[Thor][Apollo] Unlocking bootloader with any firmware

Search This thread

thecharlie654

New member
Mar 2, 2021
1
0
Steps unlock bootloader and needed files

this is the details step for unlocking bootloader for the 2013 Kindle HDX 7 (Thor) and HDX 8.9 (Apollo). Becarefull the 2014 HDX 8.9 (Saturn) doesn't work! These steps are done in Windows 10, successfully checked by myselft!
i don't take any credits, just collect all the steps in one post of the whole process.

Download the needed files are in the attachment, just download them all + the TWRP for your device from this thread: TWRP 3.1.1-1
You do NOT need root for these steps!

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder. After that install the kindle_fire_usb_driver.
2. Turn on ADB-Debuging Mode in Developer Mod by tapping 7 times the build numbers in settings and connect to your computer + trust your device.
3. Excecute "get_code.bat" in the folder above, you will get a new file: unlock.code in the folder.
4. Open CMD in the folder and run "adb reboot bootloader", the Kindle will reboot to bootloader with "[ fastboot ]" on the display
5. On the Computer go to Device-Manager and change driver in "Other Android" to "Fire Devices - Android Adb Composite Driver" . It should say "Ready" on the Kindle.
6. Now we need to enter Bulk-Mode like the instruction in this thread: Bulk Mode
Type:






7. When done, hold down the power button until it reboots. Now you will be at Bootloader with [Fastboot] sign on the screen. Change the drive in Device-Manager again if needed.
8. Run the "unlock.bat" in the folder and you should get a green line: "unlock code is correct". Congrats your Kindle now has an unlocked bootloader.
9. Now hold power button again to shut down the device, then hold both "power button + Volume UP" and keep them for 3-5 seconds after you see the "kindle fire" logo. Then you will get into the TWRP and flash your desire things.

i hope this post will help others new member to free our beautifull devices!

Cheers and happy flashing :D


Hi. I've just attempted these steps on my thor Kindle Fire HDX 7. I completed up to step 8 successfully, however, when I ran the "get_code.bat" file in step 3, I didn't realise that it didn't create the unlock code correctly, and it resulted in a blank unlock.code file.
Therefore running the unlock.bat file results in 'unlock code not correct' and I cannot unlock the bootloader. I am stuck in fastboot, cannot access adb, therefore is there any way to get a new unlock code from the device's current state?
 

DB126

Senior Member
Oct 15, 2013
15,298
10,068
Hi. I've just attempted these steps on my thor Kindle Fire HDX 7. I completed up to step 8 successfully, however, when I ran the "get_code.bat" file in step 3, I didn't realise that it didn't create the unlock code correctly, and it resulted in a blank unlock.code file.
Therefore running the unlock.bat file results in 'unlock code not correct' and I cannot unlock the bootloader. I am stuck in fastboot, cannot access adb, therefore is there any way to get a new unlock code from the device's current state?
Install (flash) an older TWRP build and ROM and then use that to generate a proper unlock code/file. Don't bother with GApps, Magisk, etc. I have seen some posts claiming Lineage 14.1 will install on devices with locked bootloader (can't enable root). I prefer nexus as it goes in clean. Good luck.
 

PokeFan919

Member
May 21, 2017
11
1
Xiaomi Mi A2 Lite
Install (flash) an older TWRP build and ROM and then use that to generate a proper unlock code/file. Don't bother with GApps, Magisk, etc. I have seen some posts claiming Lineage 14.1 will install on devices with locked bootloader (can't enable root). I prefer nexus as it goes in clean. Good luck.
Hey, I had the same issue as the person you replied to but which version of twrp and the ROM do I download ? I flashed the thor-twrp-3.0.0-0.img( after trying the latest TWRP build )but it boots to the grey kindle logo and then to fastboot mode.
 
Last edited:

DB126

Senior Member
Oct 15, 2013
15,298
10,068
Old post, old device; have moved on. As I recall, TWRP 2.8.x.x was the go-to build for older HDX ROMs
 

hangvupro

New member
Nov 10, 2021
1
0
Edit: for anyone else who runs into the "no -i option" error, you can just drop the "-i 0x1949" and continue with the other steps.
i do this with kindle 8.9 2014 saturn. now my cmd is not working. someone help me what to do. Thanks
Screenshot 2021-11-02 225425.png
Screenshot 2021-11-08 224932.png
 

exokinetic

Member
Nov 29, 2013
15
4
Got it! The original post did not mention that we need to copy 'cuber' file from the 'unlock' directory into the 'adb' folder. Rest works as instructed. Running Lineage OS 14.1 now. Thanks a lot to all the contributors of this thread!
Hello Friends!
Some specs:
Kindle Fire HDX 8.9 (3rd Generation)
Device: Apollo
Model: KFAPWI
Current OS: Fire OS 4.5.5.3


So, I also followed the instructions found on page #51 of this thread: https://forum.xda-developers.com/t/...oader-with-any-firmware.3463982/post-75284993

I followed them EXACTLY...

Which means I had the same error as TheZenGuy above, but I ignored the cuber fails, and moved through the rest of the steps.

