• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Unbrick Fire HD 6/7 via preloader [EASY SUCCESS!!!]:

Search This thread

regxhack

New member
Jan 30, 2018
1
0
Could use a little help

Ok, So I started with a Fire HD6 gen4 at 5.6.0.1.

I tried to use the linked procedure here https://forum.xda-developers.com/fire-hd/general/2017-root-kindle-fire-hd-6-4th-gen-t3677600 to downgrade and root the device.

When I ran the kingroot, it would not root the device. At one point on a second attempt, I was working the problem with kingroot open on the screen.
I walked away for a moment and came back to black screen, no power, no nada.

Next, I went to the ISO method of unbricking.
I can get the handshake, I get all the parts read, it says option A, so I use option A.

Note that while writing the option A back, it usually hangs once or twice. I am able to reset and get the write going again, but I have not gotten it to write complete from start to finish without a hang.

Anyway, once the write completes, I hold the volume up, run the complete.sh script and it boots amazon, and then fire. TWRP never appears.
After a few moments of FireOS running, it goes to lunch and I am back where I started.

I have not been able to get back into adb at any point.

Any suggestions? Guidance? A complimentary blade to fall on?

Thanx
 

jbdman

New member
Apr 11, 2015
4
0
Parts

Good Evening All:

I've attached my part files from windows, I ran the linux live, and there was no option determined. Any help would be greatly appreciated!

Thanks So Much,
Josh
 
Last edited:

blakegriplingph

Senior Member
May 13, 2011
977
146
Amazon Fire
Realme C3
I'm sure this can be adapted to work on non-Amazon MTK devices, right? I've got a Nabi SE demo unit which I tried to convert to retail some time ago. Flashed a backup of the demo ROM using the retail scatter/partition layout (I used addon.img and system.img from retail as the demo ones are too big) and ended up getting stuck at the boot logo (not the boot animation). And when I tried to roll back to the old demo ROM dump (ROM_0) using write memory, it got knackered i.e. no screen output, and no longer responds to pressing volume up to force USB Serial Device mode. The preloader device is still available upon connecting it though.
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
I'm sure this can be adapted to work on non-Amazon MTK devices, right? I've got a Nabi SE demo unit which I tried to convert to retail some time ago. Flashed a backup of the demo ROM using the retail scatter/partition layout (I used addon.img and system.img from retail as the demo ones are too big) and ended up getting stuck at the boot logo (not the boot animation). And when I tried to roll back to the old demo ROM dump (ROM_0) using write memory, it got knackered i.e. no screen output, and no longer responds to pressing volume up to force USB Serial Device mode. The preloader device is still available upon connecting it though.

Yes it should work to edit partition contents on the flash memory if it uses a MTK preloader. The mmc device address might be different though if it's not the same or similar SOC. Try reading the start of the boot.img partition. I should have the word Android I believe.
 
  • Like
Reactions: blakegriplingph

blakegriplingph

Senior Member
May 13, 2011
977
146
Amazon Fire
Realme C3
Yes it should work to edit partition contents on the flash memory if it uses a MTK preloader. The mmc device address might be different though if it's not the same or similar SOC. Try reading the start of the boot.img partition. I should have the word Android I believe.
It's running off an MT8127, which AFAIK is the similar to the one used on the 5th gen Fire. It has an unlockable bootloader, but I forgot to poke into that prior, and I didn't expect it to be an arse compared to the LeapFrog Epic which shared the same SOC but is easily unbrickable for as long as you have a backup at hand.

If it's any consolation, I made a complete backup of both my friend's retail Nabi SE and my demo unit. Maybe someone could help with looking into it, and I am more than willing to test if any adaptations to the unbrick script are done.
 

CandyAngel

Member
Mar 10, 2018
5
0
Update [Nov 23, 2016] : Notice that in FireOS 5.3.1 this functionality has been disabled, so nothing happens as people try to read/write memory :(
Just tried to use the ISO to recover a Fire HD6 that was given to me and I could get the handshake to work and the device to stay on/connected, but running "reader.sh" does nothing. It's very likely it is 5.3.1 or later as it was on auto-update before it was broken.

Permanent brick or something else I can try, maybe? Thankies!
 

bibikalka

Senior Member
May 14, 2015
1,370
1,090
Just tried to use the ISO to recover a Fire HD6 that was given to me and I could get the handshake to work and the device to stay on/connected, but running "reader.sh" does nothing. It's very likely it is 5.3.1 or later as it was on auto-update before it was broken.

Permanent brick or something else I can try, maybe? Thankies!

I presume stock recovery with sideloading does not work either? I am afraid, you may be out of luck here ...
 

exdeeei

New member
Apr 21, 2018
4
1
./reader.sh Has no response at all

Is this method will work on my device? :confused:
I'm still at ./reader.sh following the linux os tut.
Edit: My device is fire hd 6 4th gen
My pc is win 7
 
