
New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


MrZaku086

Member
Apr 8, 2021
17
3
I'm currently looking into two methods for the HD 10; I'm still brainstorming and have not tried them on my own units yet. I have a working downgrade method to 7.3.1.0 for this device, I think, that is, if it wasn't a hardware patch on this device. It needs testing, but the problem is that the exploit is a major computing exploit, not just an Android exploit... I'm working out what to do about it generally, as it's something I've discovered.

The second method, which doesn't involve a downgrade, is using fbtool on this device. This is likely to be able to be turned into a software-based fastboot cable. Still ironing out details here:

I would need to locate or work out how to produce a patch for fbtool for the HD's SoC, though. Does anyone know of any GitHub repositories that contain MTK board tools source (i.e. fbtool source) for this SoC?


Hey, do you think this would work?


This device has the same MTK chip and a custom TWRP.


or


or


or


Does any of this help?

PS: Sorry if this doesn't help you, but I really want this device to have LineageOS xD
 

Khiem Tran

Member
Mar 4, 2020
8
3
You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.





Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (Unfortunately it's quite slow compared to SP Flash)
I wiped the preloader on 7.3.1.8 and the device is frozen at bootrom. Can anyone upload the 7.3.1.8 preloader file?
 

Khiem Tran

Member
Mar 4, 2020
8
3
You need to downgrade to 7.3.1.0, you can get root access.

I tried using SPFlash to downgrade but I can't write EMMC. It is stopped as shown below.
Capture.PNG


Capture1.PNG
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,868

Khiem Tran

Member
Mar 4, 2020
8
3
Try selecting USB mode instead of Serial if you're on Windows.
Also you won't be able to flash all of the partitions using SPFT, the ones that don't work will need to be flashed using kamakiri.
You'll have to rerun the bypass after every action in SPFT.

I have done the following

Step 1: Unplug the battery. Then, hold volume up to bootrom.
Step 2: Run bypass and format preloader with SPFlash (length 0x100000).
Step 3: Plug in the battery. Run bypass and flash boot, recovery, vendor, system with SPFlash.
Step 4: Run bootrom-step.sh in the kamakiri folder.

What should I do next?

Do I have to flash preloader, lk, tee1, tee2, spmfw, sspm_1, cam_vpu1, cam_vpu2, cam_vpu3 using SPFlash?
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,868
I have done the following

Step 1: Unplug the battery. Then, hold volume up to bootrom.
Step 2: Run bypass and format preloader with SPFlash (length 0x100000).
Step 3: Plug in the battery. Run bypass and flash boot, recovery, vendor, system with SPFlash.
Step 4: Run bootrom-step.sh in the kamakiri folder.

What should I do next?

Do I have to flash preloader, lk, tee1, tee2, spmfw, sspm_1, cam_vpu1, cam_vpu2, cam_vpu3 using SPFlash?
The latest kamakiri version that I posted somewhere here in this thread should flash all the partitions that can't be flashed using SPFT.
 

INetBowser

Member
Dec 4, 2020
12
6
Hey guys,

I need some help regarding the root exploit I'm writing currently. If I manage to get it working, Fire HD 10 9th gen on version 7.3.1.2 (and maybe higher, I need to look into that) should be rootable.

Anyone with a rooted Fire HD 10 9th gen, can you please run this command as root
Code:
cat /proc/iomem
and post the output?

Thanks!
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
Unfortunately, Amazon has locked down FireOS pretty firmly. You can disable those apps though. Have you checked out Fire Toolbox?
With root access you can use an app disabler. Root works fine. You just can't modify the system apps. I use Package Disabler with root access to quickly disable apps. Full root would be better, and unlocking would be awesome. We will see; it seems development has picked up lately.
 

MrZaku086

Member
Apr 8, 2021
17
3
With root access you can use an app disabler. Root works fine. You just can't modify the system apps. I use Package Disabler with root access to quickly disable apps. Full root would be better, and unlocking would be awesome. We will see; it seems development has picked up lately.
Well, the 2017 model took many years, and in the end you needed to do some hardware hackery to unlock the bootloader and be free... Maybe that is the route for this tablet: some hardware thing to access factory mode or something like that and unblock the bootloader. It is very trashy of Amazon to block the bootloader while using an Android fork.
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
Well, the 2017 model took many years, and in the end you needed to do some hardware hackery to unlock the bootloader and be free... Maybe that is the route for this tablet: some hardware thing to access factory mode or something like that and unblock the bootloader. It is very trashy of Amazon to block the bootloader while using an Android fork.
I have found the shorting method on it, but Amazon/MediaTek made a hardware change that disabled the bootrom. It has been found that anything as of about January of 2020 had the bootrom disabled. The exploit would have to be a totally new route.
 

lewmur

Senior Member
Apr 30, 2011
1,898
408
Well, the 2017 model took many years, and in the end you needed to do some hardware hackery to unlock the bootloader and be free... Maybe that is the route for this tablet: some hardware thing to access factory mode or something like that and unblock the bootloader. It is very trashy of Amazon to block the bootloader while using an Android fork.
You have to realize that Amazon tablets are very inexpensive because of all the advertising built into them. From their viewpoint, rooting the tablet to get rid of their bloat is cheating. So, of course, they are going to do their best to prevent it. I do my best to eliminate their bloat, but I don't find their efforts to stop me to be "trashy".
 

Top Liked Posts

  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    8
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.