New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming


k4y0z

Senior Member
Nov 27, 2015
1,468
2,055
... Unless the boot loop is what's stopping it from booting into brom?
Not sure, but it's probably best to unplug before testing a new point.

Yeah, that's what I'm thinking too right now. Maybe someone knows better, but could it be that when disconnecting the battery, some circuit on the mainboard (maybe the IC used for charging the battery) prevents execution unless it can detect a battery? I know that for example my old S3 Neo doesn't boot unless there is a battery in it.

Btw, my Fire HD 10 currently is on 7.3.1.2, so this doesn't seem like some software issue.
Yeah, it's likely the tablet will not fully boot without a battery attached.
For accessing bootrom that shouldn't matter though.

Sorry I'm on mobile and can't annotate the pictures right now but I did notice the Suez board has 2 contacts that it makes when the board is fully assembled near the volume buttons

But the maverick board only has one on the vol - side even though it has the pads for the other button

Anyone know what those do?

Probably antenna-connectors.
 

newnewcomputer

Senior Member
Mar 26, 2014
82
64
Can I ask a dumb question - when you guys open up the tab and pull the MB out, is there a "CLK" marked like this from @xyz`
When I searched for MTK bootrom online, someone posted an exploit using the same CLK test point. It was not specified which tab, but MTK8163 was in the Fire HD 8 2018. So they hired a summer intern; probably told him to read up @xyz` and @k4y0z exploit. Their hack only worked like 1 out of 5 times but wrote up a nice "disclosure" and sent it off to MediaTek.

I love the part MediaTek ignored them at first ("dude it's old news - ppl been using it to hack our biggest customer, Amazon's tab!"). Most of the timing discussion went over my head but it was an interesting read nonetheless.

Based on the report date and MediaTek's response, it doesn't sound like any patch would be on the HF10 2019's MT8183 chip. So I think the chance is good that the right test point can get us in Bootrom here.
 
Can I ask a dumb question - when you guys open up the tab and pull the MB out, is there a "CLK" marked like this from @xyz`
When I searched for MTK bootrom online, someone posted an exploit using the same CLK test point. It was not specified which tab, but MTK8163 was in the Fire HD 8 2018. So they hired a summer intern; probably told him to read up @xyz` and @k4y0z exploit. Their hack only worked like 1 out of 5 times but wrote up a nice "disclosure" and sent it off to MediaTek.

I love the part MediaTek ignored them at first ("dude it's old news - ppl been using it to hack our biggest customer, Amazon's tab!"). Most of the timing discussion went over my head but it was an interesting read nonetheless.

Based on the report date and MediaTek's response, it doesn't sound like any patch would be on the HF10 2019's MT8183 chip. So I think the chance is good that the right test point can get us in Bootrom here.

I didn't see anything labeled, but there were 4 test points on the bottom right (on the side with the battery connector) that seemed like they were for debug.
 

k4y0z

Senior Member
Nov 27, 2015
1,468
2,055
Can I ask a dumb question - when you guys open up the tab and pull the MB out, is there a "CLK" marked like this from @xyz`
When I searched for MTK bootrom online, someone posted an exploit using the same CLK test point. It was not specified which tab, but MTK8163 was in the Fire HD 8 2018. So they hired a summer intern; probably told him to read up @xyz` and @k4y0z exploit. Their hack only worked like 1 out of 5 times but wrote up a nice "disclosure" and sent it off to MediaTek.

I love the part MediaTek ignored them at first ("dude it's old news - ppl been using it to hack our biggest customer, Amazon's tab!"). Most of the timing discussion went over my head but it was an interesting read nonetheless.

Based on the report date and MediaTek's response, it doesn't sound like any patch would be on the HF10 2019's MT8183 chip. So I think the chance is good that the right test point can get us in Bootrom here.


That picture is from karnak (Amazon Fire HD 8 - 2018). Unfortunately one of the few Amazon devices that have labeled testpoints.

The blogpost you linked to is a different (and rather sophisticated) attack on the bootrom.
 

retyre

Senior Member
Jan 14, 2011
311
322
Central FL
Of the few posters who have tried this exploit, only one has been able to reach BootROM. Given there are only a few points on the board to test, we can rule out user error. When did each poster purchase the device? Perhaps we can identify the range of serial numbers that (won't) work.
 
