New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming

Search This thread

JJ2017

Senior Member
Jan 7, 2017
87
51
Huawei P20 Pro
you can't enter to bootrom after 7.3.1.0

:(
If the 9th Gen HD10 was manufactured in 2019 it is probably vulnerable to the kamakiri hack and can be rolled back. I (and others on here) have done it.
Amazon managed to patch the bootrom in later devices - the Lot No. printed on the back of the case gives a clue to the manufacture year. I have a J936 which can be hacked and a J045 which can't. This was discussed a lot previously in this thread. The thinking is J9xx = 2019 and J0xx = 2020.
If the device is vulnerable it is probably necessary to also remove the rear cover and disconnect battery to enter bootrom mode . I haven't tested that myself tho' - I just took the back off following the guidance of others on here.

TL;DR - should've mentioned in my post above: device must be manufactured in 2019 & rear cover (probably) needs to come off so battery can be disconnected. These are essential requirements to run the exploits.
 

789mod

Senior Member
I thinking your device product before 2020
If the 9th Gen HD10 was manufactured in 2019 it is probably vulnerable to the kamakiri hack and can be rolled back. I (and others on here) have done it.
Amazon managed to patch the bootrom in later devices - the Lot No. printed on the back of the case gives a clue to the manufacture year. I have a J936 which can be hacked and a J045 which can't. This was discussed a lot previously in this thread. The thinking is J9xx = 2019 and J0xx = 2020.
If the device is vulnerable it is probably necessary to also remove the rear cover and disconnect battery to enter bootrom mode . I haven't tested that myself tho' - I just took the back off following the guidance of others on here.

TL;DR - should've mentioned in my post above: device must be manufactured in 2019 & rear cover (probably) needs to come off so battery can be disconnected. These are essential requirements to run the exploits.
You mean j9 that is searl number ?
 

rdpeake

Member
Jul 6, 2022
14
3
If the 9th Gen HD10 was manufactured in 2019 it is probably vulnerable to the kamakiri hack and can be rolled back. I (and others on here) have done it.
Amazon managed to patch the bootrom in later devices - the Lot No. printed on the back of the case gives a clue to the manufacture year. I have a J936 which can be hacked and a J045 which can't. This was discussed a lot previously in this thread. The thinking is J9xx = 2019 and J0xx = 2020.
If the device is vulnerable it is probably necessary to also remove the rear cover and disconnect battery to enter bootrom mode . I haven't tested that myself tho' - I just took the back off following the guidance of others on here.

TL;DR - should've mentioned in my post above: device must be manufactured in 2019 & rear cover (probably) needs to come off so battery can be disconnected. These are essential requirements to run the exploits.
the lot number is j940 - and it is already in boot rom mode on usb connection - as that is where it fails in the initialization process... i'm ultimately just trying to get it to boot again, in preference into a normal OS version. at the moment it is just an expensive paper weight.
 

789mod

Senior Member
the lot number is j940 - and it is already in boot rom mode on usb connection - as that is where it fails in the initialization process... i'm ultimately just trying to get it to boot again, in preference into a normal OS version. at the moment it is just an expensive paper weight.
i can ran it agein , but can't enter it to bootrom , i will pm you ok ?
 
  • Like
Reactions: StonedEngineer97

fastness2020

New member
Dec 7, 2020
3
3
try to downgrade HD 10 gen9, with a Windows 10
got "Protection disabled" with bypass_utility .
But the MS windows 10 shows bluescreen and reboots, for Stop code: WDF_VIOLATION.
 
  • Like
Reactions: 789mod

fastness2020

New member
Dec 7, 2020
3
3
Got "Protection disabled" with bypass_utility under [FireISO]
1, download the fireiso-2.0.0-amd64.iso from https://github.com/amonet-kamakiri/fireiso/releases,
2, burn the the iso image to a blank DVD. boot the computer into fireiso liveCD, with an DVD drive .
3, load all the files to a USB flash drive, USB32GB, mounted automatically at /run/media/root/USB32GB/
4, bypass_utility-v.1.4.2 is unzipped, saved in a USB flashdrive, in the folder /bypass, mounted as /run/media/root/USB32GB/bypass/
5, exploits_collection-1.6.zip is unzipped, saved in the folder /bypass too

[[email protected] ~]# python3 --version
Python 3.9.1
[[email protected] ~]# python3 -m pip --version
pip 20.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[[email protected] ~]# python3 -m ensurepip --default-pip
Looking in links: /tmp/tmpdmgv09oh
Requirement already satisfied: setuptools in /usr/lib/python3.9/site-packages (53.0.0)
Requirement already satisfied: pip in /usr/lib/python3.9/site-packages (20.3.1)
[[email protected] ~]# python3 -m pip install pyusb pyserial json5
Requirement already satisfied: pyusb in /usr/lib/python3.9/site-packages (1.1.1)
Requirement already satisfied: pyserial in /usr/lib/python3.9/site-packages (3.5)
Requirement already satisfied: json5 in /usr/lib/python3.9/site-packages (0.9.5)
[[email protected] ~]# cd /run/media/root/USB32GB/bypass/
[[email protected] /run/media/root/USB32GB/bypass]# su root
[[email protected] /run/media/root/USB32GB/bypass]# python3 ./main.py
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
[[email protected] /run/media/root/USB32GB/bypass]#
[[email protected] /run/media/root/USB32GB/bypass]# cd /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux/
[[email protected] /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux]# lsusb
...
Bus 003 Device 012: ID 0e8d:0003 MediaTek Inc. MT6227 phone
...

Now, how to run the SP_Flash_Tool-5.1916_Linux with this fireiso liveCD ?
 
