New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming

MrZaku086 · Jul 10, 2021

stickfiretv2020 said:
I'm currently looking into two methods for the HD 10, still brainstorming it and not tried it on my own units yet - I have working downgrade method to 7.3.1.0 for this device I think, thats if it wasn't a hardware patch on this device. Needs testing, but problem is exploit is major computing exploit not just Android exploit.... Working out what to do about it generally as something I've discovered.

Second method, which doesn't involve a downgrade, is using fbtool on this device. This is likely to be able to turned into a software based fastboot cable. Still ironing out details here:

https://xdaforums.com/t/fire-7-2020-mustang-brainstorming.4295541/

Would need to locate or work out how to produce a patch for fbtool for the HD's SoC, though. Anyone know any githubs which contain MTK Board tools source (i.e. fbtool source) for this SoC?

hey do you thin this would work?

Mediatek (MTK) Auto TWRP recovery porter by Team Hovatek

If you wish to root your Mediatek Android phone, we'd dropped a guide on rooting using Magisk and stock boot.img at https://www.hovatek.com/forum/thread-21427.html , no custom recovery is required. Se

forum.hovatek.com

this device have the same mtk chip and a custom twrp

BQ Aquaris M8

Disclaimer:Team Win strives to provide a quality product. However, it is your decision to install our software on your device. Team Win takes no ...

twrp.me

or

Android One Second Generation MTK

Disclaimer:Team Win strives to provide a quality product. However, it is your decision to install our software on your device. Team Win takes no ...

twrp.me

or

MT8163

Device trees for mt8163 Processors for amazon and other devices. - MT8163

github.com

or

GitHub - marex/u-boot-mtk: U-Boot MTK mirror

U-Boot MTK mirror. Contribute to marex/u-boot-mtk development by creating an account on GitHub.

github.com

something of this help?

PD: sorry if dont help you but i really want to this device have a lineage os xD

Khiem Tran · Jul 17, 2021

k4y0z said:
You will need to wipe preloader in SP Flash (or enter BROM by shorting) for mmc-write to work in kamakiri.

Then use the attached kamakiri, which instead of just clearing RPMB will flash the missing partitions that couldn't be flashed with SP Flash (Unfortunately it's quite slow compared to SP Flash)

I wiped preloader on 7.3.1.8 and device frozen at bootrom. Can anyone upload preloader 7.3.1.8 file?

Michajin · Jul 17, 2021

Khiem Tran said:
I wiped preloader on 7.3.1.8 and device frozen at bootrom. Can anyone upload preloader 7.3.1.8 file?

You need to downgrade to 7.3.1.0, you can get root access.

Khiem Tran · Jul 17, 2021

Michajin said:
You need to downgrade to 7.3.1.0, you can get root access.

I tried using SPFlash to downgrade but I can't write EMMC. It is stopped as shown below.

k4y0z · Jul 17, 2021

Khiem Tran said:
I tried using SPFlash to downgrade but I can't write EMMC. It is stopped as shown below.View attachment 5364197

View attachment 5364201

Try selecting USB mode instead of Serial if you're on Windows.
Also you won't be able to flash all of the partitions using SPFT, the ones that don't work will need to be flashed using kamakiri.
You'll have to rerun the bypass after every action in SPFT.

Khiem Tran · Jul 17, 2021

k4y0z said:
Try selecting USB mode instead of Serial if you're on Windows.
Also you won't be able to flash all of the partitions using SPFT, the ones that don't work will need to be flashed using kamakiri.
You'll have to rerun the bypass after every action in SPFT.

I have done the following

Step1: Plug out battery. Then, hold volume up to bootrom
Step2: Run bypass and format preloader with SPFlash (length 0x100000)
Step3: Plugin battery. Run bypass and flash boot, recovey, vendor, system with SPFlash.
Step4: Run bootrom-step.sh in kamakiri folder.

What should I do next?

Do I have to flash preloader, lk, tee1, tee2m spmfw, sspm_1, cam_vpu1, cam_vpu2, cam_vpu3 using SPFlash?

k4y0z · Jul 17, 2021

Khiem Tran said:
I have done the following

Step1: Plug out battery. Then, hold volume up to bootrom
Step2: Run bypass and format preloader with SPFlash (length 0x100000)
Step3: Plugin battery. Run bypass and flash boot, recovey, vendor, system with SPFlash.
Step4: Run bootrom-step.sh in kamakiri folder.

What should I do next?

Do I have to flash preloader, lk, tee1, tee2m spmfw, sspm_1, cam_vpu1, cam_vpu2, cam_vpu3 using SPFlash?

The latest kamakiri version that I posted somewhere here in this thread, should flash all the partitions, that can't be flashed using SPFT.

Khiem Tran · Jul 18, 2021

k4y0z said:
The latest kamakiri version that I posted somewhere here in this thread, should flash all the partitions, that can't be flashed using SPFT.