>.<

This is what I saw:
c:\adb>get_code
cannot stat 'cuber': No such file or directory
Unable to open /data/local/tmp/cuber: No such file or directory
0x000045 0x251b3b67
/system/bin/sh: /data/local/tmp/cuber: not found
rm failed for /data/local/tmp/cuber, No such file or directory
Press any key to continue . . .

This definitely seemed "off", but the instructions said that step should generate a file:
"unlock.code"
...and it would be in the folder you had just created.

And that file WAS generated, so I assumed all was good, and moved on (**** me...)
I have attached the unlock.code that was generated by the above get_code.bat

I have now opened this unlock.code with notepad++ and it is blank, no text.
I am pretty sure a blank entry is NOT going to unlock the bootloader...

spoiler alert: it doesn't

So I continue;

c:\adb>adb reboot bootloader
c:\adb>fastboot -i 0x1949 erase aboot
erasing 'aboot'...
OKAY [ 0.052s]
finished. total time: 0.054s

...GULP...

c:\adb>fastboot -i 0x1949 reboot
rebooting...

finished. total time: 0.022s

Well, that looks right...
c:\adb>dd of=\\?\Device\Harddisk1\Partition6 if=emmc_appsboot-14.3.2.3.2_user_323001720.mbn
rawwrite dd for windows version 0.5.
Written by John Newbigin <[email protected]>
This program is covered by the GPL. See copying.txt for details
Error reading file: 87 The parameter is incorrect
677+1 records in
677+1 records out

c:\adb>dd of=\\?\Device\Harddisk1\Partition18 if=apollo-twrp-3.5.0_9-1.img
rawwrite dd for windows version 0.5.
Written by John Newbigin <[email protected]>
This program is covered by the GPL. See copying.txt for details
19128+0 records in
19128+0 records out

And that also appears to go as planned, I got the predicted Error reading file: 87 The parameter is incorrect, smooth sailing...?
c:\adb>unlock
error: device '(null)' not found
target reported max download size of 1073741824 bytes
sending 'unlock' (0 KB)...
FAILED ()
finished. total time: 0.003s
Press any key to continue . . .

Fuuuuuuuuuuuuuuuuu
/fail
[fastboot] - bootloop - softbricked
Power Button + Volume Up will NOT boot in to TWRP (unsuprising given the bootloader is still locked)

For reference, this is what I see on the Kindles screen:

getvar:partition-type:unlock...Ok.
getvar:max-download-size...[[ 0x40000000 ]].
Ready.

Firstly;

error: device '(null)' not found

???

This is what I see in device manager;
Screenshot (265).png


Secondly;

I noticed that there was a file in the attached archives that I was NOT instructed to move to the working adb folder that had a name I had seen when doing the cmd line operations:

CUBER

So, I searched this thread for 'cuber' and my suspicions were confirmed, cuber was SUPPOSED to be copied into the working adb folder (for future reference, are any of the OTHER files in the attached archives ALSO supposed to be in the working adb folder? like get_code.sh and unlock.sh?)

-it would just seem like common sense that ALL the files on those attached archives should have been placed into the working adb folder, but you know, the intructions were pretty explicit about what files should be copied into the folder

"1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder."

Install the adb-setup-1.4.3 into a folder (for example: C:/adb)

Okay, folder C:\adb\ created and it contains:

adb.exe
AdbWinApi.dll
AdbWinUsbApi.dll
fastboot.exe

extract dd-0.5.zip + unlock.zip + aboot-xxx.zip

Okay, extracted to folders with the same name, waiting for further instructions (it does not say WHERE to extract them TO)

put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder.

Okay, 5 explicitly referenced files are placed into THAT folder. (it seems impled that ONLY THOSE files should be copied into THAT folder)

In my case the folder now contains:
adb.exe
AdbWinApi.dll
AdbWinUsbApi.dll
fastboot.exe
dd.exe
get_code.bat
unlock.bat
apollo-twrp-3.5.0_9-1.img
emmc_appsboot-14.3.2.3.2_user_323001720.mbn


As a last attempt to save my ass, after reading the quoted post about cuber, I moved cuber into my adb folder and tried to fire off another get_code.bat:

c:\adb>get_code
error: device '(null)' not found
error: device '(null)' not found
error: device '(null)' not found
error: device '(null)' not found
error: device '(null)' not found
Press any key to continue . . .

/EPIC FAIL

^^^Kindle is booted into fastboot bootloader, device manager correctly seeing the fire device and with the right driver assigned as per the screenshot above

additionally, the command:

fastboot -i 0x1949 reboot

works perfectly fine and re-boots the device, suggesting the device is absolutely not '(null)'


So, currently soft bricked, and stuck in a fastboot bootloop.

Theoretical ideas:

Is it ridiculous to think I could attempt to use someone elses unlock.code file? (it seems to me this was going to be some kind of a uniquely generated hash, but I certainly dont know)

If I could get out of this bootloop and load back into FireOS it would seem like I could fire off another get_code.bat (with CUBER in the adb folder!) and get this baby flashing like TheZenGuy thankfully managed...

