
New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


JJ2017

Senior Member
Jan 7, 2017
66
40
Huawei P20 Pro
The bootrom only comes on for a second. You need to run a script to stop it. If you are seeing phone you have access. Lab126 is different. The bottom was disabled about March 2020. I have successfully shorted this, posted earlier in this thread. Shorting isn't needed though. Volume + with the battery unplugged, then plugging in to USB gives you access, providing your device is older. Tested on 3 units.
IIRC, your 3 units were early ones? I've got a recent version (SN: '06' and Lot: J045) - seems likely I'm BootRom disabled.
When I use @k4y0z 's FireIso I don't even see 'Mediatek Phone' anywhere. And I can't get your battery unplugged / volume+ method to work - even using Suez (only with the battery in will a button press combo get me into BootRom on that device). What is the 'script to stop' you mention to access BootRom? Maybe that's what's missing for me (I've not come across that in the thread - can you help me with a link?)
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
IIRC, your 3 units were early ones? I've got a recent version (SN: '06' and Lot: J045) - seems likely I'm BootRom disabled.
When I use @k4y0z 's FireIso I don't even see 'Mediatek Phone' anywhere. And I can't get your battery unplugged / volume+ method to work - even using Suez (only with the battery in will a button press combo get me into BootRom on that device). What is the 'script to stop' you mention to access BootRom? Maybe that's what's missing for me (I've not come across that in the thread - can you help me with a link?)
This volume plug-in access would only apply to maverick. I thought you said you saw Mediatek phone? When I access the bootrom, as soon as I plug in the battery, it goes to preloader, then to lab126. I just used the Fire Stick 4K script to stop boot. But likely yes, your bootrom is disabled; I have not seen anyone with that newer number have access.
 
  • Like
Reactions: k4y0z

k4y0z

Senior Member
Nov 27, 2015
1,446
1,868
No, I'm trying to use CVE-2021-0399. I already have a kernel heap double-free primitive but I don't know how to continue right now. I tried to use KSMA (Kernel Space Mirror Attack) but it seems it got fixed already. Is here someone that knows a little bit about linux kernel exploitation that could help out?

EDIT: typo

Might want to give @diplomatic a ping.

It will load into Preloader OK but even when Ubuntu 'thinks' it sees "Mediatek Phone" - if you run 'lsusb' all you see listed is "Lab126, Inc"

If you see "Mediatek Phone" your device is vulnerable.

I tried the same BootRom trick on a Suez model and it was pretty easy to find a working test-point so I think I'm doing it properly.

Testpoint for suez is well-known and documented.

And I can't get your battery unplugged / volume+ method to work - even using Suez (only with the battery in will a button press combo get me into BootRom on that device).
I am not aware of any button combination to enter bootrom on suez.
 
  • Like
Reactions: INetBowser

Juppy99

Member
Nov 10, 2016
11
7
You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.
Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (Unfortunately it's quite slow compared to SP Flash)
Thank you! I was able to successfully downgrade my HD 10 purchased in Dec. 2019 running 7.3.1.7 to 7.3.1.0 and unbricked it using this script!
 

newnewcomputer

Senior Member
Mar 26, 2014
77
56
Thank you! I was able to successfully downgrade my HD 10 purchased in Dec. 2019 running 7.3.1.7 to 7.3.1.0 and unbricked it using this script!

if u dont mind, plz post ur serial number. given ur purchase date, it probably looks like xxxx xx05 9xxx xxx.

anyone else purchase one in 2020 is able to roll back? seems like all successes are bought in 2019 so far.
 
  • Like
Reactions: Michajin

newnewcomputer

Senior Member
Mar 26, 2014
77
56
October 2020. 32GB white. LOT P032. S/N: XXX 2D06 0325 XXXX
I can try to downgrade it from 7.3.1.8. If you point me how to do it.
ur chance is not good as Amazon made a change in early 2020 to block access to bootrom. so if u are happy w/ urs, u may not want to try.

if u really wanna, first thing is to check for bootrom access. i havent done it myself as mine had 7.3.1.0 but from @Michajin "...If you are interested in testing to see if you can downgrade, run a amonet script where you see "waiting for bootrom" Open the device and disconnect battery, pressing volume up (button closest to power button) and plug in the device into the usb (you should see remove short to continue). Do not continue, but in another terminal run a lsusb and verify you see a mediatek 6227 phone. This is the bootrom."

if u dont have bootrom, stop, close the tab back up n be happy :)
 
  • Like
Reactions: Michajin
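An added shell helper for the lsusb check quoted above (written for this edit, not code from the thread or any poster): it classifies an lsusb listing as MediaTek bootrom, MediaTek preloader or Lab126 (normal boot), and can poll the live bus while the amonet script sits at "waiting for bootrom". The vendor/product IDs are the standard MediaTek (0e8d) and Lab126 (1949) USB IDs; the Lab126 product ID in the constructed sample is a placeholder.

```shell
#!/bin/sh
# Classify a listing in lsusb format by the USB IDs of the three states the
# thread distinguishes:
#   0e8d:0003          MediaTek bootrom, shown by lsusb as "MT6227 phone"
#   0e8d:2000 / :2001  MediaTek preloader (what a fixed unit falls into)
#   1949:xxxx          Lab126, Inc. -- the tablet booted normally
classify_usb() {
    # $1: one "Bus ... ID vvvv:pppp ..." line per device, as lsusb prints it
    if printf '%s\n' "$1" | grep -qi 'ID 0e8d:0003'; then
        echo bootrom
    elif printf '%s\n' "$1" | grep -qiE 'ID 0e8d:200[01]'; then
        echo preloader
    elif printf '%s\n' "$1" | grep -qi 'ID 1949:'; then
        echo lab126
    else
        echo none
    fi
}

# Poll the real bus for up to $1 seconds (default 10) and report the first
# state seen; the bootrom only enumerates briefly, so run this in a second
# terminal while the amonet script is still waiting at "remove short".
poll_bootrom() {
    secs=${1:-10}
    while [ "$secs" -gt 0 ]; do
        state=$(classify_usb "$(lsusb 2>/dev/null)")
        if [ "$state" != none ]; then
            echo "$state"
            return 0
        fi
        sleep 1
        secs=$((secs - 1))
    done
    echo none
    return 1
}

# Constructed sample listings (not captured from a real device); the Lab126
# product ID 0001 is a placeholder.
SAMPLE_BROM='Bus 001 Device 009: ID 0e8d:0003 MediaTek Inc. MT6227 phone'
SAMPLE_PRELOADER='Bus 001 Device 010: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader'
SAMPLE_LAB126='Bus 001 Device 011: ID 1949:0001 Lab126, Inc.'
```

A result of `bootrom` means the unit still exposes the bootrom and can be downgraded as described; `preloader` or `lab126` with the battery disconnected is what the newer, fixed units show.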

mozgoeb

Member
Dec 21, 2020
15
5
ur chance is not good as Amazon made a change in early 2020 to block access to bootrom. so if u are happy w/ urs, u may not want to try.

Open the device and disconnect battery, pressing volume up (button closest to power button) and plug in the device into the usb (you should see remove short to continue).
I guess that sooner or later I will need root (for example for tasker). And I'll have to try to downgrade. =(
"remove short" == "release buttons"???
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
I guess that sooner or later I will need root (for example for tasker). And I'll have to try to downgrade. =(
"remove short" == "release buttons"???
This is just to see if you have bootrom access. Just don't hit enter to continue on PC. Run the lsusb and see if you have mediatek phone (bootrom) or preloader. Do not connect the battery power, if you do it always goes right into preloader. If you have mediatek phone, your device can be downgraded.
 

Haldi4803

Senior Member
Oct 14, 2010
3,886
1,572
Amazon Fire HD 8 and HD 10
Xperia XZ2
How do you decode Serial number into production date?
Mine is XXXX 1J06 0343 XXXX
bought on 13 October 2020.
Lot: J034

Edit:
These look a lot like they could be year and week of production.
I.e. J939 being the 39th week of 2019,
J035 being the 35th week of 2020, etc.
Mhmmm. Guess I'd have to open it to know for sure.
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
How do you decode Serial number into production date?
Mine is XXXX 1J06 0343 XXXX
bought on 13 October 2020.
Lot: J034

Edit:
These look a lot like they could be year and week of production.

Mhmmm. Guess I'd have to open it to know for sure.
Lot numbers seem to indicate date of production for sure. Knowing when I bought mine and them all being J9XX when I got mine were the last couple months of 2019 and January of 2020. I have yet to see any success for anything that is J0-00+
 

weishu

Senior Member
Mar 8, 2018
51
561
Beijing
github.com
No, I'm trying to use CVE-2021-0399. I already have a kernel heap double-free primitive but I don't know how to continue right now. I tried to use KSMA (Kernel Space Mirror Attack) but it seems it got fixed already. Is here someone that knows a little bit about linux kernel exploitation that could help out?

EDIT: typo
You can try this: https://speakerdeck.com/retme7/the-...ntional-use-after-free-bugs-in-android-kernel, could you share the poc? Maybe we can work it together.
 

z0oinks1

Member
Sep 7, 2017
7
1
Can I downgrade from 7.3.1.2 to 7.3.1.0 to root?

And are there any Lineage ROMS available? Didn't see any in the forum but I could've missed something
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
Yes, the process is not totally refined. But if you bought your device before January 2020. You have to verify you have access to the bootrom.
 
Jun 3, 2021
26
6
I'm currently looking into two methods for the HD 10, still brainstorming it and not tried it on my own units yet - I have a working downgrade method to 7.3.1.0 for this device I think, that's if it wasn't a hardware patch on this device. Needs testing, but the problem is the exploit is a major computing exploit, not just an Android exploit.... Working out what to do about it generally as something I've discovered.

Second method, which doesn't involve a downgrade, is using fbtool on this device. This is likely to be able to be turned into a software-based fastboot cable. Still ironing out details here:

Would need to locate or work out how to produce a patch for fbtool for the HD's SoC, though. Anyone know any githubs which contain MTK Board tools source (i.e. fbtool source) for this SoC?
 
  • Like
Reactions: mindmajick

Top Liked Posts

  • mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.

  • Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I'm actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.

  • Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.

  • I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)

  • 7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.