[Thor][Apollo] Unlocking bootloader with any firmware

[thecharlie654]

Steps unlock bootloader and needed files

this is the details step for unlocking bootloader for the 2013 Kindle HDX 7 (Thor) and HDX 8.9 (Apollo). Becarefull the 2014 HDX 8.9 (Saturn) doesn't work! These steps are done in Windows 10, successfully checked by myselft!
i don't take any credits, just collect all the steps in one post of the whole process.

Download the needed files are in the attachment, just download them all + the TWRP for your device from this thread: TWRP 3.1.1-1
You do NOT need root for these steps!

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder. After that install the kindle_fire_usb_driver.
2. Turn on ADB-Debuging Mode in Developer Mod by tapping 7 times the build numbers in settings and connect to your computer + trust your device.
3. Excecute "get_code.bat" in the folder above, you will get a new file: unlock.code in the folder.
4. Open CMD in the folder and run "adb reboot bootloader", the Kindle will reboot to bootloader with "[ fastboot ]" on the display
5. On the Computer go to Device-Manager and change driver in "Other Android" to "Fire Devices - Android Adb Composite Driver" . It should say "Ready" on the Kindle.
6. Now we need to enter Bulk-Mode like the instruction in this thread: Bulk Mode
Type:






7. When done, hold down the power button until it reboots. Now you will be at Bootloader with [Fastboot] sign on the screen. Change the drive in Device-Manager again if needed.
8. Run the "unlock.bat" in the folder and you should get a green line: "unlock code is correct". Congrats your Kindle now has an unlocked bootloader.
9. Now hold power button again to shut down the device, then hold both "power button + Volume UP" and keep them for 3-5 seconds after you see the "kindle fire" logo. Then you will get into the TWRP and flash your desire things.

i hope this post will help others new member to free our beautifull devices!

Cheers and happy flashing

Hi. I've just attempted these steps on my thor Kindle Fire HDX 7. I completed up to step 8 successfully, however, when I ran the "get_code.bat" file in step 3, I didn't realise that it didn't create the unlock code correctly, and it resulted in a blank unlock.code file.
Therefore running the unlock.bat file results in 'unlock code not correct' and I cannot unlock the bootloader. I am stuck in fastboot, cannot access adb, therefore is there any way to get a new unlock code from the device's current state?

 

[DB126]

Hi. I've just attempted these steps on my thor Kindle Fire HDX 7. I completed up to step 8 successfully, however, when I ran the "get_code.bat" file in step 3, I didn't realise that it didn't create the unlock code correctly, and it resulted in a blank unlock.code file.
Therefore running the unlock.bat file results in 'unlock code not correct' and I cannot unlock the bootloader. I am stuck in fastboot, cannot access adb, therefore is there any way to get a new unlock code from the device's current state?

Install (flash) an older TWRP build and ROM and then use that to generate a proper unlock code/file. Don't bother with GApps, Magisk, etc. I have seen some posts claiming Lineage 14.1 will install on devices with locked bootloader (can't enable root). I prefer nexus as it goes in clean. Good luck.

 

[harlansgs]

fastboot -i 0x1949 erase aboot
fastboot -i 0x1949 reboot

Edit: for anyone else who runs into the "no -i option" error, you can just drop the "-i 0x1949" and continue with the other steps.

 

[PokeFan919]

Install (flash) an older TWRP build and ROM and then use that to generate a proper unlock code/file. Don't bother with GApps, Magisk, etc. I have seen some posts claiming Lineage 14.1 will install on devices with locked bootloader (can't enable root). I prefer nexus as it goes in clean. Good luck.

Hey, I had the same issue as the person you replied to but which version of twrp and the ROM do I download ? I flashed the thor-twrp-3.0.0-0.img( after trying the latest TWRP build )but it boots to the grey kindle logo and then to fastboot mode.

 

[DB126]

Old post, old device; have moved on. As I recall, TWRP 2.8.x.x was the go-to build for older HDX ROMs

 

[hangvupro]

Edit: for anyone else who runs into the "no -i option" error, you can just drop the "-i 0x1949" and continue with the other steps.

i do this with kindle 8.9 2014 saturn. now my cmd is not working. someone help me what to do. Thanks

 

[exokinetic]

Got it! The original post did not mention that we need to copy 'cuber' file from the 'unlock' directory into the 'adb' folder. Rest works as instructed. Running Lineage OS 14.1 now. Thanks a lot to all the contributors of this thread!