So, from my current position, do I try re-installing the "vulnerable" aboot from the instructions attachments and see if I can get it to boot into FireOS so I can start over again? (seem unlikely given theOS version mis-match)

Do I try re-installing some other aboot file that is relative to my apollo hardware and current 4.5.5.3 Fire OS?
^*scratching cheek* anyone got any links?^

Does anyone have any ideas for me to get back into FireOS so I can start over?


And as an asside;

I messaged Draxie earlier today for a link to their "1 Click Bootload Unlock" VM Script; and it is suggested over there that it has worked on fire devices that were in a soft brick state, so perhaps, even if I can not make any progress from here, all is not lost?


Thank you for reading this wall of a post, any help would be greatly appreciated!

/Exo
 

exokinetic

Member
Nov 29, 2013
15
4
Power Button + Volume Up will NOT boot in to TWRP (unsuprising given the bootloader is still locked)
Okay, upon noticing most users were doing this with TWRP 3.1.1.1;

"the needed files are in the attachment, just download them all + the TWRP for your device from this thread: link"

^^^
It would be nice if that explicitly stated to grab the 3.1.1.1 version for your device (apollo vs thor)

I restarted from bulk mode + dd'd the vuln_aboot and twrp 3.1.1.1

One step forward...

Now I CAN boot into TWRP with the Power + Volume Up combination;

Now if I have been following along like a good little student, then;

All I need to do now is grab -any- ROM image that does NOT require an unlocked bootload to flash through TWRP?

Flash any vanilla ROM, boot into ROM, adb get_code.bat (WITH CUBER IN THE DAMN FOLDER), verify unlock.code is 256 bytes

/PROFIT

Now, there was a user that was helping multiple users through this SAME ISSUE, and part of the solution involved posting up a link for a Nexus ROM that had been developed FOR the Fire HDX, which did NOT require an unlocked bootloader...

Unfortunatly, those links are all dead now. /sadface

Am I correct in understanding that -any- AEX or Nexus flavored ROM should work for the same purpose?

...one way to find out...

/Exo
 
  • Like
Reactions: zekzekzek

exokinetic

Member
Nov 29, 2013
15
4
Okay friends!

keyword: cuber

Now that I have a nice fresh instance of Lineage-16 running on my HDX, thanks to the brilliant and helpful minds floating around here...

A huge thank you to Draxie for holding my hand through this, and a big thank you to everyone who has worked on this development.

I thought I would share how I managed to make it through!

So, to begin; the orriginal instructions that most people will find referenced for "unlocking the bootloader" on your Kindle Fire HDX 8.9 are -almost- perfect;

Step 1.

This line:

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder.

Is missing one file (cuber) that needs to be placed "into that folder" (the folder you install adb into, from the example C:\adb )

The line SHOULD READ:

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + cuber + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder.

(can a Moderator please edit post
#1,006 to reflect the above change? as in, ADD "+ cuber" -so no one else has to get stuck here)

Cuber -must- be in the adb folder you use for this set of instructions, or you will encounter an.... ERROR!


So, lets say you fell into the n0-cuber trap...

How do you get out of your now softbrick state?

Well, you had BETTER HOPE you still have your console open where you attempted to complete the instructions.
(I dont know if a log-file of command prompt history gets saved anywhere in Windows, if it does, you are in luck, and you MUST find this in order to follow my particular set of bread crumbs)

The information you are going to need (hash text) actually came back as a return in the command prompt window you were working in when you attempted step 3.

Specifically:

Step 3.

3. Excecute "get_code.bat" in the folder above, you will get a new file: unlock.code in the folder.

When you do that WITHOUT cuber in your adb folder, you will get a return that look SIMILAR to this:

C:\adb>get_code
cannot stat 'cuber': No such file or directory
Unable to open /data/local/tmp/cuber: No such file or directory
0x000045 0x251b3b67
/system/bin/sh: /data/local/tmp/cuber: not found
rm failed for /data/local/tmp/cuber, No such file or directory
Press any key to continue . . .

(coloring/ bolding added for clarity, your console will display all this text as the same color/formating)

That bold/green text is your key out of softboot purgatory, this is why you MUST have the console you orriginally attempted the instructions in still open, or have a backup/ log-file history saved somewhere
(I have no idea if windows does this automatically -I would assume not...)

You WILL generate a file called "unlock.code" -EXCEPT, it will have a size of 0kb (exceedingly useless)
-your unlock.code -should- have a filesize of: 256 Bytes

Unsuprisingly, when you get to the last step:

Step 8.

8. Run the "unlock.bat" in the folder and you should get a green line: "unlock code is correct". Congrats your Kindle now has an unlocked bootloader.

You will NOT receive "unlock code is correct" (you will not pass go, and you will not collect $200)
-sad face

What you WILL receive will look SIMILAR to this:

C:\adb>unlock
error: device '(null)' not found
target reported max download size of 1073741824 bytes
sending 'unlock' (0 KB)...
FAILED ()
finished. total time: 0.003s
Press any key to continue . . .

And you will be a sad panda.


So, how did I make out of this epic fail?

