New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


moomph

Member
May 11, 2009
10
4
Finally got it, thank you!

For anyone else, the trick was holding power and pressing and releasing the VOL up button (or maybe holding VOL and pressing power, I don't remember exactly). This will take you to a recovery mode menu.
 

PRInCEI7

Senior Member
Aug 14, 2016
85
9
Hi all

This week I was trying to downgrade FireOS 7.3.2.2 to 7.3.1.0 by dumping the files of an old device and rewriting them on a device with FireOS 7.3.2.2.

The device is working but I get a warning ⚠️

I managed to get into the recovery, but I can't get into the device because I think I have to fix the GPT so that you can get into the device.

I have a strange question 😅 Can I reactivate the 'Test Point' vulnerability?

In which partition is this protection located?

By the way, I have all ISP points.

I can modify all parts of the device to read and write to any version of Fire OS.

____

I have another question: can I disable dm-verity protection?

And for modifying system files, I only need to modify one file, 'App in System'!! How can I do this?
 

Attachments

  • B7C04658-0249-4D9D-B9BD-8F0FB9819232.jpeg

789mod

Senior Member

Try format preloader using SP flash tool
 

PRInCEI7

Senior Member
Aug 14, 2016
85
9


Try format preloader using SP flash tool
It does not recognize preloader mode.

Only when I press power + vol up does it recognize adb or fastboot mode, but all I can do is reboot 😢
 

JJ2017

Senior Member
Jan 7, 2017
79
48
Huawei P20 Pro
Hi all

This week I was trying to do a downgrade FireOS 7.3.2.2 to 7.3.1.0

By Dumping the files of an old device and rewriting them on a device with a version of FireOS 7.3.2.2

The device is working but I get a warning ⚠️

I managed to get into the recovery.....
You've probably tried already, but might a 'factory reset' from the recovery menu help you boot?

Also, I like the photo of the test points above (reminds me of this thread https://forum.xda-developers.com/t/...azon-fire-hd-8-7th-gen.3851617/#post-77823799)
How do you interface with the eMMC memory so you can read/write partitions? USB-serial adapter, maybe?
I've got one of those annoying bootrom disabled HD 10's (2020 production date) - some kind of hardware-mod might be an option - looks like you might have already cracked it?
 

PRInCEI7

Senior Member
Aug 14, 2016
85
9
You've probably tried already, but might a 'factory reset' from the recovery menu help you boot?

Also, I like the photo of the test points above (reminds me of this thread https://forum.xda-developers.com/t/...azon-fire-hd-8-7th-gen.3851617/#post-77823799)
How do you interface with the eMMC memory so you can read/write partitions? USB-serial adapter, maybe?
I've got one of those annoying bootrom disabled HD 10's (2020 production date) - some kind of hardware-mod might be an option - looks like you might have already cracked it?
Great idea, but I think it will not work, because if I change any file in System, the device will not work because of dm-verity protection.
 

Michajin

Senior Member
Oct 23, 2012
1,296
519

It does not recognize preloader mode.

Only when I press power + vol up does it recognize adb or fastboot mode, but all I can do is reboot 😢
What is the test point vulnerability? On 7.3.1.0 and 7.3.1.1 you could boot into the bootrom directly if you had a 2019 version. After 7.3.1.2 you could boot into the bootrom, but you had to disconnect the battery to get into the bootrom, then plug in the battery to give write access. Then wipe the preloader; this will brick it until you flash it with the SP Flash tool.
 

kbl

Member
Feb 20, 2008
9
1
Hi All, I've got 2x 2019 (Maverick) tablets that both have gone into brick mode with no modification attempts of my own. I'd really like just to bring them back to a working condition. They were purchased shortly after the device was released.

The screen is completely black, but I do hear USB sounds cycling (Win10). With USBTreeView I can see COM3 become available for a short period of time. Can I use any of the methods here (or any other suggestions) to bring them back to a working factory config?

In terms of what got them into this state, I'd like to know ... I suspect an Amazon update of sorts... but regardless, at this point they are paperweights.
 

Michajin

Senior Member
Oct 23, 2012
1,296
519
Hi All, I've got 2x 2019 (Maverick) tablets that both have gone into brick mode with no modification attempts of my own. I'd really like just to bring them back to a working condition. They were purchased shortly after the device was released.

The screen is completely black, but I do hear USB sounds cycling (Win10). With USBTreeView I can see COM3 become available for a short period of time. Can I use any of the methods here (or any other suggestions) to bring them back to a working factory config?

In terms of what got them into this state, I'd like to know ... I suspect an Amazon update of sorts... but regardless, at this point they are paperweights.
I'd start with trying to see if they are in bootrom mode. Run the Fire ISO or Linux and do an lsusb to see what your PC sees. There are options from there. If you bought them before Jan 2020 you can re-install everything.
 

kbl

Member
Feb 20, 2008
9
1
I'd start with trying to see if they are in bootrom mode. Run the Fire ISO or Linux and do an lsusb to see what your PC sees. There are options from there. If you bought them before Jan 2020 you can re-install everything.
Here's what I see:
Bus 001 Device 006: ID 0e8d:0003 MediaTek Inc. MT6227 phone

I got them in Nov 2019 so this sounds promising.
 
  • Like
Reactions: StonedEngineer97
Here's what I see:
Bus 001 Device 006: ID 0e8d:0003 MediaTek Inc. MT6227 phone

I got them in Nov 2019 so this sounds promising.
I don't have access to information that I could provide at the moment but that looks correct as well and promising. If you go back <10 pages you should see instructions on how to boot into fire iso and run mtk bypass to downgrade (in your case recover) the units when bootrom is available
 

kbl

Member
Feb 20, 2008
9
1
I don't have access to information that I could provide at the moment but that looks correct as well and promising. If you go back <10 pages you should see instructions on how to boot into fire iso and run mtk bypass to downgrade (in your case recover) the units when bootrom is available
Does this post have what I need, along with FireISO?

https://forum.xda-developers.com/t/...er-unlock-brainstorming.3979343/post-84499719

UPDATE#1:
So I got the bypass utility, payloads, SP flash utility as well.

From FireISO, the bypass utility seemed to work fine:
    [email protected] ~/Desktop/bypass_utility-v.1.4.2]# sudo python main.py
    [2022-05-27 00:11:43.410928] Waiting for device
    [2022-05-27 00:12:19.538243] Found port = /dev/ttyACM0

    [2022-05-27 00:12:19.573769] Device hw code: 0x788
    [2022-05-27 00:12:19.573883] Device hw sub code: 0x8a00
    [2022-05-27 00:12:19.573969] Device hw version: 0xca00
    [2022-05-27 00:12:19.574061] Device sw version: 0x0
    [2022-05-27 00:12:19.574126] Device secure boot: True
    [2022-05-27 00:12:19.574226] Device serial link authorization: False
    [2022-05-27 00:12:19.574308] Device download agent authorization: True

    [2022-05-27 00:12:19.574425] Disabling watchdog timer
    [2022-05-27 00:12:19.575030] Disabling protection
    [2022-05-27 00:12:19.632974] Protection disabled

But then SP Flash started running and then bombed about 6 seconds in. I didn't save the output ... but now the device isn't showing up in lsusb. I'm guessing it'll continue to be a paperweight :(

My other tablet is also not showing in lsusb (but I'm not sure it was in exactly the same state as the one I started with anyhow).

UPDATE #2:
Holding Power and Volume buttons seems to have brought it back in lsusb. So I'm at the point where bypass utility appears to do what it needs to do again. But now when I try to run sp flash or kamakiri/bootrom_step.sh it's not finding the device...

Any suggestions most welcome.
 

PRInCEI7

Senior Member
Aug 14, 2016
85
9
You've probably tried already, but might a 'factory reset' from the recovery menu help you boot?

Also, I like the photo of the test points above (reminds me of this thread https://forum.xda-developers.com/t/...azon-fire-hd-8-7th-gen.3851617/#post-77823799)
How do you interface with the eMMC memory so you can read/write partitions? USB-serial adapter, maybe?
I've got one of those annoying bootrom disabled HD 10's (2020 production date) - some kind of hardware-mod might be an option - looks like you might have already cracked it?


The problem is that when I try to modify any file within the system, the device does not boot. Hex also tried to disable the dm-verity protection, but the device also did not boot. Is there a way to modify the system files? Sometimes when I move a file to the system/priv-app path, the application does not appear and I do not know why.
 

JJ2017

Senior Member
Jan 7, 2017
79
48
Huawei P20 Pro
The problem is that when I try to modify any file within the system, the device does not boot. Hex also tried to disable the dm-verity protection, but the device also did not boot. Is there a way to modify the system files? Sometimes when I move a file to the system/priv-app path, the application does not appear and I do not know why.
From my limited understanding, I don't think you can 'adjust' System files without tripping dm-verity - I've not heard of a work-around, unfortunately.

What I'd like to know (and I think you might've already tried this) - could we flash the 7.3.1.0 ROM using an eMMC hack to a newer model (one that's bootrom disabled). And if so, could we temp root that device? And even better, maybe get the device into bootrom mode so we can use SPflash Tool / mtkclient? That would be awesome but I don't think it'll work - disabling bootrom was probably a hardware fix (from what I've read on this thread)
 

Rortiz2

Senior Member
Mar 1, 2018
2,450
1,865
Barcelona
From my limited understanding, I don't think you can 'adjust' System files without tripping dm-verity - I've not heard of a work-around, unfortunately.

What I'd like to know (and I think you might've already tried this) - could we flash the 7.3.1.0 ROM using an eMMC hack to a newer model (one that's bootrom disabled). And if so, could we temp root that device? And even better, maybe get the device into bootrom mode so we can use SPflash Tool / mtkclient? That would be awesome but I don't think it'll work - disabling bootrom was probably a hardware fix (from what I've read on this thread)
Unfortunately, that's not how it works. That could work, however you might run into problems with RPMB (the initialization phase) because (if I'm not mistaken), the keys are shared between the CPU and the eMMC.

On the other hand, bootrom would still be disabled as the fuse is in the SoC and therefore you would need to replace the CPU as well. If you're interested, something similar to your idea was already done a few months ago with the Amazon Fire TV Stick 4K.
 

PRInCEI7

Senior Member
Aug 14, 2016
85
9
From my limited understanding, I don't think you can 'adjust' System files without tripping dm-verity - I've not heard of a work-around, unfortunately.

What I'd like to know (and I think you might've already tried this) - could we flash the 7.3.1.0 ROM using an eMMC hack to a newer model (one that's bootrom disabled). And if so, could we temp root that device? And even better, maybe get the device into bootrom mode so we can use SPflash Tool / mtkclient? That would be awesome but I don't think it'll work - disabling bootrom was probably a hardware fix (from what I've read on this thread)
Rortiz2

I tried this method with the Amazon Fire HD 7 9Gen and it worked. I was able to get into TWRP Recovery with bootrom disabled, and I installed a ROM; everything was okay, but with the Amazon Fire HD 10-9Gen it's more complicated. But nothing is impossible. I just need to disable dm-verity. Any ideas, I would be happy to try; I have a lot of devices + tools.
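
Why a change to a single file in system trips dm-verity, as discussed in the posts above (an added example, not part of the original thread): a simplified Python model of the hash tree, showing that a one-bit change in one data block is pinned to that block and that rebuilding the tree over the modified image yields a different root hash from the trusted one. The block size, salted SHA-256 and 128-digest fan-out follow the usual dm-verity defaults; the image, salt and function names are constructed for illustration, and the layout is a model, not the exact on-disk format.

```python
import hashlib

BLOCK = 4096                 # data block and hash block size
DIGEST = 32                  # SHA-256 digest length
FANOUT = BLOCK // DIGEST     # 128 digests fit in one hash block


def _h(salt: bytes, block: bytes) -> bytes:
    # Salted SHA-256 over one 4096-byte block (salt prepended in this model).
    return hashlib.sha256(salt + block).digest()


def build_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels); levels[0] holds the data-block digests."""
    if len(image) == 0 or len(image) % BLOCK:
        raise ValueError("image must be a non-zero multiple of the block size")
    level = [_h(salt, image[i:i + BLOCK])
             for i in range(0, len(image), BLOCK)]
    levels = [level]
    while True:
        # Pack digests into zero-padded hash blocks, then hash those blocks.
        blocks = [b"".join(level[i:i + FANOUT]).ljust(BLOCK, b"\0")
                  for i in range(0, len(level), FANOUT)]
        level = [_h(salt, b) for b in blocks]
        if len(level) == 1:
            return level[0], levels      # hash of the top hash block
        levels.append(level)


def tampered_blocks(image: bytes, salt: bytes, stored_leaves):
    """Indices of data blocks whose digest no longer matches the stored tree."""
    return [i for i, want in enumerate(stored_leaves)
            if _h(salt, image[i * BLOCK:(i + 1) * BLOCK]) != want]


def demo():
    # Constructed sample: 300-block image, so the tree has two hash levels.
    salt = bytes(range(32))
    image = bytearray(b"".join(i.to_bytes(4, "big") * (BLOCK // 4)
                               for i in range(300)))
    trusted_root, levels = build_tree(bytes(image), salt)
    image[137 * BLOCK + 10] ^= 0x01      # flip one bit in block 137
    bad = tampered_blocks(bytes(image), salt, levels[0])
    rebuilt_root, _ = build_tree(bytes(image), salt)
    return trusted_root, bad, rebuilt_root


if __name__ == "__main__":
    root, bad, rebuilt = demo()
    print("trusted root   :", root.hex())
    print("tampered blocks:", bad)
    print("rebuilt root matches trusted root:", rebuilt == root)
```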
 

Top Liked Posts

  • 2
    From my limited understanding, I don't think you can 'adjust' System files without tripping dm-verity - I've not heard of a work-around, unfortunately.

    What I'd like to know (and I think you might've already tried this) - could we flash the 7.3.1.0 ROM using an eMMC hack to a newer model (one that's bootrom disabled). And if so, could we temp root that device? And even better, maybe get the device into bootrom mode so we can use SPflash Tool / mtkclient? That would be awesome but I don't think it'll work - disabling bootrom was probably a hardware fix (from what I've read on this thread)
    Unfortunately, that's not how it works. That could work, however you might run into problems with RPMB (the initialization phase) because (if I'm not mistaken), the keys are shared between the CPU and the eMMC.

    On the other hand, bootrom would still be disabled as the fuse is in the SoC and therefore you would need to replace the CPU as well. If you're interested, something similar to your idea was already done a few months ago with the Amazon Fire TV Stick 4K.
    1
    The problem is that when I try to modify any file within the system, the device does not boot. Hex also tried to disable the dm-verity protection, but the device also did not boot. Is there a way to modify the system files? Sometimes when I move a file to the system/priv-app path, the application does not appear and I do not know why.
    From my limited understanding, I don't think you can 'adjust' System files without tripping dm-verity - I've not heard of a work-around, unfortunately.

    What I'd like to know (and I think you might've already tried this) - could we flash the 7.3.1.0 ROM using an eMMC hack to a newer model (one that's bootrom disabled). And if so, could we temp root that device? And even better, maybe get the device into bootrom mode so we can use SPflash Tool / mtkclient? That would be awesome but I don't think it'll work - disabling bootrom was probably a hardware fix (from what I've read on this thread)
    1
    Rortiz2

    I tried this method with the Amazon Fire HD 7 9Gen and it worked. I was able to get into TWRP Recovery with bootrom disabled, and I installed a ROM; everything was okay, but with the Amazon Fire HD 10-9Gen it's more complicated. But nothing is impossible. I just need to disable dm-verity. Any ideas, I would be happy to try; I have a lot of devices + tools.
    I guess you already tried to use this.
    1
    Doesn't support Android 11 ,
    As for Downgrade, I think it will work, but through the hardware, I will try downgrading from a new version, to old version such as 7.3.2.1 supports root
    maverick uses Android 9.
  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    10
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.