Last edited:

exdeeei

New member
Apr 21, 2018
4
1
read_mmc.py 0x0000000 0x1000 0x0000000.part
read_mmc.py 0x0080000 0x1000 0x0080000.part
read_mmc.py 0x0100000 0x1000 0x0100000.part
read_mmc.py 0x0180000 0x1000 0x0180000.part
read_mmc.py 0x0200000 0x1000 0x0200000.part
read_mmc.py 0x0280000 0x1000 0x0280000.part
read_mmc.py 0x0300000 0x1000 0x0300000.part
read_mmc.py 0x0380000 0x1000 0x0380000.part
read_mmc.py 0x0400000 0x1000 0x0400000.part
read_mmc.py 0x0480000 0x1000 0x0480000.part
read_mmc.py 0x0500000 0x1000 0x0500000.part
read_mmc.py 0x0580000 0x1000 0x0580000.part
read_mmc.py 0x0600000 0x1000 0x0600000.part
read_mmc.py 0x0680000 0x1000 0x0680000.part
read_mmc.py 0x0700000 0x1000 0x0700000.part
read_mmc.py 0x0780000 0x1000 0x0780000.part
read_mmc.py 0x0800000 0x1000 0x0800000.part
read_mmc.py 0x0880000 0x1000 0x0880000.part
read_mmc.py 0x0900000 0x1000 0x0900000.part
read_mmc.py 0x0980000 0x1000 0x0980000.part
read_mmc.py 0x0a00000 0x1000 0x0a00000.part
read_mmc.py 0x0a80000 0x1000 0x0a80000.part
read_mmc.py 0x0b00000 0x1000 0x0b00000.part
read_mmc.py 0x0b80000 0x1000 0x0b80000.part
read_mmc.py 0x0c00000 0x1000 0x0c00000.part
read_mmc.py 0x0c80000 0x1000 0x0c80000.part
read_mmc.py 0x0d00000 0x1000 0x0d00000.part
read_mmc.py 0x0d80000 0x1000 0x0d80000.part
read_mmc.py 0x0e00000 0x1000 0x0e00000.part
read_mmc.py 0x0e80000 0x1000 0x0e80000.part
read_mmc.py 0x0f00000 0x1000 0x0f00000.part
read_mmc.py 0x0f80000 0x1000 0x0f80000.part
read_mmc.py 0x1000000 0x1000 0x1000000.part
read_mmc.py 0x1080000 0x1000 0x1080000.part
read_mmc.py 0x1100000 0x1000 0x1100000.part
read_mmc.py 0x1180000 0x1000 0x1180000.part
read_mmc.py 0x1200000 0x1000 0x1200000.part
read_mmc.py 0x1280000 0x1000 0x1280000.part
read_mmc.py 0x1300000 0x1000 0x1300000.part
read_mmc.py 0x1380000 0x1000 0x1380000.part
read_mmc.py 0x1400000 0x1000 0x1400000.part
read_mmc.py 0x1480000 0x1000 0x1480000.part
read_mmc.py 0x1500000 0x1000 0x1500000.part
read_mmc.py 0x1580000 0x1000 0x1580000.part
read_mmc.py 0x1600000 0x1000 0x1600000.part
read_mmc.py 0x1680000 0x1000 0x1680000.part
read_mmc.py 0x1700000 0x1000 0x1700000.part
read_mmc.py 0x1780000 0x1000 0x1780000.part
read_mmc.py 0x1800000 0x1000 0x1800000.part
read_mmc.py 0x1880000 0x1000 0x1880000.part
read_mmc.py 0x1900000 0x1000 0x1900000.part
read_mmc.py 0x1980000 0x1000 0x1980000.part
read_mmc.py 0x1a00000 0x1000 0x1a00000.part
read_mmc.py 0x1a80000 0x1000 0x1a80000.part
read_mmc.py 0x1b00000 0x1000 0x1b00000.part
read_mmc.py 0x1b80000 0x1000 0x1b80000.part
read_mmc.py 0x1c00000 0x1000 0x1c00000.part
read_mmc.py 0x1c80000 0x1000 0x1c80000.part
read_mmc.py 0x1d00000 0x1000 0x1d00000.part
read_mmc.py 0x1d80000 0x1000 0x1d80000.part
read_mmc.py 0x1e00000 0x1000 0x1e00000.part
read_mmc.py 0x1e80000 0x1000 0x1e80000.part
read_mmc.py 0x1f00000 0x1000 0x1f00000.part
read_mmc.py 0x1f80000 0x1000 0x1f80000.part
read_mmc.py 0x2000000 0x1000 0x2000000.part
read_mmc.py 0x2080000 0x1000 0x2080000.part
read_mmc.py 0x2100000 0x1000 0x2100000.part
read_mmc.py 0x2180000 0x1000 0x2180000.part
read_mmc.py 0x2200000 0x1000 0x2200000.part
read_mmc.py 0x2280000 0x1000 0x2280000.part
read_mmc.py 0x2300000 0x1000 0x2300000.part
read_mmc.py 0x2380000 0x1000 0x2380000.part
read_mmc.py 0x2400000 0x1000 0x2400000.part
read_mmc.py 0x2480000 0x1000 0x2480000.part
read_mmc.py 0x2500000 0x1000 0x2500000.part
read_mmc.py 0x2580000 0x1000 0x2580000.part
read_mmc.py 0x2600000 0x1000 0x2600000.part
read_mmc.py 0x2680000 0x1000 0x2680000.part
read_mmc.py 0x2700000 0x1000 0x2700000.part
read_mmc.py 0x2780000 0x1000 0x2780000.part
read_mmc.py 0x2800000 0x1000 0x2800000.part
read_mmc.py 0x2880000 0x1000 0x2880000.part
read_mmc.py 0x2900000 0x1000 0x2900000.part
read_mmc.py 0x2980000 0x1000 0x2980000.part
read_mmc.py 0x2a00000 0x1000 0x2a00000.part
read_mmc.py 0x2a80000 0x1000 0x2a80000.part
read_mmc.py 0x2b00000 0x1000 0x2b00000.part
read_mmc.py 0x2b80000 0x1000 0x2b80000.part
read_mmc.py 0x2c00000 0x1000 0x2c00000.part
read_mmc.py 0x2c80000 0x1000 0x2c80000.part
read_mmc.py 0x0400000 0x4000 0x00a.part
read_mmc.py 0x0408000 0x4000 0xPRO_INFOa.part
read_mmc.py 0x0500000 0x4000 0xPMTa.part
read_mmc.py 0x0900000 0x1000 0xTEE1a.part
read_mmc.py 0x1300000 0x1000 0xUBOOTa.part
read_mmc.py 0x0780000 0x4000 0x00b.part
read_mmc.py 0x0788000 0x4000 0xPRO_INFOb.part
read_mmc.py 0x0880000 0x4000 0xPMTb.part
read_mmc.py 0x0c80000 0x1000 0xTEE1b.part
read_mmc.py 0x1680000 0x1000 0xUBOOTb.part
read_mmc.py 0x0a00000 0x4000 0x00c.part
read_mmc.py 0x0a08000 0x4000 0xPRO_INFOc.part
read_mmc.py 0x0b00000 0x4000 0xPMTc.part
read_mmc.py 0x0f00000 0x1000 0xTEE1c.part
read_mmc.py 0x1900000 0x1000 0xUBOOTc.part
Sorry to ask this. Should i copy that Exact codes and paste them on terminal command after handshake or what? :confused:
 

