Format tab
  2. Select Manual Format Flash
  3. Choose Region EMMC_BOOT1
  4. Set Format Length to 0x100000


Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (Unfortunately it's quite slow compared to SP Flash)
 

Attachments

  • kamakiri-flash-v3.zip
    7.5 MB · Views: 21

Michajin

Senior Member
Oct 23, 2012
1,214
475
I'm in the same situation as you with the tablet entering bootrom with the battery disconnected and holding the volume + button - purchased the device in November 2019!

Currently, however, sitting on a semi-bricked device... Had the same issue with SP Flash Tool only permitting system, boot, recovery, etc. to be flashed and it considering the other files to be unverified.

Tried using k4y0z's script but unfortunately receive an error writing to the eMMC just after it confirms both the 1st and 2nd stage of loading the payloads have come online. I've tried reconnecting the battery whilst it's in the bootrom but makes no different. Have also tried using the FireISO to do this, both the original and the new, along with Windows 10, but doesn't seem to make any difference to the ability to write to the eMMC.

Did you have any similar issues with yours?
Exactly what I had. Every time I plugged in the battery it went into preloader, but you can't write to eMMC without the battery. Follow k4y0z's directions above.

Thank you, this confirms I am not the only one that has access to downloading! What version were you on?
 

Michajin

Senior Member
Oct 23, 2012
1,214
475
Can you give us an idea what YOUR serial numbers are? We have 1 report about NO BootRom:

Im running Fire HD 10 (9th gen) with 7.3.1.2 (Serial number: G001 1J06 0356 04PE).

Edit: bought mine in october 2020.



I have a device here that I also bought in Oct 2020, same 7.3.1.2 (a sale at Target store). I was actually digging through the units to get the lowest serial, LOL. Serial number is G001 1J06 0344 XXXX (last 4 are obfuscated). Am I out of luck?
g001 2c05 9496 XXXX
g001 1j05 9395 XXXX
g001 1j05 9457 XXXX

All 3 have accessible bootroms, but after 7.3.1.2 accessing bootrom is different. You have to disconnect the battery while pressing vol+ and plugging in USB. On 7.3.1.1 and 7.3.1.0 the battery did not matter. I have a shorting option that works, but there isn't a point in my opinion, because if vol+ and plugging in (without battery) don't work, I believe the bootrom is disabled...
 

bibikalka

Senior Member
May 14, 2015
1,351
1,086
What would be the point of that?
You need bootrom access or an already rooted device to achieve that anyway.


Yes, wiping preloader will get you into bootrom on a device that doesn't have bootrom mode disabled.
On a device, that has it disabled this would lead to a permanent brick (as happened to some on karnak).
If you already have temp root that probably means you are already on 7.3.1.0, so no point in accessing bootrom by wiping PL either.

OK, thanks! I misunderstood the fact that to flash system/boot partitions one needs BootRom already to be accessible.

g001 2c05 9496 XXXX
g001 1j05 9395 XXXX
g001 1j05 9457 XXXX

Is your 2c05 device a different color/memory configuration from the 1j05's? Wonder if it's 05 vs 06 making the difference. 1j06 was reported not to respond with BootRom. The shorting point might still work, unless they had a quick hardware revision. At least, why don't you post your image for reference?
 

Michajin

Senior Member
Oct 23, 2012
1,214
475
OK, thanks! I misunderstood the fact that to flash system/boot partitions one needs BootRom already to be accessible.



Is your 2c05 device a different color/memory configuration from 1j05's ? Wonder if it's 05 vs 06 making the difference. 1j06 was reported not to respond with BootRom. The shorting point might still work, unless they had a quick hardware revision. At least, why don't you post your image for reference?

It was a plum one that I got right when people started saying the black ones were coming with 7.3.1.1. It came with 7.3.1.0. I am not really all that experienced in how to do what you are asking about posting my image; what image? I have never tested shorting on my 2c05, so I'll check it.. I can send you a picture of what I shorted on my other ones to access the bootrom and do more testing on this one.... but it very well could be the 05 vs 06 you suggest... Just had someone else say they could access it the same as I did, curious what their SN was...

@samdotci
 

bibikalka

Senior Member
May 14, 2015
1,351
1,086
It was a plum one that I got right when people started saying the black ones were coming with 7.3.1.1. It came with 7.3.1.0. I am not really all that experienced in how to do what you are asking about posting my image; what image? I have never tested shorting on my 2c05, so I'll check it.. I can send you a picture of what I shorted on my other ones to access the bootrom and do more testing on this one.... but it very well could be the 05 vs 06 you suggest... Just had someone else say they could access it the same as I did, curious what their SN was...

@samdotci

Don't worry about 2c05, any picture is good for shorting points (the ones you already tried, from 1j05). I just wanted to figure out if 2c actually meant color, and not hardware revision. So looks like it's potentially 05 vs 06 issue.
 

Michajin

Senior Member
Oct 23, 2012
1,214
475
Don't worry about 2c05, any picture is good for shorting points (the ones you already tried, from 1j05). I just wanted to figure out if 2c actually meant color, and not hardware revision. So looks like it's potentially 05 vs 06 issue.
I sent a private message... your risk... lol
 

samdotci

Member
Mar 5, 2021
5
11
Exactly what I had. Every time I plugged in the battery it went into preloader, but you can't write to eMMC without the battery. Follow k4y0z's directions above.

Thank you, this confirms I am not the only one that has access to downloading! What version were you on?

Pretty sure I was on 7.3.1.7. I updated it to the latest available back in December!

It was a plum one that I got right when people started saying the black ones were coming with 7.3.1.1. It came with 7.3.1.0. I am not really all that experienced in how to do what you are asking about posting my image; what image? I have never tested shorting on my 2c05, so I'll check it.. I can send you a picture of what I shorted on my other ones to access the bootrom and do more testing on this one.... but it very well could be the 05 vs 06 you suggest... Just had someone else say they could access it the same as I did, curious what their SN was...

@samdotci

My serial number is G001 2D05 9376 XXXX, so it could support the 05/06 situation?
 

samdotci

Member
Mar 5, 2021
5
11
You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.

Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (Unfortunately it's quite slow compared to SP Flash)

Thank you so much for the explanation - that worked perfectly! Had some issues with my device being stuck at the "Fire" logo when turning it on, but a factory reset from the recovery menu cleared that up. Would have investigated further to resolve that but I had no data to lose on the device anyway. Managed to successfully downgrade to 7.3.1.0!
 

bibikalka

Senior Member
May 14, 2015
1,351
1,086
@k4y0z @INetBowser @StonedEngineer97 @Michajin @samdotci @Kramar111

I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

For data collection purposes, I looked into getting more specific info on the hardware. The bulk of it is stored in /proc/idme. Here are the commands:

Code:
adb shell
cd /proc/idme
for f in board_id manufacturing device_type_id productid productid2 serial; do echo $f; cat $f; echo ""; done

Here is my output (X is obfuscation). If you have several devices, and some of these IDs are the same on more than 1, please don't obfuscate those. I cannot tell what is unique from a single device, and thus probably obfuscated a bit too much.
Code:
board_id
003F001400010019
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA390I4K
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX

Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.
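Added example (not code from this thread or from any of its authors): a small Python script that parses the /proc/idme dump format printed by the for-loop above, splits a serial into the four groups quoted in the thread, and tallies the bootrom reports posted so far by the last two characters of the second group, which is the 05-versus-06 guess discussed above. The report list is transcribed from posts in this thread; the function names, the group labels (group1..group4, suffix) and the sample dump are this example's own assumptions, and seven data points can only show whether the guess is contradicted, not that it is right.

```python
"""Collate /proc/idme fields and serial numbers reported in this thread.

Added example, not the thread's own tooling. Field names (group1..group4,
suffix) are positional labels chosen here, not Amazon's terminology.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same shape as the dump posted above
# (field name on one line, value on the next; the echo "" separators
# are optional and ignored by the parser).
SAMPLE_IDME_DUMP = """\
board_id
003F001400010019
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA390I4K
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX
"""

IDME_FIELDS = ("board_id", "manufacturing", "device_type_id",
               "productid", "productid2", "serial")


def parse_idme_dump(text: str) -> Dict[str, str]:
    """Turn alternating name/value lines into a dict, checking all six fields exist."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating field-name / value lines")
    fields = {lines[i]: lines[i + 1] for i in range(0, len(lines), 2)}
    missing = [f for f in IDME_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"dump is missing fields: {missing}")
    return fields


SERIAL_RE = re.compile(r"^[A-Z0-9]{16}$")  # 'X' doubles as the obfuscation placeholder


def split_serial(serial: str) -> Dict[str, str]:
    """Split a 16-character serial (spaces optional) into the four groups the thread quotes."""
    s = serial.replace(" ", "").upper()
    if not SERIAL_RE.match(s):
        raise ValueError(f"unexpected serial format: {serial!r}")
    groups = [s[i:i + 4] for i in range(0, 16, 4)]
    return {"group1": groups[0], "group2": groups[1],
            "group3": groups[2], "group4": groups[3],
            "suffix": groups[1][2:]}  # the '05' / '06' the thread compares


# (serial as posted, bootrom reachable?) -> True / False / None (not tested).
# Transcribed from this thread; hypothetical data points can be appended as more are posted.
THREAD_REPORTS: List[Tuple[str, Optional[bool]]] = [
    ("G001 1J06 0356 04PE", False),  # INetBowser: no bootrom, bought Oct 2020
    ("G001 1J06 0344 XXXX", None),   # bibikalka: same batch, not yet tested
    ("g001 2c05 9496 XXXX", True),   # Michajin
    ("g001 1j05 9395 XXXX", True),   # Michajin
    ("g001 1j05 9457 XXXX", True),   # Michajin
    ("G001 2D05 9376 XXXX", True),   # samdotci
    ("G001 2B06 04XX XXXX", False),  # report in Top Liked Posts, newer board
]


def tally_by_suffix(reports) -> Dict[str, Dict[str, int]]:
    """Count accessible / inaccessible / untested reports per group2 suffix."""
    out: Dict[str, Dict[str, int]] = {}
    for serial, reachable in reports:
        suffix = split_serial(serial)["suffix"]
        bucket = out.setdefault(suffix, {"accessible": 0, "inaccessible": 0, "untested": 0})
        key = "untested" if reachable is None else ("accessible" if reachable else "inaccessible")
        bucket[key] += 1
    return out


def suffix_split_is_consistent(reports) -> bool:
    """True if no suffix has both accessible and inaccessible reports.

    Consistency on a sample this small does not show the suffix encodes a
    hardware revision; it only means nothing posted so far contradicts it.
    """
    return all(b["accessible"] == 0 or b["inaccessible"] == 0
               for b in tally_by_suffix(reports).values())


if __name__ == "__main__":
    fields = parse_idme_dump(SAMPLE_IDME_DUMP)
    print("board_id:", fields["board_id"], "serial groups:", split_serial(fields["serial"]))
    for suffix, counts in sorted(tally_by_suffix(THREAD_REPORTS).items()):
        print(suffix, counts)
    print("05/06 split consistent with reports so far:",
          suffix_split_is_consistent(THREAD_REPORTS))
```

Paste a device's own dump into SAMPLE_IDME_DUMP (or read it from a file) and add its serial and result to THREAD_REPORTS; the tally then shows at a glance whether a new report breaks the 05/06 pattern or merely adds to one side of it.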
 

Top Liked Posts

  • 4
    You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.

    Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (Unfortunately it's quite slow compared to SP Flash)
    Thank you! I was able to successfully downgrade my HD 10 purchased in Dec. 2019 running 7.3.1.7 to 7.3.1.0 and unbricked it using this script!
    3
    maverick:/ # grep "Kernel code" /proc/iomem
    40080000-41123fff : Kernel code
    Thanks! If I manage to get the exploit fully working there would be a possible root for Fire OS 7.3.1.2, maybe also for higher versions.
    2
    Can someone with root access on their Fire HD 10 (preferably 9th gen) run this command and post the output. I'm currently working on an exploit and would really appreciate every help.

    Code:
    maverick:/ # grep "Kernel code" /proc/iomem
    maverick:/ # grep "Kernel code" /proc/iomem
    40080000-41123fff : Kernel code
    2
    Just to confirm what's already been discussed in this thread:
    (e.g. https://forum.xda-developers.com/t/...er-unlock-brainstorming.3979343/post-84610817)

    Looks like Amazon have successfully 'hardware' disabled BootRom on the newer editions of Maverick. I've had the board out from a newer model (SN: G001 2B06 04XX XXXX) and tried to test-point pretty much everything front and back (OK, I exaggerate, but I've tried all the likely areas).

    It will load into Preloader OK, but even when Ubuntu 'thinks' it sees "Mediatek Phone", if you run 'lsusb' all you see listed is "Lab126, Inc"

    I tried the same BootRom trick on a Suez model and it was pretty easy to find a working test-point so I think I'm doing it properly.

    ... So looks like Amazon have won this round, no Kamakiri this time (n)
    The bootrom only comes on for a second. You need to run a script to stop it. If you are seeing phone you have access. Lab126 is different. The bootrom was disabled about March 2020. I have successfully shorted this, posted earlier in this thread. Shorting isn't needed though. Volume + with the battery unplugged, then plugging in to USB gives you access, providing your device is older. Tested on 3 units.
    1
    IIRC, your 3 units were early ones? I've got a recent version (SN: '06' and Lot: J045) - seems likely I'm BootRom disabled.
    When I use @k4y0z 's FireIso I don't even see 'Mediatek Phone' anywhere. And I can't get your battery unplugged / volume+ method to work - even using Suez (only with battery in will a button press combo get me into BootRom on that device). What is the 'script to stop' you mention to access BootRom? Maybe that's what's missing for me (I've not come across that in the thread - can you help me with a link?)
    This volume plug in access would only apply to maverick. I thought you said you saw mediatek phone? When I access the bootrom, as soon as I plug in the battery, it goes to preloader, then to lab126. I just used the fire stick 4k script to stop boot. But likely yes your bootrom is disabled I have not seen anyone with that newer number have access.
  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    8
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.