Enter @draxie

I let draxie know I needed a little help, and after reading my orriginal post, they spotted the necessesary information to generate a GOOD unlock.code file:

This is the response I got from @draxie:
I saw the relevant info printed in one of your recent
very detailed forum posts: 0x000045 0x251b3b67.

That's really _all_ you need and a version of `cuber` that runs on _some_ HW
you have access to. Both C and Python implementations have been posted.

BUT, the attachment should save you the trouble of searching and compiling...



So, Draxie was a champ, and compiled the unlock.code file FOR ME :D -thank you Draxie!

But, if you have been following along;

You need:

-The two hash's YOU got from the first time you attempted get_code.bat
(I believe these will absolutely be unique to your individual device, no one elses unlock.code will work for your device -someone please correct me if I am wrong here)

-Any version of cuber and hardware (like, a laptop) to run it on in order to compile the unlock.code

-The understanding of how to tell cuber to use YOUR hash text to compile a new unlock.code file
(if anyone that knows how to do this wants to provide exact instructions for the above, it would probably help someone)

Once you generate the new /GOOD unlock.code using cuber and your hash text (and replace the /BAD one in your /adb folder), boot the device back into fastboot and fire off the unlock.bat again.

-GOOD LUCK!-

--------------------------------------------------------------------------------------------------------------------------------------

Alternatly: (I have no idea how to do this from the current fastboot bootloop state you will be stuck in) you need to get a stock factory Kindle Fire HDX image (actually, -any- ROM you can get flashed and boot in to will work) flashed back onto your device so you can boot into the OS.

If you can get it to boot back into -ANY- OS (I read that some custom ROM's wont require an unlocked bootloader in order to flash onto the Fire HDX, for example) then, while the device is booted into the OS, you can run get_code.bat again (with cuber in your adb folder this time!) in order to generate a good unlock.code.

--------------------------------------------------------------------------------------------------------------------------------------

Once you have you unlocked bootloader, (gasp!)...

I followed the instruction found here -EXACTLY- in order to install a rather stable version of LineageOS-16 onto my Fire HDX.

Call me one happy camper.

In case I haven't done it enough in this post... -THANK YOU DRAXIE!


/Exo
 
Last edited:

daftfool

New member
Jan 2, 2013
3
0
Amazon Kindle Fire
Can anyone point me in the direction of upgrading TWRP / Installed v3.x for this device?

I am attempting to install TWRP image downloaded from post #1006 in this thread, but it states that the partition is not large enough. Every advice I can find simply states I have the wrong version of TWRP, but that isn't the case.

I have twrp installed, but it is an old v 2.8.5 and I cannot find a way to upgrade it.
 
Hi Guys,
i´m using the instructions from posting 1006 for my apollo. it´s running until the bulk-mode
this 2 commands are not running:
dd of=\\?\Device\HarddiskX\Partition6 if=aboot_vuln.mbn
dd of=\\?\Device\HarddiskX\Partition18 if=twrp_cubed.img

"Error native opening file: 0"

now didnt have access -can i reinstall the original rom and start again ?
I cannot restart - or with a special combination of buttons?

thx a lot
cosmic
 
Last edited:

skdubg

Senior Member
Feb 9, 2010
1,110
323
your error says that it cannot open the file.

Either the name is wrong, or the files are not in the same folder as dd.exe.
 
your error says that it cannot open the file.

Either the name is wrong, or the files are not in the same folder as dd.exe.
Thx, i didnt wrote the result of wmic partition where index=22 get diskindex
wmic partition where (index=17 and numberofblocks=20480) get diskindex
wmic partition where (index=5 and numberofblocks

NOW i ve no acces... Hmm other ideas?
 
Steps unlock bootloader and needed files

this is the details step for unlocking bootloader for the 2013 Kindle HDX 7 (Thor) and HDX 8.9 (Apollo). Becarefull the 2014 HDX 8.9 (Saturn) doesn't work! These steps are done in Windows 10, successfully checked by myselft!
i don't take any credits, just collect all the steps in one post of the whole process...
Thanks so much for this!!! Aside from windows being picky about drivers and having to try my luck with different fastboot versions, this guide worked wonders for getting my friend's HDX 7 3rdGen unlocked and running LOS14.1
 

firefan33

New member
Mar 8, 2022
1
0
Steps unlock bootloader and needed files

this is the details step for unlocking bootloader for the 2013 Kindle HDX 7 (Thor) and HDX 8.9 (Apollo). Becarefull the 2014 HDX 8.9 (Saturn) doesn't work! These steps are done in Windows 10, successfully checked by myselft!
i don't take any credits, just collect all the steps in one post of the whole process.

Download the needed files are in the attachment, just download them all + the TWRP for your device from this thread: TWRP 3.1.1-1
You do NOT need root for these steps!

