the tablet was release in 2019? - but the software failure only happened recently - an update failed and now it doesn't power on passed boot rom
New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming
- Thread starter Kctucka
- Start date
If the 9th Gen HD10 was manufactured in 2019 it is probably vulnerable to the kamakiri hack and can be rolled back. I (and others on here) have done it.you can't enter to bootrom after 7.3.1.0
Amazon managed to patch the bootrom in later devices - the Lot No. printed on the back of the case gives a clue to the manufacture year. I have a J936 which can be hacked and a J045 which can't. This was discussed a lot previously in this thread. The thinking is J9xx = 2019 and J0xx = 2020.
If the device is vulnerable it is probably necessary to also remove the rear cover and disconnect battery to enter bootrom mode . I haven't tested that myself tho' - I just took the back off following the guidance of others on here.
TL;DR - should've mentioned in my post above: device must be manufactured in 2019 & rear cover (probably) needs to come off so battery can be disconnected. These are essential requirements to run the exploits.
the lot number is j940 - and it is already in boot rom mode on usb connection - as that is where it fails in the initialization process... i'm ultimately just trying to get it to boot again, in preference into a normal OS version. at the moment it is just an expensive paper weight.
i can ran it agein , but can't enter it to bootrom , i will pm you ok ?
You must uninstall drivers MTK , and try it if still do that , try other bybass
Got "Protection disabled" with bypass_utility under [FireISO]
1, download the fireiso-2.0.0-amd64.iso from https://github.com/amonet-kamakiri/fireiso/releases,
2, burn the the iso image to a blank DVD. boot the computer into fireiso liveCD, with an DVD drive .
3, load all the files to a USB flash drive, USB32GB, mounted automatically at /run/media/root/USB32GB/
4, bypass_utility-v.1.4.2 is unzipped, saved in a USB flashdrive, in the folder /bypass, mounted as /run/media/root/USB32GB/bypass/
5, exploits_collection-1.6.zip is unzipped, saved in the folder /bypass too
[[email protected] ~]# python3 --version
Python 3.9.1
[[email protected] ~]# python3 -m pip --version
pip 20.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[[email protected] ~]# python3 -m ensurepip --default-pip
Looking in links: /tmp/tmpdmgv09oh
Requirement already satisfied: setuptools in /usr/lib/python3.9/site-packages (53.0.0)
Requirement already satisfied: pip in /usr/lib/python3.9/site-packages (20.3.1)
[[email protected] ~]# python3 -m pip install pyusb pyserial json5
Requirement already satisfied: pyusb in /usr/lib/python3.9/site-packages (1.1.1)
Requirement already satisfied: pyserial in /usr/lib/python3.9/site-packages (3.5)
Requirement already satisfied: json5 in /usr/lib/python3.9/site-packages (0.9.5)
[[email protected] ~]# cd /run/media/root/USB32GB/bypass/
[[email protected] /run/media/root/USB32GB/bypass]# su root
[[email protected] /run/media/root/USB32GB/bypass]# python3 ./main.py
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
[[email protected] /run/media/root/USB32GB/bypass]#
[[email protected] /run/media/root/USB32GB/bypass]# cd /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux/
[[email protected] /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux]# lsusb
...
Bus 003 Device 012: ID 0e8d:0003 MediaTek Inc. MT6227 phone
...
Now, how to run the SP_Flash_Tool-5.1916_Linux with this fireiso liveCD ?
1, download the fireiso-2.0.0-amd64.iso from https://github.com/amonet-kamakiri/fireiso/releases,
2, burn the the iso image to a blank DVD. boot the computer into fireiso liveCD, with an DVD drive .
3, load all the files to a USB flash drive, USB32GB, mounted automatically at /run/media/root/USB32GB/
4, bypass_utility-v.1.4.2 is unzipped, saved in a USB flashdrive, in the folder /bypass, mounted as /run/media/root/USB32GB/bypass/
5, exploits_collection-1.6.zip is unzipped, saved in the folder /bypass too
[[email protected] ~]# python3 --version
Python 3.9.1
[[email protected] ~]# python3 -m pip --version
pip 20.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[[email protected] ~]# python3 -m ensurepip --default-pip
Looking in links: /tmp/tmpdmgv09oh
Requirement already satisfied: setuptools in /usr/lib/python3.9/site-packages (53.0.0)
Requirement already satisfied: pip in /usr/lib/python3.9/site-packages (20.3.1)
[[email protected] ~]# python3 -m pip install pyusb pyserial json5
Requirement already satisfied: pyusb in /usr/lib/python3.9/site-packages (1.1.1)
Requirement already satisfied: pyserial in /usr/lib/python3.9/site-packages (3.5)
Requirement already satisfied: json5 in /usr/lib/python3.9/site-packages (0.9.5)
[[email protected] ~]# cd /run/media/root/USB32GB/bypass/
[[email protected] /run/media/root/USB32GB/bypass]# su root
[[email protected] /run/media/root/USB32GB/bypass]# python3 ./main.py
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
[[email protected] /run/media/root/USB32GB/bypass]#
[[email protected] /run/media/root/USB32GB/bypass]# cd /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux/
[[email protected] /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux]# lsusb
...
Bus 003 Device 012: ID 0e8d:0003 MediaTek Inc. MT6227 phone
...
Now, how to run the SP_Flash_Tool-5.1916_Linux with this fireiso liveCD ?
Ok im mad confused when its comes to this.
Fireiso 2.00 doesn't launch into XFCe I had to revert to using Fire ISO 1.00.
Any issues with using that version?
Also not sure after running the spflash to flashing the recovery , boot vendor & system. Do I need to power the device off and run the bypass again before connecting it to a device with Fireiso so I can run the scripts?
*do i really need to remove the battery?
Fireiso 2.00 doesn't launch into XFCe I had to revert to using Fire ISO 1.00.
Any issues with using that version?
Also not sure after running the spflash to flashing the recovery , boot vendor & system. Do I need to power the device off and run the bypass again before connecting it to a device with Fireiso so I can run the scripts?
*do i really need to remove the battery?
Not sure about all of this, pulling the battery gets you into bootrom, but access to the preloader you need the battery. From what I experienced when we developed the downgrade.... Been a while to remember all the details though. I don't think the version is matters. All this is going to do is give you a temp root access. Not a unlock....
@k4y0z sir, I'm really sorry to mention u....would u be kind enough to let me know if downgrading to 7.3.2.6 is possible..
Mine says Lot J036 in back
Last edited:
Late to the game here, ty for all the work so far. I have 2 mavericks , one virgin, one bricked. The 2nd seems to boot loop at the boot of preloader stage. I can access it with mtkclient and flash the partitions. But the ./bootrom-step and gpt scripts both fail at the 2nd stage loader with errror 5. Bypass works without the battery connected but flash_tool doesn't connect after the battery is connected. I think the partitions table is messed up somehow. Could someone list ALL the tables and what is flashed in what. Particularly the kb one at the start of the flash. Should it be zeroed out? Thanks.
Last edited:
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
11mtk-su for OS 7.3.1.0
I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.10I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.
Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
Also lk was incomplete.
Thanks again to @Kramar111 for the files8
AmznUser444,
I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.8Thanks to @Kramar111, we now have a full dump of 7.3.1.0:
1.1 GB file on MEGA
mega.nz
And a little present from me, minimal kamakiri for maverick.
All it does is downgrade RPMB, flashing can be done with SP Flash.
Thanks again to @bengris32 for testing.77.3.1.0 Images
So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.
