New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


k4y0z

Senior Member
Nov 27, 2015
1,429
1,834
I didn't have the boxes, but it does say on the back of them.
J939 (black) - bootrom success, downgrade success
J945 (black) - bootrom success, downgrade success
J949 (plum) - bootrom success (did not attempt downgrade, on 7.3.1.0)

Mine has J035 (black).

These look a lot like they could be year and week of production,
i.e. J939 being the 39th week of 2019,
J035 being the 35th week of 2020, etc.
 

lewmur

Senior Member
Apr 30, 2011
1,726
365
These look a lot like they could be year and week of production,
i.e. J939 being the 39th week of 2019,
J035 being the 35th week of 2020, etc.
So, mine being J946, it is likely it will be downgradeable? I've been trying to follow this thread but I'm having a hard time with it. If a tablet IS downgraded, can it be rooted? If so, is there a single method for doing it or does it differ with different builds? Can it be done without removing the MB?
 

Michajin

Senior Member
Oct 23, 2012
1,213
475
So, mine being J946, it is likely it will be downgradeable? I've been trying to follow this thread but I'm having a hard time with it. If a tablet IS downgraded, can it be rooted? If so, is there a single method for doing it or does it differ with different builds? Can it be done without removing the MB?
Yes, looks very likely to be downgradeable.

Yes, but it is a temp root (mtk-su).

It is a different method to get it downgraded, but the root is the same: mtk-su.

Depends on what version of FireOS you are on. Worst case is opening the device, but you don't need to pull the motherboard. Just unplug the battery.

You are trying to access the bootrom; on Linux it shows up as a MediaTek phone 6227.
 

lewmur

Senior Member
Apr 30, 2011
1,726
365
Yes, looks very likely to be downgradeable.

Yes, but it is a temp root (mtk-su).

It is a different method to get it downgraded, but the root is the same: mtk-su.

Depends on what version of FireOS you are on. Worst case is opening the device, but you don't need to pull the motherboard. Just unplug the battery.

You are trying to access the bootrom; on Linux it shows up as a MediaTek phone 6227.
Thanks for the reply. I'm on 7.3.1.6. I have both a Win 10 Pro and a Mint 21.1 desktop, so whichever is easier. I have used the Toolbox to get rid of the Amazon bloat, so I don't have any pressing need for root. But being a born tinkerer, I'd like to know how just for the fun of it and to be ready in case anyone comes up with a custom ROM.
 
Jan 27, 2021
42
12
So I looked at my serial numbers and my newer tablet on 7.3.1.2 has a 1J06 in the serial number and lot J038 (38th week of 2020?).

And the 7.3.1.5 has a 1J05 in the serial number and lot J017 (17th week), which suggests I should be able to get into bootrom on this one at least, based on the serial number.
 

Michajin

Senior Member
Oct 23, 2012
1,213
475
Thanks for the reply. I'm on 7.3.1.6. I have both a Win 10 Pro and a Mint 21.1 desktop, so whichever is easier. I have used the Toolbox to get rid of the Amazon bloat, so I don't have any pressing need for root. But being a born tinkerer, I'd like to know how just for the fun of it and to be ready in case anyone comes up with a custom ROM.
You would need to run a different version of Linux to actually run the script. But you can verify you have root access by pulling the cover (running any amonet script, but don't hit enter to continue if you get past the "waiting for bootrom").

With the cover removed, disconnect the battery and run the bootrom-step.sh (you should see "waiting for bootrom"). With the battery disconnected, press volume up and plug in to the Mint PC; at this point you should see "remove short to continue". Open another terminal and type lsusb to see if you have a MediaTek phone 6227 on the list or a preloader. The MediaTek phone is the device in bootrom. This would verify you have access to downgrading.

Being a temp root, it really doesn't give you access to a custom ROM or system modifications. Being you are happy with the current tablet, it seems like a lot of work at this point. The idea is to get the tablet unlocked so it opens it up to a custom recovery and Lineage. If you're just interested in root, I can explain how to do it...
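A small shell helper that automates the lsusb check from the post above. It is added here and is not part of the thread or of the amonet/kamakiri scripts. The USB IDs are taken from the usb.ids database and are an assumption to check against your own lsusb output: 0e8d:0003 is what lsusb prints as "MediaTek Inc. MT6227 phone" (the BootROM stage the downgrade needs), 0e8d:2000 is the MediaTek Preloader, and vendor 1949 is Lab126 (Amazon), i.e. Fire OS itself. The sample lsusb lines in the test are constructed. As the thread notes, the BootROM only enumerates for about a second before handing off to Preloader unless a script such as amonet's bootrom-step.sh holds it there, so this poller is a coarse second-terminal check of what is enumerating, not a replacement for that script.

```sh
#!/bin/sh
# Added example (not from the thread or the amonet scripts): tell from lsusb
# which boot stage the tablet is presenting over USB.
# Assumed IDs (from usb.ids; verify against your own lsusb output):
#   0e8d:0003  MediaTek "MT6227 phone"   -> BootROM, the stage the downgrade needs
#   0e8d:2000  MediaTek "MT65xx Preloader"
#   1949:*     Lab126 (Amazon)           -> Fire OS booted (adb/fastboot)

# Reads lsusb output on stdin and prints one of: bootrom preloader lab126 none.
# BootROM wins if several of them appear in one snapshot.
classify_usb() {
  result=none
  while IFS= read -r line; do
    case "$line" in
      *' ID 0e8d:0003 '*)
        result=bootrom
        break ;;
      *' ID 0e8d:2000 '*)
        if [ "$result" = none ]; then result=preloader; fi ;;
      *' ID 1949:'*)
        if [ "$result" = none ]; then result=lab126; fi ;;
    esac
  done
  printf '%s\n' "$result"
}

# Polls lsusb once a second until the BootROM device shows up or $1 seconds
# (default 60) have passed. Returns 0 on success, 1 on timeout. Because the
# BootROM hands off to Preloader within about a second unless a script holds
# it, a "preloader" or "lab126" result here does not by itself prove the
# BootROM is disabled; run this while bootrom-step.sh is waiting.
wait_for_bootrom() {
  secs=${1:-60}
  while [ "$secs" -gt 0 ]; do
    state=$(lsusb 2>/dev/null | classify_usb)
    printf 'usb: %s\n' "$state" >&2
    if [ "$state" = bootrom ]; then return 0; fi
    sleep 1
    secs=$((secs - 1))
  done
  return 1
}

# Usage on the host PC, in a second terminal, after unplugging the battery,
# holding Vol+ and plugging in:
#   sh usbstage.sh --wait 30 && echo "BootROM reachable: downgrade possible"
case "${1:-}" in
  --wait) wait_for_bootrom "${2:-60}" ;;
esac
```

The script name usbstage.sh is hypothetical. Seeing `lab126` only means Fire OS (or its fastboot/adb) is up; on a unit whose BootROM was disabled at the factory you will never see `bootrom`, which is the symptom JJ2017 describes further down.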
 

Michajin

Senior Member
Oct 23, 2012
1,213
475
So I looked at my serial numbers and my newer tablet on 7.3.1.2 has a 1J06 in the serial number and lot J038 (38th week of 2020?).

And the 7.3.1.5 has a 1J05 in the serial number and lot J017 (17th week), which suggests I should be able to get into bootrom on this one at least, based on the serial number.
j017 might be too late. I have not seen any success in the 2020 series yet. Have you tried the battery unplugged, vol+ on the j017 device?
 

retyre

Senior Member
Jan 14, 2011
279
302
Central FL
1J05 serial says "YES", j017 lot says "NO". Who is gonna win??? :)
Lot numbers are more likely to be chronological than serial numbers, but it's all a guess. This is like going online to find out your current weather when ... you can just walk out the door and find out firsthand? You have the device. Open it up and tell us what you find. Michajin has told us there isn't even a need to short a point on the PCB to enter BootROM.
 

lewmur

Senior Member
Apr 30, 2011
1,726
365
You would need to run a different version of Linux to actually run the script. But you can verify you have root access by pulling the cover (running any amonet script, but don't hit enter to continue if you get past the "waiting for bootrom").

With the cover removed, disconnect the battery and run the bootrom-step.sh (you should see "waiting for bootrom"). With the battery disconnected, press volume up and plug in to the Mint PC; at this point you should see "remove short to continue". Open another terminal and type lsusb to see if you have a MediaTek phone 6227 on the list or a preloader. The MediaTek phone is the device in bootrom. This would verify you have access to downgrading.

Being a temp root, it really doesn't give you access to a custom ROM or system modifications. Being you are happy with the current tablet, it seems like a lot of work at this point. The idea is to get the tablet unlocked so it opens it up to a custom recovery and Lineage. If you're just interested in root, I can explain how to do it...
Why would I need a different version of Linux?
 

INetBowser

Member
Dec 4, 2020
11
5
Can someone with root access on their Fire HD 10 (preferably 9th gen) run this command and post the output? I'm currently working on an exploit and would really appreciate any help.

Code:
maverick:/ # grep "Kernel code" /proc/iomem
 

INetBowser

Member
Dec 4, 2020
11
5
Are you looking at badbinder?
No, I'm trying to use CVE-2021-0399. I already have a kernel heap double-free primitive but I don't know how to continue right now. I tried to use KSMA (Kernel Space Mirror Attack) but it seems it got fixed already. Is there someone here who knows a little bit about Linux kernel exploitation and could help out?

EDIT: typo
 

JJ2017

Senior Member
Jan 7, 2017
56
35
Huawei P20 Pro
Just to confirm what's already been discussed in this thread:
(e.g. https://forum.xda-developers.com/t/...er-unlock-brainstorming.3979343/post-84610817)

Looks like Amazon have successfully 'hardware' disabled BootRom on the newer editions of Maverick. I've had the board out from a newer model (SN: G001 2B06 04XX XXXX) and tried to test-point pretty much everything front and back (OK, I exaggerate, but I've tried all the likely areas).

It will load into Preloader OK, but even when Ubuntu 'thinks' it sees "Mediatek Phone" - if you run 'lsusb' all you see listed is "Lab126, Inc".

I tried the same BootRom trick on a Suez model and it was pretty easy to find a working test-point so I think I'm doing it properly.

... So looks like Amazon have won this round, no Kamakiri this time (n)
 

Michajin

Senior Member
Oct 23, 2012
1,213
475
Just to confirm what's already been discussed in this thread:
(e.g. https://forum.xda-developers.com/t/...er-unlock-brainstorming.3979343/post-84610817)

Looks like Amazon have successfully 'hardware' disabled BootRom on the newer editions of Maverick. I've had the board out from a newer model (SN: G001 2B06 04XX XXXX) and tried to test-point pretty much everything front and back (OK, I exaggerate, but I've tried all the likely areas).

It will load into Preloader OK, but even when Ubuntu 'thinks' it sees "Mediatek Phone" - if you run 'lsusb' all you see listed is "Lab126, Inc".

I tried the same BootRom trick on a Suez model and it was pretty easy to find a working test-point so I think I'm doing it properly.

... So looks like Amazon have won this round, no Kamakiri this time (n)
The bootrom only comes on for a second. You need to run a script to stop it. If you are seeing phone, you have access. Lab126 is different. The bootrom was disabled about March 2020. I have successfully shorted this, posted earlier in this thread. Shorting isn't needed though. Volume + with the battery unplugged, then plugging in to USB, gives you access, providing your device is older. Tested on 3 units.
 

Top Liked Posts

  • You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.

    Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (unfortunately it's quite slow compared to SP Flash).

    Thank you! I was able to successfully downgrade my HD 10 purchased in Dec. 2019 running 7.3.1.7 to 7.3.1.0 and unbricked it using this script!

  • maverick:/ # grep "Kernel code" /proc/iomem
    40080000-41123fff : Kernel code

    Thanks! If I manage to get the exploit fully working there would be a possible root for Fire OS 7.3.1.2, maybe also for higher versions.
  • IIRC, your 3 units were early ones? I've got a recent version (SN: '06' and Lot: J045) - seems likely I'm BootRom disabled.
    When I use @k4y0z 's FireIso I don't even see 'Mediatek Phone' anywhere. And I can't get your battery unplugged / volume+ method to work - even using Suez (only with battery in will a button press combo get me into BootRom on that device). What is the 'script to stop' you mention to access BootRom? Maybe that's what's missing for me (I've not come across that in the thread - can you help me with a link?)

    This volume plug-in access would only apply to maverick. I thought you said you saw mediatek phone? When I access the bootrom, as soon as I plug in the battery, it goes to preloader, then to lab126. I just used the fire stick 4k script to stop boot. But likely yes, your bootrom is disabled. I have not seen anyone with that newer number have access.
  • mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.

  • Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I'm actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.

  • Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.

  • I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)

  • 7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.