Hello Friends!
Some specs:
Kindle Fire HDX 8.9 (3rd Generation)
Device: Apollo
Model: KFAPWI
Current OS: Fire OS 4.5.5.3


So, I also followed the instructions found on page #51 of this thread: https://forum.xda-developers.com/t/...oader-with-any-firmware.3463982/post-75284993

I followed them EXACTLY...

Which means I had the same error as TheZenGuy above, but I ignored the cuber fails, and moved through the rest of the steps.

>.<

This is what I saw:
c:\adb>get_code
cannot stat 'cuber': No such file or directory
Unable to open /data/local/tmp/cuber: No such file or directory
0x000045 0x251b3b67
/system/bin/sh: /data/local/tmp/cuber: not found
rm failed for /data/local/tmp/cuber, No such file or directory
Press any key to continue . . .

This definitely seemed "off", but the instructions said that step should generate a file:
"unlock.code"
...and it would be in the folder you had just created.

And that file WAS generated, so I assumed all was good, and moved on (**** me...)
I have attached the unlock.code that was generated by the above get_code.bat

I have now opened this unlock.code with notepad++ and it is blank, no text.
I am pretty sure a blank entry is NOT going to unlock the bootloader...

spoiler alert: it doesn't

So I continue;

c:\adb>adb reboot bootloader
c:\adb>fastboot -i 0x1949 erase aboot
erasing 'aboot'...
OKAY [ 0.052s]
finished. total time: 0.054s

...GULP...

c:\adb>fastboot -i 0x1949 reboot
rebooting...

finished. total time: 0.022s

Well, that looks right...
c:\adb>dd of=\\?\Device\Harddisk1\Partition6 if=emmc_appsboot-14.3.2.3.2_user_323001720.mbn
rawwrite dd for windows version 0.5.
Written by John Newbigin <[email protected]>
This program is covered by the GPL. See copying.txt for details
Error reading file: 87 The parameter is incorrect
677+1 records in
677+1 records out

c:\adb>dd of=\\?\Device\Harddisk1\Partition18 if=apollo-twrp-3.5.0_9-1.img
rawwrite dd for windows version 0.5.
Written by John Newbigin <[email protected]>
This program is covered by the GPL. See copying.txt for details
19128+0 records in
19128+0 records out

And that also appears to go as planned, I got the predicted Error reading file: 87 The parameter is incorrect, smooth sailing...?
c:\adb>unlock
error: device '(null)' not found
target reported max download size of 1073741824 bytes
sending 'unlock' (0 KB)...
FAILED ()
finished. total time: 0.003s
Press any key to continue . . .

Fuuuuuuuuuuuuuuuuu
/fail
[fastboot] - bootloop - softbricked
Power Button + Volume Up will NOT boot in to TWRP (unsuprising given the bootloader is still locked)

For reference, this is what I see on the Kindles screen:

getvarartition-type:unlock...Ok.
getvar:max-download-size...[[ 0x40000000 ]].
Ready.

Firstly;

error: device '(null)' not found

???

This is what I see in device manager;

Secondly;

I noticed that there was a file in the attached archives that I was NOT instructed to move to the working adb folder that had a name I had seen when doing the cmd line operations:

CUBER

So, I searched this thread for 'cuber' and my suspicions were confirmed, cuber was SUPPOSED to be copied into the working adb folder (for future reference, are any of the OTHER files in the attached archives ALSO supposed to be in the working adb folder? like get_code.sh and unlock.sh?)

-it would just seem like common sense that ALL the files on those attached archives should have been placed into the working adb folder, but you know, the intructions were pretty explicit about what files should be copied into the folder

"1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder."

Install the adb-setup-1.4.3 into a folder (for example: C:/adb)

Okay, folder C:\adb\ created and it contains:

adb.exe
AdbWinApi.dll
AdbWinUsbApi.dll
fastboot.exe

extract dd-0.5.zip + unlock.zip + aboot-xxx.zip

Okay, extracted to folders with the same name, waiting for further instructions (it does not say WHERE to extract them TO)

put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder.