I mistakenly deleted EMMC_USER Format Length 0x100000. Device frozen at Fire boot logo. LOL

k4y0z · Jul 18, 2021

Khiem Tran said:
I mistakenly deleted EMMC_USER Format Length 0x100000. Device frozen at Fire boot logo. LOL

Then you killed the GPT and part of kb partition.
Try running the gpt-fix.sh script in kamakiri to repair the GPT.

Khiem Tran · Jul 18, 2021

k4y0z said:
Then you killed the GPT and part of kb partition.
Try running the gpt-fix.sh script in kamakiri to repair the GPT.

I access recovery mode to factory reset. It worked successfully.
Thanks all.

MrZaku086 · Jul 18, 2021

Khiem Tran said:
I access recovery mode to factory reset. It worked successfully.
Thanks all.

do you unlock the bootloader? or rooted the tablet?

INetBowser · Jul 20, 2021

Hey guys,

I need some help regarding the root exploit I'm writing currently. If I manage to get it working, Fire HD 10 9th gen on version 7.3.1.2 (and maybe higher, I need to look into that) should be rootable.

Anyone with a rooted Fire HD 10 9th gen, can you please run this command as root

Code:

cat /proc/iomem

and post the output?

Thanks!

Khiem Tran · Jul 21, 2021

MrZaku086 said:
do you unlock the bootloader? or rooted the tablet?

I downgraded the firmware to 7.3.1.0 to root. Currently, I have not found a way to unlock the bootloader. Root is restricted, cannot remove system app such as Silk browser, FreeTime...

blaacksheep · Jul 21, 2021

Khiem Tran said:
I downgraded the firmware to 7.3.1.0 to root. Currently, I have not found a way to unlock the bootloader. Root is restricted, cannot remove system app such as Silk browser, FreeTime...

Unfortunately, Amazon has locked down FireOS pretty firmly. You can disable those apps though. Have you checked out Fire Toolbox?

Michajin · Jul 21, 2021

blaacksheep said:
Unfortunately, Amazon has locked down FireOS pretty firmly. You can disable those apps though. Have you checked out Fire Toolbox?

With root access you can use a app disabler. Root works fine. Just can't modify the system apps. I use package disabler with root access to quickly disabled app. Full root would be better, and unlocking would be awesome. We will see, seems development had picked up lately.

MrZaku086 · Jul 22, 2021

Michajin said:
With root access you can use a app disabler. Root works fine. Just can't modify the system apps. I use package disabler with root access to quickly disabled app. Full root would be better, and unlocking would be awesome. We will see, seems development had picked up lately.

well the 2017 model took many years and in the end you need to some hardware hackery to unlock the bootloader and be free.... maybe that is the route to this tablet some hardware thing to acess to factory mode or something like that and unblock the boatloader is very trashy to amazon bloking the bootloader using a android fork.

Michajin · Jul 23, 2021

MrZaku086 said:
well the 2017 model took many years and in the end you need to some hardware hackery to unlock the bootloader and be free.... maybe that is the route to this tablet some hardware thing to acess to factory mode or something like that and unblock the boatloader is very trashy to amazon bloking the bootloader using a android fork.

I have found the shorting method on it, but amazon/mediatek made a hardware change that disable the bootrom. It has been found on anything as of about January of 2020 had the bootrom disabled. The exploit would have to be a totally new route.

MrZaku086 · Jul 23, 2021

Michajin said:
I have found the shorting method on it, but amazon/mediatek made a hardware change that disable the bootrom. It has been found on anything as of about January of 2020 had the bootrom disabled. The exploit would have to be a totally new route.

i think that is on part of amazon, tyou can hack very easy another tablets with the same chip.

lewmur · Jul 31, 2021

MrZaku086 said:
well the 2017 model took many years and in the end you need to some hardware hackery to unlock the bootloader and be free.... maybe that is the route to this tablet some hardware thing to acess to factory mode or something like that and unblock the boatloader is very trashy to amazon bloking the bootloader using a android fork.

You have to realize that Amazon tablets are very inexpensive because of all the advertising built into them. From their view point, rooting the tablet to get rid of their bloat, is cheating. So, of course, they are going to do their best to prevent it. I do my best to eliminate their bloat, but I don't find their efforts to stop me to be "trashy".

Sherl · Jul 31, 2021

mozgoeb said:
I guess that sooner or later I will need root (for example for tasker). And I'll have to try to downgrade. =(
"remove short" == "release buttons"???

Did you end up doing it? I have a Blue Fire HD10 with lot P041. SO wondering can I root mine

New Fire HD10 2019 Bootless Root Method + Bootloader Unlock Brainstorming

Senior Member

Member

Senior Member

Member

Senior Member

Member

Senior Member

Member

Senior Member

Member

Senior Member

Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Similar threads

Top Liked Posts