IDENTIFYING THE "BRICK" TYPE
This is a raw "unbrick" method ONLY of use to those people that tried to downgrade from 5.1.1 to 5.0.1 and "bricked" their tablet during these attempts. The symptoms of the "brick" I experienced are: tablet seems to be dead, screen never turns on, no ADB and no FASTBOOT available from the USB port.
NOTE: At the moment I could only test this method on the Fire 7 5th Generation tablets, though it is possible that the same procedure could work on other Mediatek SoCs.
From a serial console this kind of soft "brick" can be identified by the following output (just the last few lines):
Code:
[ANTI-ROLLBACK] Processing anti-rollback data
mmc_rpmb_send_command -> req_type=0x1, type=0x4, blks=0x1
mmc_rpmb_send_command -> req_type=0x2, type=0x4, blks=0x1
[ANTI-ROLLBACK] PL: 2 TEE: 3002 LK: 3
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] L: 3 R: 2

This state reveals that the UBOOT code ("lk.bin" version 5.0.1) is blocked by Amazon enforced [ANTI-ROLLBACK] protection checks. If this is your case I am 100% sure this method can be used to recover your tablet from the soft "brick" (tested twice).

"UNBRICK" METHOD DETAILS
The method makes use of Zeroepoch's Python code used previously to "root" the Amazon Fire TV2 and works very well, making it possible to directly and unconditionally write to the EMMC memory space of our Fire 7" 5th Generation tablets. There is no need to sign code, no SHA keys and no certificates involved in the process.
NOTE: Initially I opened my tablet, connected cables + serial break-out board by soldering them directly to the internal UART TX/RX pads on the mainboard. I even ripped off some of the pads. However this is absolutely not necessary for this method, I did that to ensure myself complete control over the tablet and to learn all I could related to this tablet.
The whole procedure can be completed through the normal USB cable and a Linux terminal console logged in as the "root" user. I preferred to do everything as the "root" user to exclude permission problems on the devices.
Unfortunately this method is really slow due to the fact that the process is executed through a USB serial connection at 115200 bps and at the moment the proposed code can only write very small chunks of data one after another through a call to a boot loader operation.
I executed the complete process from a Linux system (Fedora 23) but I believe the same could be done from both Windows and Mac OS X. On Windows it would be slightly more difficult since it requires the correct USB drivers and the Python interpreter. On Linux everything should be already available on any distribution. This will make the process much easier by excluding variables like wrong USB drivers or difficult Python installations.

THE REQUISITES
Download the following code archive from Gitlab (thanks to Zeroepoch):
then unzip the downloaded archive in its new folder. The name of the original folder will be something like:
aftv2-tools-master-5a6de7663bd7c20c54f59ed10b3a5cec841d6564.zip
Rename the folder to a shorter name like "aftv2-tools" to make it easier and shorter to type and move between folders. There are several files and directories in the unpacked AFTV2 archive. However we will only need 4 of them for our method. They are 4 Python scripts named "handshake.py", "read_mmc.py", "write_mmc.py" and "read32.py".
It is possible that you will need to install a Python module called "pyserial" since that is a required dependency. You can do that using the "pip" utility, the command is "pip install pyserial" (the same also for Windows and Mac OS).

THE PROCEDURE
The first step is to ensure the tablet is switched off, then "cd" to the "aftv2-tools" folder that you renamed and execute:
Code:
./handshake.py

on the next line in the console you will immediately see:
Code:
waiting for preloader ...

now connect the tablet (ensure it is switched off) to the USB port of your PC and wait a couple of seconds until the Python script exits and the following appears on the console:
Code:
Found port = /dev/ttyACM0
Handshake complete!

Now the tablet is in the [USBDL] / [USBDOWNLOAD] mode.
NOTE: Do not disconnect the cable until the end of the complete write procedure and only after executing the disconnect command below.

TRAINING WITH A "READ" OPERATION
Before doing more damage and to ensure the setup/environment works, let's use a READ operation as an exercise and make a backup copy of the current UBOOT partition (it will take a while, prepare your coffee).
Knowing that the UBOOT partition starts at 0x1460000 (hex) and that the length of the partition in bytes is 0x100000 (hex) we could read the complete partition with the following command:
Code:
./read_mmc.py $((0x1460000)) $((0x100000)) UBOOT_501_backup.part

The command above would take about 2 hours or more to complete and read the full 16 Mbytes, so you may skip that.
Since we know that the size of the original "lk_501.bin" is exactly 406964 bytes it will be enough to read just what we need (40x less read operations thus 40x less time). A bit of math is needed here, we have to find the minimum number of 512-byte blocks needed to make up a length of at least 406964 bytes. That is 795 * 512 = 407040 so the command will be:
Code:
./read_mmc.py $((0x1460000)) $((795*512)) UBOOT_501_backup.part

this will create a file slightly larger than the original, but we will trim it down with the next command below.
To double check that everything went fine and knowing that the length in bytes of the original 5.0.1 lk.bin is 406964 (dec) we can compare what we have read from the serial connection with the "lk.bin" taken from the 5.0.1 version of the original Amazon update using the following commands. The first line is to trim down what we read to the same size of the original "lk_501.bin" while the second will calculate the MD5 sum of the two files to ensure they are identical:
Code:
dd if=UBOOT_501_backup.part of=UBOOT_501_backup.bin bs=406964 count=1
md5sum UBOOT_501_backup.bin lk_501.bin

The above command will print 2 lines containing the MD5 sum of both files, the 2 hex numbers should be the same. Don't worry if the numbers are different, it may be due to a different version of 5.0.x that you used to try the downgrade. Actually there were 3 or more 5.0.1 partial updates. However check with a hex editor that the first four bytes of the backup you just made are HEX: 88 16 88 58 and that bytes number 8 and 9 (start counting from 0) are HEX: 4C 4B which correspond to the ASCII string "LK".

NOW THE "UNBRICK" PART
At this point to "unbrick" the tablet we need to write the 5.1.1 version of "lk.bin" to the UBOOT partition with this command:
Code:
./write_mmc.py $((0x1460000)) lk_511.bin

Wait for this command to complete; it will take some time (maybe 5 to 10 minutes).
Now we need to exit the [USBDL] / [USBDOWNLOAD] mode before disconnecting the USB cable.
Use this command to do that, it may print some error on the console but that is the expected behavior:
Code:
./read32.py 0 1

wait 10 seconds and then pull the USB cable to disconnect it from the PC.
NOTE: If you can't get your device out of [USBDL] / [USBDOWNLOAD] mode at this point then pop the back cover off of the device and remove the battery plug that has 6 wires; the plug lifts straight up. Wait 5 seconds, reconnect the battery, place the cover on the back of your tablet and then power it up.
If all went well the device will reboot with a working "UBOOT/lk.bin". You can now boot to recovery and "adb sideload" the stock Fire OS 5.1.1 update to get your device fully working again (not downgraded but fully functional).
Most of the things explained here are also written in the README files contained in the archives you have downloaded (aftv2-tools / fbtool) and in the documents linked in previous posts.
Have to say thanks to Sturmflut for the invaluable Mediatek SoC docs and to Zeroepoch for the Python scripts.
Have fun,
.:HWMOD:.
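To tell this anti-rollback "brick" apart from other boot failures in a saved serial capture, the console lines quoted in the post can be checked mechanically. This is an added example, not part of the original post or of aftv2-tools; the function names and the clean contrast log are constructed for illustration, and the L/R values are returned uninterpreted because the post does not define them.

```python
import re

# Console lines quoted in the post (the bricked tablet).
BRICKED_LOG = """\
[ANTI-ROLLBACK] Processing anti-rollback data
mmc_rpmb_send_command -> req_type=0x1, type=0x4, blks=0x1
mmc_rpmb_send_command -> req_type=0x2, type=0x4, blks=0x1
[ANTI-ROLLBACK] PL: 2 TEE: 3002 LK: 3
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] L: 3 R: 2
"""

# Constructed contrast case: same counters, no mismatch reported.
CLEAN_LOG = """\
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] PL: 2 TEE: 3002 LK: 3
[ANTI-ROLLBACK] Checksum validated
"""

TAG = "[ANTI-ROLLBACK]"
PAIR = re.compile(r"\b([A-Z]+):\s*(\d+)")   # "NAME: number" fields


def parse_anti_rollback(log_text):
    """Collect what the [ANTI-ROLLBACK] lines report; other lines are skipped."""
    report = {"counters": {}, "checksum_ok": False, "mismatch": None, "compared": {}}
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(TAG):
            continue
        body = line[len(TAG):].strip()
        if body == "Checksum validated":
            report["checksum_ok"] = True
        elif body.endswith("version mismatch!"):
            report["mismatch"] = body.split()[0]          # component name, e.g. "LK"
        else:
            pairs = {k: int(v) for k, v in PAIR.findall(body)}
            # Fields printed after a mismatch are the two compared values.
            target = "compared" if report["mismatch"] else "counters"
            report[target].update(pairs)
    return report


def is_rollback_brick(log_text):
    """True when a mismatch is reported and the compared values really differ."""
    r = parse_anti_rollback(log_text)
    return r["mismatch"] is not None and len(set(r["compared"].values())) > 1


if __name__ == "__main__":
    print(parse_anti_rollback(BRICKED_LOG))
    print(is_rollback_brick(BRICKED_LOG), is_rollback_brick(CLEAN_LOG))
```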
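The backup checks from the READ section (rounding the read up to whole 512-byte blocks, trimming the dump, comparing it with the reference file, and looking for the 88 16 88 58 and "LK" header bytes) can be run in one pass before anything is written. This is an added example, not code from the post or from aftv2-tools; the function names are hypothetical, the sample image is constructed, and SHA-256 is used here in place of the post's md5sum.

```python
import hashlib

BLOCK = 512                               # block size used for the read in the post
LK_MAGIC = bytes.fromhex("88168858")      # first four bytes, per the post
LK_SIZE = 406964                          # size of lk_501.bin, per the post


def read_length(size, block=BLOCK):
    """Byte count of the smallest whole number of blocks covering `size` bytes."""
    return -(-size // block) * block      # ceiling division


def header_problems(image):
    """Return the reasons (if any) the data does not look like an LK image."""
    if len(image) < 10:
        return ["image shorter than the 10 header bytes checked"]
    problems = []
    if image[:4] != LK_MAGIC:
        problems.append("bytes 0-3 are %s, expected 88168858" % image[:4].hex())
    if image[8:10] != b"LK":
        problems.append("bytes 8-9 are %r, expected b'LK'" % image[8:10])
    return problems


def backup_matches(raw_dump, reference):
    """Trim the dump to the reference length (the dd step) and compare digests."""
    if len(raw_dump) < len(reference):
        return False                      # short read: the dump is incomplete
    trimmed = raw_dump[:len(reference)]
    return hashlib.sha256(trimmed).digest() == hashlib.sha256(reference).digest()


def make_sample(size=LK_SIZE):
    """Constructed stand-in for lk.bin: header bytes from the post, zero padding."""
    return LK_MAGIC + b"\x00" * 4 + b"LK" + b"\x00" * (size - 10)


if __name__ == "__main__":
    ref = make_sample()
    # A block-aligned dump carries trailing bytes past the end of the image.
    dump = ref + b"\xff" * (read_length(len(ref)) - len(ref))
    print(read_length(LK_SIZE), header_problems(dump), backup_matches(dump, ref))
```

Running `header_problems` on the image about to be written as well as on the backup catches a wrong or truncated file before the slow write starts.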