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder. After that install the kindle_fire_usb_driver.
2. Turn on ADB-Debuging Mode in Developer Mod by tapping 7 times the build numbers in settings and connect to your computer + trust your device.
3. Excecute "get_code.bat" in the folder above, you will get a new file: unlock.code in the folder.
4. Open CMD in the folder and run "adb reboot bootloader", the Kindle will reboot to bootloader with "[ fastboot ]" on the display
5. On the Computer go to Device-Manager and change driver in "Other Android" to "Fire Devices - Android Adb Composite Driver" . It should say "Ready" on the Kindle.
6. Now we need to enter Bulk-Mode like the instruction in this thread: Bulk Mode
Type:






7. When done, hold down the power button until it reboots. Now you will be at Bootloader with [Fastboot] sign on the screen. Change the drive in Device-Manager again if needed.
8. Run the "unlock.bat" in the folder and you should get a green line: "unlock code is correct". Congrats your Kindle now has an unlocked bootloader.
9. Now hold power button again to shut down the device, then hold both "power button + Volume UP" and keep them for 3-5 seconds after you see the "kindle fire" logo. Then you will get into the TWRP and flash your desire things.

i hope this post will help others new member to free our beautifull devices!

Cheers and happy flashing :D

I have a problem - after following these steps my hdx7 cannot boot regularly:

I exactly followed the steps described from ReichMann in #1006. Then i installed LineageOS 16 as described here:

Unfortunately my Fire HDX7 (3rd gen) is only able to boot in recovery mode (TWRP) and fastboot mode.
The first time i installed LineageOS via TWRP everything seemed fine.
But after rebooting the device the start screen from LIneage appeared only for a few seconds, went black and appeared again for a few seconds, and so on until i turned it off (long-pressed power button).
I re-flashed the image.
But now after rebooting immediately the recovery (TWRP) is started. And Fastboot is working, too. So i have two possible modes left ;-) recovery mode and fastboot mode... wonderful - but the regular mode has gone...

Do you think there is any way to get my hdx work again?

Thank you very much !
 

dnt83

Member
Dec 13, 2014
18
2
Hà Nội
Hello. At first, I did not invent anything new, just checked some my guess on a other motherboard. All thanks and credits to our great developers. As always, all at your own risk.
It does not work on the Fire HDX 8.9 (Saturn)!
All steps in this manual are not necessary but they are present for maximum safety. So I highly recommend do anything exactly in this way. Sorry my English as always =)
Update2 - actual method is https://forum.xda-developers.com/showpost.php?p=75284993&postcount=1006
Update: now you can use updated draxie's utility - http://forum.xda-developers.com/kindle-fire-hdx/general/multi-platform-1-click-bootloader-t3241014

Prerequisites for Installation

- Root
- Installed adb and fastboot drivers - official - https://drive.google.com/open?id=0B2twXJIOgv-UWWdwRl9TQS11b0k (if your system language not English, after fail navigate to "Program Files (x86)\Lab126\drivers" and run dpinst.exe /EL or switch to English =) for x64 need to disable driver signature verification before install ) also you can use pdanet drivers - http://forum.xda-developers.com/showpost.php?p=59268023&postcount=8

Manual:
1. Create unlock file following this instruction - https://forum.xda-developers.com/ki...r-firmware-t3463982/post70881555#post70881555

2. Flash old vulnarable aboot and cubed twrp (just in case). Check that all these commands executed without errors. If you'll get one - read second post below. If your firmware <=13(14)3.2.3.2 skip this step.
Download aboot and twrp for Thor (Kindle Fire HDX 7) https://drive.google.com/open?id=0B2twXJIOgv-UMGxXMUZPZTlZTUk or for Apollo (Kindle Fire HDX 8.9) - https://drive.google.com/open?id=0B2twXJIOgv-URzJDQkczNzRLaHM - and put this two files (twrp_cubed.img and aboot_vuln.mbn) into root of your kindle internal storage.
Run:
Code:
adb shell
su
dd if=/sdcard/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
Now you have working twrp recovery. It already works even without unlocked bootloader. You could boot into it by holding volUP during grey kindle logo. But no need to flash anything until unlock. At this point this is just emergency tool if something goes wrong =)

3. Flash unlock file.
Now, if you reboot, you will go straight into fastboot because of old aboot - newest boot.img can't load with it. If your firmware <13(14).4.1.1 you need run "adb reboot bootloader" to boot into fastboot.
Time to flash your unlock file.
Code:
fastboot -i 0x1949 flash unlock 0xmmssssssss.unlock
You must obtain "unlock code is correct".
Grats. You are perfect =)
You can flash:
CM13 - http://forum.xda-developers.com/kin...ment/rom-cm-13-kindle-hdx-2015-11-29-t3259732
CM 12.1 - http://forum.xda-developers.com/kin...ent/rom-cm-12-unofficial-apollo-thor-t3050199
Or stock repacked latest 4.5.5.2 rom - https://drive.google.com/open?id=0B2twXJIOgv-UVFFtN2RYNXNUZ0k (13.x - thor, 14.x - apollo)
Do not flash original stock firmwares.

Regards and thank to all - @dpeddi, @vortox, @draxie, @ggow, @Ralekdev, @jcase, @Hashcode
And greatest thanks for motherboard for my experiments to @MahmudS !
Hello
I forgot to get_code before, so can I unbrick it? Thank you
 
sigh.

