Root New Fire HD 8 (2018 ONLY)

Search This thread

bardell3600

Senior Member
Dec 14, 2011
59
48
Issaquah, WA
NOT For Everyone it is a HARDWARE type Hack
(although a simple hardware hack - no disassembly other than the back cover and no soldering, etc.)
REQUIRES
1. Opening the Tablet
2. Shorting one of the CPU test points
3. Linux​

CREDIT xyz`, Member on 27th January 2019, 10:04 AM
See Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root


Some on xyz's Thread have indicated success completing this this using a Windows PC by way of a Linux emulator or booting from a LIVE CD or USB Stick. I happened to have a perfectly good (but non UEFI) motherboard and CPU laying around from my Win 10 upgrade. Umbuntu seemed like a good reuse.

All I have done is add some clarification and added instructions to make the tablet useful

Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.

This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.

You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.

What you need:
- a Linux installation. Since xyz had to rush it, his guide is only for Linux.
- microusb cable to connect your tablet to the PC
- some way to open the tablet (pry tool, opening picks, etc)
- something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- amonet.tar.gz (http://forum.xda-developers.com/attachment.php?attachmentid=4696148&d=1548790448)
- 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I...ilSnNYgOG9YPNE
- Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/...gisk-v18.0.zip
- finalize.zip (http://forum.xda-developers.com/attachment.php?attachmentid=4694754&d=1548611833)

Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".

Extract amonet.tar.gz, open a terminal and navigate to it.

You will need to run the scripts on your Linux under sudo.

0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin

NOTE1: Ubuntu 18.04.2 LTS default configuration comes with ModemManager
a) adb shell
b) sudo apt-get remove modemmanager
c) quit
d) RESTART LINUX

1. Use a pry tool to remove the back shell from the tablet (or if you are a male and have strong, longer thumbnails - that and a credit card or two works well). Start at the bottom and work your way up. There are no cables between the back shell and the motherboard
2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK
3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
6. Plug in the other end of the microusb cable.
7. You should see a new device appear on your PC
This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.

8. The script you ran in step 4 should now tell you to remove the short. a) Remove the paperclip and b) press Enter as instructed
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:


[2019-01-26 23:30:02.157670] Waiting for bootrom
[2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
[2019-01-26 23:30:20.439362] Handshake
[2019-01-26 23:30:20.441693] Disable watchdog

* * * Remove the short and press Enter * * *


[2019-01-26 23:30:22.636037] Init crypto engine
[2019-01-26 23:30:22.661832] Disable caches
[2019-01-26 23:30:22.662505] Disable bootrom range checks
[2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-01-26 23:30:22.693170] Send payload
[2019-01-26 23:30:23.527965] Let's rock
[2019-01-26 23:30:23.528832] Wait for the payload to come online...
[2019-01-26 23:30:24.260602] all good
[2019-01-26 23:30:24.261069] Check GPT
[2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-01-26 23:30:24.596619] Check boot0
[2019-01-26 23:30:24.841858] Check rpmb
[2019-01-26 23:30:25.051079] Downgrade rpmb
[2019-01-26 23:30:25.052924] Recheck rpmb
[2019-01-26 23:30:25.949978] rpmb downgrade ok
[2019-01-26 23:30:25.950284] Flash lk-payload
[5 / 5]
[2019-01-26 23:30:26.471797] Flash preloader
[288 / 288]
[2019-01-26 23:30:44.845804] Flash tz
[6732 / 6732]
[2019-01-26 23:33:08.502134] Flash lk
[685 / 685]
[2019-01-26 23:33:23.337460] Inject microloader
[4 / 4]
[2019-01-26 23:33:23.667547] Reboot to unlocked fastboot


If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot

9a. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
10. Once the device boots to fastboot (check with "fastboot devices". You should see Amazon logo on the screen.), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display

NOTE2: CAN run "./fastboot-step.sh"?? I took is as MUST run "./fastboot-step.sh"

11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.

NOTE3: if/when it doesn’t boot into Recovery use
“fastboot reboot”
OR
“fastboot reboot” and then
“adb reboot recovery”
OR
SHUT DOWN and then
Power Button PLUS Volume Down Button to STARTUP

12. We'll now upload required files to the recovery. On your PC, do:

adb push 6300.zip /sdcard
adb push Magisk-v18.0.zip /sdcard
adb push finalize.zip /sdcard​

NOTE4: The above commands will not work in fastboot. You need to get into recovery
NOTE4a: You are probably in the /Downloads/amonet directory. These files should be in /Downloads
Use “cd ..”