nicktm

Member
Feb 2, 2011
6
2
I presume stock recovery with sideloading does not work either? I am afraid, you may be out of luck here ...
I have the same issue
reader.sh stack forever
I am able to login to stock recovery and run adb sideload update-kindle-20.4.5.3.bin and got this error
E:failed to mount /cache
E:failed to set up expected mounts for install; aborting
is there any way to fix ?
 
Sep 9, 2018
2
0
Need special .sh files

Reader.sh
ReaderSpecialOptionA.sh
ReaderSpecialOptionB.sh

I am performing this in an atypical manner as i could not boot from special ArchLinux distro included in this build were the aforementioned .sh script files

DOES ANYONE HAVE A COPY OF THESE?

Appreciated
 

Miller94

New member
Jun 12, 2015
2
0
cant read mmc

hi,i have a bricked amazon kindle fire hd 7 2014,and i cant read mmc.... :confused::confused::confused: handshake is ok,but when i start a command to read mmc,i am wait a loooong time (12 hours) and nothing happens (( The line of the command that I launched still remains without any changes.
Not strong in python, but a lot of things were flashed and rebuilt others devices. Pyserial.py has bin install correctly, Py2exe too. What line do I need to get dumps? (I entered 'read_mmc.py 0x0000000 0x1000 0x0000000.part')
I can prepend access to the TeamViewer for manipulations))Thanks :) I hope all will be ok
 
Last edited:

ZenIsBestWolf

New member
Apr 6, 2019
1
0
Hi! I know this thread is REALLY old, but was wondering if anyone could not get the handshake to work? My Kindle Fire HD 6 4th gen bricked after trying to root and does not get to the Amazon screen at all.
 

mr.knowbody

New member
Dec 8, 2019
2
0
fire hd 8 5th

Parts
Dear bibikalka
I have a fire HD 8 5th gen that bricked because of downgrade from last update 5.6.3.4 to 5.2.2 by adb sideload commands (No fastboot , No recovery mode available).
fortunately handshake complete and I can read_emmc in ubuntu 18.04.
I'm curious to know is there any way to find offset address and relive my device?
I want to see if there is an option (A,B,C or need try new option) for me.[/QUOTE]

sorry I unable to attach my files:( .
 

mr.knowbody

New member
Dec 8, 2019
2
0
Write MMC files

Parts
Dear bibikalka
I have a fire HD 8 5th gen that bricked because of downgrade from last update 5.6.3.4 to 5.2.2 by adb sideload commands (No fastboot , No recovery mode available).
fortunately handshake complete and I can read_emmc in ubuntu 18.04.
I'm curious to know is there any way to find offset address and relive my device?
I want to see if there is an option (A,B,C or need try new option) for me.

I found the addresses ,but now can I use this files "453p_xxx.img" for fire hd 5th generation too?:confused:
 

Shadowwolf218

New member
Jun 7, 2009
4
0
Motorola Atrix 4G
AT&T LG G3
I hate to poke at an ancient thread, but it seems worse to start a new one when the solution is already 95% covered already.

Long story short, I got a bricked HD8 (2015, KFMEWI) from a friend, thinking I could resurrect it. But on connection to the pc, all I can get is the MT65xx preloader stuff.

Using the methods from this thread, and the super helpful linux iso from the related thread linked in the first post, I was able to connect and complete the handshake. But, since all of this is for the HD6/7, I'm stuck with a lot of .part files and some hex to sift through...and that leaves me out of my depth.

I've attached what I believe to be the relevant files...do I have any hope with this, or is it a paperweight already?
 

Attachments

  • part.tar
    740 KB · Views: 9

bibikalka

Senior Member
May 14, 2015
1,370
1,090
Using the methods from this thread, and the super helpful linux iso from the related thread linked in the first post, I was able to connect and complete the handshake. But, since all of this is for the HD6/7, I'm stuck with a lot of .part files and some hex to sift through...and that leaves me out of my depth.

I've attached what I believe to be the relevant files...do I have any hope with this, or is it a paperweight already?
Are you still chasing this brick? Or gave up?
 
