
[Root] Kindle Fire HDX 8.9 14.3.1

jcase

Retired Forum Mod / Senior Recognized Developer
Please do not donate to me for this, it is not my original work. If you want to donate, I suggest finding a way to donate to fi01 (not aware of a way or if he accepts them) or donating to a charity. It is the holiday times, maybe a toys for tots or something similar. I know a lot of ppl dislike the salvation army, and I can't stand up with some of the things they do, but their toy donation program is good and they do get the toys to kids who really have no other option, maybe drop off some new toys? Maybe food to a food bank?

Source: https://github.com/hiikezoe/android_run_root_shell

Vuln:
https://www.codeaurora.org/projects...hecks-putusergetuser-kernel-api-cve-2013-6282

Exploit Source:
https://github.com/fi01/libput_user_exploit

Beaups compiled it at my request for you guys.

adb push su /data/local/tmp/
adb push rootme.sh /data/local/tmp/
adb push exploit /data/local/tmp/
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
adb shell /data/local/tmp/exploit -c "/data/local/tmp/rootme.sh"
 

Attachments

  • kindlehdx_root.zip
    259.6 KB · Views: 22,018

GSLEON3

Retired Senior Moderator
Bomb! You are the man!

Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $150 for root in your names to whatever charity you think is appropriate. If this leads to an unlocked BL, I will double my donation, to the $300 I originally stated in the General/Kernel thread.

If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.

PROOF OF ROOT:
IMG_20131125_102749.jpg

IMG_20131125_102829.jpg
 

Maverick777

Senior Member
Bomb! You are the man!

Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $300 in your names to whatever charity you think is appropriate.

If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.

PROOF OF ROOT:
IMG_20131125_102749.jpg

IMG_20131125_102829.jpg

Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this. Did you have the Fire OS update installed when you rooted it?
 

Epedemic

Senior Member
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

Device detected: KFTHWI (JDQ39)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.

Have hopes it will be possible soon enough though :)
 

GSLEON3

Retired Senior Moderator
Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this.

I am going to take as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straightforward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.

At this point, there are no custom roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.

Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.

---------- Post added at 11:21 AM ---------- Previous post was at 11:17 AM ----------

Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

Device detected: KFTHWI (JDQ39)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.

Have hopes it will be possible soon enough though :)

Most likely, it is going to take a little address rework of the exploit. I am about 100% certain the exploit is there though.
 
Last edited:
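The procedure described in the posts above leaves recognizable files behind: the three staged files in /data/local/tmp and an su binary in xbin. The following is an added example, not code from the thread or from the linked projects, showing how a defender could flag those artifacts in a collected file inventory; the "<mode> <owner> <path>" input format, the sample inventory and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: scan a file inventory for artifacts of the procedure above.
# Assumed input (this example's own format): "<mode> <owner> <path>" per line.

# The three files the first post pushes with adb.
STAGED="/data/local/tmp/su /data/local/tmp/rootme.sh /data/local/tmp/exploit"

# Constructed sample inventory, not captured from a real device.
SAMPLE_INVENTORY='-rwxr-xr-x shell /data/local/tmp/exploit
-rwxr-xr-x shell /data/local/tmp/rootme.sh
-rw-r--r-- shell /data/local/tmp/su
-rwsr-sr-x root /system/xbin/su
-rwxr-xr-x root /system/xbin/busybox'

# scan_inventory: read inventory lines on stdin, print one finding per line.
scan_inventory() {
    while read -r mode owner path; do
        if [ -z "$path" ]; then continue; fi      # skip blank or short lines
        for staged in $STAGED; do
            if [ "$path" = "$staged" ]; then echo "STAGED $path"; fi
        done
        if [ "$path" = "/system/xbin/su" ]; then
            case "$mode:$owner" in
                # 4th mode character s/S = setuid bit; owner root = runs as root
                ???[sS]*:root) echo "SETUID_SU $path" ;;
                *)             echo "SU_PRESENT $path" ;;
            esac
        fi
    done
    return 0
}

# count_findings: number of findings for an inventory passed as $1.
count_findings() {
    printf '%s\n' "$1" | scan_inventory | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_INVENTORY" | scan_inventory
```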

Maverick777

Senior Member
I am going to take as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straightforward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.

At this point, there are no custom roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.

Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.

Awesome. Thanks for the explanation. I will wait for a one click method or recovery to be made unless I get impatient. :D
 

jcase

Retired Forum Mod / Senior Recognized Developer
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

Device detected: KFTHWI (JDQ39)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.

Have hopes it will be possible soon enough though :)


No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it
 

shimp208

Inactive Recognized Contributor
Congratulations @jcase on the hard work you put in for us. As a freshman computer engineering student it's things like this that make me want to work harder at my studies, put in that extra time studying for that test, seeking out opportunities my professors give, and hopefully being able to give back to XDA as much as you do. I doubt I'll ever get there but it's worth trying, great job again man :highfive:.
 

Epedemic

Senior Member
No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it

Update is here: http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201357190

I extracted build.prop and it can be found here: https://www.dropbox.com/sh/t9wv1aakvopwpyt/r9nQD3x0Ux

Not sure how to extract boot.img, unless the .bin file from amazon is simply an archive. (in that case it will be on the dropbox link shortly ;) )
 

Epedemic

Senior Member
BTW I will be going to sleep in a couple of hours at the latest, and then vacation until Friday. But I am sure you can find someone else to test the 7" version ;)
 

EniGmA1987

Senior Member
Thanks for root jcase!
If you really don't want my part of the money I put up for achieving root then I will do as you suggested and donate it to charity.
 

quantump8

Senior Member
Dude!!! You guys are the best!! I get mine (HDX 7") in December, so I hope by then to have an easy root method and maybe even a rom or two. :good:
 

kholdstare

Member
Just in case Amazon fixes the exploit in an update I have blocked the update servers from getting through my router.
The IPs below are the update servers in case anyone else wants to block them.


Code:
72.21.194.208
176.32.100.136
72.21.195.233

If you have a dd-wrt router just add this to your firewall
Code:
iptables -I FORWARD -d 72.21.194.208 -j DROP
iptables -I FORWARD -d 176.32.100.136 -j DROP
iptables -I FORWARD -d 72.21.195.233 -j DROP

 

smirciat

Senior Member
Just in case Amazon fixes the exploit in an update I have blocked the update servers from getting through my router.
The IPs below are the update servers in case anyone else wants to block them.


Code:
72.21.194.208
176.32.100.136
72.21.195.233

If you have a dd-wrt router just add this to your firewall
Code:
iptables -I FORWARD -d 72.21.194.208 -j DROP
iptables -I FORWARD -d 176.32.100.136 -j DROP
iptables -I FORWARD -d 72.21.195.233 -j DROP

Can't Amazon just change the update server addresses to circumvent this? Assuming they care enough about this to patch it quickly, wouldn't they try to get updates through any way they can? Or do Kindle updates only listen to a specific set of addresses? The HD's allowed a downgrade, do the HDX's prevent downgrade? The mind is ablur with possibilities.
 

Top Liked Posts

    Good News Everyone! I made the required changes in source, and recompiled it for the Kindle Fire HDX 7". It worked for me at least! Here it goes:

    http://goo.gl/4gBmq5

    Be sure to rename the file to 'exploit', follow the instructions on the first post, and don't forget to thank jcase and fi01.