13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip

NOTE5: DO NOT “Go to “Wipe” in step 14.
(There is no “default wipe”)
Use the Wipe cache/dalvik button that appears after step 13 completes

14. Go to "Wipe" and do the default wipe, then reboot
15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network,. Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again

IMPORTANT
NOTE6: I did the method as described above and when complete had zero Amazon functionality; My Account Crashed, No App Store, No Shopping, No Prime Video, etc
The instructions say, “then instead of entering the password press ‘cancel.’” Instead, go to the next step which is Amazon Registration and complete it. IT WILL AUTOMATICALLY UPDATE – AS OF THIS WRITING (March 7th, 2019) THERE IS ONLY A VERY MINOR UPDATE TO SOME APP.
CAUTION: At some future date there may be an OS Update that could negate this Root Hack.
AFTER REGISTRATION - SHUT DOWN (Power off)
THEN SEE Notes 7 thru 9 below for Launcher, Play Store and Eliminating Lockscreen Ads

16. Hold down the power button and hold volume down to boot into recovery
17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
18. Press back, select finalize.zip and flash it
19. Once finalize.zip is flashed, press "Reboot System"
20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.



NOTE7: PLAY STORE
I used: (source, https://www.xda-developers.com/amazon-fire-hd-8-google-play-store/)
Google Services Framework 7.1.2
Google Account Manager 7.1.2
Google Play services 14.3.66 64bit nodpi
Google Play Store 11.9.14
INSTALL IN THIS ORDER
1) adb install com.google.android.gsf_7.1.2-25_minAPI25(nodpi)_apkmirror.com.apk
2) adb install com.google.android.gsf.login_7.1.2-25_minAPI23(nodpi)_apkmirror.com.apk
3) adb install com.google.android.gms_14.3.66_(020400-213742215)-14366010_minAPI21(arm64-v8a,armeabi-v7a)(nodpi)_apkmirror.com.apk
4) adb install com.android.vending_11.9.14-all_0_PR_214884739-81191400_minAPI16(armeabi,armeabi-v7a,mips,mips64,x86,x86_64)(240,320,480dpi)_apkmirror.com.apk​

NOTE8: LOCKSCREEN ADVERTISEMENTS
1) adb shell
2) karnak:/ $ su
You’ll get “Permission denied” as the response
i. On the tablet, click on MAGISK to open
ii. Tap the three line Menu symbol on the upper left
iii. Tap Superuser
iv. You should see an app named SHELL wanting Superuser permission
v. Toggle Shell to On​
3) karnak:/ $ su (repeat, it will work this time – you will get karnak:/ # )
4) karnak:/ # pm uninstall -k --user 0 com.amazon.kindle.kso
5) You’ll get back “Success”​

NOTE9: LAUNCHER
1) Install a Launcher app through Play Store normally

3) adb shell
4) karnak:/ $ su

If you get “Permission denied” see NOTE8 above

I used Nova Launcher. You'll need to look in /data/app to find the actual name of the launcher app you installed and enable it as shown below.
5) karnak:/ # pm enable com.teslacoilsw.launcher
6) the response will be “Package com.teslacoilsw.launcher new state: enabled
7) karnak:/ # pm disable com.amazon.firelauncher
8) the response will be “Package com.amazon.firelauncher new state: disabled”​
 
Last edited:
  • Like
Reactions: Jik Sey

ka7znm

New member
Mar 28, 2014
1
0
Thank you

Just a quick THANK YOU to the persons responsible for this root. Seems some effort was required. I am the kind of droid user that cannot be happy with being confined to userspace on my tablet. The ads are gone, my launcher has taken its rightful place, and I can run nmap from the command line. I'm happy with this $50 tab.
 

