[UNLOCK][ROOT][TWRP][UNBRICK][DOWNGRADE] Fire 7 (ford and austin).

k4y0z

Read this whole guide before starting.

This is for the 5th gen Fire and 7th gen Fire

Current Version
5th gen: amonet-ford-v1.4.1.zip
7th gen: amonet-austin-v1.4.1.zip

What you need:
  • A Linux installation or live-system
  • A micro-USB cable

If your Fire is on a newer preloader-version (or a 7th gen) you may also need:
  • Something conductive (paperclip, tweezers etc)
  • Something to open the tablet.

There is an alternative for opening the tablet (only 5th gen), which is described below.

Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB ports (preferably USB 2.0 ports).


If you're lucky and have an old preloader (Up to FireOS 5.3.2, thanks @MontysEvilTwin), you can just hold the left volume button while plugging the device in.
If you're on a newer preloader, there are two options:
  1. Open the device and short the pin marked in the attached photo to ground while plugging in.
  2. (Only 5th gen) Downgrade to 5.0.1 firmware via adb sideload in Amazon recovery, then proceed to use the left volume button to enter boot-rom.

NOTE: Using option two will brick your device until you have successfully finished the process.

1. Extract the attached zip-file "amonet-ford-v1.4.1.zip" (use "amonet-austin-v1.4.1.zip" for 7th gen) and open a terminal in that directory.
2. Start the script:
Code:
sudo ./bootrom-step.sh
It should now say Waiting for bootrom.

3. If you have an old preloader or used option 2 above:
Hold the left volume-button and plug the device in.
If you chose option 1, short the device according to the attached photo and plug it in.

NOTE: Make sure the device is powered off, before plugging it in.

NOTE: If you have issues getting a 7th gen into bootrom, read this post by @hwmod

NOTE: For hints on how to access the pins on a 7th gen without removing the shield, check Post 1075 by @shelleyfrank

NOTE:

In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
sudo ./fastboot-step.sh
8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk or SuperSU

To return to stock, go into hacked fastboot mode, then run
Code:
sudo ./stock-recovery.sh
Your device should reboot into Amazon recovery. Use adb sideload to install the stock image from there.

NOTE:
Only ever flash boot/recovery images using TWRP. If you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.


NOTE:
fastboot-step flashes the 5.6.3 boot.img. If your device hangs at the orange fire logo, try wiping cache first.
If that doesn't help, your system is probably incompatible with that image; just flash the right boot.img via TWRP.


NOTE:
This process does not disable OTA or make any other modifications to your system.
You will have to do that according to the other guides in this forum.


Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks also to @ANDROID2468 and @bibikalka for testing things.
Thanks to @mateo121212 and @hwmod for debugging 7th gen.
Thanks to @MontysEvilTwin for figuring out volume-button access works up to FireOS 5.3.2, and for figuring out that 5.3.2 PL/TZ fix prime video.
 

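An added helper, not part of the guide or the amonet package, that applies the lsusb/dmesg check from the guide to saved or live output and reports whether the tablet enumerated as boot-rom (0e8d:0003) or only as preloader (0e8d:2000). The sample lines are constructed in the formats shown above; it reads both the lsusb and the dmesg form for either ID.

```python
import re
import subprocess

# USB IDs quoted in the guide: the MediaTek boot-rom enumerates as 0e8d:0003,
# the preloader as 0e8d:2000. bootrom-step.sh only works with the former.
MTK_VID = "0e8d"
MTK_MODES = {"0003": "bootrom", "2000": "preloader"}

# One regex per output format shown in the guide (lsusb and dmesg).
LSUSB_RE = re.compile(r"\bID\s+([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")
DMESG_RE = re.compile(r"idVendor=([0-9a-fA-F]{4}),\s*idProduct=([0-9a-fA-F]{4})")


def find_mtk_modes(text):
    """Return the MediaTek modes found in lsusb or dmesg output, in the order seen."""
    modes = []
    for line in text.splitlines():
        match = LSUSB_RE.search(line) or DMESG_RE.search(line)
        if match and match.group(1).lower() == MTK_VID:
            modes.append(MTK_MODES.get(match.group(2).lower(), "unknown"))
    return modes


def bootrom_status(text):
    """Map what was seen to the action the guide prescribes."""
    modes = find_mtk_modes(text)
    if "bootrom" in modes:
        return "bootrom"      # good: let bootrom-step.sh proceed
    if "preloader" in modes:
        return "preloader"    # too late: power off, hold volume / short, retry
    if "unknown" in modes:
        return "unknown-mtk"  # a MediaTek device in some other mode
    return "absent"           # no MediaTek device enumerated at all


# Constructed sample output (formats copied from the guide, device numbers made up).
SAMPLE_BOOTROM = """\
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
"""
SAMPLE_PRELOADER = """\
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
"""
SAMPLE_NONE = "Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub\n"


def live_status():
    """Run lsusb on this host and classify its output (Linux only)."""
    out = subprocess.run(["lsusb"], capture_output=True, text=True, check=False).stdout
    return bootrom_status(out)


if __name__ == "__main__":
    print("constructed lsusb sample:", bootrom_status(SAMPLE_BOOTROM))
    print("constructed dmesg sample:", bootrom_status(SAMPLE_PRELOADER))
    print("this host:", live_status())
```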

k4y0z

Features.

  • Uses 5.3.2 Preloader/TZ for easy access to bootrom (using left volume button/only 5th gen)
  • Uses 5.6.3 LK for full compatibility with newer kernels.
  • Hacked fastboot mode lets you use all fastboot commands (flash etc).
  • Boots custom/unsigned kernel-images (need to be patched)
  • Sets androidboot.unlocked_kernel=true (enables adb root-shell)
  • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).

NOTE: Hacked fastboot can be reached via TWRP.

NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.
 


k4y0z

Version 1.4 (25.03.2019)
  • Update TWRP to twrp-9.0 sources
  • Implement downgrade-protection for LK/PL/TZ
  • Add scripts to enter fastboot/recovery in case of bootloop
  • Automatically restore boot-patch when you boot into recovery

Version 1.3 (20.03.2019)
Version 1.2.1 (17.02.2019)

  • Fix bug in 7th gen.

16.02.2019
  • Now also unlock for the 7th gen :)

Version 1.2 (14.02.2019)
  • Updated TWRP to contain new microloader.
  • Added TWRP shell command reboot-amonet to reboot into hacked fastboot.

Version 1.1 (14.02.2019):
  • Fixed bug caused when flashing large images via hacked fastboot.
  • Include stock recovery.img and script to flash back.

Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery
 

ANDROID2468

Anyone who wants to update to the latest FW without undoing the unlock you can get it here

I'm also releasing a customized fire os that I'm calling "fire os revamped" ( comes with nova launcher and other enhancements) it will be on xda soon
edit: here it is.
Sent from my VS986 using XDA Labs
 

Pix12

So I can do this without opening it up if I'm on a newer version?

---------- Post added at 06:44 PM ---------- Previous post was at 06:34 PM ----------

So my 5.1.1 Fire, which I believe was originally on 5.0.1 worked.

---------- Post added at 06:51 PM ---------- Previous post was at 06:44 PM ----------

I mean it worked without having to brick or open it up.
 

hwmod

Read this whole guide before starting.
...

@k4y0z awesome work ! My congratulations again for the great achievement and implementation.
Your solution is letting users revive their "bricks" and make them free to use their gadget as they wish.

There is still some quirk I have on the 7th Gen tablets with the "microloader" code, though it works well
with the 5th Gen, so I am assuming that something can be improved on the 7th Gen and maybe in general.

Your work opens up to new ROMS and other possible uses of the tablet for things I have been dreaming about
for a long time, having Linux load from µSDCard, from SSD on OTG or from the network (BOOTP/DHCP/NFS ... ).

I know this will take some time and effort but now more than ever I feel the target objective is on sight.
The first thing would be to rebuild a completely modular kernel, maybe a more recent one (4.x).

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
:rolleyes:
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)

...
In all Linux OS the correct way for a normal user to gain read/write access to the serial ports (UARTs) is to make himself a member of the "dialup" group.
You can do this by issuing once the following command (two alternatives given here, use only one):
Code:
sudo adduser MY_USER_NAME dialout
or
Code:
usermod -a -G dialout MY_USER_NAME
This avoids using "sudo" and having to type password several times to gain permission to access the serial device,
it also solved many issues I was having due to multiple concurrent access to the Serial Ports and/or USB Ports from
various software and devices (Bluetooth, Camera, Phones, Digital Signing, Crypto Cards, Prolific/FTDI serial converters ... ).

And this is another suggestion for those continuously testing phones and tablets ...
To avoid trashing the tablet connectors due to continuous connect/disconnect of the USB cables I highly recommend
using the following type of USB Multiport Hub with power switches or similar (there are both USB 2.0 and USB 3.0 versions)
they are inexpensive and really unique of their type; having an on/off switch for every port effectively helps to avoid damaging connectors.

Have a good hacking night. :good:

.:HWMOD:.

---------- Post added at 02:34 AM ---------- Previous post was at 02:17 AM ----------

So I can do this without opening it up if I'm on a newer version?

---------- Post added at 06:44 PM ---------- Previous post was at 06:34 PM ----------

So my 5.1.1 Fire, which I believe was originally on 5.0.1 worked.

---------- Post added at 06:51 PM ---------- Previous post was at 06:44 PM ----------

I mean it worked without having to brick or open it up.
This is the proof that it was possible to make the hack available to a bigger group of users.
Another big achievement obtained by the awesome @k4y0z though in my tests this is not
always possible yet, more testing will probably reveal the reason and let's improve on that.

This is especially annoying on the 7th Gen tablets but I keep hoping a simpler way would help there.
Disconnecting the battery makes the difference at times, and that means just removing two small screws.

.:HWMOD:.
 

DB126

Read this whole guide before starting.

This is for the 5th gen Fire.
It can also be used to root a 7th gen, but there are some differences.
It's best you wait for a separate guide how to use this to root your 7th gen.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks also to @ANDROID2468 and @bibikalka for testing things.
Outstanding contribution. Clear, concise and relevant to a broad community with appropriate acknowledgements. This is what XDA is all about.
 

k4y0z

@k4y0z
There is still some quirk I have on the 7th Gen tablets with the "microloader" code, though it works well
with the 5th Gen, so I am assuming that something can be improved on the 7th Gen and maybe in general.
What quirks other than the non-functional screen?
Have you tested what I suggested in the other thread?

In all Linux OS the correct way for a normal user to gain read/write access to the serial ports (UARTs) is to make himself a member of the "dialup" group.
That would be the "correct" way of course, I just assumed people were using live-systems, so sudo seems like the easier solution.
 

hwmod

What quirks other than the non-functional screen?
Have you tested what I suggested in the other thread?


That would be the "correct" way of course, I just assumed people were using live-systems, so sudo seems like the easier solution.
Yes I tried to use the file "boot.7th.patched.img" you shared and the UART but the tablet doesn't boot up,
it crashes as soon as the "microloader.bin" is executed, the log says something like "undefined, aborting"
instead of printing the heading "microloader by xyz. Copyright 2019" as it does with the 5th Gen.
It doesn't print the message "Something went horribly wrong!" that the code prints if an error is detected.
It seems the error has to do with a wrong load address; after the error the processor registers are dumped.

Two things I noticed: the first shouldn't be a problem, but all the image wrappers contain a residual
from the mt8163 platform, the parameters "bootopt=64S3,32N2,32N2". It is present also in "microloader.bin".
I understand that probably it doesn't do anything bad on our Fire mt8127 platform but removing these would
also ensure that possible behaviours are also removed and we don't have that "cmdline" parameter hanging
around without a precise scope.

The second thing is that it seems to me the "boot.7th.patched.img" you shared and asked me to try doesn't
come from version 5.6.3 of the firmware and that may be another point which might break the loading
process and the version mismatches I am seeing on the 7th Gen.

So we don't have a native "preloader" for the 7th Gen that allows booting images as we have for the 5th Gen, so
we are forced to use the one we have from the 5th Gen, but then we have no matching secondary loader and that
might be another reason we are having a hard time replicating the process that runs smoothly on the 5th Gen.

However, even on the 7th we have gained "root" by using the "SuperSu" and also the TWRP seems to be working
well, and following that path the touch screen problems do not show up and everything runs natively correctly.

Now, what happens when we face the update route is still unknown, however we will soon learn that since this
evening my 5th Gen downloaded as much as 18 components that needed to be updated on 5.6.3.

I captured them all and have saved the 18 pieces, all are "apk" files, no ".zip" and no ".bin" files.

I am going to download the update version you released today and the patched TWRP and
tomorrow I will restart testing everything again and will let you know if something changes and if there are
further improvements for the 7th Gen.

One request I have is: where can I put more kernel "cmdline" parameters as you did with "printk_disable_uart=0" ?

That's all for now, thank you again for the nice surprises !

.:HWMOD:.
 

k4y0z

Yes I tried to use the file "boot.7th.patched.img" you shared and the UART but the tablet doesn't boot up,
it crashes as soon as the "microloader.bin" is executed, the log says something like "undefined, aborting"
instead of printing the heading "microloader by xyz. Copyright 2019" as it does with the 5th Gen.
It doesn't print the message "Something went horribly wrong!" that the code prints if an error is detected.
It seems the error has to do with a wrong load address; after the error the processor registers are dumped.
Ok that shouldn't happen, it should at least get further than that.
You are testing it with the 5th gen preloader/lk correct?
Maybe I messed something up creating the image.
I have attached a new one from the 7th 5.6.3 firmware.
Please use the new version 1.1 of the package I just updated a few minutes ago.
(It uses different addressing).

Two things I noticed: the first shouldn't be a problem, but all the image wrappers contain a residual
from the mt8163 platform, the parameters "bootopt=64S3,32N2,32N2". It is present also in "microloader.bin".
I understand that probably it doesn't do anything bad on our Fire mt8127 platform but removing these would
also ensure that possible behaviours are also removed and we don't have that "cmdline" parameter hanging
around without a precise scope.
I don't think that will cause any issues, the kernel should at least load and print something to UART.
It's not even loading the microloader correctly. (which should work, since it works for TWRP)

One request I have is: where can I put more kernel "cmdline" parameters as you did with "printk_disable_uart=0" ?
I will have to think about that, the flags would need to be stored somewhere.
Sadly the 5.6.3 bootloader doesn't support "oem append-cmdline" anymore.
 


hwmod

Ok that shouldn't happen, it should at least get further than that.
You are testing it with the 5th gen preloader/lk correct?
Maybe I messed something up creating the image.
I have attached a new one from the 7th 5.6.3 firmware.
Please use the new version 1.1 of the package I just updated a few minutes ago.
(It uses different addressing).


I don't think that will cause any issues, the kernel should at least load and print something to UART.
It's not even loading the microloader correctly. (which should work, since it works for TWRP)


I will have to think about that, the flags would need to be stored somewhere.
Sadly the 5.6.3 bootloader doesn't support "oem append-cmdline" anymore.
What about "fastboot --cmdline" that is in the help of newer version ?
I have never been able to use that. Can that be made to work in some way ?
 

k4y0z

What about "fastboot --cmdline" that is in the help of newer version ?
I have never been able to use that. Can that be made to work in some way ?
I haven't tried, my fastboot doesn't support this option.
If the 5.6.3 LK supports it, it should work in hacked fastboot mode.
 

hwmod

I haven't tried, my fastboot doesn't support this option.
If the 5.6.3 LK supports it, it should work in hacked fastboot mode.
Here it is !
Taken from Fedora 29 should work on any recent Linux.
See the line I have made in bold in the included help output here.
Seems to indicate that "fastboot" will pass the "cmdline" parameter,
obviously it needs to be implemented in the target platform though.

Code:
# fastboot --help
usage: fastboot [OPTION...] COMMAND...

flashing:
 update ZIP                 Flash all partitions from an update.zip package.
 flashall                   Flash all partitions from $ANDROID_PRODUCT_OUT.
                            On A/B devices, flashed slot is set as active.
                            Secondary images may be flashed to inactive slot.
 flash PARTITION [FILENAME] Flash given partition, using the image from
                            $ANDROID_PRODUCT_OUT if no filename is given.

basics:
 devices [-l]               List devices in bootloader (-l: with device paths).
 getvar NAME                Display given bootloader variable.
 reboot [bootloader]        Reboot device.

locking/unlocking:
 flashing lock|unlock       Lock/unlock partitions for flashing
 flashing lock_critical|unlock_critical
                            Lock/unlock 'critical' bootloader partitions.
 flashing get_unlock_ability
                            Check whether unlocking is allowed (1) or not(0).

advanced:
 erase PARTITION            Erase a flash partition.
 format[:FS_TYPE[:SIZE]] PARTITION
                            Format a flash partition.
 set_active SLOT            Set the active slot.
 oem [COMMAND...]           Execute OEM-specific command.

boot image:
 boot KERNEL [RAMDISK [SECOND]]
                            Download and boot kernel from RAM.
 flash:raw PARTITION KERNEL [RAMDISK [SECOND]]
                            Create boot image and flash it.
 --cmdline CMDLINE          Override kernel command line.
 --base ADDRESS             Set kernel base address (default: 0x10000000).
 --kernel-offset            Set kernel offset (default: 0x00008000).
 --ramdisk-offset           Set ramdisk offset (default: 0x01000000).
 --tags-offset              Set tags offset (default: 0x00000100).
 --page-size BYTES          Set flash page size (default: 2048).
 --header-version VERSION   Set boot image header version.
 --os-version MAJOR[.MINOR[.PATCH]]
                            Set boot image OS version (default: 0.0.0).
 --os-patch-level YYYY-MM-DD
                            Set boot image OS security patch level.

Android Things:
 stage IN_FILE              Sends given file to stage for the next command.
 get_staged OUT_FILE        Writes data staged by the last command to a file.

options:
 -w                         Wipe userdata.
 -s SERIAL                  Specify a USB device.
 -s tcp|udp:HOST[:PORT]     Specify a network device.
 -S SIZE[K|M|G]             Break into sparse files no larger than SIZE.
 --slot SLOT                Use SLOT; 'all' for both slots, 'other' for
                            non-current slot (default: current active slot).
 --set-active[=SLOT]        Sets the active slot before rebooting.
 --skip-secondary           Don't flash secondary slots in flashall/update.
 --skip-reboot              Don't reboot device after flashing.
 --disable-verity           Sets disable-verity when flashing vbmeta.
 --disable-verification     Sets disable-verification when flashing vbmeta.
 --wipe-and-use-fbe         Enable file-based encryption, wiping userdata.
 --unbuffered               Don't buffer input or output.
 --verbose, -v              Verbose output.
 --version                  Display version.
 --help, -h                 Show this message.
.:HWMOD:.
 


k4y0z

Here it is !
Taken from Fedora 29 should work on any recent Linux.
See the line I have made in bold in the included help output here.
Seems to indicate that "fastboot" will pass the "cmdline" parameter,
obviously it needs to be implemented in the target platform though.
Just noticed in mine there is
-c <cmdline> Override kernel commandline.
I don't think it's supported by LK.

I suppose you could just rebuild a kernel-image with the appropriate cmdline.
 
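As an added example that is not code from the thread or the amonet project: a minimal reader/writer for the Android boot image v0 header (the layout behind the --base, --kernel-offset, --ramdisk-offset, --tags-offset and --page-size defaults in the fastboot help quoted above), showing how the cmdline field can be rewritten in an existing boot.img without touching the kernel or ramdisk. The kernel and ramdisk bytes are constructed placeholders, and an image produced this way still needs the on-the-fly patch TWRP applies before it is flashed on these tablets.

```python
import struct

# Android boot image header v0 (AOSP boot_img_hdr_v0): magic, ten u32 fields,
# 16-byte name, 512-byte cmdline, 32-byte id, 1024-byte extra_cmdline.
BOOT_MAGIC = b"ANDROID!"
HDR_FMT = "<8s10I16s512s32s1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)          # 1632 bytes
CMDLINE_OFF = struct.calcsize("<8s10I16s")   # cmdline field starts at byte 64
CMDLINE_MAX = 511                            # 512-byte field, NUL-terminated


def _pad(data, page_size):
    """Pad to the next page boundary, as mkbootimg does."""
    rem = len(data) % page_size
    return data + b"\0" * (page_size - rem) if rem else data


def build_boot_image(kernel, ramdisk, cmdline, page_size=2048, base=0x10000000):
    """Assemble header + kernel + ramdisk using the fastboot default offsets."""
    raw = cmdline.encode()
    if len(raw) > CMDLINE_MAX:
        raise ValueError("cmdline longer than %d bytes" % CMDLINE_MAX)
    fields = (BOOT_MAGIC,
              len(kernel), base + 0x00008000,    # kernel_size, kernel_addr
              len(ramdisk), base + 0x01000000,   # ramdisk_size, ramdisk_addr
              0, base + 0x00F00000,              # second_size, second_addr (mkbootimg default, assumed)
              base + 0x00000100, page_size,      # tags_addr, page_size
              0, 0,                              # header_version, os_version
              b"", raw, b"", b"")                # name, cmdline, id, extra_cmdline
    header = struct.pack(HDR_FMT, *fields)
    return _pad(header, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)


def parse_header(img):
    """Decode the fields we care about; raises on anything that is not a boot image."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    f = struct.unpack(HDR_FMT, img[:HDR_SIZE])
    return {"kernel_size": f[1], "kernel_addr": f[2], "ramdisk_size": f[3],
            "ramdisk_addr": f[4], "tags_addr": f[7], "page_size": f[8],
            "cmdline": f[12].split(b"\0", 1)[0].decode()}


def get_kernel(img):
    """Slice the kernel out; the header occupies whole pages before it."""
    h = parse_header(img)
    start = -(-HDR_SIZE // h["page_size"]) * h["page_size"]
    return img[start:start + h["kernel_size"]]


def set_cmdline(img, new_cmdline):
    """Rewrite the cmdline field in place; sizes and offsets stay untouched."""
    parse_header(img)  # validates the magic first
    raw = new_cmdline.encode()
    if len(raw) > CMDLINE_MAX:
        raise ValueError("cmdline longer than %d bytes" % CMDLINE_MAX)
    return img[:CMDLINE_OFF] + raw.ljust(512, b"\0") + img[CMDLINE_OFF + 512:]


def append_cmdline(img, extra):
    """Add parameters (e.g. printk.disable_uart=0) to whatever is there already."""
    current = parse_header(img)["cmdline"]
    return set_cmdline(img, (current + " " + extra).strip())


if __name__ == "__main__":
    # Constructed placeholder payloads; a real boot.img comes from the firmware.
    img = build_boot_image(b"\x7fKERN" * 300, b"\x1f\x8b" + b"\0" * 10, "console=ttyS0,921600n8")
    img = append_cmdline(img, "printk.disable_uart=0")
    print(parse_header(img))
```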

hwmod

Just noticed in mine there is

I don't think it's supported by LK.

I suppose you could just rebuild a kernel-image with the appropriate cmdline.

Yes that was another form of passing the same arguments in a previous version of "fastboot".
I am keeping a collection of "fastboot" versions and by looking at the "lk" binaries I see there are
still a lot of reference strings related to "cmdline" handling.

If there is a way to still pass some parameter it might be feasible to inject some on the "cmdline".
Another thing I have been exploring is the MISC partition which contains the ENV variable of "lk".
There is a parameter written in the "lk" environment which resides in that MISC partition which is
"off-mode-charge=1"; that parameter is followed by a simple CRC sum of the bytes of the string.

I thought that maybe by writing more parameters in MISC it would result to a parameter injection
but I didn't have the success I hoped, maybe I didn't test well enough or failed something, anyway
that MISC partition is almost empty and maybe it can be used too as extra persistent memory should
we need to save something bigger than a couple of kilobytes.

Have fun !

.:HWMOD:.
 

kozyy

If you're on a newer preloader, there are two options:
Open the device and short the pin marked in the attached photo to ground while plugging in.
Downgrade to 5.0.1 firmware via adb sideload in Amazon recovery, then proceed to use the left volume button to enter boot-rom.
Thanks also to @ANDROID2468
Wasn't exactly clear on this, so on the 7th gen we can sideload the 5.0.1 firmware (bricking the device), then we're able to enter boot-rom and are able to continue with the rest of the steps?
 

mateo121212

@hwmod finally I rooted the fire 7 7th gen! Thanks to @mateo121212 !
With the new files k4y0z posted I am working on streamlining the process to make a simpler method for the 7th gen. Also the SU 2.82 sr5 edits the .sh file that rebuilds the recovery. That's why some people lose their recovery even if they flash both system and boot from the same FW.
.
 
Last edited:

Rortiz2

With the new files k4y0z posted I am working on streamlining the process to make a simpler method for the 7th gen. Also the SU 2.82 sr5 edits the .sh file that rebuilds the recovery. That's why some people lose their recovery even if they flash both system and boot from the same FW.
.
Ohh ****, now it doesn't power on. It's bootlooping in FIRE.
I can't access recovery and fastboot..

---------- Post added at 03:33 PM ---------- Previous post was at 03:23 PM ----------

Wasn't exactly clear on this, so on the 7th gen we can sideload the 5.0.1 firmware (bricking the device), then we're able to enter boot-rom and are able to continue with the rest of the steps?
NO! 5.0.1 can't be installed on 7th GEN. You must open the case and remove the shield.
 