• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming

Search This thread

Michajin

Senior Member
Oct 23, 2012
1,265
512
Did you end up doing it? I have a Blue Fire HD10 with lot P041. SO wondering can I root
You can root if you have bootrom access. I had to open mine. Disconnect battery, plug in and see if you can get mediatek phone. It's still limited to the first few months of production. Approximately January 2020.
 
  • Like
Reactions: copymach

tsupatsupa

New member
Aug 2, 2021
1
0
I have Fire HD 10 9th gen with 7.3.1.2 firmware.

I'm able to get to bootrom after removing the battery. How do I proceed to downgrade the firmware to 7.3.1.0? I have the files but not sure how to flash the device.
 

Kramar111

Senior Member
Feb 16, 2014
315
140
Near Center of Ukraine
@tsupatsupa
@Syco54645
and some posts between
 
  • Like
Reactions: Syco54645

Syco54645

Senior Member
Jun 29, 2010
131
8
Pittsburgh
splra.org
@tsupatsupa
@Syco54645
and some posts between
Thanks, I am still foggy on this process though. I have both of those downloaded but I am unsure of the steps to get to the point of using them. The thread seems to be full of people trying things and reporting what works and that is what is causing my confusion.

Best I can tell
Remove Battery
Plug device in
Use SP flash to clear the Preloader
Use kamakiri to complete the downgrade
 
  • Like
Reactions: StonedEngineer97

Michajin

Senior Member
Oct 23, 2012
1,265
512
Thanks, I am still foggy on this process though. I have both of those downloaded but I am unsure of the steps to get to the point of using them. The thread seems to be full of people trying things and reporting what works and that is what is causing my confusion.

Best I can tell
Remove Battery
Plug device in
Use SP flash to clear the Preloader
Use kamakiri to complete the downgrade
OK, open the device
disconnect battery connector (remove the tape piece)
plug device in
Seems you have to dc battery to access bootrom, but you cant write to emmc without the battery connected, when you connect to battery, it goes into preloader. We wiped the preloader then you can stay in bootrom and flash...
 
  • Like
Reactions: Syco54645

Syco54645

Senior Member
Jun 29, 2010
131
8
Pittsburgh
splra.org
I can't remember seems like I wiped it with a command. @k4y0z might know
Thanks. It seems I get no life out of the tablet after disconnecting the battery and then plugging it in. I have tried both Linux and Windows. I am much more familiar with Linux so not really sure how to check in windows but in Linux dmesg shows nothing when I plug it in. Curious if I need to power it on first or something, granted I held the power button and it didnt work.
 

Michajin

Senior Member
Oct 23, 2012
1,265
512
Thanks. It seems I get no life out of the tablet after disconnecting the battery and then plugging it in. I have tried both Linux and Windows. I am much more familiar with Linux so not really sure how to check in windows but in Linux dmesg shows nothing when I plug it in. Curious if I need to power it on first or something, granted I held the power button and it didnt work.
Then you probably don't have access. It was limited to the first few months of production. You need to have bootrom access to do anything. Think it was before January 2020
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,871
What version of SP Flash should we be using? I found version 6.2124.00 but when I try to format the preloader it errors with "Please select flash xml before operation"

I can't remember seems like I wiped it with a command. @k4y0z might know

While I haven't tested every version, probably any version that uses a scatter file and doesn't require an XML will do.
I'd suggest going with a version 5.x.


Then you probably don't have access. It was limited to the first few months of production. You need to have bootrom access to do anything. Think it was before January 2020

Thanks. It seems I get no life out of the tablet after disconnecting the battery and then plugging it in. I have tried both Linux and Windows. I am much more familiar with Linux so not really sure how to check in windows but in Linux dmesg shows nothing when I plug it in. Curious if I need to power it on first or something, granted I held the power button and it didnt work.

As @Michajin already said, the prerequisite for any of the modifications is access to brom DL-Mode.
Linux is the preferred OS for running the bypass or kamakiri, it does however require a patched Linux kernel https://github.com/amonet-kamakiri/prebuilt-kernels or FireISO.

Checking access to bootrom DL Mode doesn't require the patch and can be confirmed via lsusb on Linux:
Code:
0e8d:0003 MediaTek Inc. MT6227 phone
 
  • Like
Reactions: Kramar111

daveaspy

Member
Jun 3, 2011
28
3
I've been following this thread to try and recover an unmodified HD10 which was stuck on the fire boot logo but I fear the eMMC is dead. Using recovery I get errors when trying to do factory reset as /cache cannot be mounted - makes me think the storage is corrupt?

I have the MT6227 phone device, finally cleared the preloader with SP Flash tool (after pulling the battery), but did get some intermittent errors about STATUS_STOR_LIFE EXHAUST as I was trying to get this to work. Then I tried gpt-fix which seemed to work ok. bootrom-step.sh said rpmb looked broken but I continued and that all went ok but was no closer to getting me a booting device (back in recovery I still have the cannot mount cache issue)

When I've tried to do these steps again, gpt-fix starts up ok but fails at "flashing GPT" because emmc_write() is giving "device failure". Could the eMMC really be dead? Is there any hope for this device??
 

greenlndr

Member
Feb 11, 2011
38
1
I feel really dumb because I can't even install UsbDk_1.0.22_x64.msi It opens but quickly closes. Able to get everything else going. Running python main.py results in:
Traceback (most recent call last):
File "C:\bypass\main.py", line 3, in <module>
from src.exploit import exploit
File "C:\bypass\src\exploit.py", line 2, in <module>
from serial.serialutil import SerialException
ModuleNotFoundError: No module named 'serial'

Tried on my old laptop, same thing. Both Win10 64.