Jik Sey

Member
Jan 21, 2019
36
10
Thanks for the work on this guide. I have just got a new Fire 8 2018. I have not let the tablet update and the Firmware is version 6.3.0.0. I am unsure if I need to take the back off to short with this version. If I do not need to do this please can someone explain where in the guide I should begin if I do not need to install the 6300.zip. I previously rooted my Fire 7 2015 with the pin method, I am just hoping I can do this one without taking the case off. Thanks in advance for any help.
 

mbol8309

New member
Oct 1, 2013
2
0
6300.zip error

the file 6300.zip mega.nz says the cypher key is invalid. can upload the file to another site please or via torrent or something. thanks in advance
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    NOT For Everyone it is a HARDWARE type Hack
    (although a simple hardware hack - no disassembly other than the back cover and no soldering, etc.)
    REQUIRES
    1. Opening the Tablet
    2. Shorting one of the CPU test points
    3. Linux​

    CREDIT xyz`, Member on 27th January 2019, 10:04 AM
    See Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root


    Some on xyz's Thread have indicated success completing this this using a Windows PC by way of a Linux emulator or booting from a LIVE CD or USB Stick. I happened to have a perfectly good (but non UEFI) motherboard and CPU laying around from my Win 10 upgrade. Umbuntu seemed like a good reuse.

    All I have done is add some clarification and added instructions to make the tablet useful

    Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.

    This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.

    You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.

    What you need:
    - a Linux installation. Since xyz had to rush it, his guide is only for Linux.
    - microusb cable to connect your tablet to the PC
    - some way to open the tablet (pry tool, opening picks, etc)
    - something conductive (metal tweezers, a paper clip, a piece of wire, etc)
    - amonet.tar.gz (http://forum.xda-developers.com/attachment.php?attachmentid=4696148&d=1548790448)
    - 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I...ilSnNYgOG9YPNE
    - Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/...gisk-v18.0.zip
    - finalize.zip (http://forum.xda-developers.com/attachment.php?attachmentid=4694754&d=1548611833)

    Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".

    Extract amonet.tar.gz, open a terminal and navigate to it.

    You will need to run the scripts on your Linux under sudo.

    0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin

    NOTE1: Ubuntu 18.04.2 LTS default configuration comes with ModemManager
    a) adb shell
    b) sudo apt-get remove modemmanager
    c) quit
    d) RESTART LINUX

    1. Use a pry tool to remove the back shell from the tablet (or if you are a male and have strong, longer thumbnails - that and a credit card or two works well). Start at the bottom and work your way up. There are no cables between the back shell and the motherboard
    2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK
    3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
    4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
    5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
    6. Plug in the other end of the microusb cable.
    7. You should see a new device appear on your PC
    This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip strong enough. Unplug it, shut down your Fire (pull out USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.

    8. The script you ran in step 4 should now tell you to remove the short. a) Remove the paperclip and b) press Enter as instructed
    9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:


    [2019-01-26 23:30:02.157670] Waiting for bootrom
    [2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
    [2019-01-26 23:30:20.439362] Handshake
    [2019-01-26 23:30:20.441693] Disable watchdog

    * * * Remove the short and press Enter * * *


    [2019-01-26 23:30:22.636037] Init crypto engine
    [2019-01-26 23:30:22.661832] Disable caches
    [2019-01-26 23:30:22.662505] Disable bootrom range checks
    [2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
    [2019-01-26 23:30:22.693170] Send payload
    [2019-01-26 23:30:23.527965] Let's rock
    [2019-01-26 23:30:23.528832] Wait for the payload to come online...
    [2019-01-26 23:30:24.260602] all good
    [2019-01-26 23:30:24.261069] Check GPT
    [2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
    [2019-01-26 23:30:24.596619] Check boot0
    [2019-01-26 23:30:24.841858] Check rpmb
    [2019-01-26 23:30:25.051079] Downgrade rpmb
    [2019-01-26 23:30:25.052924] Recheck rpmb
    [2019-01-26 23:30:25.949978] rpmb downgrade ok
    [2019-01-26 23:30:25.950284] Flash lk-payload
    [5 / 5]
    [2019-01-26 23:30:26.471797] Flash preloader
    [288 / 288]
    [2019-01-26 23:30:44.845804] Flash tz
    [6732 / 6732]
    [2019-01-26 23:33:08.502134] Flash lk
    [685 / 685]
    [2019-01-26 23:33:23.337460] Inject microloader
    [4 / 4]
    [2019-01-26 23:33:23.667547] Reboot to unlocked fastboot


    If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot

    9a. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
    10. Once the device boots to fastboot (check with "fastboot devices". You should see Amazon logo on the screen.), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display

    NOTE2: CAN run "./fastboot-step.sh"?? I took is as MUST run "./fastboot-step.sh"

    11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.

