New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming

[k4y0z]

My serial number is G001 2D05 9376 XXXX, so it could support the 05/06 situation?

To further confirm @bibikalkas color-theory, is your device a different color than black or plumb? (Since it's neither 1J nor 2C, but 2D)

@k4y0z @INetBowser @StonedEngineer97 @Michajin @samdotci @Kramar111

I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

For data collection purposes, I looked into getting more specific info on the hardware. The bulk of it is stored in /prod/idme. Here are the commands:

adb shell
cd /proc/idme
for f in board_id manufacturing device_type_id productid productid2 serial; do echo $f; cat $f; echo ""; done

Here is my output (X is obfuscation). If you have several devices, and some of these IDs are the same on more than 1, please don't obfuscate those. I cannot tell what is unique from a single device, and thus probably obfuscated a bit too much.

board_id
003F00140001XXXX
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX

Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.

Most of these (besides serial and possibly PSN, FSN) shouldn't be device-specific.

 

[bibikalka]

@bibikalka
7.3.1.0 w/ BootROM (Vol+ & Plug In)
board_id
003F00140001xxxx

OK, looks like board_id is OK to reveal fully.Here is mine (003F001400010019):

Spoiler: 7.3.1.2 with BootRom status unknown

board_id
003F001400010019
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA390I4K
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX

To further confirm @bibikalkas color-theory, is your device a different color than black or plumb? (Since it's neither 1J nor 2C, but 2D)

Most of these (besides serial and possibly PSN, FSN) shouldn't be device-specific.

I am thinking something must be updated hardware-wise if they disabled BootRom. It's either in the board (new revision?), or the MTK chip itself. Unless there is more memory that can be written by Amazon to disable BootRom during initialization (fuses?). But they don't seem to be able to disable that remotely via new versions.

The serial number is changing, but should not something else change as well if hardware is different?

Update: Here is a link to another Maverick: http://newandroidbook.com/ddb/Maverick/
[ro.build.version.name]: [Fire OS 7.3.1.0 (PS7310/940)]

Something tells me he should be able to get root, LOL

 

[k4y0z]

I am thinking something must be updated hardware-wise if they disabled BootRom. It's either in the board (new revision?), or the MTK chip itself. Unless there is more memory that can be written by Amazon to disable BootRom during initialization (fuses?). But they don't seem to be able to disable that remotely via new versions.

It's very likely just an efuse for disabling brom-mode that is burned during manufacturing.
On mantis (Fire TV Stick 4K) the latest firmware actually looks like they're preparing to burn the fuse with a future update.

 

[bibikalka]

It's very likely just an efuse for disabling brom-mode that is burned during manufacturing.
On mantis (Fire TV Stick 4K) the latest firmware actually looks like they're preparing to burn the fuse with a future update.

Seriously??? I got to root my mantis ASAP then. Or the root is lost forever!

 

[INetBowser]

Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.

board_id
003F00140001XXXX
manufacturing
 PSN=P001P30303XXXXXX FSN=5924307XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060356XXXX

seems like i leaked my own serial earlier lol. a quick question: can something happen now that i leaked it?

 

[bibikalka]

board_id
003F00140001XXXX
manufacturing
PSN=P001P30303XXXXXX FSN=5924307XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060356XXXX

seems like i leaked my own serial earlier lol. a quick question: can something happen now that i leaked it?

Other than Amazon sending a Predator drone to take you out (they know where you live by your serial number) - NOTHING

Could you post your full board_id, it should be OK to share ? If anything, I think serial number & board ID are the keys to understand which devices cannot do BootRom.

 

[Michajin]

@k4y0z @INetBowser @StonedEngineer97 @Michajin @samdotci @Kramar111

I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

For data collection purposes, I looked into getting more specific info on the hardware. The bulk of it is stored in /prod/idme. Here are the commands:

Here is my output (X is obfuscation). If you have several devices, and some of these IDs are the same on more than 1, please don't obfuscate those. I cannot tell what is unique from a single device, and thus probably obfuscated a bit too much.
[CODE]
board_id
003F00140001XXXX
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX

Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.

1.
board_id
003F001400010019
manufacturing
PSN=P001P30394XXXXXX FSN=5696591XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF

2.
board_id
003F001400010019
manufacturing
PSN=P001P30393XXXXXX FSN=5632550XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF

3.
board_id
003F001400010019
manufacturing
PSN=P001P30394XXXXXX FSN=5670586XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1251FFFFFFFFFFFFFFFF

 

[Michajin]

@bibikalka, post: 84608059, member: 6680544"]


I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

The only way i could get into bootrom was the battery disconnected. But the only way i could write to the emmc was to have power on the battery. That is why we formatted the preloader at that point. It may have been possible to write after the shorting method, but i never tried it. This was my experience anyways while on any version 7.3.1.2 or higher. 7.3.1.1 will boot right into bootrom.

 

[castone123]

Plum 2c, on 7.3.18.

 

[samdotci]

To further confirm @bibikalkas color-theory, is your device a different color than black or plumb? (Since it's neither 1J nor 2C, but 2D)



Most of these (besides serial and possibly PSN, FSN) shouldn't be device-specific.

My device is white, so could explain the 2D difference, Not sure if serial numbers differ based on location either, but mine is produced for Amazon EU (as printed on the back of the tablet).

 

[samdotci]

Other than Amazon sending a Predator drone to take you out (they know where you live by your serial number) - NOTHING

Could you post your full board_id, it should be OK to share ? If anything, I think serial number & board ID are the keys to understand which devices cannot do BootRom.