I have a Kindle Fire HDX Thor. I went through post 1006 and thought I followed everything to the T. Looks like I messed up with the unlock code being 0 KB just like what happened to user @exokinetic. Unfortunately, I did not execute "get_code.bat" from CMD but rather directly from windows explorer. I also did not notice that "unlock.code" is 0 KB.

So here is where we are - softbricked. No unique hashes and stuck on fastboot.

I have noticed that I can see the kindle when it is turned on. It shows up as Android ADB Interface.
Screenshot 2022-04-05 191022.png


I can open up CMD and run unlock.bat and I see on my kindle fastboot screen that it receives the unlock code and states its incorrect. So I can somewhat communicate with the Kindle.
1649200447941.png


Looking at unlock.bat I see that this command [fastboot -i 0x1949 flash unlock unlock.code] is working in sending data to the kindle and the kindle is responding. Albeit with nothing useful from what I can tell but responding nevertheless.

Wondering if I can use the below command with some variation to get a different type of response and get out of softbrick hell. I'm very curious now.
fastboot -i 0x1949

UPDATE 1:
While thinking about the above command, I was wondering why I can't run get_code.bat and then continued to read @exokinetic in his post #1208 and figured it was worth a shot. I followed these steps:
I restarted from bulk mode + dd'd the vuln_aboot and twrp 3.1.1.1

I also specifically got TWRP 3.1.1-1.

1649208322473.png


And success at getting TWRP loaded!! There is hope after all!

UPDATE 2:
So now I have TWRP and it loads just fine with Power Button and Volume Up. I thought the next step would be to try and get a ROM that does not need an unlocked bootloader but have had no luck finding the Nexus ROM.

I did notice on a German forum (that google translated to english for me) that there were commands for people to get manfid and serial (which is the goal to be able to unlock!) and I tried them in a command prompt with ADB. No luck. (maybe I could have tried with fastboot)

1649341778022.png


However!
TWRP has a terminal option. Like on the kindle itself. So I manually typed the same commands below into TWRP terminal and voila!! It worked! Who knew. Not this guy.

1649341886986.jpeg


Code:
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial

So now I have my manfid and serial! Almost there! Now I just need to feed it into get_code.bat or unlock.bat so I can have a proper unlock.code file.

I did try to run get_code,bat using fastboot (and ensuring cuber was in the adb and folder) but I don't know what command to use here and the ones I tried haven't worked. Just ruling this out.

UPDATE 3: Unlock success!
Whoever said being impatient is a bad thing.
I knew I needed to manually pass the manfid and serial to be able to get a generated unlock.code file. So I was digging around in XDA and came across this thread by @yujikaido79 which was a great guiding post:

I did both these steps (although GMPY2 might not be needed):
get Python 2.7 for windows and install it >>https://www.python.org/download/releases/2.7/
btw I installed the 64 bit edition for both

get GMPY2 for Python 2.7 https://code.google.com/p/gmpy/downloads/list

I then followed the thread to get cuberHDX.py (which I realized I didn't need) over here by the great @draxie :

** SIMPLER UNLOCK CODE GENERATION ON (ANY) WINDOWS **

  • If you don't have python installed, download and install your preferred Python version
  • Download and extract tools.zip
  • Open a command shell (cmd.exe) and navigate to the directory where you extracted the archive
  • To generate your unlock code type
    Code:
    py cublock.py 0xmm 0xssssssss

NB: the filename of the unlock code is 'unlock.img',
as opposed to the '0xmmssssssss.unlock' pattern that cuberHDX.py used to generate,
but the contents are the same and the unlock code is flashed the same way.

Since I had my manfid and serial, these instructions seemed like exactly what I was searching for. Once I was done with the above instructions, I had a unlock.img file.

Since I was going to be using fastboot, I copied the unlock.img file into my adb folder and simply ran this command and it worked like a charm.
Code:
fastboot -i 0x1949 flash unlock unlock.img

Success!
IMG_8451.JPG


Overarching Edit: I'm going to keep editing my post as I find and have useful information in my journey so everything is in one place for my own reference.
 
Last edited:
  • Like
Reactions: dnt83

skeptic1007

Senior Member
Jul 24, 2010
298
51
Hello. I have another problem with running the procedure at post 1006 above: get_code does not stop. The command at adb push cuber ... does not terminate. Any idea where I may be wrong?

I have unlocked my Kindle Fire and installed an Android OS some years ago. Have restored the original Fire OS since. Now I would like to repeat the Android OS procedure. Is the bootloader still unlocked?
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 54
    Hello. At first, I did not invent anything new, just checked some my guess on a other motherboard. All thanks and credits to our great developers. As always, all at your own risk.
    It does not work on the Fire HDX 8.9 (Saturn)!
    All steps in this manual are not necessary but they are present for maximum safety. So I highly recommend do anything exactly in this way. Sorry my English as always =)
    Update2 - actual method is https://forum.xda-developers.com/showpost.php?p=75284993&postcount=1006
    Update: now you can use updated draxie's utility - http://forum.xda-developers.com/kindle-fire-hdx/general/multi-platform-1-click-bootloader-t3241014