Okay, 5 explicitly referenced files are placed into THAT folder. (it seems impled that ONLY THOSE files should be copied into THAT folder)

In my case the folder now contains:
adb.exe
AdbWinApi.dll
AdbWinUsbApi.dll
fastboot.exe
dd.exe
get_code.bat
unlock.bat
apollo-twrp-3.5.0_9-1.img
emmc_appsboot-14.3.2.3.2_user_323001720.mbn


As a last attempt to save my ass, after reading the quoted post about cuber, I moved cuber into my adb folder and tried to fire off another get_code.bat:

c:\adb>get_code
error: device '(null)' not found
error: device '(null)' not found
error: device '(null)' not found
error: device '(null)' not found
error: device '(null)' not found
Press any key to continue . . .

/EPIC FAIL

^^^Kindle is booted into fastboot bootloader, device manager correctly seeing the fire device and with the right driver assigned as per the screenshot above

additionally, the command:

fastboot -i 0x1949 reboot

works perfectly fine and re-boots the device, suggesting the device is absolutely not '(null)'


So, currently soft bricked, and stuck in a fastboot bootloop.

Theoretical ideas:

Is it ridiculous to think I could attempt to use someone elses unlock.code file? (it seems to me this was going to be some kind of a uniquely generated hash, but I certainly dont know)

If I could get out of this bootloop and load back into FireOS it would seem like I could fire off another get_code.bat (with CUBER in the adb folder!) and get this baby flashing like TheZenGuy thankfully managed...

So, from my current position, do I try re-installing the "vulnerable" aboot from the instructions attachments and see if I can get it to boot into FireOS so I can start over again? (seem unlikely given theOS version mis-match)

Do I try re-installing some other aboot file that is relative to my apollo hardware and current 4.5.5.3 Fire OS?
^*scratching cheek* anyone got any links?^

Does anyone have any ideas for me to get back into FireOS so I can start over?


And as an asside;

I messaged Draxie earlier today for a link to their "1 Click Bootload Unlock" VM Script; and it is suggested over there that it has worked on fire devices that were in a soft brick state, so perhaps, even if I can not make any progress from here, all is not lost?


Thank you for reading this wall of a post, any help would be greatly appreciated!

/Exo

 

[exokinetic]

Power Button + Volume Up will NOT boot in to TWRP (unsuprising given the bootloader is still locked)

Okay, upon noticing most users were doing this with TWRP 3.1.1.1;

"the needed files are in the attachment, just download them all + the TWRP for your device from this thread: link"

^^^It would be nice if that explicitly stated to grab the 3.1.1.1 version for your device (apollo vs thor)

I restarted from bulk mode + dd'd the vuln_aboot and twrp 3.1.1.1

One step forward...

Now I CAN boot into TWRP with the Power + Volume Up combination;

Now if I have been following along like a good little student, then;

All I need to do now is grab -any- ROM image that does NOT require an unlocked bootload to flash through TWRP?

Flash any vanilla ROM, boot into ROM, adb get_code.bat (WITH CUBER IN THE DAMN FOLDER), verify unlock.code is 256 bytes

/PROFIT

Now, there was a user that was helping multiple users through this SAME ISSUE, and part of the solution involved posting up a link for a Nexus ROM that had been developed FOR the Fire HDX, which did NOT require an unlocked bootloader...

Unfortunatly, those links are all dead now. /sadface

Am I correct in understanding that -any- AEX or Nexus flavored ROM should work for the same purpose?

...one way to find out...

/Exo

 

[exokinetic]

Okay friends!

keyword: cuber

Now that I have a nice fresh instance of Lineage-16 running on my HDX, thanks to the brilliant and helpful minds floating around here...

A huge thank you to Draxie for holding my hand through this, and a big thank you to everyone who has worked on this development.

I thought I would share how I managed to make it through!

So, to begin; the orriginal instructions that most people will find referenced for "unlocking the bootloader" on your Kindle Fire HDX 8.9 are -almost- perfect;

Step 1.

This line:

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder.

Is missing one file (cuber) that needs to be placed "into that folder" (the folder you install adb into, from the example C:\adb )

The line SHOULD READ:

1. Install the adb-setup-1.4.3 into a folder (for example: C:/adb), extract dd-0.5.zip + unlock.zip + aboot-xxx.zip, put dd.exe + get_code.bat + unlock.bat + cuber + twrp image (for your device) + aboot_vuln.mbn (for your device) into that folder.

(can a Moderator please edit post #1,006 to reflect the above change? as in, ADD "+ cuber" -so no one else has to get stuck here)

Cuber -must- be in the adb folder you use for this set of instructions, or you will encounter an.... ERROR!