Of the few posters who have tried this exploit, only one has been able to reach BootROM. Given there are only a few points on the board to test, we can rule out user error. When did each poster purchase the device? Perhaps we can identify the range of serial numbers that (won't) work.
The 7.3.1.2 I have, I bought brand new through Amazon last month, so it's possible there was a hardware revision, but I don't know why the OS wouldn't have been updated as well.

The 7.3.1.5 I got off eBay (the one used for testing) I'm not really sure about, but it had a sticker on the inside with a date of November 2018, which I assume is a date of manufacture for that part.
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
Of the few posters who have tried this exploit, only one has been able to reach BootROM. Given there are only a few points on the board to test, we can rule out user error. When did each poster purchase the device? Perhaps we can identify the range of serial numbers that (won't) work.
I have successfully downgraded from 7.3.1.7 to 7.3.1.0 with @k4y0z guiding me through. I am currently updating my other tablet (from 7.3.1.1 to current) to identify how I was able to get into the bootrom. I will follow up in the next day or two.
 

retyre

Senior Member
Jan 14, 2011
311
322
Central FL
Just updated from 7.3.1.1 to 7.3.1.8
Not sure this was needed. You just need to open up your device and confirm you can short the EMMC to get into BootROM mode and, if so, locate the point on the PCB. Odds are you should be able to since your initial FireOS version suggests an SoC with older BootROM code that would allow BootROM access via USB.
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
Ok.. Just updated from 7.3.1.1 to 7.3.1.8 = May the Android Gawds be looking out... :)
@StonedEngineer97

Turns out no shorting is needed... the battery being disconnected with power up will get you into bootrom, but you can't write without the battery... You plug in the battery, it goes to preloader. We wiped the preloader, then we can flash.... Work in progress...
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
OK, open the device
disconnect battery connector (remove the tape piece)
plug device in
Not sure this was needed. You just need to open up your device and confirm you can short the EMMC to get into BootROM mode and, if so, locate the point on the PCB. Odds are you should be able to since your initial FireOS version suggests an SoC with older BootROM code that would allow BootROM access via USB.
Shorting isn't required. Seems you have to disconnect the battery to access bootrom, but you can't write to eMMC without the battery connected; when you connect the battery, it goes into preloader. We wiped the preloader, then you can stay in bootrom and flash... Working on the step by step....
 
Turns out no shorting is needed... the battery being disconnected with power up will get you into bootrom, but you can't write without the battery... You plug in the battery, it goes to preloader. We wiped the preloader, then we can flash.... Work in progress...
Interesting, I had the battery disconnected but was only getting pid:2000 and stuck at "trying to crash preloader" before getting status 7024.

If the battery is the only thing that needs to be disconnected it may be possible there were hardware revisions since release.

Hopefully your success gets more people to give it a try
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
Interesting, I had the battery disconnected but was only getting pid:2000 and stuck at "trying to crash preloader" before getting status 7024.

If the battery is the only thing that needs to be disconnected it may be possible there were hardware revisions since release.

Hopefully your success gets more people to give it a try
All of mine were purchased in the first couple months of the release. I ran the main.py in Windows and volume up with battery disconnected, then plugged in, and right into bootrom it went... then wiped the preloader, to make it easier. Then flashed in SP tools, then ran the kamakiri script on fireISO.

INetBowser

Member
Dec 4, 2020
12
6
Like @StonedEngineer97, I'm also not able to get into bootrom when disconnecting the battery, even when holding the volume+/volume- button (tried both).
I'm running a Fire HD 10 (9th gen) with 7.3.1.2 (Serial number: G001 1J06 0356 04PE).

Edit: bought mine in October 2020.
 

k4y0z

Senior Member
Nov 27, 2015
1,468
2,055
Interesting, I had the battery disconnected but was only getting pid:2000 and stuck at "trying to crash preloader" before getting status 7024.

If the battery is the only thing that needs to be disconnected it may be possible there were hardware revisions since release.

Hopefully your success gets more people to give it a try

If I understood correctly, the trick was to have the battery disconnected and hold volume up while plugging in.

