New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


k4y0z

Senior Member
Nov 27, 2015
1,468
2,003
My serial number is G001 2D05 9376 XXXX, so it could support the 05/06 situation?
To further confirm @bibikalka's color theory, is your device a different color than black or plum? (Since it's neither 1J nor 2C, but 2D)

@k4y0z @INetBowser @StonedEngineer97 @Michajin @samdotci @Kramar111

I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

For data collection purposes, I looked into getting more specific info on the hardware. The bulk of it is stored in /proc/idme. Here are the commands:

Code:
adb shell
cd /proc/idme
for f in board_id manufacturing device_type_id productid productid2 serial; do echo $f; cat $f; echo ""; done

Here is my output (X is obfuscation). If you have several devices, and some of these IDs are the same on more than 1, please don't obfuscate those. I cannot tell what is unique from a single device, and thus probably obfuscated a bit too much.
Code:
board_id
003F00140001XXXX
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX

Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.

Most of these (besides serial and possibly PSN, FSN) shouldn't be device-specific.
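As an added example (not code from this thread), here is a POSIX shell helper that takes the key/value pairs the loop above prints, masks only the serial and PSN/FSN tails the way the posts here do while leaving board_id, device_type_id and productid2 intact for comparison, and splits a serial into the groups the thread compares. The sample values are constructed, and the serial grouping follows the thread's hypothesis, not a documented format.

```shell
# Constructed sample of /proc/idme fields in the order the thread's loop
# prints them (key line, then value line). Values are made up, not real.
SAMPLE_IDME='board_id
003F001400010019
manufacturing
PSN=P001P30303123456 FSN=5919835123456
device_type_id
A1ZB65LA390I4K
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J0603441234'

# Keep the first $2 characters of $1 and overwrite the rest with X.
mask_tail() {
    keep=$(printf '%s' "$1" | cut -c1-"$2")
    rest=$(printf '%s' "$1" | cut -c"$(( $2 + 1 ))"- | tr -c '\n' 'X')
    printf '%s%s\n' "$keep" "$rest"
}

# Split a Fire HD10 serial into the groups the thread compares (hypothesis):
# G001 | colour/storage code (1J, 2C, 2D, ...) | "05"/"06" | remaining digits.
serial_fields() {
    printf '%s %s %s %s\n' \
        "$(printf '%s' "$1" | cut -c1-4)" "$(printf '%s' "$1" | cut -c5-6)" \
        "$(printf '%s' "$1" | cut -c7-8)" "$(printf '%s' "$1" | cut -c9-)"
}

# Re-emit a dump with only per-device values masked, as the posts do:
# serial keeps 12 chars, PSN keeps 10, FSN keeps 7; everything else is kept.
redact_idme() {
    printf '%s\n' "$1" | while IFS= read -r key && IFS= read -r val; do
        case $key in
            serial) val=$(mask_tail "$val" 12) ;;
            manufacturing)   # PSN and FSN may appear in either order
                psn=$(printf '%s' "$val" | sed -n 's/.*PSN=\([^ ]*\).*/\1/p')
                fsn=$(printf '%s' "$val" | sed -n 's/.*FSN=\([^ ]*\).*/\1/p')
                val="PSN=$(mask_tail "$psn" 10) FSN=$(mask_tail "$fsn" 7)" ;;
        esac
        printf '%s\n%s\n' "$key" "$val"
    done
}

# With a tablet attached, feed the thread's loop instead of the sample:
# redact_idme "$(adb shell 'cd /proc/idme && for f in board_id manufacturing \
#   device_type_id productid productid2 serial; do echo $f; cat $f; echo ""; done')"
redact_idme "$SAMPLE_IDME"
serial_fields G0011J0603441234
```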
 

bibikalka

Senior Member
May 14, 2015
1,430
1,114
@bibikalka
7.3.1.0 w/ BootROM (Vol+ & Plug In)
board_id
003F00140001xxxx

OK, looks like board_id is OK to reveal fully. Here is mine (003F001400010019):
board_id
003F001400010019
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA390I4K
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX


To further confirm @bibikalka's color theory, is your device a different color than black or plum? (Since it's neither 1J nor 2C, but 2D)

Most of these (besides serial and possibly PSN, FSN) shouldn't be device-specific.

I am thinking something must be updated hardware-wise if they disabled BootRom. It's either in the board (new revision?), or the MTK chip itself. Unless there is more memory that can be written by Amazon to disable BootRom during initialization (fuses?). But they don't seem to be able to disable that remotely via new versions.

The serial number is changing, but should not something else change as well if hardware is different?

Update: Here is a link to another Maverick: http://newandroidbook.com/ddb/Maverick/
[ro.build.version.name]: [Fire OS 7.3.1.0 (PS7310/940)]

Something tells me he should be able to get root, LOL
 

k4y0z

Senior Member
Nov 27, 2015
1,468
2,003
I am thinking something must be updated hardware-wise if they disabled BootRom. It's either in the board (new revision?), or the MTK chip itself. Unless there is more memory that can be written by Amazon to disable BootRom during initialization (fuses?). But they don't seem to be able to disable that remotely via new versions.
It's very likely just an efuse for disabling brom-mode that is burned during manufacturing.
On mantis (Fire TV Stick 4K) the latest firmware actually looks like they're preparing to burn the fuse with a future update.
 

bibikalka

Senior Member
May 14, 2015
1,430
1,114
It's very likely just an efuse for disabling brom-mode that is burned during manufacturing.
On mantis (Fire TV Stick 4K) the latest firmware actually looks like they're preparing to burn the fuse with a future update.

Seriously??? I got to root my mantis ASAP then. Or the root is lost forever!
 

INetBowser

Member
Dec 4, 2020
12
6
Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.

Code:
board_id
003F00140001XXXX
manufacturing
 PSN=P001P30303XXXXXX FSN=5924307XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060356XXXX

Seems like I leaked my own serial earlier, lol. A quick question: can something happen now that I leaked it? 😂
 

bibikalka

Senior Member
May 14, 2015
1,430
1,114
Code:
board_id
003F00140001XXXX
manufacturing
PSN=P001P30303XXXXXX FSN=5924307XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060356XXXX

Seems like I leaked my own serial earlier, lol. A quick question: can something happen now that I leaked it? 😂

Other than Amazon sending a Predator drone to take you out (they know where you live by your serial number) - NOTHING :D

Could you post your full board_id? It should be OK to share. If anything, I think serial number & board ID are the keys to understanding which devices cannot do BootRom.
 

Michajin

Senior Member
Oct 23, 2012
1,340
535
@k4y0z @INetBowser @StonedEngineer97 @Michajin @samdotci @Kramar111

I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

For data collection purposes, I looked into getting more specific info on the hardware. The bulk of it is stored in /proc/idme. Here are the commands:

Code:
Here is my output (X is obfuscation). If you have several devices, and some of these IDs are the same on more than 1, please don't obfuscate those. I cannot tell what is unique from a single device, and thus probably obfuscated a bit too much.
Code:
board_id
003F00140001XXXX
manufacturing
PSN=P001P30303XXXXXX FSN=5919835XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF
serial
G0011J060344XXXX

Could you all post yours? Hopefully we can figure out BootRom accessibility a bit more accurately.
1.
board_id
003F001400010019
manufacturing
PSN=P001P30394XXXXXX FSN=5696591XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF

2.
board_id
003F001400010019
manufacturing
PSN=P001P30393XXXXXX FSN=5632550XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1241FFFFFFFFFFFFFFFF

3.
board_id
003F001400010019
manufacturing
PSN=P001P30394XXXXXX FSN=5670586XXXXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1251FFFFFFFFFFFFFFFF
 

Michajin

Senior Member
Oct 23, 2012
1,340
535
I was thinking, would deep discharge of the battery do the same thing as battery removal for the purpose of accessing BootRom? At first, let it drain normally, then go into fastboot, and leave it there so it drains some more, and does not boot. Anyway, just a thought to avoid opening up the devices ...

The only way I could get into bootrom was with the battery disconnected. But the only way I could write to the emmc was to have power on the battery. That is why we formatted the preloader at that point. It may have been possible to write after the shorting method, but I never tried it. This was my experience anyway while on any version 7.3.1.2 or higher. 7.3.1.1 will boot right into bootrom.
 

samdotci

Member
Mar 5, 2021
5
11
To further confirm @bibikalka's color theory, is your device a different color than black or plum? (Since it's neither 1J nor 2C, but 2D)



Most of these (besides serial and possibly PSN, FSN) shouldn't be device-specific.

My device is white, so that could explain the 2D difference. Not sure if serial numbers differ based on location either, but mine is produced for Amazon EU (as printed on the back of the tablet).
 

samdotci

Member
Mar 5, 2021
5
11
Other than Amazon sending a Predator drone to take you out (they know where you live by your serial number) - NOTHING :D

Could you post your full board_id, it should be OK to share ? If anything, I think serial number & board ID are the keys to understand which devices cannot do BootRom.

My output from my white device purchased in late-2018 is below:

board_id
003F001400010019
manufacturing
FSN=561741370XXXX PSN=P001P3039374XXXX
device_type_id
A1ZB65LA39XXXX
productid
0
productid2
1251FFFFFFFFFFFFFFFF
serial
G0012D059376XXXX
 

bibikalka

Senior Member
May 14, 2015
1,430
1,114
My output from my white device purchased in late-2018 is below:
board_id
003F001400010019
serial
G0012D059376XXXX

Again, you got the magic 059 in your serial number.

On the other hand, board_id seems the same for everybody. I've asked for board_id on Fire4k thread, to see if it stayed the same when BootRom got disabled.

Some people think Amazon can kill BootRom on demand. @xyz` claimed it's a hardware thing (from Mantis thread):

No, the only way they can fix it is with a new hardware revision.

Anyway, hopefully we can get more clarity in the near future.
 

newnewcomputer

Senior Member
Mar 26, 2014
82
64
All mine were bought within a few months of release and all shipped from Amazon w/ 7.3.1.0, so my data can't help to identify any hw change made to disable bootrom, but it may help to confirm the "color and storage code" in the serial number.

Blue 64MB:
G001 2E05 9393 xxxx

White 32MB:
G001 2D05 9375 xxxx

Plum 64MB:
G001 2F05 9436 xxxx

Black 64MB:
G001 1K05 9427 xxxx

So the "05" could be a board rev code and the letter before "05" could be the color and storage code. All of them have the same board id of 003F001400010019 and device type id of A1ZB65LA390I4K.

(attachment: 1615106152302.png)


The pic is from the blog linked earlier. Based on that, bootrom is so early in the boot process that any change in its access must be hardware, not a firmware rev. Amazon can disable the volume button access from a board rev though.

According to the blog, MediaTek never implemented any patch for the bootrom exploit on existing chips. So the question is whether there is still a test point exploit in the newer Fire HD10 to allow bootrom access.
 

Michajin

Senior Member
Oct 23, 2012
1,340
535
Again, you got the magic 059 in your serial number.

On the other hand, board_id seems the same for everybody. I've asked for board_id on Fire4k thread, to see if it stayed the same when BootRom got disabled.

Some people think Amazon can kill BootRom on demand. @xyz` claimed it's a hardware thing (from Mantis thread):



Anyway, hopefully we can get more clarity in the near future.


Almost all the Amazon devices being sold after March of 2020 started coming with the bootrom disabled. It was identified in the HD8 (2018) thread, and I think they had some identification to tell if you could still unlock. The HD8 started bricking with the wiping of the preloader.
 

Michajin

Senior Member
Oct 23, 2012
1,340
535
All mine were bought within a few months of release and all shipped from Amazon w/ 7.3.1.0, so my data can't help to identify any hw change made to disable bootrom, but it may help to confirm the "color and storage code" in the serial number.

Blue 64MB:
G001 2E05 9393 xxxx

White 32MB:
G001 2D05 9375 xxxx

Plum 64MB:
G001 2F05 9436 xxxx

Black 64MB:
G001 1K05 9427 xxxx

So the "05" could be a board rev code and the letter before "05" could be the color and storage code. All of them have the same board id of 003F001400010019 and device type id of A1ZB65LA390I4K.

View attachment 5242437

The pic is from the blog linked earlier. Based on that, bootrom is so early in the boot process that any change in its access must be hardware, not a firmware rev. Amazon can disable the volume button access from a board rev though.

According to the blog, MediaTek never implemented any patch for the bootrom exploit on existing chips. So the question is whether there is still a test point exploit in the newer Fire HD10 to allow bootrom access.
The test points on my hd10 work for me, but not others. 7.3.1.2 disabled access with just volume+ and plugging in, but access is still available with the battery disconnected.
 

k4y0z

Senior Member
Nov 27, 2015
1,468
2,003
Some people think Amazon can kill BootRom on demand. @xyz` claimed it's a hardware thing (from Mantis thread):


The pic is from the blog linked earlier. Based on that, bootrom is so early in the boot process that any change in its access must be hardware, not a firmware rev. Amazon can disable the volume button access from a board rev though.

According to the blog, MediaTek never implemented any patch for the bootrom exploit on existing chips. So the question is whether there is still a test point exploit in the newer Fire HD10 to allow bootrom access.

The Volume-Button access is implemented in Preloader, not in Bootrom.
Bootrom is HW and can't be changed, but it can be configured via efuses; these are one-time-programmable and once set cannot be reversed.

Disabling BROM-Access is not really a fix of the vulnerability, but more of a mitigation, so in that sense xyz is right in saying that it can only be fixed in HW.
 

bibikalka

Senior Member
May 14, 2015
1,430
1,114
Almost all the Amazon devices being sold after March of 2020 started coming with the bootrom disabled. It was identified in the HD8 (2018) thread, and I think they had some identification to tell if you could still unlock. The HD8 started bricking with the wiping of the preloader.

Right, there is a "lot code" that was used for Karnak. My lot code for HD10 is J034 (it's on the orange packaging box right under the serial number). See this image for an example:

So if you try the method and succeed/fail, please post your serial and lot code. I wonder if any of 060 devices can be BootRom'ed.
 

Michajin

Senior Member
Oct 23, 2012
1,340
535
Right, there is a "lot code" that was used for Karnak. My lot code for HD10 is J034 (it's on the orange packaging box right under the serial number). See this image for an example:

So if you try the method and succeed/fail, please post your serial and lot code. I wonder if any of 060 devices can be BootRom'ed.
I didn't have the boxes, but it does say on the back of them.
J939 (black) - bootrom success, downgrade success
J945 (black) - bootrom success, downgrade success
J949 (plum) - bootrom success (did not attempt downgrade, on 7.3.1.0)
 

Top Liked Posts

  • 1
    well i finally got it working and downgraded to 7.3.1.0 and i went ahead and pushed the MTK-su file and i keep getting this ./mtk-su: no such file or directory.

    I can see the file in there so maybe i did something wrong :|
  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    10
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.