  • Like
Reactions: sd_shadow

Akshat120

New member
Sep 23, 2021
3
0

Top Liked Posts

  • There are no posts matching your filters.
  • 13
    Update [Nov 23, 2016] :
    powerpoint45 made a separate thread, so please use his method first from this link. Notice that in FireOS 5.3.1 this functionality has been disabled, so nothing happens as people try to read/write memory :(

    Update [Sep 27, 2016] :
    Thanks to the great effort by powerpoint45, there is now a custom Linux image specifically created to run AFTV2 tools (here). It will even recognize which addresses you have, so no need to upload any binary blocks anymore! Please use it! Also note that a couple of Fire bricks turned out to be unrecoverable, it seems impossible to read/write the memory, so no luck :( If you have one of these, please post and explain how you managed to brick it so much.

    Update [Sep 16, 2016] :
    Thanks to the fantastic effort by powerpoint45 to read UART logs on a bricked FIRE, we now know why downgrades produce dark screen bricks! It looks like the new FireOS 5 bootloaders check the version in eFUSE, and if it's newer than the current, they refuse to boot. Please see this link for details. This is very similar to the issues found on Fire 2015, see this link.

    Update [Aug 14, 2016] :
    The instructions have been extensively cleaned up for more general use. The unbricking was finally successful for the classic "wrong/older bootloader" (black screen) type of Fire HD bricking (thanks to @n3roxda333 for persisting with his brick !!!). Thus the procedure is fully tested to be used by anybody for pretty much any type of recovery. Yey !!! Again, what this means is that even the black screen bricks can be successfully brought back to life.

    Unfortunately, the procedure is somewhat fragile, so you may have to work through various challenges. The key software required : Python 3 (with the pyserial module - "pip install pyserial"), and AFTV2-Tools. If you are on Windows 8/10, make sure to get the proper signed Win 8&10 MediaTek USB VCOM drivers in order to set up the communication between your PC and Fire as quickly as possible. For other OSes, see the posts from @zeroepoch and @hwmod. Very recently, @powerpoint45 has put together an excellent iso with Linux that already has all the necessary software included (see this link, and don't forget to click "Thanks!").

    Once you establish communication with the device (a.k.a. "handshake"), it's important to establish that the read_mmc procedure is stable, and does not hang. If it hangs, you'll have to find another computer that is stable :( There seems to be no other way around this instability issue at the moment. Please see a couple of other key posts on how to get AFTV2 tools working, first from the author of the AFTV2 tools himself - @zeroepoch (link), and then @hwmod who used this method to unbrick Fire 2015 (link).

    Instructions.

    1. Setup Python 3, download the required AFTV2 tools, install the preloader drivers (if needed), and establish the handshake with the device (this is the generic part of the procedure, independent of the specific Amazon device, use the posts by @hwmod (link) and @zeroepoch (link) to understand and fix any issues so that you can handshake successfully):
    Code:
    C:\extra\android\kindle_root\aftv2-tools>handshake.py
    Waiting for preloader...
    
    [COLOR="Red"](now plug in fully turned off Fire HD, it'll get turned on by the USB power, and I already had preloader drivers from the prior bricked 
    Fire HD, so handshake completed just fine). If the device is in the weird state, plug it in, and hold the Power button. At some point it'll start rebooting, and the preloader should handshake if you got all the other prerequisites taken care of[/COLOR]
    
    Found port = COM8
    Handshake complete!
    Note that under Linux sometimes USB ports stop working (when they worked before!), see this link on how to fix such a condition (and click "Thanks!").