  • Like
Reactions: lex66676 and 789mod

789mod

Senior Member
Got "Protection disabled" with bypass_utility under [FireISO]
1, download the fireiso-2.0.0-amd64.iso from https://github.com/amonet-kamakiri/fireiso/releases,
2, burn the the iso image to a blank DVD. boot the computer into fireiso liveCD, with an DVD drive .
3, load all the files to a USB flash drive, USB32GB, mounted automatically at /run/media/root/USB32GB/
4, bypass_utility-v.1.4.2 is unzipped, saved in a USB flashdrive, in the folder /bypass, mounted as /run/media/root/USB32GB/bypass/
5, exploits_collection-1.6.zip is unzipped, saved in the folder /bypass too

[[email protected] ~]# python3 --version
Python 3.9.1
[[email protected] ~]# python3 -m pip --version
pip 20.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[[email protected] ~]# python3 -m ensurepip --default-pip
Looking in links: /tmp/tmpdmgv09oh
Requirement already satisfied: setuptools in /usr/lib/python3.9/site-packages (53.0.0)
Requirement already satisfied: pip in /usr/lib/python3.9/site-packages (20.3.1)
[[email protected] ~]# python3 -m pip install pyusb pyserial json5
Requirement already satisfied: pyusb in /usr/lib/python3.9/site-packages (1.1.1)
Requirement already satisfied: pyserial in /usr/lib/python3.9/site-packages (3.5)
Requirement already satisfied: json5 in /usr/lib/python3.9/site-packages (0.9.5)
[[email protected] ~]# cd /run/media/root/USB32GB/bypass/
[[email protected] /run/media/root/USB32GB/bypass]# su root
[[email protected] /run/media/root/USB32GB/bypass]# python3 ./main.py
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
[[email protected] /run/media/root/USB32GB/bypass]#
[[email protected] /run/media/root/USB32GB/bypass]# cd /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux/
[[email protected] /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux]# lsusb
...
Bus 003 Device 012: ID 0e8d:0003 MediaTek Inc. MT6227 phone
...

Now, how to run the SP_Flash_Tool-5.1916_Linux with this fireiso liveCD ?
You must uninstall MTK drive , or disable sugrediver
 

789mod

Senior Member
Got "Protection disabled" with bypass_utility under [FireISO]
1, download the fireiso-2.0.0-amd64.iso from https://github.com/amonet-kamakiri/fireiso/releases,
2, burn the the iso image to a blank DVD. boot the computer into fireiso liveCD, with an DVD drive .
3, load all the files to a USB flash drive, USB32GB, mounted automatically at /run/media/root/USB32GB/
4, bypass_utility-v.1.4.2 is unzipped, saved in a USB flashdrive, in the folder /bypass, mounted as /run/media/root/USB32GB/bypass/
5, exploits_collection-1.6.zip is unzipped, saved in the folder /bypass too

[[email protected] ~]# python3 --version
Python 3.9.1
[[email protected] ~]# python3 -m pip --version
pip 20.3.1 from /usr/lib/python3.9/site-packages/pip (python 3.9)
[[email protected] ~]# python3 -m ensurepip --default-pip
Looking in links: /tmp/tmpdmgv09oh
Requirement already satisfied: setuptools in /usr/lib/python3.9/site-packages (53.0.0)
Requirement already satisfied: pip in /usr/lib/python3.9/site-packages (20.3.1)
[[email protected] ~]# python3 -m pip install pyusb pyserial json5
Requirement already satisfied: pyusb in /usr/lib/python3.9/site-packages (1.1.1)
Requirement already satisfied: pyserial in /usr/lib/python3.9/site-packages (3.5)
Requirement already satisfied: json5 in /usr/lib/python3.9/site-packages (0.9.5)
[[email protected] ~]# cd /run/media/root/USB32GB/bypass/
[[email protected] /run/media/root/USB32GB/bypass]# su root
[[email protected] /run/media/root/USB32GB/bypass]# python3 ./main.py
[2022-09-30 20:36:25.552713] Waiting for device
[2022-09-30 20:36:36.062088] Found port = /dev/ttyACM0
[2022-09-30 20:36:36.203511] Device hw code: 0x788
[2022-09-30 20:36:36.309112] Device hw sub code: 0x8a00
[2022-09-30 20:36:36.419109] Device hw version: 0xca00
[2022-09-30 20:36:36.529119] Device sw version: 0x0
[2022-09-30 20:36:36.639113] Device secure boot: True
[2022-09-30 20:36:36.749112] Device serial link authorization: False
[2022-09-30 20:36:36.859110] Device download agent authorization: True
[2022-09-30 20:36:36.969128] Disabling watchdog timer
[2022-09-30 20:36:37.079595] Disabling protection
[2022-09-30 20:36:37.244340] Protection disabled
[[email protected] /run/media/root/USB32GB/bypass]#
[[email protected] /run/media/root/USB32GB/bypass]# cd /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux/
[[email protected] /run/media/root/USB32GB/SP_Flash_Tool-5.1916_Linux]# lsusb
...
Bus 003 Device 012: ID 0e8d:0003 MediaTek Inc. MT6227 phone
...

Now, how to run the SP_Flash_Tool-5.1916_Linux with this fireiso liveCD ?
Pm me
 
  • Like
Reactions: Michajin

Top Liked Posts

  • There are no posts matching your filters.
  • 11
    mtk-su for OS 7.3.1.0

    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
    10
    I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.

    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.

    Thanks again to @Kramar111 for the files :)
    8
    Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.

    AmznUser444,

    I’m actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
    8
    Thanks to @Kramar111, we now have a full dump of 7.3.1.0:

    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.
    7
    7.3.1.0 Images

    So here are some images extracted from the stock 7.3.1.0 FW, courtesy of @dr_docdoc. I trimmed the extra partition data. It would be great if @k4y0z or @xyz` could take a look at them.