So, lets say you fell into the n0-cuber trap...

How do you get out of your now softbrick state?

Well, you had BETTER HOPE you still have your console open where you attempted to complete the instructions.
(I dont know if a log-file of command prompt history gets saved anywhere in Windows, if it does, you are in luck, and you MUST find this in order to follow my particular set of bread crumbs)

The information you are going to need (hash text) actually came back as a return in the command prompt window you were working in when you attempted step 3.

Specifically:

Step 3.

3. Excecute "get_code.bat" in the folder above, you will get a new file: unlock.code in the folder.

When you do that WITHOUT cuber in your adb folder, you will get a return that look SIMILAR to this:

C:\adb>get_code
cannot stat 'cuber': No such file or directory
Unable to open /data/local/tmp/cuber: No such file or directory
0x000045 0x251b3b67
/system/bin/sh: /data/local/tmp/cuber: not found
rm failed for /data/local/tmp/cuber, No such file or directory
Press any key to continue . . .

(coloring/ bolding added for clarity, your console will display all this text as the same color/formating)

That bold/green text is your key out of softboot purgatory, this is why you MUST have the console you orriginally attempted the instructions in still open, or have a backup/ log-file history saved somewhere
(I have no idea if windows does this automatically -I would assume not...)

You WILL generate a file called "unlock.code" -EXCEPT, it will have a size of 0kb (exceedingly useless)
-your unlock.code -should- have a filesize of: 256 Bytes

Unsuprisingly, when you get to the last step:

Step 8.

8. Run the "unlock.bat" in the folder and you should get a green line: "unlock code is correct". Congrats your Kindle now has an unlocked bootloader.

You will NOT receive "unlock code is correct" (you will not pass go, and you will not collect $200)
-sad face

What you WILL receive will look SIMILAR to this:

C:\adb>unlock
error: device '(null)' not found
target reported max download size of 1073741824 bytes
sending 'unlock' (0 KB)...
FAILED ()
finished. total time: 0.003s
Press any key to continue . . .

And you will be a sad panda.


So, how did I make out of this epic fail?

Enter @draxie

I let draxie know I needed a little help, and after reading my orriginal post, they spotted the necessesary information to generate a GOOD unlock.code file:

This is the response I got from @draxie:
I saw the relevant info printed in one of your recent
very detailed forum posts: 0x000045 0x251b3b67.

That's really _all_ you need and a version of `cuber` that runs on _some_ HW
you have access to. Both C and Python implementations have been posted.

BUT, the attachment should save you the trouble of searching and compiling...


So, Draxie was a champ, and compiled the unlock.code file FOR ME -thank you Draxie!

But, if you have been following along;

You need:

-The two hash's YOU got from the first time you attempted get_code.bat
(I believe these will absolutely be unique to your individual device, no one elses unlock.code will work for your device -someone please correct me if I am wrong here)

-Any version of cuber and hardware (like, a laptop) to run it on in order to compile the unlock.code

-The understanding of how to tell cuber to use YOUR hash text to compile a new unlock.code file
(if anyone that knows how to do this wants to provide exact instructions for the above, it would probably help someone)

Once you generate the new /GOOD unlock.code using cuber and your hash text (and replace the /BAD one in your /adb folder), boot the device back into fastboot and fire off the unlock.bat again.

-GOOD LUCK!-

--------------------------------------------------------------------------------------------------------------------------------------

Alternatly: (I have no idea how to do this from the current fastboot bootloop state you will be stuck in) you need to get a stock factory Kindle Fire HDX image (actually, -any- ROM you can get flashed and boot in to will work) flashed back onto your device so you can boot into the OS.

If you can get it to boot back into -ANY- OS (I read that some custom ROM's wont require an unlocked bootloader in order to flash onto the Fire HDX, for example) then, while the device is booted into the OS, you can run get_code.bat again (with cuber in your adb folder this time!) in order to generate a good unlock.code.

--------------------------------------------------------------------------------------------------------------------------------------

Once you have you unlocked bootloader, (gasp!)...

I followed the instruction found here -EXACTLY- in order to install a rather stable version of LineageOS-16 onto my Fire HDX.

Call me one happy camper.

In case I haven't done it enough in this post... -THANK YOU DRAXIE!


/Exo