    2. On each 2014 Fire HD the partitions we need to write into have unique offsets relative to 0x0. So before writing anything it's necessary to figure out what this unique offset is. A way to do is to read a bunch of blocks, and then determine in a hex editor which are meaningful. This allows to determine the correct unique offset. Run the following read commands to get the data blocks, zip all of the *part files, and post it here. In this step you will also find out if your setup is stable. If the read commands hang, that is a bad sign, you will need another computer (or perhaps a different OS on the same hardware, as in dual boot Linux on a Windows machine)
    Code:
    read_mmc.py  0x0000000  0x1000  0x0000000.part
    read_mmc.py  0x0080000  0x1000  0x0080000.part
    read_mmc.py  0x0100000  0x1000  0x0100000.part
    read_mmc.py  0x0180000  0x1000  0x0180000.part
    read_mmc.py  0x0200000  0x1000  0x0200000.part
    read_mmc.py  0x0280000  0x1000  0x0280000.part
    read_mmc.py  0x0300000  0x1000  0x0300000.part
    read_mmc.py  0x0380000  0x1000  0x0380000.part
    read_mmc.py  0x0400000  0x1000  0x0400000.part
    read_mmc.py  0x0480000  0x1000  0x0480000.part
    read_mmc.py  0x0500000  0x1000  0x0500000.part
    read_mmc.py  0x0580000  0x1000  0x0580000.part
    read_mmc.py  0x0600000  0x1000  0x0600000.part
    read_mmc.py  0x0680000  0x1000  0x0680000.part
    read_mmc.py  0x0700000  0x1000  0x0700000.part
    read_mmc.py  0x0780000  0x1000  0x0780000.part
    read_mmc.py  0x0800000  0x1000  0x0800000.part
    read_mmc.py  0x0880000  0x1000  0x0880000.part
    read_mmc.py  0x0900000  0x1000  0x0900000.part
    read_mmc.py  0x0980000  0x1000  0x0980000.part
    read_mmc.py  0x0a00000  0x1000  0x0a00000.part
    read_mmc.py  0x0a80000  0x1000  0x0a80000.part
    read_mmc.py  0x0b00000  0x1000  0x0b00000.part
    read_mmc.py  0x0b80000  0x1000  0x0b80000.part
    read_mmc.py  0x0c00000  0x1000  0x0c00000.part
    read_mmc.py  0x0c80000  0x1000  0x0c80000.part
    read_mmc.py  0x0d00000  0x1000  0x0d00000.part
    read_mmc.py  0x0d80000  0x1000  0x0d80000.part
    read_mmc.py  0x0e00000  0x1000  0x0e00000.part
    read_mmc.py  0x0e80000  0x1000  0x0e80000.part
    read_mmc.py  0x0f00000  0x1000  0x0f00000.part
    read_mmc.py  0x0f80000  0x1000  0x0f80000.part
    read_mmc.py  0x1000000  0x1000  0x1000000.part
    read_mmc.py  0x1080000  0x1000  0x1080000.part
    read_mmc.py  0x1100000  0x1000  0x1100000.part
    read_mmc.py  0x1180000  0x1000  0x1180000.part
    read_mmc.py  0x1200000  0x1000  0x1200000.part
    read_mmc.py  0x1280000  0x1000  0x1280000.part
    read_mmc.py  0x1300000  0x1000  0x1300000.part
    read_mmc.py  0x1380000  0x1000  0x1380000.part
    read_mmc.py  0x1400000  0x1000  0x1400000.part
    read_mmc.py  0x1480000  0x1000  0x1480000.part
    read_mmc.py  0x1500000  0x1000  0x1500000.part
    read_mmc.py  0x1580000  0x1000  0x1580000.part
    read_mmc.py  0x1600000  0x1000  0x1600000.part
    read_mmc.py  0x1680000  0x1000  0x1680000.part
    read_mmc.py  0x1700000  0x1000  0x1700000.part
    read_mmc.py  0x1780000  0x1000  0x1780000.part
    read_mmc.py  0x1800000  0x1000  0x1800000.part
    read_mmc.py  0x1880000  0x1000  0x1880000.part
    read_mmc.py  0x1900000  0x1000  0x1900000.part
    read_mmc.py  0x1980000  0x1000  0x1980000.part
    read_mmc.py  0x1a00000  0x1000  0x1a00000.part
    read_mmc.py  0x1a80000  0x1000  0x1a80000.part
    read_mmc.py  0x1b00000  0x1000  0x1b00000.part
    read_mmc.py  0x1b80000  0x1000  0x1b80000.part
    read_mmc.py  0x1c00000  0x1000  0x1c00000.part
    read_mmc.py  0x1c80000  0x1000  0x1c80000.part
    read_mmc.py  0x1d00000  0x1000  0x1d00000.part
    read_mmc.py  0x1d80000  0x1000  0x1d80000.part
    read_mmc.py  0x1e00000  0x1000  0x1e00000.part
    read_mmc.py  0x1e80000  0x1000  0x1e80000.part
    read_mmc.py  0x1f00000  0x1000  0x1f00000.part
    read_mmc.py  0x1f80000  0x1000  0x1f80000.part
    read_mmc.py  0x2000000  0x1000  0x2000000.part
    read_mmc.py  0x2080000  0x1000  0x2080000.part
    read_mmc.py  0x2100000  0x1000  0x2100000.part
    read_mmc.py  0x2180000  0x1000  0x2180000.part
    read_mmc.py  0x2200000  0x1000  0x2200000.part
    read_mmc.py  0x2280000  0x1000  0x2280000.part
    read_mmc.py  0x2300000  0x1000  0x2300000.part
    read_mmc.py  0x2380000  0x1000  0x2380000.part
    read_mmc.py  0x2400000  0x1000  0x2400000.part
    read_mmc.py  0x2480000  0x1000  0x2480000.part
    read_mmc.py  0x2500000  0x1000  0x2500000.part
    read_mmc.py  0x2580000  0x1000  0x2580000.part
    read_mmc.py  0x2600000  0x1000  0x2600000.part
    read_mmc.py  0x2680000  0x1000  0x2680000.part
    read_mmc.py  0x2700000  0x1000  0x2700000.part
    read_mmc.py  0x2780000  0x1000  0x2780000.part
    read_mmc.py  0x2800000  0x1000  0x2800000.part
    read_mmc.py  0x2880000  0x1000  0x2880000.part
    read_mmc.py  0x2900000  0x1000  0x2900000.part
    read_mmc.py  0x2980000  0x1000  0x2980000.part
    read_mmc.py  0x2a00000  0x1000  0x2a00000.part
    read_mmc.py  0x2a80000  0x1000  0x2a80000.part
    read_mmc.py  0x2b00000  0x1000  0x2b00000.part
    read_mmc.py  0x2b80000  0x1000  0x2b80000.part
    read_mmc.py  0x2c00000  0x1000  0x2c00000.part
    read_mmc.py  0x2c80000  0x1000  0x2c80000.part
    read_mmc.py  0x0400000  0x4000              0x00a.part
    read_mmc.py  0x0408000  0x4000        0xPRO_INFOa.part
    read_mmc.py  0x0500000  0x4000             0xPMTa.part
    read_mmc.py  0x0900000  0x1000            0xTEE1a.part
    read_mmc.py  0x1300000  0x1000           0xUBOOTa.part
    read_mmc.py  0x0780000  0x4000              0x00b.part
    read_mmc.py  0x0788000  0x4000        0xPRO_INFOb.part
    read_mmc.py  0x0880000  0x4000             0xPMTb.part
    read_mmc.py  0x0c80000  0x1000            0xTEE1b.part
    read_mmc.py  0x1680000  0x1000           0xUBOOTb.part
    read_mmc.py  0x0a00000  0x4000              0x00c.part
    read_mmc.py  0x0a08000  0x4000        0xPRO_INFOc.part
    read_mmc.py  0x0b00000  0x4000             0xPMTc.part
    read_mmc.py  0x0f00000  0x1000            0xTEE1c.part
    read_mmc.py  0x1900000  0x1000           0xUBOOTc.part

    If you are skilled with binary editors, you can examine these *.part files using Appendix 1 as a reference, and if you find a match for LK partition, choose the respective option in Appendix 1.