My Fire HD 10 is on 7.0/PS7318/1957N, just want to get rid of the awful Amazon entirely and put custom recovery and standard android.. Any chance of me doing that, without cracking the case open? Screens already broken, it won't survive the surgery. :p
 

Michajin

Senior Member
Oct 23, 2012
1,265
512
I feel really dumb because I can't even install UsbDk_1.0.22_x64.msi It opens but quickly closes. Able to get everything else going. Running python main.py results in:


Tried on my old laptop, same thing. Both Win10 64.

My Fire HD 10 is on 7.0/PS7318/1957N, just want to get rid of the awful Amazon entirely and put custom recovery and standard android.. Any chance of me doing that, without cracking the case open? Screens already broken, it won't survive the surgery. :p
No chance, unless you bought it prior to january 2020. If you got it prior to that you can get temp root, but not unlock. There is no unlock, custom recovery, or custom rom. Just a temp root, which cannot modify the system partition.
 
  • Like
Reactions: Kramar111

greenlndr

Member
Feb 11, 2011
38
1
No chance, unless you bought it prior to january 2020. If you got it prior to that you can get temp root, but not unlock. There is no unlock, custom recovery, or custom rom. Just a temp root, which cannot modify the system partition.
Oh it's from 2019, for sure. Should I just try to run SP Flash Tool and flash maverick-downgrade-7.0_PS7310_940N? I can't get bypass_utility-v.1.4.2 to work.
 

Michajin

Senior Member
Oct 23, 2012
1,265
512
Oh it's from 2019, for sure. Should I just try to run SP Flash Tool and flash maverick-downgrade-7.0_PS7310_940N? I can't get bypass_utility-v.1.4.2 to work.
You have to get into the bootrom to downgrade. Volume (+or- sorry it's been a while) and power worked on 7.3.1.0, 7.3.1.1, and possibly 7.3.1.2. run lsusb verify you see mediatek phone. What os are you on? After 7.3.1.2 you have to disconnect the battery to get into bootrom and connect it to flash emmc.
 
  • Like
Reactions: Kramar111

almazen81

Member
Aug 15, 2017
9
4
40
iraq
Is there any news for maverick root permanent ؟ I have a problem when I try to downgrade to 7.3.1.0 The operation succeeded, but the touch does not work Note that the previous version was 7.3.1.1 Is there any solution؟
 

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    Unlock bootloader using adb and root using magisk
    If it was that easy do you think people would donate 100$? Unfortunately to use Magisk you need an unlocked bootloader and we can only archieve bootless root with mtk-su (which limits us from editing the /system partition).
    2
    This tool works on this device, but after sending dd if file to the device is dead link

    Supported devices​

    DeviceModelAndroid VersionTested
    Amazon Fire 7 2017austin – mt8127_evb15.1Yes
    Amazon Fire 7 2015ford – mt8127_evb15.1Yes
    Amazon Fire HD8 2016giza5.1Yes
    Amazon Fire HD8 2017giza5.1Yes
    Amazon Fire HD10 2017suez5.1Yes
    Amazon Fire HD10 2019maverick9.0Yes
    Amazon Fire HD10 2021trona9.0No
    Amazon Fire TV Stick Basictank – mt8127_evb15.1Yes
    Amazon Fire TV Stick 4Kmantis7.1No
    Amazon Fire TV Stick Litesheldon9.0No
    Amazon Fire TV 2 (2015)sloane5.1Yes
    Amazon Echo Inputcupcake7.1Yes
    Amazon Echo Dot 2biscuit5.1No
    Of course the device is dead. The images patched by that tool are supposed to be used with mtkclient to temporarily boot them to temporarily unlock the device. So yeah. It indeed unlocks the bootloader but you need a PC every time you want to reboot the tablet. It's basically some kind of tethered unlock (something like xyz mentioned long time ago).
    1
    Is there any news for maverick root permanent ؟ I have a problem when I try to downgrade to 7.3.1.0 The operation succeeded, but the touch does not work Note that the previous version was 7.3.1.1 Is there any solution؟
    Try reflashing the full load, I think there was downgrade issue with the wifi for a user here and a reflash fixed it
    1

    I am ready to donate $100 to anyone who permanently root this device(y):cowboy:

    1

    I am ready to donate $100 to anyone who permanently root this device(y):cowboy:

    Eh, I know I probably shouldn't engage in this topic because I know developers are probably already trying their hardest, but I would also contribute +50usd if it installs on .12 without hoops, custom recovery to flash without computer would be nice.
    If it does happen the Developer may contact me where to send. If this is out of line, sorry, please remove post.
  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    8
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.