    NOTE3: if/when it doesn’t boot into Recovery use
    “fastboot reboot”
    OR
    “fastboot reboot” and then
    “adb reboot recovery”
    OR
    SHUT DOWN and then
    Power Button PLUS Volume Down Button to STARTUP

    12. We'll now upload required files to the recovery. On your PC, do:

    adb push 6300.zip /sdcard
    adb push Magisk-v18.0.zip /sdcard
    adb push finalize.zip /sdcard​

    NOTE4: The above commands will not work in fastboot. You need to get into recovery
    NOTE4a: You are probably in the /Downloads/amonet directory. These files should be in /Downloads
    Use “cd ..”

    13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip

    NOTE5: DO NOT “Go to “Wipe” in step 14.
    (There is no “default wipe”)
    Use the Wipe cache/dalvik button that appears after step 13 completes

    14. Go to "Wipe" and do the default wipe, then reboot
    15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network,. Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again

    IMPORTANT
    NOTE6: I did the method as described above and when complete had zero Amazon functionality; My Account Crashed, No App Store, No Shopping, No Prime Video, etc
    The instructions say, “then instead of entering the password press ‘cancel.’” Instead, go to the next step which is Amazon Registration and complete it. IT WILL AUTOMATICALLY UPDATE – AS OF THIS WRITING (March 7th, 2019) THERE IS ONLY A VERY MINOR UPDATE TO SOME APP.
    CAUTION: At some future date there may be an OS Update that could negate this Root Hack.
    AFTER REGISTRATION - SHUT DOWN (Power off)
    THEN SEE Notes 7 thru 9 below for Launcher, Play Store and Eliminating Lockscreen Ads

    16. Hold down the power button and hold volume down to boot into recovery
    17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
    18. Press back, select finalize.zip and flash it
    19. Once finalize.zip is flashed, press "Reboot System"
    20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
    21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.



    NOTE7: PLAY STORE
    I used: (source, https://www.xda-developers.com/amazon-fire-hd-8-google-play-store/)
    Google Services Framework 7.1.2
    Google Account Manager 7.1.2
    Google Play services 14.3.66 64bit nodpi
    Google Play Store 11.9.14
    INSTALL IN THIS ORDER
    1) adb install com.google.android.gsf_7.1.2-25_minAPI25(nodpi)_apkmirror.com.apk
    2) adb install com.google.android.gsf.login_7.1.2-25_minAPI23(nodpi)_apkmirror.com.apk
    3) adb install com.google.android.gms_14.3.66_(020400-213742215)-14366010_minAPI21(arm64-v8a,armeabi-v7a)(nodpi)_apkmirror.com.apk
    4) adb install com.android.vending_11.9.14-all_0_PR_214884739-81191400_minAPI16(armeabi,armeabi-v7a,mips,mips64,x86,x86_64)(240,320,480dpi)_apkmirror.com.apk​

    NOTE8: LOCKSCREEN ADVERTISEMENTS
    1) adb shell
    2) karnak:/ $ su
    You’ll get “Permission denied” as the response
    i. On the tablet, click on MAGISK to open
    ii. Tap the three line Menu symbol on the upper left
    iii. Tap Superuser
    iv. You should see an app named SHELL wanting Superuser permission
    v. Toggle Shell to On​
    3) karnak:/ $ su (repeat, it will work this time – you will get karnak:/ # )
    4) karnak:/ # pm uninstall -k --user 0 com.amazon.kindle.kso
    5) You’ll get back “Success”​

    NOTE9: LAUNCHER
    1) Install a Launcher app through Play Store normally

    3) adb shell
    4) karnak:/ $ su

    If you get “Permission denied” see NOTE8 above

    I used Nova Launcher. You'll need to look in /data/app to find the actual name of the launcher app you installed and enable it as shown below.
    5) karnak:/ # pm enable com.teslacoilsw.launcher
    6) the response will be “Package com.teslacoilsw.launcher new state: enabled
    7) karnak:/ # pm disable com.amazon.firelauncher
    8) the response will be “Package com.amazon.firelauncher new state: disabled”​