Rapid Temporary Root for HD 8 & HD 10


Michajin

Senior Member
Oct 23, 2012
1,296
519
I've got a Fire HD 10 (7th Gen) but it's running Fire OS 5.7.0.0 - Build Date 19 Feb 2022

When I run step-1.sh I get the following error.

Failed Critical Init Step 4
This Firmware Cannot be Supported.

Is there a way around this through software? If not, would the recovery method where you pull the back off work?

Thanks
I believe there are multiple ways to root the device. The mtk-su root won't work. If you get root, you can continue, or go to the hard way of shorting (not recommended)
 

likwidchz

Member
May 14, 2022
37
10
You need to get root another way, mtk-su is blocked....
Thank you, I cross posted this and got a link to



This worked for me with the ROOT section included, it's only a handful of steps.

Now I have two tablets running the May 2022 version of Lineage.
 

BruceWayne54

Senior Member
Apr 12, 2015
170
35
Austin, Tx
Hey there, my Fire HD 8 (douglas) is currently running Fire OS 5.7.0. I saw on the OP's post that this method only works up to Fire OS 5.6.4. I've been scouring the internet trying to find a way to downgrade my firmware or find a root for my Fire OS version. Is there anything I can do or is it a lost cause?
 

likwidchz

Member
May 14, 2022
37
10
Hi Bruce,
read the post above that I made.
Once you get root on the device, run the steps to get the firmware loaded for Lineage. You don't need to downgrade.
 

likwidchz

Member
May 14, 2022
37
10
Hi Bruce,
No, they are here.

You pretty much do the root method above I linked with the github account. Once the exploit runs, make sure you type "SU"; if you see # you have root.
Quit adb shell and follow the steps in the URL I posted here.

I've done 3 already.

You pretty much do "Step1.sh" and brick the device.
Then you "bootrom-step-minimal.sh". What I found on the tablet, hold the power button for like 10 seconds and watch your Linux session, it should just pop up with disconnect short.. Which technically doesn't exist because well, you don't have to take this apart. Read, read and more reading. The instructions on the post could be tweaked a little in my opinion.. Perhaps the main post should have the github link someone else informed me about and they should get credit for solving my issue.
 

BruceWayne54

Senior Member
Apr 12, 2015
170
35
Austin, Tx
Awesome, thank you. One last question-- the guides you sent are for HD 10, I have an HD 8... will the root tutorial on github still work for my device?
 

likwidchz

Member
May 14, 2022
37
10
Not sure... I haven't been able to find a guide on how to do it. Do I just download the tool off Google and run it?
I'd say keep searching, it's there.

You ADB push the mtk-su package over to the tablet in a temp directory.
adb shell into that temp directory.
Change permissions of the mtk-su executable.
Run it.
You should see stuff dump to the terminal.
Your $ goes to # -- that's root.


That is just testing the exploit, it's not persistent. The actual guide for it includes a bunch more steps to make sure after the tablet reboots you can still get root.


Additionally,
someone else can correct me on this, but as far as I know or can guess, as long as you can get root on these tablets you can always flash the TWRP and custom firmwares. Unless Amazon changes something where after a specific version of the tablet prevents you, not sure why not.

With these tablets the flashing method involves bricking the tablet and you have to short some pins on the back side to allow you to bring it back to life... eBay is your friend for tablet replacements, they are pretty inexpensive to be honest. Great little displays for projects or whatever else.
 

Michajin

Senior Member
Oct 23, 2012
1,296
519
If the tablet was bought after January 2020 the bootrom got disabled. If it was bought before that, you can easily open it and use the shorting method. Easiest shorting method ever...
 

targa

Senior Member
Not sure... I haven't been able to find a guide on how to do it. Do I just download the tool off Google and run it?
Just FYI, I managed to root/brick/unbrick my Fire HD10/suez/5.7.0.0 and after that flash to Lineage 16 using the guides here in the forum, let me know if you need assistance still.
For rooting I needed to use the "old offline" method, as mtk-su wouldn't work:
 
Just FYI, I managed to root/brick/unbrick my Fire HD10/suez/5.7.0.0 and after that flash to Lineage 16 using the guides here in the forum, let me know if you need assistance still.
For rooting I needed to use the "old offline" method, as mtk-su wouldn't work:
I too have a HD10 running 5.7.0.0 which I'd like to root, install TWRP, and then flash Lineage 16 -- but I have a hard time picking out from the various relevant threads on rooting the steps that are applicable and current for my device HW/OS so as to "stitch together" a coherent and complete step-by-step process for my particular HW/OS version. So, it would be great if you can enumerate (or better yet cut & paste) all the steps you had taken from the pertinent threads into one single integrated guide.
 

likwidchz

Member
May 14, 2022
37
10
Digi,

Step 1.
Follow this method to get root.
Start at "Root the tablet" -- Follow all the instructions, they work just fine. Then once you verify you can get root by the # on the ADB shell, follow the normal method on the beginning of this thread to install Lineage.

Step 2.
*Note: when you are at the step that says bootrom step minimal, when you run that on your Linux shell, on the tablet you just hold the power button for a couple moments, ~10 seconds or so should be enough, the shell will kick into life, then put the tablet down "you can remove your finger from the power button". Just don't unplug it or mess with the USB cable.

I have done 4 tablets with this method.
 

Top Liked Posts

  • 148
    Software root method for Mediatek MT816x, MT817x and MT67xx!
    A tool that gives you a temporary root shell with Selinux permissive to do with as you please

    STATUS
    Confirmed Working
    Fire HD 8 8th gen (2018) (thanks @xyz`) -- up to Fire OS 6.3.0.1 only
    Fire HD 8 7th gen (2017) -- up to Fire OS 5.6.4.0 build 636558520 only
    Fire HD 8 6th gen (2016) (thanks @bibikalka) -- up to Fire OS 5.3.6.4 build 626536720
    Fire HD 10 7th gen (2017) (thanks @bibikalka) -- up to Fire OS 5.6.4.0 build 636558520 only
    Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to Fire OS 5.2.6.9 only
    Fire 7 9th gen (2019) (thanks @Michajin) -- up to Fire OS 6.3.1.2 build 0002517050244 only
    Fire HD 10 9th gen (2019) -- up to Fire OS 7.3.1.0 only
    Various phones and tablets up to Android 9.x (see link below for full list)
    Note that for Fire OS 5, OS version 5.3.x.x is newer than 5.6.x.x.

    Amazing Temp Root for MediaTek ARMv8: expanded thread covering all compatible MTK devices

    DISCLAIMER
    Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

    REQUIREMENTS
    Proficiency with the Thanks button under XDA posts
    A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
    Either:
    • A PC with ADB installed to interact with your device, or
    • A terminal emulator app
    Familiarity with ADB (if using PC) and basic Linux shell commands

    INSTRUCTIONS
    1. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
      arm64: 64-bit kernel and userspace
      arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
      The arm64 one is suitable for most devices. The notable devices that need the arm version are the Fire HD 8 2018, Fire 7, and Fire HD 10 2019.
    2. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
      Code:
      adb push path/to/mtk-su /data/local/tmp/
    3. Open an adb shell
      Code:
      adb shell
    4. Change to your tmp directory
      Code:
      cd /data/local/tmp
    5. Add executable permissions to the binary
      Code:
      chmod 755 mtk-su
    6. At this point keep your tablet screen on and don't let it go to sleep. Run the program
      Code:
      ./mtk-su
      If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
      The -v option turns on verbose printing, which is necessary for me to debug any problems.
      It will take several seconds, but using the -v option, you should see output similar to this (with id command added):
      Code:
      $ ./mtk-su -v
      param1: 0x3000, param2: 0x18040, type: 2
      Building symbol table
      kallsyms_addresses pa 0x40bdd500
      kallsyms_num_syms 70337, addr_count 70337
      kallsyms_names pa 0x40c66d00, size 862960
      kallsyms_markers pa 0x40d39800
      kallsyms_token_table pa 0x40d3a100
      kallsyms_token_index pa 0x40d3a500
      Patching credentials
      Parsing current_is_single_threaded
      ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
      ffffffc000354868+54: ADD xd, x0, 2592
      init_task VA: 0xffffffc000fa2a20
      Potential list_head tasks at offset 0x340
      comm swapper/0 at offset 0x5c0
      Found own task_struct at node 1
      cred VA: 0xffffffc0358ac0c0
      Parsing avc_denied
      ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
      ffffffc0002f13bc+28: LDR [x0, 404]
      selinux_enforcing VA: 0xffffffc001113194
      Setting selinux_enforcing
      Switched selinux to permissive
      starting /system/bin/sh
      UID: 0  cap: 3fffffffff  selinux: permissive
      #
      Some other options:
      mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
      mtk-su -s: Prints the kernel symbol table
      If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here.

      Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.

    If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.

    FIRE OS 5 AND ANDROID 5 USERS: There's an automated SuperSU loader by @Rortiz2 that makes jumpstarting SuperSU quick and easy.

    WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.

    DOWNLOAD
    Current Version
    Release 23

    Past releases & change log live at Amazing Temp Root for MediaTek ARMv8

    FAQ
    I got the error, "This firmware cannot be supported". What do I do?
    This means that your device's firmware is not prone to the mechanism used by mtk-su. Check the firmware version and build number of the OS on your device. If your version is higher than that next to your device on the list above, then mtk-su will no longer work on your device. There may be other ways to achieve root. Check elsewhere on the forum.

    Will this work on the Fire 7?
    No, it is very doubtful this method can be used on the MT8127 chipset. The same also goes for the Fire TV stick.

    After getting a root shell I'm still getting 'permission denied' errors. WTH?
    It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

    Does this thing unlock the bootloader?
    No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.

    How does this tool work?
    It overwrites the process's credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, I don't think I should discuss that as of yet.

    Will this work on the Fire TV Stick 4K?
    Unfortunately, no. While it has a 64-bit chip, the required vulnerabilities are not present in its OS.

    Can I include mtk-su in my app or meta-tool?
    Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.

    Why don't you reply to my post?
    I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
    • It has already been answered in the FAQ or multiple times in the thread.
    • Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
    • Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
    CREDITS
    • @Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
    • Thank you to everyone who has donated. You're the best!
    41
    Awesome! I just rooted my HD8 2017

    Try the automated script by @Rortiz2

    Previous instructions:

    For anyone that is confused by the process of manually installing SuperSu, I did the following...

    IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018

    1. Install SuperSu from Playstore
    2. Download SuperSu and unzip somewhere
    3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
    4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
    5. mount -o remount -rw /system
    6. cp /data/local/tmp/su /system/xbin/su
    7. cp /data/local/tmp/su /system/xbin/daemonsu
    8. cp /data/local/tmp/supolicy /system/xbin/
    9. cp /data/local/tmp/libsupol.so /system/lib/
    10. cp /data/local/tmp/libsupol.so /system/lib64/
    11. chmod 0755 /system/xbin/su
    12. chcon u:object_r:system_file:s0 /system/xbin/su
    13. chmod 0755 /system/xbin/daemonsu
    14. chcon u:object_r:system_file:s0 /system/xbin/daemonsu
    15. at this point, running su should work and show a root shell
    16. daemonsu --auto-daemon
    17. Open SuperSu app and allow it to update the su binary

    My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
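
For anyone auditing a tablet rather than rooting one, the mtk-su instructions and the manual SuperSu steps above both leave recognisable files behind. The script below is an added example, not code from any poster or from the mtk-su project: it checks a copy of the device filesystem for those paths and interprets the `getenforce` result. The `ROOT` directory argument and the verdict labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit for files the posts above place on
# the device. ROOT is an assumed directory holding a copy of the device
# filesystem; pass "" to check the live filesystem the script runs on.

# Paths taken from the adb push and cp steps quoted in this thread.
ROOT_ARTIFACTS="
/data/local/tmp/mtk-su
/data/local/tmp/su
/data/local/tmp/supolicy
/data/local/tmp/libsupol.so
/system/xbin/su
/system/xbin/daemonsu
/system/xbin/supolicy
/system/lib/libsupol.so
/system/lib64/libsupol.so
"

# Print every listed artifact that exists under ROOT, one path per line.
find_root_artifacts() {
    for p in $ROOT_ARTIFACTS; do
        if [ -e "$1$p" ]; then printf '%s\n' "$p"; fi
    done
}

# classify_device ROOT MODE, where MODE is the device's `getenforce` output.
# Verdict labels are made up for this example.
classify_device() {
    found=$(find_root_artifacts "$1")
    case "$found" in
        */system/*) echo "persistent-root" ;;     # su files copied into /system
        ?*)         echo "temp-root-staged" ;;    # only staging files in tmp
        *)  if [ "$2" = "Permissive" ]; then
                echo "selinux-permissive"         # enforcement is off right now
            else
                echo "clean"
            fi ;;
    esac
}

# Stand-alone use:
#   sh audit.sh /path/to/fs-copy "$(adb shell getenforce | tr -d '\r')"
if [ "$#" -ge 1 ]; then
    classify_device "$1" "${2:-unknown}"
fi
```

A `selinux-permissive` verdict with no files present is still worth following up, since the temporary root described above does not survive a reboot but its SELinux change lasts until then.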