    3. After the correct addresses have been figured out, use the supplied addresses to read the partition headers, and save these just in case (before you do the reading again in Step 5 !!!). The read commands will be provided to you once you upload the zip file. Here is an example of what this will look like :
    Code:
    [strike]
    read_mmc.py  0x0400000  0x4000              00.part
    read_mmc.py  0x0408000  0x4000        PRO_INFO.part
    read_mmc.py  0x0500000  0x4000             PMT.part
    read_mmc.py  0x0900000  0x4000            TEE1.part
    read_mmc.py  0x0e00000  0x4000            TEE2.part
    read_mmc.py  0x1300000  0x4000           UBOOT.part
    read_mmc.py  0x1380000  0x4000            boot.part
    read_mmc.py  0x1b80000  0x4000        recovery.part
    read_mmc.py  0x2380000  0x4000              KB.part
    read_mmc.py  0x2480000  0x4000             DKB.part
    read_mmc.py  0x2580000  0x4000            MISC.part
    read_mmc.py  0x2600000  0x4000    persisbackup.part
    read_mmc.py  0x3600000  0x4000          system.part
    read_mmc.py  0x4e600000  0x4000           cache.part
    read_mmc.py  0x85600000  0x4000        userdata.part
    [/strike]

    4. Download 453_padded_img.zip from below and unpack. These are zero padded 4.5.3 bootloaders + TWRP. I had to pad them with zeroes since AFTV2 tools will discard the last chunk of the file if it's not in blocks of 256 bytes (?).
    To restore 4.5.3 bootloaders & TWRP, you will run commands similar to the ones below (will take from 30-40 minutes to 5-6 hours in total). Again, do note that your addresses will be different, so do not use the commands below as is, before getting the unique offset for your Fire HD which will be provided after you post the zip file from Step 2 !!! If you try to figure out these addresses yourself, and do it incorrectly, you may permanently brick, and this time without ANY recovery
    Code:
    [strike]write_mmc.py 0x0900000 453p_tee1.img
    write_mmc.py 0x1300000 453p_uboot.img
    write_mmc.py 0x1b80000 453p_twrp.img[/strike]
    (if you are getting this message "...Already done", you need to delete lastaddr.txt file in the aftv2-tools folder, thanks to @Kramar111 for pointing this out !!! )

    5. Repeat the read commands from Step 3, save the outputs (again, using your unique addresses provided to you in this thread !). Make sure you are not overwriting the outputs from Step 3.

    6. Send the command to disconnect, and hopefully the device will reboot. Hold the "Vol+" button to get into TWRP. Then either flash the proper bootloaders in TWRP (to make whatever ROM you already have installed bootable again), or replace the entire ROM as per these instructions (link). If you choose the wrong bootloaders again, you will have to repeat Step 4 to get TWRP back (!!!)
    Code:
    C:\extra\android\kindle_root\aftv2-tools>read32.py 0 1
    1: 0xd1
    4: 0x00 0x00 0x00 0x00
    4: 0x00 0x00 0x00 0x01
    [COLOR="Red"]
    (and the device turns off here, and will reboot)[/COLOR]

    7. Once you reboot to TWRP, proceed to the post discussing how to install rooted FireOS via TWRP:
    http://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950

    Appendix 1
    These are currently known addresses (so if you are skilled, you can try to use a HEX editor to figure out if your UBOOT (LK) partition matches any of these). In general, LK is the easiest to identify. If not, post the blocks in the forum, and the addresses will be supplied to you. Remember, your addresses could end up being different from the choices provided below !!!

    Option A. LK @ 0x1300000

    Reading the partitions for quality control :
    Code:
    read_mmc.py  0x0400000  0x4000              00.part
    read_mmc.py  0x0408000  0x4000        PRO_INFO.part
    read_mmc.py  0x0500000  0x4000             PMT.part
    read_mmc.py  0x0900000  0x4000            TEE1.part
    read_mmc.py  0x0e00000  0x4000            TEE2.part
    read_mmc.py  0x1300000  0x4000           UBOOT.part
    read_mmc.py  0x1380000  0x4000            boot.part
    read_mmc.py  0x1b80000  0x4000        recovery.part
    read_mmc.py  0x2380000  0x4000              KB.part
    read_mmc.py  0x2480000  0x4000             DKB.part
    read_mmc.py  0x2580000  0x4000            MISC.part
    read_mmc.py  0x2600000  0x4000    persisbackup.part
    And writing TWRP & related :
    Code:
    write_mmc.py  0x0900000  453p_tee1.img
    write_mmc.py  0x1300000 453p_uboot.img
    write_mmc.py  0x1b80000  453p_twrp.img


