New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming

JJ2017

Senior Member
Jan 7, 2017
87
51
Huawei P20 Pro
you can't enter to bootrom after 7.3.1.0

:(
If the 9th Gen HD10 was manufactured in 2019 it is probably vulnerable to the kamakiri hack and can be rolled back. I (and others on here) have done it.
Amazon managed to patch the bootrom in later devices - the Lot No. printed on the back of the case gives a clue to the manufacture year. I have a J936 which can be hacked and a J045 which can't. This was discussed a lot previously in this thread. The thinking is J9xx = 2019 and J0xx = 2020.
If the device is vulnerable it is probably necessary to also remove the rear cover and disconnect the battery to enter bootrom mode. I haven't tested that myself tho' - I just took the back off following the guidance of others on here.

TL;DR - should've mentioned in my post above: device must be manufactured in 2019 & rear cover (probably) needs to come off so battery can be disconnected. These are essential requirements to run the exploits.
 

789mod

Senior Member
I think your device was produced before 2020
You mean J9, that is the serial number?
 

rdpeake

Member
Jul 6, 2022
14
3
The lot number is j940 - and it is already in bootrom mode on USB connection - as that is where it fails in the initialization process... I'm ultimately just trying to get it to boot again, preferably into a normal OS version. At the moment it is just an expensive paperweight.
 

789mod

Senior Member
I can run it again, but can't enter it into bootrom. I will PM you, OK?
 
  • Like
Reactions: StonedEngineer97

fastness2020

New member
Dec 7, 2020
3
3
try to downgrade HD 10 gen9, with a Windows 10
got "Protection disabled" with bypass_utility.
But MS Windows 10 shows a bluescreen and reboots, with Stop code: WDF_VIOLATION.
 
  • Like
Reactions: 789mod

fastness2020

New member
Dec 7, 2020
3
3
Got "Protection disabled" with bypass_utility under [FireISO]
1, download the fireiso-2.0.0-amd64.iso from https://github.com/amonet-kamakiri/fireiso/releases,
2, burn the ISO image to a blank DVD. Boot the computer into the fireiso liveCD, with a DVD drive.
3, load all the files to a USB flash drive, USB32GB, mounted automatically at /run/media/root/USB32GB/
4, bypass_utility-v.1.4.2 is unzipped, saved in a USB flashdrive, in the folder /bypass, mounted as /run/media/root/USB32GB/bypass/
5, exploits_collection-1.6.zip is unzipped, saved in the folder /bypass too

[[email protected] ~]# python3 --version
Python 3.9.1
[[email protected] ~]# python3 -m pip --version
pip 20.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[[email protected] ~]# python3 -m ensurepip --default-pip
Looking in links: /tmp/tmpdmgv09oh
Requirement already satisfied: setuptools in /usr/lib/python3.9/site-packages (53.0.0)
Requirement already satisfied: pip in /usr/lib/python3.9/site-packages (20.3.1)
[[email protected] ~]# python3 -m pip install pyusb pyserial json5
Requirement already satisfied: pyusb in /usr/lib/python3.9/site-packages (1.1.1)
Requirement already satisfied: pyserial in /usr/lib/python3.9/site-packages (3.5)
Requirement already satisfied: json5 in /usr/lib/python3.9/site-packages (0.9.5)
[[email protected] ~]# cd /run/media/root/USB32GB/bypass/
[[email protected] /run/media/root/USB32GB/bypass]# su root
[[email protected] /run/media/root/USB32GB/bypass]# python3 ./main.py
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
[[email protected] /run/media/root/USB32GB/bypass]#
[[email protected] /run/media/root/USB32GB/bypass]# cd /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux/
[[email protected] /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux]# lsusb
...
Bus 003 Device 012: ID 0e8d:0003 MediaTek Inc. MT6227 phone
...

Now, how to run the SP_Flash_Tool-5.1916_Linux with this fireiso liveCD ?
 
  • Like
Reactions: lex66676 and 789mod
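
As an added example (not part of the original post and not code from bypass_utility), the following Python parses the timestamped log quoted above to show what it records: which protections the device reported as enforced when it attached, and how quickly the "Protection disabled" line followed. The function names `parse_log` and `summarize` are hypothetical; the sample is the tool output copied from the post with the shell prompts left out.

```python
import re
from datetime import datetime
# Log lines copied from the post above (tool output only, shell prompts omitted).
SAMPLE_LOG = """\
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
"""

LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(.*)$")
FIELD_RE = re.compile(r"^Device ([a-z ]+): (\S+)$")

def parse_log(text):
    """Split the log into reported device fields and other timestamped events."""
    fields, events = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # shell prompts, blank lines, anything without a timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        f = FIELD_RE.match(m.group(2))
        if f is None:
            events.append((ts, m.group(2)))
        elif f.group(2) in ("True", "False"):
            fields[f.group(1)] = f.group(2) == "True"
        else:
            fields[f.group(1)] = int(f.group(2), 16)  # hex values such as 0x788
    return fields, events

def summarize(text):
    """Report which protections the device claimed and how fast they were turned off."""
    fields, events = parse_log(text)
    when = {msg.split(" =")[0]: ts for ts, msg in events}
    done, seen = when.get("Protection disabled"), when.get("Found port")
    return {
        "hw_code": fields.get("hw code"),
        "enforced_at_attach": sorted(k for k, v in fields.items() if v is True),
        "protection_disabled": done is not None,
        "seconds_attach_to_disabled": (done - seen).total_seconds() if done and seen else None,
    }
```

On the quoted log this reports secure boot and download agent authorization as enforced at attach, with the "Protection disabled" line arriving about 1.2 seconds after the port was found.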

789mod

Senior Member
You must uninstall the MTK driver, or disable sugrediver
 

789mod

Senior Member
Pm me
 
  • Like
Reactions: Michajin

Arilan

Member
May 24, 2019
7
1
OK, I'm mad confused when it comes to this.

Fireiso 2.00 doesn't launch into XFCe I had to revert to using Fire ISO 1.00.

Any issues with using that version?

Also not sure after running the spflash to flash the recovery, boot vendor & system. Do I need to power the device off and run the bypass again before connecting it to a device with Fireiso so I can run the scripts?

*Do I really need to remove the battery?
 

Michajin

Senior Member
Oct 23, 2012
1,340
535
Not sure about all of this, pulling the battery gets you into bootrom, but for access to the preloader you need the battery. From what I experienced when we developed the downgrade.... Been a while to remember all the details though. I don't think the version matters. All this is going to do is give you temp root access. Not an unlock....
 

Arilan

Member
May 24, 2019
7
1
Well, I finally got it working and downgraded to 7.3.1.0 and I went ahead and pushed the MTK-su file and I keep getting this: ./mtk-su: no such file or directory.

I can see the file in there so maybe i did something wrong :|
 
  • Like
Reactions: Michajin

kountzero

Member
Nov 6, 2010
6
0
Late to the game here, ty for all the work so far. I have 2 mavericks, one virgin, one bricked. The 2nd seems to boot loop at the boot of preloader stage. I can access it with mtkclient and flash the partitions. But the ./bootrom-step and gpt scripts both fail at the 2nd stage loader with error 5. Bypass works without the battery connected but flash_tool doesn't connect after the battery is connected. I think the partitions table is messed up somehow. Could someone list ALL the tables and what is flashed in what? Particularly the kb one at the start of the flash. Should it be zeroed out? Thanks.
 

Top Liked Posts

  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    10
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.