[TUT] ROOT HD8(2018) via Magisk + [TWRP] + [Xposed]


bibikalka

Senior Member
May 14, 2015
1,426
1,112
Update - September 7th, 2019.

There is a more convenient method now by @k4y0z that can achieve the same unlocking objectives with fewer user commands. Please head over to this thread to achieve unlocking.

Thanks again to all who used the original method below, and hopefully you are enjoying your unlocked device!



The original post using lots of terminal commands in order to unlock


We are there! We have several fully successful attempts by @glate and @daymz (in addition to 3 partial successes earlier - thanks to @leakcheck, @spdqbr, @ShayBox). I have updated the instructions for further clarity. Please report back if there are issues. Still, be prepared to remove the back cover as described in this link in the rather unlikely case things go wrong.

First of all, full credit to @xyz` and @diplomatic, since the approach here 100% relies on their great work!

Motivation for this post: make obtaining root on Fire HD8 2018 simpler, without removing the back cover of your tablet. You will also preserve your current FireOS version, and all your user apps and settings (meaning, no Factory Reset).

Skill level required: moderate - since you will need to work with Linux and Python. HD8 2018 has Android version 7, and therefore will use Magisk for root management.

Legalese, or the standard disclaimer: While every effort has been made to ensure the accuracy of these instructions, any and all risk you take with this procedure is entirely yours. Please pay attention, and proceed with care! Happy unlocking!!!

Notice. If you already have a working TWRP from a prior effort, you should start at Step 11 or 12 depending on what you need to do! With TWRP, the tablet is already under your full control! Unlocking is a one time thing! Post on XDA what you are trying to do, and you will be helped!

Here we go:
  1. Get access to Linux, install Linux tools required as per the original work by @xyz` in this link (click Thanks there!!!). Specifically, on Debian/Ubuntu do this "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot". Download attached amonet-lite.zip to Linux.
  2. Download attached unlock_images.zip, unpack it, place the individual image files into /sdcard/00 folder on your tablet (create /sdcard/00 folder on your tablet if it does not exist - "adb shell mkdir /sdcard/00")
  3. Download attached finalize_no_ota.zip to /sdcard/00 on your tablet
  4. Download Magisk to /sdcard/00 from here: Magisk-v18.0.zip If you like to live on the bleeding edge, and will be itching to upgrade, also download the latest and greatest Magisk zip - link (at present -version 18.1).
  5. Noob protection: drain the tablet battery to some low number, ~3% (this is a safety measure, in case you later get a freeze while in BootRom). Use the Fast Discharge app from the Google Play Store if you are impatient. If you do get a freeze in BootRom, your Fire will discharge about ~1% per hour. The battery has to discharge to 0% for the device to exit the BootRom mode. So for a battery at 50% you will be waiting ~2 days.
  6. Get an adb root shell via mtk-su (arm version, not arm64), following this method by @diplomatic (click Thanks there while you are doing it!!!). You may not get a proper full root on the very first try. Specifically, if the ls command fails, exit the shell via the exit command, and run mtk-su again.
  7. In this root shell, obtained in the previous step, first, and foremost, please verify that your prompt looks something like this : [karnak:/data/local/tmp #]. Specifically, that your device is really a karnak (i.e., HD8 2018). If you have a different device, MISSION ABORT, and do refer to the original rooting thread for instructions on how to permanently root YOUR type of device. If you do have a karnak, proceed to do the following operations.

    Run the following commands
    Code:
    dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/00/boot_orig.img
    dd if=/dev/block/platform/soc/11230000.mmc/by-name/lk of=/sdcard/00/orig_lk.bin
    dd if=/dev/block/platform/soc/11230000.mmc/by-name/tee1 of=/sdcard/00/orig_tz.bin
    dd if=/dev/block/mmcblk0boot0 of=/sdcard/00/orig_boot0.bin
    dd if=/dev/zero of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
    dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
    md5sum /sdcard/00/unlock_lk.bin; md5sum /sdcard/00/unlock_tz.bin; md5sum /dev/block/platform/soc/11230000.mmc/by-name/recovery
    Make sure the above commands run without any errors!!! If there are errors, check whether you perhaps did not put the image files into /sdcard/00. Below are the checksums you should see; take a moment to ensure that they match!!! If the checksums don't match, mission ABORT! Come back here and paste your output. You can disconnect your tablet for the time being.
    Code:
    90ee125c08abc999f78325d30e26a388  /sdcard/00/unlock_lk.bin
    982513e70d6de114ed4a9058a86de848  /sdcard/00/unlock_tz.bin
    faae811e229f0a7780fd130a286d3c47  /dev/block/platform/soc/11230000.mmc/by-name/recovery
    If everything looks good, proceed with updating the rest, and wiping the preloader which will enable the BootRom mode:
    Code:
    dd if=/sdcard/00/unlock_lk.bin of=/dev/block/platform/soc/11230000.mmc/by-name/lk
    dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee1
    dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee2
    dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/boot
    dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
    echo 0 > /sys/block/mmcblk0boot0/force_ro
    dd if=/dev/zero of=/dev/block/mmcblk0boot0
    echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0
    md5sum /dev/block/mmcblk0boot0
    (Thanks to @k4y0z, @Rortiz2, @retyre, @hwmod for figuring out the last step!!!)
  8. You are now in a properly bricked state. Disconnect the USB cable, turn off your tablet. It's a nice brick ;)
  9. On Linux, you will now finish all the work required to unlock your tablet.

    First make sure to uninstall/disable ModemManager (very mission critical!!!) [on Ubuntu: "sudo apt-get remove modemmanager"]. Next, run these commands:
    Code:
    unzip amonet-lite.zip
    cd amonet-lite
    chmod 755 ./bootrom-step.sh
    sudo su
    ./bootrom-step.sh
    Attach your properly bricked tablet to your Linux computer with a USB cable; do try to use a pure USB2 port on your PC (if you have one). Your tablet should come up in BootRom mode, and start interacting with the bootrom-step.sh script above (watch the output in the Linux terminal). The tablet screen will be off and you won't see anything. Follow the bootrom-step.sh script instructions. When the script prompts "Remove the short and press Enter", just press Enter (there is no short in this method!). Hopefully, everything works. If it freezes before finishing, disconnect the tablet, and let it sit for a few hours (please report back if you had to wait for the battery to drain here - mainly for statistics). The battery should drain, and the tablet will leave BootRom mode. Try again in a few hours by re-running bootrom-step.sh, and connecting your bricked tablet to your Linux computer.
  10. Here your tablet should have rebooted to TWRP. The screen might be blank, try to hit Power button twice to wake TWRP up. If you still don't see anything, try to turn the tablet off by holding the Power button. If nothing works, wait for the battery to drain, and then re-try.
  11. Once TWRP comes up, go to "Install/Install Image", and install /sdcard/00/boot_orig.img to the boot partition (here we are returning your original boot image to its proper partition)
  12. In TWRP, go to "Install", select Magisk zip from /sdcard/00, and install. Version 18.0 is known to be rock solid, the newer 18.1 may or may not work OK. If you do flash 18.1, please watch for TWRP installation errors.
  13. In TWRP, go to "Install", select finalize_no_ota.zip from /sdcard/00, and install. You only need to do this once per new system image, to make sure OTA is disabled. You don't need to repeat this if you did not upgrade/sideload a fresh ROM. It will give an error message if it was already run before - in such a case ignore the error.
  14. In TWRP, reboot
  15. You should now be back in FireOS, but with Magisk for root. If you don't see Magisk Manager in your app list, install it via apk downloaded from this link. If you are bootlooping due to Magisk, reboot to TWRP using Pwr+Vol buttons, and start at Step 11 but using 18.0 Magisk this time.
  16. If you would like to install Xposed, proceed to this post #2.
  17. If your FireOS is not the latest version (6.3.0.1 at present), use instructions in post #3 to upgrade.

Notice. If you modify your tablet to the point of an unrecoverable bootloop, check if you can still boot TWRP. If you can, then you are still unlocked, and have simple ways to recover!!! Do not rush into doing a Factory Reset, reloading your OS, sideloading the stock Amazon ROM, repeating the full above procedure, etc. Come back here, ask questions, and wait for a competent answer. If TWRP is available, everything is relatively easy to fix!!!

TWRP system restore warning: Avoid backing up & restoring your system via TWRP. Unless you fully understand the current HD8 unlocking hack, unpleasant bricks may result! You are better off re-loading the fresh stock back (/system + /boot only) via TWRP, and then immediately re-applying Magisk and finalize zip. This way if you get into a bootloop, your TWRP is still there.

Q&A :
Q: How is this different from the approach by @xyz`? A: No need to remove the back cover. Also, the modified amonet script writes only ~4% of the data in the BootRom mode compared to the original method, thus reducing the chances of a freeze in case BootRom access is flaky. Finally, the battery pre-drain should enable BootRom to die reasonably quickly if it does freeze.


Want to say thanks by clicking the "Thanks" button ? ;)
 

Attachments

  • unlock_images.zip
    15.5 MB · Views: 8,572
  • finalize_no_ota.zip
    1.1 KB · Views: 7,372
  • amonet-lite.zip
    108 KB · Views: 7,495
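The step-7 sequence from the post above, wrapped so that nothing is written unless the checksums match, as an added example that is not part of the original post or of amonet. The expected MD5 sums and the by-name block paths are the ones the guide lists; the function names, the DRY_RUN switch (dry by default, so the first run only prints the dd commands), the re-check of the recovery partition before the rest is written, and leaving the preloader wipe to be typed by hand are this script's own assumptions. It is meant to be run from the mtk-su root shell on the tablet (toybox/mksh), e.g. `DRY_RUN=0 sh flash_gate.sh /sdcard/00`.

```shell
#!/bin/sh
# Added example, not from the original post: a checksum gate around the
# guide's step-7 write sequence. No partition is touched unless the unlock
# images hash to the sums the guide lists, and the recovery partition is
# re-verified after it is written. The sums and the by-name paths are the
# guide's; helper names, DRY_RUN and skipping the preloader wipe are mine.

BLK=/dev/block/platform/soc/11230000.mmc/by-name

# Sums the guide says you must see before going further.
LK_MD5=90ee125c08abc999f78325d30e26a388         # unlock_lk.bin (file)
TZ_MD5=982513e70d6de114ed4a9058a86de848         # unlock_tz.bin (file)
RECOVERY_MD5=faae811e229f0a7780fd130a286d3c47   # recovery partition, after the write

# check_md5 EXPECTED PATH: 0 only if PATH is readable and hashes to EXPECTED.
check_md5() {
    expected="$1"; path="$2"
    if [ ! -r "$path" ]; then
        echo "missing or unreadable: $path" >&2
        return 1
    fi
    actual=$(md5sum "$path"); actual=${actual%% *}   # toybox/busybox print "hash  path"
    if [ "$actual" = "$expected" ]; then
        echo "ok        $path"
        return 0
    fi
    echo "MISMATCH  $path: got $actual, want $expected" >&2
    return 1
}

# run CMD...: print the command; execute it only when DRY_RUN=0 (default is dry).
run() {
    if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; else echo "+ $*"; fi
}

# verify_unlock_images DIR: both image files must match before any write.
verify_unlock_images() {
    check_md5 "$LK_MD5" "$1/unlock_lk.bin" && check_md5 "$TZ_MD5" "$1/unlock_tz.bin"
}

# The guide's third sum is of the partition, not of the image file, so it can
# only be checked after the write; in a dry run there is nothing to check.
verify_recovery_partition() {
    if [ "${DRY_RUN:-1}" != "0" ]; then
        echo "(dry run) would verify $BLK/recovery against $RECOVERY_MD5"
        return 0
    fi
    check_md5 "$RECOVERY_MD5" "$BLK/recovery"
}

# flash_unlock DIR: step 7 in gated order. Returns 1 and writes nothing if the
# images do not verify. The preloader wipe (the point of no return) is left
# out on purpose: type it by hand, exactly as the guide shows, after success.
flash_unlock() {
    dir="$1"
    verify_unlock_images "$dir" || {
        echo "ABORT: unlock images do not match the guide's checksums; nothing written" >&2
        return 1
    }
    # backups first, as in the guide
    run dd if="$BLK/boot" of="$dir/boot_orig.img"
    run dd if="$BLK/lk"   of="$dir/orig_lk.bin"
    run dd if="$BLK/tee1" of="$dir/orig_tz.bin"
    run dd if=/dev/block/mmcblk0boot0 of="$dir/orig_boot0.bin"
    # recovery: zero it, write the image, re-verify before touching lk/tee/boot
    run dd if=/dev/zero of="$BLK/recovery"
    run dd if="$dir/unlock_recovery-inj.img" of="$BLK/recovery"
    verify_recovery_partition || {
        echo "ABORT: recovery partition checksum wrong; lk/tee/boot untouched" >&2
        return 1
    }
    run dd if="$dir/unlock_lk.bin" of="$BLK/lk"
    run dd if="$dir/unlock_tz.bin" of="$BLK/tee1"
    run dd if="$dir/unlock_tz.bin" of="$BLK/tee2"
    run dd if="$dir/unlock_recovery-inj.img" of="$BLK/boot"
    run dd if="$dir/unlock_recovery-inj.img" of="$BLK/recovery"
    echo "done; now wipe the preloader by hand as the guide shows"
}

if [ $# -gt 0 ]; then
    flash_unlock "$1"
fi
```

The point of the gate is the order: the guide already asks you to eyeball three sums, but a typo in the dd lines or a half-downloaded zip is exactly the kind of mistake that is caught only if the comparison happens before the first destructive write and the script refuses to continue on its own. Run it once dry, read the printed dd lines, then run it with DRY_RUN=0.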

bibikalka

Senior Member
May 14, 2015
1,426
1,112
Magisk modules, and, Xposed in particular

In this post I shall cover the installation of Magisk modules and Xposed, since this operation has presented certain challenges in the past.

Once you have Magisk up and running, install a couple of useful modules first.
  1. Busybox-1.29.2-YDS-ARM.zip. You can flash it either via Magisk, or in TWRP. It makes limited modifications to the system, and is very benign in terms of causing any bootloop issues (pretty much unheard of!).
  2. Magisk Manager for Recovery Mode (mm). Please download this zip to /sdcard/00, and flash via TWRP. Run it in TWRP, and familiarize yourself fully with its features. Specifically, try to disable the above Busybox module, reboot to OS, and observe that the Busybox module is disabled. This module is your ticket out of any bootloop when you try to install more aggressive Magisk modules!

Now that you are familiar with ways to disable bootloop-y Magisk modules via TWRP, proceed to install Xposed. Thanks to @delessio100 (link) for helping me to sort things out on my first attempt!
  1. Download the attached Xposed_Framework_(SDK_25)-89.3_(Systemless).zip to /sdcard/00
  2. Reboot to TWRP, and flash it
  3. Reboot to OS, and be prepared to wait a good 10-15 minutes. The first boot is unusually long, and it looks like things are in a bootloop. Things may be fine, just slow, wait!!! Most likely, you shall boot into FireOS, just have patience.
  4. If the bootloop is continuing for more than 20 minutes, turn the tablet off via the long Power button press, and reboot to TWRP (Vol buttons + Power together). Run the above mm module (in TWRP terminal, type either mm, or /data/media/mm). Disable Xposed, and reboot to OS. You should boot back into OS without issues. Report your failure back to XDA, and wait for advice.
  5. Install XposedInstaller_3.1.5-Magisk.apk from this link, and verify that the Xposed framework (Systemless) is active.
  6. Install some modules from the list below, activate them in Xposed Installer/Modules, and reboot
In case you get into bootloop while installing other Magisk modules, simply disable those via mm. Then search for solutions on XDA ;)

My favourite Xposed modules

  1. App Settings, version 1.15. This module helps to control misc per-app settings. My main use - make Chrome tabs look like those on a cell phone, without tabs on top, see this link for examples. AppSettings for Chrome on HD8 to trigger the cell phone look: DPI 240, screen(dp) - 320x480.
  2. Gravity Box - add a network traffic indicator to the status bar, I like to see how much data is coming in/leaving. Also, change battery color.
  3. No Play Games. This will stop bugging you about Google Play Games installation for certain games
  4. Per App Hacking - more options to change settings for a single app
  5. XVolume30 - improve volume control, with more steps
 

Attachments

  • Xposed_Framework_(SDK_25)-89.3_(Systemless).zip
    15.8 MB · Views: 1,896

bibikalka

Senior Member
May 14, 2015
1,426
1,112
How to upgrade FireOS version:

At this moment 6.3.0.1 is the latest version. If you have something older, just flash the 6301 zip file from this link in TWRP. After the flash, re-apply Magisk and its modules. Clear cache & dalvik in TWRP before reboot.
 

leakcheck

Member
Apr 28, 2014
14
8
Is it required to create the sdcard/00? I can't seem to find the folder, at least in the internal storage, when connected over USB to it.
 

leakcheck

Member
Apr 28, 2014
14
8
So far so good I am at reboot to unlock fastboot!

---------- Post added 03-03-2019 at 12:01 AM ---------- Previous post was 02-03-2019 at 11:56 PM ----------

Hmm things looked good but now darkness lol
It had finished and said reboot to unlock fastboot but now nothing, power button does nothing.
 

bibikalka

Senior Member
May 14, 2015
1,426
1,112
So far so good I am at reboot to unlock fastboot!

---------- Post added 03-03-2019 at 12:01 AM ---------- Previous post was 02-03-2019 at 11:56 PM ----------

Hmm things looked good but now darkness lol
It had finished and said reboot to unlock fastboot but now nothing, power button does nothing.

OK. It may be still stuck in BootRom? If the cover is removed, could you disconnect the battery? Could you post the Linux log here?
 

leakcheck

Member
Apr 28, 2014
14
8
OK. It may be still stuck in BootRom? If the cover is removed, could you disconnect the battery? Could you post the Linux log here?

[email protected]:~$ cd /home/admin/Downloads
[email protected]:~/Downloads$ cd /home/admin/Downloads/amonet-lite
[email protected]:~/Downloads/amonet-lite$ chmod 755 ./bootrom-step.sh
[email protected]:~/Downloads/amonet-lite$ sudo su
[email protected]:/home/admin/Downloads/amonet-lite# .bootrom-step.sh
.bootrom-step.sh: command not found
[email protected]:/home/admin/Downloads/amonet-lite# ./bootrom-step.sh
[2019-03-02 17:54:19.837131] Waiting for bootrom
[2019-03-02 17:54:34.187944] Found port = /dev/ttyACM0
[2019-03-02 17:54:34.188213] Handshake
[2019-03-02 17:54:34.188569] Disable watchdog

* * * Remove the short and press Enter * * *


[2019-03-02 17:55:56.007937] Init crypto engine
[2019-03-02 17:55:56.029801] Disable caches
[2019-03-02 17:55:56.030372] Disable bootrom range checks
[2019-03-02 17:55:56.044687] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-03-02 17:55:56.049490] Send payload
[2019-03-02 17:55:56.588729] Let's rock
[2019-03-02 17:55:56.589343] Wait for the payload to come online...
[2019-03-02 17:55:57.321067] all good
[2019-03-02 17:55:57.321628] Check GPT
[2019-03-02 17:55:57.660554] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-03-02 17:55:57.660890] Check boot0
[2019-03-02 17:55:57.906247] Check rpmb
[2019-03-02 17:55:58.115712] Downgrade rpmb
[2019-03-02 17:55:58.117623] Recheck rpmb
[2019-03-02 17:55:59.012188] rpmb downgrade ok
[2019-03-02 17:55:59.012691] Inject microloader
[4 / 4]
[2019-03-02 17:55:59.343207] Flash lk-payload
[4 / 4]
[2019-03-02 17:55:59.709695] Flash preloader
[288 / 288]
[2019-03-02 17:56:11.854171] Reboot to unlocked fastboot

---------- Post added at 12:24 AM ---------- Previous post was at 12:17 AM ----------

I tried pulling the battery and now I get this when I try to connect via bootrom-step

[email protected]3:/home/admin/Downloads/amonet-lite# sudo ./bootrom-step.sh
[2019-03-02 18:12:58.394533] Waiting for bootrom
^[[B[2019-03-02 18:13:06.513079] Found port = /dev/ttyACM0
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 265, in open
self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
FileNotFoundError: [Errno 2] No such file or directory: '/dev/ttyACM0'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "main.py", line 123, in <module>
main()
File "main.py", line 51, in main
dev.find_device()
File "/home/admin/Downloads/amonet-lite/modules/common.py", line 80, in find_device
self.dev = serial.Serial(port, BAUD, timeout=TIMEOUT)
File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 240, in __init__
self.open()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 268, in open
raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 2] could not open port /dev/ttyACM0: [Errno 2] No such file or directory: '/dev/ttyACM0'
 

bibikalka

Senior Member
May 14, 2015
1,426
1,112

OK. Thank you for your valuable service!!! I will carefully check my procedure.

I think you are now coming up in the preloader mode, since the preloader now appears to be working fine. Disconnect the battery, and attempt to short the contacts, following the original procedure here: https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256

My procedure is a one shot option, once the preloader is restored, you are back to shorting contacts.
 

leakcheck

Member
Apr 28, 2014
14
8
Awesome, ok, now the shorting contact method worked, however I am not sure what I am supposed to do from here. The directions say I can use fastboot devices to check to see if it's good to start the fastboot-step.sh process (allegedly I should see an Amazon logo). I am not seeing the logo, do you know if this is a long process?
 

bibikalka

Senior Member
May 14, 2015
1,426
1,112
I think I have it! Took me several tries and many reboots! Thanks for all the help!

Great! I've updated instructions to have some quality control along the way as to avoid some critical user errors. I have also kept amonet script as close to the original as possible. Will be asking for more volunteers :D
 

diplomatic

Senior Member
Mar 12, 2017
1,410
1,921
Nice guide, @bibikalka!

Although I can't help but think this could be made easier. If you guys update the LK exploit for the latest FW, then you won't need to reboot to the bootrom. If I understand correctly, the only reason that's necessary is to downgrade. Otherwise, everything could be flashed from the OS. And even if there is no way around clearing the RPMB, I'm pretty sure the crypto stuff could be done from the OS as root too.
 

bibikalka

Senior Member
May 14, 2015
1,426
1,112
Nice guide, @bibikalka!

Although I can't help but think this could be made easier. If you guys update the LK exploit for the latest FW, then you won't need to reboot to the bootrom. If I understand correctly, the only reason that's necessary is to downgrade. Otherwise, everything could be flashed from the OS. And even if there is no way around clearing the RPMB, I'm pretty sure the crypto stuff could be done from the OS as root too.

Excellent points! I raised them before. And, there are a few practical challenges to consider ;)

Updating LK exploits is very time consuming. It's easier to have people install Linux, and clear RPMB, than to hack every new LK version.

For example, I could not convince @xyz` yet to even fix his current exploit. As is, it writes at 2Mb offset into boot0 which is only 1Mb in size. So no easy dd access to the exploit address for now ...

Also, the approach presented here is quite generic: if HD10 gained an unlock, one could again clear RPMB, and use whatever LK was hacked.

A few people could get by without clearing rpmb, but these would always be in minority ... So the current foolproof method is more complex, but also more general as well. It's a compromise! :D
 

spdqbr

Member
Dec 1, 2011
10
3
I made it to bootrom-step.sh, and that appears to have run successfully. However now when I try
Code:
fastboot reboot recovery
I get the usage message for fastboot:

Code:
# ./bootrom-step.sh 
[2019-03-04 00:27:18.798732] Waiting for bootrom
[2019-03-04 00:27:26.336656] Found port = /dev/ttyACM0
[2019-03-04 00:27:26.336890] Handshake
[2019-03-04 00:27:26.337276] Disable watchdog

 * * * Remove the short and press Enter * * * 


[2019-03-04 00:27:56.377687] Init crypto engine
[2019-03-04 00:27:56.395798] Disable caches
[2019-03-04 00:27:56.399726] Disable bootrom range checks
[2019-03-04 00:27:56.410763] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-03-04 00:27:56.412639] Send payload
[2019-03-04 00:27:57.074721] Let's rock
[2019-03-04 00:27:57.075569] Wait for the payload to come online...
[2019-03-04 00:27:57.807523] all good
[2019-03-04 00:27:57.807917] Check GPT
[2019-03-04 00:27:58.164678] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22480863)}
[2019-03-04 00:27:58.164880] Check boot0
[2019-03-04 00:27:58.410125] Check rpmb
[2019-03-04 00:27:58.619520] Downgrade rpmb
[2019-03-04 00:27:58.621743] Recheck rpmb
[2019-03-04 00:27:59.515990] rpmb downgrade ok
[2019-03-04 00:27:59.516232] Flash lk-payload
[4 / 4]
[2019-03-04 00:27:59.847318] Flash preloader
[288 / 288]
[2019-03-04 00:28:06.291277] Inject microloader
[4 / 4]
[2019-03-04 00:28:06.623363] Reboot to unlocked fastboot
[email protected]/amonet-lite# fastboot reboot recovery
usage: fastboot [ <option> ] <command>

commands:
  update <filename>                        Reflash device from update.zip.
  flashall                                 Flash boot, system, vendor, and --
                                           if found -- recovery.
  flash <partition> [ <filename> ]         Write a file to a flash partition.
  flashing lock                            Locks the device. Prevents flashing.
...

A few things I was able to try:

At this point I have the amazon logo on a black screen:
Holding down the power button shuts off the tablet.
Issuing
Code:
fastboot reboot
reboots the tablet to the Amazon logo
Issuing
Code:
fastboot reboot-bootloader
reboots the table and I get a black screen with just
Code:
=> FASTBOOT mode...
at the bottom

If I shut down the tablet, and rerun the script, I get the following:
Code:
# ./bootrom-step.sh 
[2019-03-04 00:39:41.574553] Waiting for bootrom
[2019-03-04 00:39:51.413047] Found port = /dev/ttyACM0
[2019-03-04 00:39:51.413639] Handshake
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 537, in write
    n = os.write(self.fd, d)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "main.py", line 121, in <module>
    main()
  File "main.py", line 54, in main
    handshake(dev)
  File "/home/spdqbr/Fire HD 8 2018/amonet-lite/modules/handshake.py", line 9, in handshake
    dev.handshake()
  File "/home/spdqbr/Fire HD 8 2018/amonet-lite/modules/common.py", line 97, in handshake
    c = self._writeb(b'\xa0')
  File "/home/spdqbr/Fire HD 8 2018/amonet-lite/modules/common.py", line 91, in _writeb
    self.dev.write(out_str)
  File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 571, in write
    raise SerialException('write failed: {}'.format(e))
serial.serialutil.SerialException: write failed: [Errno 5] Input/output error

I appear to be stuck from this point. Do you have any suggestions?
 

ktdt00

Senior Member
May 23, 2006
142
33
@spdqbr - Sounds like your fastboot is out of date. Several of the mainstream repos have this problem. The reboot recovery option didn't come along until more recently. Try updating manually from sdk or Google for one of the updates you can wget and copy over the existing.
 

bibikalka

Senior Member
May 14, 2015
1,426
1,112
I made it to bootrom-step.sh, and that appears to have run successfully. However now when I try
Code:
fastboot reboot recovery
I get the usage message for fastboot:
...
I appear to be stuck from this point. Do you have any suggestions?

Ok, I think you have made it! You are success case #1 !!! :D

Turn the tablet off, and boot recovery by holding Vol buttons when you press Power to turn it on (the usual deal). I think I shall remove the unlocked fastboot flashing from amonet, since it only creates issues.

@spdqbr - Sounds like your fastboot is out of date. Several of the mainstream repos have this problem. The reboot recovery option didn't come along until more recently. Try updating manually from sdk or Google for one of the updates you can wget and copy over the existing.

Interesting. Indeed then, it's another option - updating fastboot on Linux/Windows.
 

glate

Senior Member
Apr 27, 2011
70
14
I've got a 2018 HD8 that's just sitting here with its battery dead waiting for this exact moment; however, my machine runs Windows (I know, I know).

Is there a LiveCD that you'd recommend to complete this task? Just straight up Ubuntu I assume? Haven't run Linux as my daily driver in a few years so thought I'd double check before downloading anything. For ModemManager I'd assume it would just be `sudo apt-get remove modemmanager` correct?

Thanks!
 

ShayBox

Senior Member
Jul 4, 2015
75
21
I've gotten through all the steps, but I'm stuck at fastboot reboot recovery. I am running on Arch and have the latest android-tools, so it shouldn't be an out-of-date problem unless it's a feature that hasn't hit actual release yet; holding volume when turning on doesn't do anything.

EDIT: Turns out the package is out of date, because Google split adb and fastboot into separate packages. I got the command working, but it doesn't reboot into TWRP, it just goes to the Amazon logo again, and I never downloaded a TWRP image as far as I know.

Also, unless this changes this, the HD 8 can not boot to recovery with vol buttons, so removing the fastboot part may not be a great idea, at least if I understand it right.

EDIT2: I figured it out, I had to download the non-lite amonet because it contained an extra fastboot shell script that actually flashed the recovery, amonet-lite didn't

EDIT3: TWRP can't find the boot_orig.bin file; it finds unlock_recovery-inj.img but not bin files, in both image and zip mode
Also flashing Magisk worked, but flashing finalize_no_ota.zip errored with code 1, then any following attempts with code 255

EDIT4: I just ended up doing the rest of the instructions on the original guide, I had to factory reset but that's alright. Thanks, this worked and I never had to open my device! Tester #2 (or 3)

I can't wait to see roms for this, get rid of this amazon garbage
 

Top Liked Posts

  • There are no posts matching your filters.
  • 95
    Update - September 7th, 2019.

    There is a more convenient method now by @k4y0z that can achieve the same unlocking objectives with fewer user commands. Please head over to this thread to achieve unlocking.

    Thanks again to all who used the original method below, and hopefully you are enjoying your unlocked device!



    The original post using lots of terminal commands in order to unlock


    We are there! We have several fully successful attempts by @glate and @daymz (in addition to 3 partial successes earlier - thanks to @leakcheck, @spdqbr, @ShayBox). I have updated the instructions for further clarity. Please report back if there are issues. Still, be prepared to remove the back cover as described in this link in the rather unlikely case things go wrong.

    First of all, full credit to @xyz` and @diplomatic, since the approach here 100% relies on their great work!

    Motivation for this post: make obtaining root on Fire HD8 2018 simpler, without removing the back cover of your tablet. You will also preserve your current FireOS version, and all your user apps and settings (meaning, no Factory Reset).

    Skill level required: moderate - since you will need to work with Linux and Python. HD8 2018 has Android version 7, and therefore will use Magisk for root management.

    Legalese, or the standard disclaimer: While every effort had been made to ensure the instructions accuracy, any and all risk you take with this procedure is entirely yours. Please pay attention, and proceed with care! Happy unlocking!!!

    Notice. If you already have a working TWRP from a prior effort, you should start at Step 11 or 12 depending on what you need to do! With TWRP, the tablet is already under your full control! Unlocking is a one time thing! Post on XDA what you are trying to do, and you will be helped!

    Here we go:
    1. Get access to Linux, install Linux tools required as per the original work by @xyz` in this link (click Thanks there!!!). Specifically, on Debian/Ubuntu do this "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot". Download attached amonet-lite.zip to Linux.
    2. Download attached unlock_images.zip, unpack it, place the individual image files into /sdcard/00 folder on your tablet (create /sdcard/00 folder on your tablet if it does not exist - "adb shell mkdir /sdcard/00")
    3. Download attached finalize_no_ota.zip to /sdcard/00 on your tablet
    4. Download Magisk to /sdcard/00 from here: Magisk-v18.0.zip If you like to live on the bleeding edge, and will be itching to upgrade, also download the latest and greatest Magisk zip - link (at present -version 18.1).
    5. Noob protection: drain tablet battery to some low number, ~3% (this is a safety measure, in case you later get a freeze while in BootRom). Use Fast Discharge app from the Google Play Store if you are impatient. If you do get a freeze in BootRom, your Fire will discharge about ~1% per hour. The battery has to discharge to 0% for the device to exit the BootRom mode. So for battery at 50% you will be waiting ~2 days.
    6. Get an adb root shell via mtk-su (arm version, not arm64), follow this method by @diplomatic (click Thanks there while you are doing it!!!) You may not get a proper full root on the very first try. Specifically, if ls command fails, exit shell via exit command, and run mtk-su again.
    7. In this root shell, obtained in the previous step, first and foremost, please verify that your prompt looks something like this: [karnak:/data/local/tmp #]. Specifically, that your device is really a karnak (i.e., HD8 2018). If you have a different device, MISSION ABORT, and do refer to the original rooting thread for instructions on how to permanently root YOUR type of device. If you do have a karnak, proceed to do the following operations.

      Run the following commands
      Code:
      # back up the original boot image (restored in Step 11)
      dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/00/boot_orig.img
      # back up the original lk (bootloader) and tee1 (TrustZone) partitions
      dd if=/dev/block/platform/soc/11230000.mmc/by-name/lk of=/sdcard/00/orig_lk.bin
      dd if=/dev/block/platform/soc/11230000.mmc/by-name/tee1 of=/sdcard/00/orig_tz.bin
      # back up the boot0 hardware partition (preloader)
      dd if=/dev/block/mmcblk0boot0 of=/sdcard/00/orig_boot0.bin
      # zero the recovery partition, then write the injected recovery image into it
      dd if=/dev/zero of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
      dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
      # checksum the unlock images and the freshly written recovery partition; compare with the values below
      md5sum /sdcard/00/unlock_lk.bin; md5sum /sdcard/00/unlock_tz.bin; md5sum /dev/block/platform/soc/11230000.mmc/by-name/recovery
      Make sure the above commands run without any errors!!! If there are errors, check whether you perhaps did not put the image files into /sdcard/00. Below are the checksums you should see; take a moment to ensure that they match!!! If the checksums don't match, mission ABORT! Come back here and paste your output. You can disconnect your tablet for the time being.
      Code:
      90ee125c08abc999f78325d30e26a388  /sdcard/00/unlock_lk.bin
      982513e70d6de114ed4a9058a86de848  /sdcard/00/unlock_tz.bin
      faae811e229f0a7780fd130a286d3c47  /dev/block/platform/soc/11230000.mmc/by-name/recovery
      If everything looks good, proceed with updating the rest, and wiping the preloader which will enable the BootRom mode:
      Code:
      # replace lk and both TrustZone partitions with the unlock images
      dd if=/sdcard/00/unlock_lk.bin of=/dev/block/platform/soc/11230000.mmc/by-name/lk
      dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee1
      dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee2
      # write the injected recovery image to both boot and recovery
      dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/boot
      dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
      # make boot0 writable, wipe the preloader (this is what enables BootRom mode),
      # then put back the EMMC_BOOT marker at the start of the partition
      echo 0 > /sys/block/mmcblk0boot0/force_ro
      dd if=/dev/zero of=/dev/block/mmcblk0boot0
      echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0
      # checksum of the wiped boot0 partition
      md5sum /dev/block/mmcblk0boot0
      (Thanks to @k4y0z, @Rortiz2, @retyre, @hwmod for figuring out the last step!!!)
    8. You are now in a properly bricked state. Disconnect the USB cable, turn off your tablet. It's a nice brick ;)
    9. On Linux, you will now finish all the work required to unlock your tablet.

      First make sure to uninstall/disable ModemManager (very mission critical!!!) [on Ubuntu: "sudo apt-get remove modemmanager"]. Next, run these commands:
      Code:
      unzip amonet-lite.zip
      cd amonet-lite
      chmod 755 ./bootrom-step.sh
      sudo su
      ./bootrom-step.sh
      Attach your properly bricked tablet to your Linux computer with a USB cable; do try to use a pure USB2 port on your PC (if you have it). Your tablet should come up in the BootRom mode, and start interacting with the bootrom-step.sh script above (watch the output in the Linux terminal). The tablet screen will be off and you won't see anything. Follow the bootrom-step.sh script instructions. When the script prompts "Remove the short and press Enter", just press Enter (there is no short in this method!). Hopefully, everything works. If it freezes before finishing, disconnect the tablet, and let it sit for a few hours (please report back if you had to wait for the battery to drain here - mainly for statistics). The battery should drain, and the tablet will leave the BootRom mode. Try again in a few hours by re-running bootrom-step.sh, and connecting your bricked tablet to your Linux computer.
    10. Here your tablet should have rebooted to TWRP. The screen might be blank, try to hit Power button twice to wake TWRP up. If you still don't see anything, try to turn the tablet off by holding the Power button. If nothing works, wait for the battery to drain, and then re-try.
    11. Once TWRP comes up, go to "Install/Install Image", and install /sdcard/00/boot_orig.img to the boot partition (here we are returning your original boot image to its proper partition)
    12. In TWRP, go to "Install", select Magisk zip from /sdcard/00, and install. Version 18.0 is known to be rock solid, the newer 18.1 may or may not work OK. If you do flash 18.1, please watch for TWRP installation errors.
    13. In TWRP, go to "Install", select finalize_no_ota.zip from /sdcard/00, and install. You only need to do this once per new system image, to make sure OTA is disabled. You don't need to repeat this if you did not upgrade/sideload a fresh ROM. It will give an error message if it was already run before - in such a case ignore the error.
    14. In TWRP, reboot
    15. You should now be back in FireOS, but with Magisk for root. If you don't see Magisk Manager in your app list, install it via apk downloaded from this link. If you are bootlooping due to Magisk, reboot to TWRP using Pwr+Vol buttons, and start at Step 11 but using 18.0 Magisk this time.
    16. If you would like to install Xposed, proceed to this post #2.
    17. If your FireOS is not the latest version (6.3.0.1 at present), use instructions in post #3 to upgrade.

    Notice. If you modify your tablet to the point of an unrecoverable bootloop, check if you can still boot TWRP. If you can, then you are still unlocked, and have simple ways to recover!!! Do not rush into doing a Factory Reset, reloading your OS, sideloading the stock Amazon ROM, repeating the full above procedure, etc. Come back here, ask questions, and wait for a competent answer. If TWRP is available, everything is relatively easy to fix!!!

    TWRP system restore warning: Avoid backing up & restoring your system via TWRP. Unless you fully understand the current HD8 unlocking hack, unpleasant bricks may result! You are better off re-loading the fresh stock back (/system + /boot only) via TWRP, and then immediately re-applying Magisk and finalize zip. This way if you get into a bootloop, your TWRP is still there.

    Q&A :
    Q: How is this different from the approach by @xyz`? A: No need to remove the back cover. Also, the modified amonet script writes only ~4% of the data in the BootRom mode compared to the original method, thus reducing the chances of a freeze in case BootRom access is flaky. Finally, the battery pre-drain should enable BootRom to die reasonably quickly if it does freeze.


    Want to say thanks by clicking the "Thanks" button? ;)
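    An added helper, not part of the original post, that turns the Step 7 checksum gate into an all-or-nothing check using the three expected values listed above. It runs in the same root shell on the tablet (toybox md5sum) or on Linux against copies of the files; the image directory and recovery partition path are parameters, and the values shown in the usage comment are the ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: an all-or-nothing version of
# the Step 7 checksum gate. Expected md5 values are the three from the post.
# Works with md5sum (Linux, toybox/BusyBox on the tablet) or md5 (BSD/macOS).

file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_md5 PATH EXPECTED -> 0 on match, 1 if the path is missing or mismatched
check_md5() {
    path="$1"; expected="$2"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path" >&2
        return 1
    fi
    actual=$(file_md5 "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $path"
        return 0
    fi
    echo "MISMATCH $path (got $actual, want $expected)" >&2
    return 1
}

# verify_unlock_images IMGDIR RECOVERY_DEV
# IMGDIR holds unlock_lk.bin / unlock_tz.bin (/sdcard/00 in the post); RECOVERY_DEV is the
# recovery partition that was just written (the by-name path in the post).
# Returns 0 only if all three match; anything else means ABORT before the second dd block.
verify_unlock_images() {
    dir="$1"; recovery="$2"; rc=0
    check_md5 "$dir/unlock_lk.bin" 90ee125c08abc999f78325d30e26a388 || rc=1
    check_md5 "$dir/unlock_tz.bin" 982513e70d6de114ed4a9058a86de848 || rc=1
    check_md5 "$recovery"          faae811e229f0a7780fd130a286d3c47 || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "All checksums match, safe to continue."
    else
        echo "Checksum failure: MISSION ABORT, post your output on XDA." >&2
    fi
    return $rc
}

# Usage in the tablet's root shell:
#   verify_unlock_images /sdcard/00 /dev/block/platform/soc/11230000.mmc/by-name/recovery
if [ "$#" -eq 2 ]; then verify_unlock_images "$1" "$2"; fi
```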
    Magisk modules, and, Xposed in particular

    In this post I shall cover the installation of Magisk modules and Xposed since this operation had presented certain challenges in the past.

    Once you have Magisk up and running, install a couple of useful modules first.
    1. Busybox-1.29.2-YDS-ARM.zip. You can flash it either via Magisk, or in TWRP. It makes limited modifications to the system, and is very benign in terms of potentially causing any bootloop issues (pretty much unheard of!).
    2. Magisk Manager for Recovery Mode (mm). Please download this zip to /sdcard/00, and flash via TWRP. Run it in TWRP, and familiarize yourself fully with its features. Specifically, try to disable the above Busybox module, reboot to OS, and observe that the Busybox module is disabled. This module is your ticket out of any bootloop when you try to install more aggressive Magisk modules!

    Now that you are familiar with ways to disable bootloop-y Magisk modules via TWRP, proceed to install Xposed. Thanks to @delessio100 (link) for helping me to sort things out on my first attempt!
    1. Download the attached Xposed_Framework_(SDK_25)-89.3_(Systemless).zip to /sdcard/00
    2. Reboot to TWRP, and flash it
    3. Reboot to OS, and be prepared to wait a good 10-15 minutes. The first boot is unusually long, where it looks like things are in a bootloop. Things may be fine, just slow, wait!!! Most likely, you shall boot into FireOS, just have patience.
    4. If the bootloop is continuing for more than 20 minutes, turn the tablet off via the long Power button press, and reboot to TWRP (Vol buttons + Power together). Run the above mm module (in TWRP terminal, type either mm, or /data/media/mm). Disable Xposed, and reboot to OS. You should boot back into OS without issues. Report your failure back to XDA, and wait for advice.
    5. Install XposedInstaller_3.1.5-Magisk.apk from this link, and verify that the Xposed framework (Systemless) is active.
    6. Install some modules from the list below, activate them in Xposed Installer/Modules, and reboot
    In case you get into bootloop while installing other Magisk modules, simply disable those via mm. Then search for solutions on XDA ;)

    My favourite Xposed modules

    1. App Settings, version 1.15. This module helps to control misc per-app settings. My main use - make Chrome tabs look like those on a cell phone, without tabs on top, see this link for examples. AppSettings for Chrome on HD8 to trigger the cell phone look: DPI 240, screen(dp) - 320x480.
    2. Gravity Box - add a network traffic indicator to the status bar, I like to see how much data is coming in/leaving. Also, change battery color.
    3. No Play Games. This will stop bugging you about Google Play Games installation for certain games
    4. Per App Hacking - more options to change settings for a single app
    5. XVolume30 - improve volume control, with more steps
    Hi, first of all, thanks for your tutorial. I managed to get root access right away on the first try without issues. Pretty well explained.

    However, I was not able to install Xposed Framework. Followed the steps from post #2 and no success. After the install of the Systemless xposed zip, my fire did take around 5 minutes to boot up, but then the OS was the same as before, nothing had changed. Also tried installing xposed installer from here and it showed that Xposed Framework was not installed. Tried this on versions 6.3.0.0 and 6.3.0.1 with the same results.

    Any help is welcome, thanks! :good:


    Open Magisk Manager/Modules, and see if Xposed module is active. If it is, all you need is the Xposed Installer For Magisk apk (the regular one won't work!!!):
    https://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268

    There will be more stuff once you install modules, as is, there is nothing you will see. The Xposed zip does not install apk.

    And, thanks for trying the procedure!!! Based on your feedback, I added additional steps to post #2 to ensure that there is less confusion.

    Oops... Turns out I've got a 2017, and it is now a brick, any way to reflash using a usb-serial converter, I've got a 1.8v one from doing my paperwhite. Any suggestions would be appreciated.

    Yep, there is a thread for debricking 2017 HD8. You will be opening your case, and shorting the contacts:
    https://forum.xda-developers.com/hd...nt/fire-hd8-2017-amonet-debrick-root-t3897841
    Btw, do you see anything at all? Like Amazon logo, or such? Potentially, you may see at least a bit of life.

    :( Has anyone tried to root the Fire HD 8 6th gen with this method?
    My fire is HD 8 6th gen with FireOS ver. 5.4.0.0.

    All you need is to get temp root, and convert it to SuperSu. No need for a complicated procedure:
    https://forum.xda-developers.com/hd8-hd10/general/tut-fire-hd-10-7th-gen-2017-root-box-t3726443
    I solved the problem. I had written a disable modemmanager code before the initial try, but after using "sudo apt-get remove modemmanager" it ran successfully!

    I am happy you had some problems ! They build character !!! If you didn't, you never would have registered on XDA! :D Don't forget to thank all key enablers with the Thanks button!

    It's amazing how many creative ways folks found to misunderstand instructions - but that gave me an opportunity to clarify the instructions. Murphy's law still rulez - "Anything that can go wrong, will go wrong".
    @bibikalka,
    the following simple procedure is an alternative method to avoid OTA updates. In the long run, it might be that this method would be preferred over the one removing the applications from the Fire OS.

    Removing the directory in "/sdcard/Android/data/com.amazon.device.software.ota/files" and replacing it with a file named with the same name ("files") does achieve the objective.

    So from an "adb shell" terminal the procedure will be:
    Code:
    cd /sdcard/Android/data/com.amazon.device.software.ota/
    rmdir files
    touch files
    I tested this on all the Fire devices I owned: 7" 5th Gen, 7" 7th Gen, HD8 8th Gen, TV Stick Basic.
    Now, by just removing that file named "files" one enables OTA updates again without extra intervention.

    I leave to you and the users the decision on what to use to block OTA updates; I just wanted to share the neat trick.
    This is the kind of trick that may be used in other circumstances where one needs to fool code checks or conditionals like these.

    .:HWMOD:.
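    As an added example (not hwmod's own commands), the same trick wrapped in small shell functions that report the current state, block and unblock, and refuse to remove a non-empty directory, since rmdir as used above only succeeds on an empty one; the path is the one named in the post, and the command-line wrapper at the end is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: inspect and toggle the
# "directory replaced by a plain file" OTA block described above.
OTA_FILES=/sdcard/Android/data/com.amazon.device.software.ota/files   # path from the post

# ota_state PATH -> prints "open" (directory), "blocked" (plain file) or "absent"
ota_state() {
    if [ -d "$1" ]; then
        echo open
    elif [ -f "$1" ]; then
        echo blocked
    else
        echo absent
    fi
}

# ota_block PATH -> replace the directory with an empty file of the same name.
# rmdir (as in the post) only removes an empty directory; a non-empty one is
# reported and left untouched so the caller can look at its contents first.
ota_block() {
    p="$1"
    case "$(ota_state "$p")" in
        blocked) echo "already blocked: $p"; return 0 ;;
        open)
            rmdir "$p" 2>/dev/null || { echo "not empty, refusing to remove: $p" >&2; return 1; }
            ;;
    esac
    touch "$p"
}

# ota_unblock PATH -> remove the placeholder file so the OTA app can re-create its directory
ota_unblock() {
    p="$1"
    [ -f "$p" ] || { echo "not blocked: $p"; return 0; }
    rm "$p"
}

# Command-line wrapper (assumed usage): ./ota_block.sh status|block|unblock
case "${1:-}" in
    status)  ota_state "$OTA_FILES" ;;
    block)   ota_block "$OTA_FILES" ;;
    unblock) ota_unblock "$OTA_FILES" ;;
esac
```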