    Option B. LK @ 0x1680000

    Reading the partitions for quality control :
    Code:
    read_mmc.py  0x0780000  0x4000              00.part
    read_mmc.py  0x0788000  0x4000        PRO_INFO.part
    read_mmc.py  0x0880000  0x4000             PMT.part
    read_mmc.py  0x0c80000  0x4000            TEE1.part
    read_mmc.py  0x1180000  0x4000            TEE2.part
    read_mmc.py  0x1680000  0x4000           UBOOT.part
    read_mmc.py  0x1700000  0x4000            boot.part
    read_mmc.py  0x1f00000  0x4000        recovery.part
    read_mmc.py  0x2700000  0x4000              KB.part
    read_mmc.py  0x2800000  0x4000             DKB.part
    read_mmc.py  0x2900000  0x4000            MISC.part
    read_mmc.py  0x2980000  0x4000    persisbackup.part
    And writing TWRP & related :
    Code:
    write_mmc.py  0x0c80000  453p_tee1.img
    write_mmc.py  0x1680000 453p_uboot.img
    write_mmc.py  0x1f00000  453p_twrp.img


    Option C. LK @ 0x1900000

    Reading the partitions for quality control :
    Code:
    read_mmc.py  0x0a00000  0x4000              00.part
    read_mmc.py  0x0a08000  0x4000        PRO_INFO.part
    read_mmc.py  0x0b00000  0x4000             PMT.part
    read_mmc.py  0x0f00000  0x4000            TEE1.part
    read_mmc.py  0x1400000  0x4000            TEE2.part
    read_mmc.py  0x1900000  0x4000           UBOOT.part
    read_mmc.py  0x1980000  0x4000            boot.part
    read_mmc.py  0x2180000  0x4000        recovery.part
    read_mmc.py  0x2980000  0x4000              KB.part
    read_mmc.py  0x2a80000  0x4000             DKB.part
    read_mmc.py  0x2b80000  0x4000            MISC.part
    read_mmc.py  0x2c00000  0x4000    persisbackup.part
    And writing TWRP & related :
    Code:
    write_mmc.py  0x0f00000  453p_tee1.img
    write_mmc.py  0x1900000 453p_uboot.img
    write_mmc.py  0x2180000  453p_twrp.img


    Other stuff of interest:

    On Fire 2015, one could get UART logs from a bricked Fire via the following instructions (by connecting a FT232RL USB-to-TTL-Serial adapter to a 5-pin micro USB plug). Unfortunately, this procedure does not work on Fire HD 2014.
    http://forum.xda-developers.com/showpost.php?p=65585385&postcount=16
    http://forum.xda-developers.com/showpost.php?p=65587440&postcount=17
    http://forum.xda-developers.com/showpost.php?p=65588189&postcount=18

    Here is a sample log from my AFTV2 tools trials on my Fire HD (Windows XP, Python 3.4). And your addresses will be different, so don't write anything just yet (my comments below are in red) :

    C:\extra\android\kindle_root\aftv2-tools>python -m pip install pyserial==3.0.1
    (the latest 3.1.1 pyserial would not work under WinXP)

    C:\extra\android\kindle_root\aftv2-tools>handshake.py
    Waiting for preloader...

    (now plug in fully turned off Fire HD, it'll get turned on by the USB power, and I already had preloader drivers from the prior bricked Fire HD, so handshake completed just fine)

    Found port = COM8
    Handshake complete!

    C:\extra\android\kindle_root\aftv2-tools>read_mmc.py 0x1400000 0x1000 tee2.part

    Addr: 0x1400000
    Addr: 0x1400200
    Addr: 0x1400400
    Addr: 0x1400600
    Addr: 0x1400800
    Addr: 0x1400a00
    Addr: 0x1400c00
    Addr: 0x1400e00

    C:\extra\android\kindle_root\aftv2-tools>write_mmc.py 0x1400000 tee2.part
    Addr: 0x1400000
    Addr: 0x1400200
    Addr: 0x1400400
    Addr: 0x1400600
    Addr: 0x1400800
    Addr: 0x1400a00
    Addr: 0x1400c00
    Addr: 0x1400e00

    C:\extra\android\kindle_root\aftv2-tools>write_mmc.py 0x1400000 tee2.part
    Addr: 0x1400000
    ...Already done
    Addr: 0x1400200
    ...Already done
    Addr: 0x1400400
    ...Already done
    Addr: 0x1400600
    ...Already done
    Addr: 0x1400800
    ...Already done
    Addr: 0x1400a00
    ...Already done
    Addr: 0x1400c00
    ...Already done
    Addr: 0x1400e00
    ...Already done

    (if you are getting this message "...Already done", you need to delete lastaddr.txt file in the aftv2-tools folder, thanks to @Kramar111 for pointing this out !!! )

    C:\extra\android\kindle_root\aftv2-tools>read32.py 0 1
    1: 0xd1
    4: 0x00 0x00 0x00 0x00
    4: 0x00 0x00 0x00 0x01

    (and the device turns off here, and will reboot)



    I've also poked around, and found the Fire HD preloader sitting in /dev/block/mmcblk0boot0 (see the attached file). It does not seem to have any ANTI-ROLLBACK strings, but still bricks. It's definitely smaller than the version from Fire 2015, but the beginning of it looks similar. There is also another partition, /dev/block/mmcblk0boot1, which seems to contain all the key data for the device.