    Prerequisites for Installation
    - Root
    - Installed adb and fastboot drivers - official - https://drive.google.com/open?id=0B2twXJIOgv-UWWdwRl9TQS11b0k (if your system language not English, after fail navigate to "Program Files (x86)\Lab126\drivers" and run dpinst.exe /EL or switch to English =) for x64 need to disable driver signature verification before install ) also you can use pdanet drivers - http://forum.xda-developers.com/showpost.php?p=59268023&postcount=8

    Manual:
    1. Create unlock file following this instruction - https://forum.xda-developers.com/ki...r-firmware-t3463982/post70881555#post70881555

    2. Flash old vulnarable aboot and cubed twrp (just in case). Check that all these commands executed without errors. If you'll get one - read second post below. If your firmware <=13(14)3.2.3.2 skip this step.
    Download aboot and twrp for Thor (Kindle Fire HDX 7) https://drive.google.com/open?id=0B2twXJIOgv-UMGxXMUZPZTlZTUk or for Apollo (Kindle Fire HDX 8.9) - https://drive.google.com/open?id=0B2twXJIOgv-URzJDQkczNzRLaHM - and put this two files (twrp_cubed.img and aboot_vuln.mbn) into root of your kindle internal storage.
    Run:
    Code:
    adb shell
    su
    dd if=/sdcard/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
    dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
    Now you have working twrp recovery. It already works even without unlocked bootloader. You could boot into it by holding volUP during grey kindle logo. But no need to flash anything until unlock. At this point this is just emergency tool if something goes wrong =)

    3. Flash unlock file.
    Now, if you reboot, you will go straight into fastboot because of old aboot - newest boot.img can't load with it. If your firmware <13(14).4.1.1 you need run "adb reboot bootloader" to boot into fastboot.
    Time to flash your unlock file.
    Code:
    fastboot -i 0x1949 flash unlock 0xmmssssssss.unlock
    You must obtain "unlock code is correct".
    Grats. You are perfect =)
    You can flash:
    CM13 - http://forum.xda-developers.com/kin...ment/rom-cm-13-kindle-hdx-2015-11-29-t3259732
    CM 12.1 - http://forum.xda-developers.com/kin...ent/rom-cm-12-unofficial-apollo-thor-t3050199
    Or stock repacked latest 4.5.5.2 rom - https://drive.google.com/open?id=0B2twXJIOgv-UVFFtN2RYNXNUZ0k (13.x - thor, 14.x - apollo)
    Do not flash original stock firmwares.

    Regards and thank to all - @dpeddi, @vortox, @draxie, @ggow, @Ralekdev, @jcase, @Hashcode
    And greatest thanks for motherboard for my experiments to @MahmudS !
    31
    Steps unlock bootloader and needed files

    this is the details step for unlocking bootloader for the 2013 Kindle HDX 7 (Thor) and HDX 8.9 (Apollo). Becarefull the 2014 HDX 8.9 (Saturn) doesn't work! These steps are done in Windows 10, successfully checked by myselft!
    i don't take any credits, just collect all the steps in one post of the whole process.

    Download the needed files are in the attachment, just download them all + the TWRP for your device from this thread: TWRP 3.1.1-1
    You do NOT need root for these steps!

    1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder. After that install the kindle_fire_usb_driver.
    2. Turn on ADB-Debuging Mode in Developer Mod by tapping 7 times the build numbers in settings and connect to your computer + trust your device.
    3. Excecute "get_code.bat" in the folder above, you will get a new file: unlock.code in the folder.
    4. Open CMD in the folder and run "adb reboot bootloader", the Kindle will reboot to bootloader with "[ fastboot ]" on the display
    5. On the Computer go to Device-Manager and change driver in "Other Android" to "Fire Devices - Android Adb Composite Driver" . It should say "Ready" on the Kindle.
    6. Now we need to enter Bulk-Mode like the instruction in this thread: Bulk Mode
    Type:
    Code:
    fastboot -i 0x1949 erase aboot
    fastboot -i 0x1949 reboot

    NB: this will be scary as you'll lose 'fastboot' and only see a black screen.
    Your device should reboot into "bulk mode" resulting in a number of pop-up
    windows asking to format all the partitions that get exposed (at least, on Windows 10).
    DO NOT format anything! Follow the above instructions instead.

    Open a command window (cmd) and run the following commands:

    Code:
    wmic partition where index=22 get diskindex
    wmic partition where (index=17 and numberofblocks=20480) get diskindex
    wmic partition where (index=5 and numberofblocks=4096) get diskindex

    All three of the above commands should return the same DiskIndex. Let's call that index X.

    In the command window, run the following two commands with the right aboot&twrp files for your device
    (you will need to substitute the DiskIndex X from above in place of the X):


    Code:
    dd of=\\?\Device\HarddiskX\Partition6 if=aboot_vuln.mbn
    dd of=\\?\Device\HarddiskX\Partition18 if=twrp_cubed.img

    This error message on the first command seems normal: "Error reading file: 87 The parameter is incorrect"
    NB: make sure you run both commands! Without TWRP, you'll get a brick.