My output from my white device purchased in late-2018 is below:

Spoiler

board_id
003F001400010019
manufacturing
FSN=561741370XXXX PSN=P001P3039374XXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1251FFFFFFFFFFFFFFFF
serial
G0012D059376XXXX

 

[bibikalka]

My output from my white device purchased in late-2018 is below:
board_id
003F001400010019
serial
G0012D059376XXXX

Again, you got the magic 059 in your serial number.

On the other hand, board_id seems the same for everybody. I've asked for board_id on Fire4k thread, to see if it stayed the same when BootRom got disabled.

Some people think Amazon can kill BootRom on demand. @xyz` claimed it's a hardware thing (from Mantis thread):

No, the only way they can fix it is with a new hardware revision.

Anyway, hopefully we can get more clarity in the near future.

 

[newnewcomputer]

all mine were bought within a few months of release n all shipped from Amazon w/ 7.3.1.0. so my data cant help to identify any hw change made to disable bootroom but it may help to confirm the "color and storage code" in serial number.

Blue 64MB:
G001 2E05 9393 xxxx

White 32MB:
G001 2D05 9375 xxxx

Plum 64MB:
G001 2F05 9436 xxxx

Black 64MB:
G001 1K05 9427 xxxx

so the "05" could be a board rev code and the letter before "05" could be the color n storage code. all of 'em have the same board id of 003F001400010019 and device type id of A1ZB65LA390I4K.

pic is from the blog linked earlier. based on that, bootrom is so early in the boot process that any change in its access must be hardware; not by a firmware rev. Amazon can disable the volume button access from a board rev though.

according to the blog, MediaTek never implemented any patch on bootrom exploit on existing chips. so the question is whether there is still a test point exploit in newer Fire HD10 to allow bootrom access.

 

[Michajin]

Again, you got the magic 059 in your serial number.

On the other hand, board_id seems the same for everybody. I've asked for board_id on Fire4k thread, to see if it stayed the same when BootRom got disabled.

Some people think Amazon can kill BootRom on demand. @xyz` claimed it's a hardware thing (from Mantis thread):



Anyway, hopefully we can get more clarity in the near future.

Almost all the amazon devices being sold after March of 2020 started coming with the bootrom disabled. It was identified in the hd8 (2018) thread and i think they had some identification to tell if you could still unlock. The hd8 started bricking with the wiping of the preloader.

 

[Michajin]

all mine were bought within a few months of release n all shipped from Amazon w/ 7.3.1.0. so my data cant help to identify any hw change made to disable bootroom but it may help to confirm the "color and storage code" in serial number.

Blue 64MB:
G001 2E05 9393 xxxx

White 32MB:
G001 2D05 9375 xxxx

Plum 64MB:
G001 2F05 9436 xxxx

Black 64MB:
G001 1K05 9427 xxxx

so the "05" could be a board rev code and the letter before "05" could be the color n storage code. all of 'em have the same board id of 003F001400010019 and device type id of A1ZB65LA390I4K.

View attachment 5242437

pic is from the blog linked earlier. based on that, bootrom is so early in the boot process that any change in its access must be hardware; not by a firmware rev. Amazon can disable the volume button access from a board rev though.

according to the blog, MediaTek never implemented any patch on bootrom exploit on existing chips. so the question is whether there is still a test point exploit in newer Fire HD10 to allow bootrom access.

The test points on my hd10 work for me, but not others. 7.3.1.2 disabled access with just volume+ and plugging in, but access is still available with the battery disconnected.

 

[INetBowser]

Could you post your full board_id, it should be OK to share ? If anything, I think serial number & board ID are the keys to understand which devices cannot do BootRom.

board_id
003F001400010019

 

[k4y0z]

Some people think Amazon can kill BootRom on demand. @xyz` claimed it's a hardware thing (from Mantis thread):

pic is from the blog linked earlier. based on that, bootrom is so early in the boot process that any change in its access must be hardware; not by a firmware rev. Amazon can disable the volume button access from a board rev though.

according to the blog, MediaTek never implemented any patch on bootrom exploit on existing chips. so the question is whether there is still a test point exploit in newer Fire HD10 to allow bootrom access.

The Volume-Button access is implemented in Preloader not in Bootrom.
Bootrom is HW and can't be changed, but it can be configured via efuses, these are one-time-programmable and once set cannot be reversed.

Disabling BROM-Access is not really a fix of the vulnerability, but more of a mitigation , so in that sense xyz is right in saying that it can only be fixed in HW.

 

[bibikalka]

Almost all the amazon devices being sold after March of 2020 started coming with the bootrom disabled. It was identified in the hd8 (2018) thread and i think they had some identification to tell if you could still unlock. The hd8 started bricking with the wiping of the preloader.

Right, there is a "lot code" that was used for Karnak. My lot code for HD10 is J034 (it's on the orange packaging box right under the serial number). See this image for an example:

https://forum.xda-developers.com/attachments/packet-jpg.5003531/

So if you try the method and succeed/fail, please post your serial and lot code. I wonder if any of 060 devices can be BootRom'ed.

 

[Michajin]

Right, there is a "lot code" that was used for Karnak. My lot code for HD10 is J034 (it's on the orange packaging box right under the serial number). See this image for an example:

https://forum.xda-developers.com/attachments/packet-jpg.5003531/

So if you try the method and succeed/fail, please post your serial and lot code. I wonder if any of 060 devices can be BootRom'ed.

I didnt have the boxes, but it does say on the back of them.
J939 (black)- bootrom success Downgrade success
J945 (black)-bootrom success Downgrade sucesss
J949 (plum)-bootrom success (did not attempt downgrade, on 7.3.1.0)

 

[INetBowser]

Right, there is a "lot code" that was used for Karnak. My lot code for HD10 is J034 (it's on the orange packaging box right under the serial number). See this image for an example:

Mine has J035 (black).