    @moroxoro, @notorious.dds, @CJD14, @DoLooper, @Gimzie, @kirito9, @sd_shadow, @Drevenu, @kyle12345109876, @Kramar111, @zeroepoch, @hwmod
    9
    To @bibikalka and anyone else. I have created a custom bootable ISO image with AFTV2 tools, img files, drivers, adb, fastboot, ghex (hex editor), and other tools to make it easier for people to do this without all the setup required. It is based off of Archbang (32 bit). It can be installed to a usb stick or cd with dd or whatever burning software. Once booted up, type "root" at login and you will be taken to the desktop. AFTV2 files are located in the root home directory "/root" as well as image files. The only issue is that wifi doesn't work on this os. Somehow systemd got messed up. But it's not an issue because everything required is on the os.

    More info and video here: http://forum.xda-developers.com/fir...linux-iso-unbrick-fire-hd6-hd7-t3474999/page1

    You can download the OS here:
    Linux ISO

    If you do not have a US Keyboard layout, please look here: http://wiki.archbang.org/index.php?title=Setting_Your_Keyboard

    ChangeLog:
    Updated 10/5/16:
    *Optomized scripts
    *Added "complete.sh" This reboots the device

    Updated 9/27/16:
    *Added script to auto-detect which unbrick option to use (determineOption.sh)
    *Added scripts to write img files to correct addresses ( unbrickOptionA.sh, unbrickOptionB.sh, and unbrickOptionC.sh)
    *Added scripts to read in and label part files (readerSpecialOptionA.sh, readerSpecialOptionB.sh, and readerSpecialOptionC.sh)
    *Nemo open in terminal fixed
    *.part files set to open with ghex by default

    Updated 9/24/16:
    *Nemo as default file manager
    *Updated html page with instructions from forum


    I will be making a video on unbricking within a couple months or so.
    4
    OK, the key data are the addresses. The info is from these posts :
    http://forum.xda-developers.com/fire-hd/development/uart-port-fire-hd6-t2991474 (thank you @powerpoint45 !!!)
    http://forum.xda-developers.com/fire-hd/help/internal-memory-structure-hidden-t3122246

    So these are hex values for 512 byte sectors :
    Code:
    [PART] 1: 00000100 00000040 'PRO_INFO'
    [PART] 2: 00002000 00000800 'PMT'
    [PART] 3: 00002800 00002800 'TEE1'
    [PART] 4: 00002800 00005000 'TEE2'
    [PART] 5: 00000400 00007800 'UBOOT'
    [PART] 6: 00004000 00007C00 'boot'
    [PART] 7: 00004000 0000BC00 'recovery'
    [PART] 8: 00000800 0000FC00 'KB'
    [PART] 9: 00000800 00010400 'DKB'
    [PART] 10: 00000400 00010C00 'MISC'
    [PART] 11: 00008000 00011000 'persisbackup'
    [PART] 12: 00258000 00019000 'system'
    [PART] 13: 001B8000 00271000 'cache'
    [PART] 14: 018F3FDF 00429000 'userdata'

    This leads to :
    Note, these are not correct, see post #1
    Part Address Length

    TEE1 0x0500000 0x0500000
    UBOOT 0x0F00000 0x0080000
    recovery 0x1780000 0x0800000


    And, these commands should save the partitions (if my math is correct !!!) :

    ./read_mmc.py $((0x0500000)) $((0x0500000)) tee1.part
    ./read_mmc.py $((0x0F00000)) $((0x0080000)) uboot.part
    ./read_mmc.py $((0x1780000)) $((0x0800000)) recovery.part

    One may read only the first few blocks, and see if the addresses are good.
    4
    Well, I just checked my 5.3.1 (with the ancient bootloaders) that I updated via this method :
    http://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950
    AFTV2 tools seem to work fine.

    So it must be the bootloaders in 5.3.1 that disable this feature. I think another user also reported the same issue after forgetting to flash the older bootloaders along the way.

    In your case if the device never booted up, it did not have a chance to update recovery from TWRP to the stock, so now it's not signed, and cannot boot. The AFTV2 tools became known before 5.3.1, so I wonder if they disabled these both on Fire 2015, and Fire HD 2014.

    So looks like the method is going to be useless with the bricks which have 5.3.1 bootloaders in them ...

    @bibikalka, it's quite likely that Amazon blocked the preloader hack with the latest update. They did that for the AFTV2 on 5.2.1.0+. I did a disassembly of the preloader on the AFTV2 to confirm that they removed the commands we are using. There are only the minimal commands necessary now and unless you have a signed download agent there is nothing you can do. You would still be able to handshake, but you would not be able to read/write anything and it would probably hang with my tools. The preloader and lk are the "bootloader" chain, so if you update those and it's now been disabled you are out of luck. I happen to have 2 Fire 2015s (the kids edition), but I haven't messed with them besides installing Google Play so I couldn't confirm anything myself. They're probably running the latest version though since they auto update at night.
    4
    Just updated the Linux ISO with a big update. See full changelog here: http://forum.xda-developers.com/showpost.php?p=68802463&postcount=294
    @bibikalka
    I mainly just want to point out that this build contains a script that can auto-detect which option to use (A, B, or C). After reading in all the addresses with reader.sh, you can run determineOption.sh and it will tell you which option to use. You can then run readerSpecialOptionA.sh, readerSpecialOptionB.sh, or readerSpecialOptionC.sh. Next Back up those part files to a usb. Finally you can run unbrickOptionA.sh, unbrickOptionB.sh, or unbrickOptionC.sh to write the img files to the correct addresses. If you are trying to use this determineOption.sh script apart from the custom Linux ISO, keep in mind you must have xxd installed.