Then again, there should also be a way to short EMMC, and if that hasn't worked for you it's possible BROM-DL-Mode is disabled on yours.

EDIT:
@StonedEngineer97 you also mentioned that during your testing on some of the testpoints the device didn't boot up at all.
Do you remember which these were? If BROM-DL-Mode is indeed disabled, that's exactly what would happen if EMMC is shorted.
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
If I understood correctly, the trick was to have the battery disconnected and hold volume up while plugging in.

Then again, there should also be a way to short EMMC, and if that hasn't worked for you it's possible BROM-DL-Mode is disabled on yours.

EDIT:
@StonedEngineer97 you also mentioned that during your testing on some of the testpoints the device didn't boot up at all.
Do you remember which these were? If BROM-DL-Mode is indeed disabled, that's exactly what would happen if EMMC is shorted.

I know when I was shorting it with aluminum foil it would reboot into bootloader also, but I was not shorting to the shield; it was pin to pin with aluminum foil. The picture where I was shorting is earlier in the thread. I was leaving USB plugged in, battery disconnected and shorting the pins, and I would see the bootloader also. I thought this might have been what caused my initial brick. When I was bricked, and the battery was plugged in, I would get preloader for like 2 seconds, then nothing and no device.
 
running Fire HD 10 (9th gen) with 7.3.1.2 (Serial number: G001 1J06 0356 04PE).
Edit: bought mine in October 2020.
Yeah, mine goes into the same boot loop with the battery disconnected. I had a look at both of mine and they have lot codes J0xx, so testing with older models could narrow down when the revision was made.

@StonedEngineer97 you also mentioned that during your testing on some of the testpoints the device didn't boot up at all.
Do you remember which these were? If BROM-DL-Mode is indeed disabled, that's exactly what would happen if EMMC is shorted.
I don't remember the exact points, but they were in the area you had circled initially after referencing suez. Could anything be done to reverse this change if we could narrow down what was changed?

I know when I was shorting it with aluminum foil it would reboot into bootloader also, but I was not shorting to the shield; it was pin to pin with aluminum foil. The picture where I was shorting is earlier in the thread. I was leaving USB plugged in, battery disconnected and shorting the pins, and I would see the bootloader also. I thought this might have been what caused my initial brick. When I was bricked, and the battery was plugged in, I would get preloader for like 2 seconds, then nothing and no device.
Sounds like we're experiencing different behavior with the same setup; will be interesting to see some tests with early 2020 models.
 

k4y0z

Senior Member
Nov 27, 2015
1,468
2,055
So I tried it again with the battery disconnected, and the point identified by @Michajin (short across the resistor, not the pads below), and that stops the preloader bootloop but doesn't boot again until I let go of the vol + button, so it sounds like bootrom DL is disabled in later revisions.
What happens, if you press only the vol + button without shorting anything (with battery disconnected)?
 

Top Liked Posts

  • TWRP booted on maverick with the temporary unlock (credits to @bengris32)
  • mtk-su for OS 7.3.1.0
    I just uploaded the latest mtk-su (a thing that gives you temp root) in the Temp root thread. It only supports the original OS. No solution yet for the updated version, but hoping a downgrade or unlock method will be found.
  • I have repacked and reuploaded maverick-downgrade-7.0_PS7310_940N.zip
    It contains FireOS 7.0/PS7310/940N, scatter file and kamakiri for RPMB downgrade.
    Apparently there are multiple versions of 7.3.1.0 and the files originally uploaded here are from version 7.0/PS7310/939N.
    Also lk was incomplete.
    Thanks again to @Kramar111 for the files :)
  • Can you take apart (remove back cover) your newest Fire HD 10 and post the motherboard pictures with test point like CLK, DAT0, CMD and removed metal shield.
    AmznUser444,
    I'm actually going to respectfully ask you to stop responding to my posts and stop asking me for anything. I will no longer reply to your posts other than to make this request.
  • Thanks to @Kramar111, we now have a full dump of 7.3.1.0:
    And a little present from me, minimal kamakiri for maverick.
    All it does is downgrade RPMB, flashing can be done with SP Flash.
    Thanks again to @bengris32 for testing.