    Wait a few minutes for good measure; then, keep holding Power + VolUp until your device enters TWRP.

    7. When done, hold down the power button until it reboots. Now you will be at Bootloader with [Fastboot] sign on the screen. Change the drive in Device-Manager again if needed.
    8. Run the "unlock.bat" in the folder and you should get a green line: "unlock code is correct". Congrats your Kindle now has an unlocked bootloader.
    9. Now hold power button again to shut down the device, then hold both "power button + Volume UP" and keep them for 3-5 seconds after you see the "kindle fire" logo. Then you will get into the TWRP and flash your desire things.

    i hope this post will help others new member to free our beautifull devices!

    Cheers and happy flashing :D
    14
    Generate the unlock code on your own Kindle (no python required)

    Prerequisites
    • Platform tools (adb + fastboot) from Google
    • Fire drivers from Amazon
      (if you want something that works with *both* adb *and* fastboot, make sure you hand-pick the 'Android Composite ADB Interface' driver under 'Fire Devices' in Device Manager)
      Update Driver Software... >> Browse my computer for driver software >> Let me pick from a list [...] >> Fire Devices
    • Download and extract unlock.zip (SHA256: e5db0b8d82c8fd2a25a22b0a598014d22a2ec33cef27a8d4b65a36acde08f27a)
      to the same directory that holds the adb and fastboot executables (default: platform-tools)
      unless, of course, you have added that directory to your PATH

    Code Generation & Unlock
    1. Click on get_code.bat in the extracted folder (default: platform-tools)
      --- this replaces step 1 (including *both* 1.1 & 1.2) of the OP ---
      Check that two hex-numbers are printed (manfid+serial) and a new file 'unlock.code' appears in that folder
    2. Perform Step 2 of the OP
    3. Click on unlock.bat in the extracted folder (default: platform-tools)
      --- this replaces step 3 of the OP ---
      if you see < waiting for any device > in the Command window, you'll need to manually select a driver

    That's all folks...
    10
    BULK MODE

    it is all my fault.my device is apollo,nexus4.4.4. when unlocking bootloader,i put the wrong file into interstorage,that is thor's aboot vuln and twrp cube.and then my hdx8.9 cannot enter recovery,bootload and system,only display background light.i can still see its storage in computer,but shows do not find device in adb .so what should i do to save my apollo?i am appreciating for you help..

    Here's a set of instructions that _SHOULD_ work to recover your device.
    We had two recent successful cases, and I've only managed to brick
    one of my test devices experimenting with this.

    Nevertheless, the standard disclaimer still applies: your device, your risk.
    If anything goes wrong, I'm not responsible.


    1. Open a command window (cmd, NOT PowerShell!!) and run the following commands:
      Code:
      wmic partition where index=22 get diskindex
      wmic partition where (index=17 and numberofblocks=20480) get diskindex
      wmic partition where (index=5 and numberofblocks=4096) get diskindex
      All three of the above commands should return the same DiskIndex.
      Let's call that index X.
    2. Download and extract http://www.chrysocome.net/downloads/dd-0.5.zip.
    3. In the command window, change to the directory with the extracted dd.exe
      and run the following two commands with the right aboot&twrp files for your device
      (you will need to substitute the DiskIndex X from above in place of the red X):
      Code:
      dd of=\\?\Device\Harddisk[COLOR="Red"]X[/COLOR]\Partition6 if=aboot_vuln.mbn
      dd of=\\?\Device\Harddisk[COLOR="Red"]X[/COLOR]\Partition18 if=twrp_cubed.img
      This error message on the first command seems normal: "Error reading file: 87 The parameter is incorrect"
      NB: make sure you run both commands! Without TWRP, you'll get a brick.
    4. Wait a few minutes for good measure; then, keep holding Power + VolUp until your device enters TWRP.


    @bluecoyote, @Mr McBoatface (or anyone else starting from fastboot)
    I have all the ingredients for a script, but haven't had time to put it all together.
    The above instructions work, once you put your device into "bulk mode".
    To do so, you'll need to run these two fastboot commands:
    Code:
    fastboot -i 0x1949 erase aboot
    fastboot -i 0x1949 reboot
    NB: this will be scary as you'll lose 'fastboot' and only see a black screen.
    Your device should reboot into "bulk mode" resulting in a number of pop-up
    windows asking to format all the partitions that get exposed (at least, on Windows 10).
    DO NOT format anything! Follow the above instructions instead.

    Oh, and YES: this should also work on any unrooted & locked 3rd gen HDX device.
    You need to enable ADB and run the following command to enter fastboot:
    Code:
    adb reboot bootloader

    This is arguably faster (and less malware-ridden) than trying to root with Kingroot,
    but it's easy to make a small mistake and end up with a brick.
    7
    Although I have registered my 'thanks' on various posts it seems hollow to not explicitly recognize @ONYXis and @draxie for their tremendous contributions supporting this device both past and present. The ability to unlock virtually any rooted 3rd gen HDX is a true game changer that will revive interest in this discontinued gem that still competes nicely with contemporary offerings. Well done, gents!