[UNLOCK][ROOT][TWRP][UNBRICK][DOWNGRADE] Fire 7 (ford and austin).
- Thread starter k4y0z
- Start date
Anyone have a tip for getting the short working on the 7th gen? I've got it open, put a dollop of solder on the pad, and still I only get lsusb to show up as "preloader". Is there a preferred short point? Should I disconnect the battery?
root@ubuntu:~/Desktop/fire7-2015/amonet-ford-v1.4.1/amonet# '/root/Desktop/fire7-2015/amonet-ford-v1.4.1/amonet/bootrom-step.sh'
[2021-07-19 02:26:47.356615] Waiting for bootrom
[2021-07-19 02:27:06.539664] Found port = /dev/ttyACM0
[2021-07-19 02:27:06.543788] Handshake
[2021-07-19 02:27:06.551767] Disable watchdog
* * * Remove the short and press Enter * * *
[2021-07-19 02:27:06.559937] Init crypto engine
[2021-07-19 02:27:06.975389] Disable caches
[2021-07-19 02:27:06.981383] Disable bootrom range checks
[2021-07-19 02:27:07.164145] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2021-07-19 02:27:07.165496] Send payload
[2021-07-19 02:27:15.982870] Let's rock
[2021-07-19 02:27:15.990997] Wait for the payload to come online...
[2021-07-19 02:27:16.600913] all good
[2021-07-19 02:27:16.601150] Check GPT
[2021-07-19 02:27:16.916273] gpt_parsed = {'KB': (2048, 2048), 'DKB': (4096, 2048), 'EXPDB': (6144, 35584), 'UBOOT': (41728, 2048), 'boot': (43776, 32768), 'recovery': (76544, 32768), 'MISC': (109312, 1024), 'LOGO': (110336, 7168), 'TEE1': (117504, 10240), 'TEE2': (127744, 10240), 'system': (137984, 2457600), 'cache': (2595584, 512000), 'userdata': (3107584, 27428063), '': (0, 1)}
[2021-07-19 02:27:16.916400] Check boot0
[2021-07-19 02:27:17.125485] Check rpmb
[2021-07-19 02:27:17.336931] Clear preloader header
[8 / 8]
[2021-07-19 02:27:17.753350] Downgrade rpmb
[2021-07-19 02:27:17.759387] Recheck rpmb
Traceback (most recent call last):
File "main.py", line 156, in <module>
main()
File "main.py", line 114, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
[2021-07-19 02:26:47.356615] Waiting for bootrom
[2021-07-19 02:27:06.539664] Found port = /dev/ttyACM0
[2021-07-19 02:27:06.543788] Handshake
[2021-07-19 02:27:06.551767] Disable watchdog
* * * Remove the short and press Enter * * *
[2021-07-19 02:27:06.559937] Init crypto engine
[2021-07-19 02:27:06.975389] Disable caches
[2021-07-19 02:27:06.981383] Disable bootrom range checks
[2021-07-19 02:27:07.164145] Load payload from ../brom-payload/build/payload.bin = 0x45D0 bytes
[2021-07-19 02:27:07.165496] Send payload
[2021-07-19 02:27:15.982870] Let's rock
[2021-07-19 02:27:15.990997] Wait for the payload to come online...
[2021-07-19 02:27:16.600913] all good
[2021-07-19 02:27:16.601150] Check GPT
[2021-07-19 02:27:16.916273] gpt_parsed = {'KB': (2048, 2048), 'DKB': (4096, 2048), 'EXPDB': (6144, 35584), 'UBOOT': (41728, 2048), 'boot': (43776, 32768), 'recovery': (76544, 32768), 'MISC': (109312, 1024), 'LOGO': (110336, 7168), 'TEE1': (117504, 10240), 'TEE2': (127744, 10240), 'system': (137984, 2457600), 'cache': (2595584, 512000), 'userdata': (3107584, 27428063), '': (0, 1)}
[2021-07-19 02:27:16.916400] Check boot0
[2021-07-19 02:27:17.125485] Check rpmb
[2021-07-19 02:27:17.336931] Clear preloader header
[8 / 8]
[2021-07-19 02:27:17.753350] Downgrade rpmb
[2021-07-19 02:27:17.759387] Recheck rpmb
Traceback (most recent call last):
File "main.py", line 156, in <module>
main()
File "main.py", line 114, in main
raise RuntimeError("downgrade failure, giving up")
RuntimeError: downgrade failure, giving up
Wow, thank you so much for this!! Talk about breathing new life into this aging tablet. Hated the FireOS with a passion! LineageOS is fairly buttery on this tablet, I was pleasantly surprised!
Couldn't get the bootloader using the highlighted pin on the 7th gen (Austin) after about 10 attempts, but got it first time with the two surface mount caps highlighted in another picture in the thread (just "east" of pin). Also made the mistake of doing an install of Magisk BL from within the app once booted up, and got a boot loop and had to start all over in TWRP. You can install the magisk app, and enable super user, but do not install magisk bootloader (first option) from within the app. Download a new magisk apk, rename to a zip file and flash it from TWRP. I've turned "check for updates" off in Magisk app.
Still seeing the auto-rotate issue in LineageOS, is there a fix for that? It stinks cause there's no manual override either. I wouldn't mind if I could just set it to portrait or landscape, it doesn't have to be automatic. Oh well, still way better than before! I might try out Ultimate Rotation Control or something to see if I can override?
Couldn't get the bootloader using the highlighted pin on the 7th gen (Austin) after about 10 attempts, but got it first time with the two surface mount caps highlighted in another picture in the thread (just "east" of pin). Also made the mistake of doing an install of Magisk BL from within the app once booted up, and got a boot loop and had to start all over in TWRP. You can install the magisk app, and enable super user, but do not install magisk bootloader (first option) from within the app. Download a new magisk apk, rename to a zip file and flash it from TWRP. I've turned "check for updates" off in Magisk app.
Still seeing the auto-rotate issue in LineageOS, is there a fix for that? It stinks cause there's no manual override either. I wouldn't mind if I could just set it to portrait or landscape, it doesn't have to be automatic. Oh well, still way better than before! I might try out Ultimate Rotation Control or something to see if I can override?
Thanks so much for this!!! Tried 10 times with highlighted pin with no luck. Used your picture and worked first time!! This is post #1815 in this thread. The 7th gen picture on the first post should be updated with this. Also, both pictures attached in the first post are titled as the same generation, so its even more confusing.
I had the same problem. So I decided to use Ubuntu (just took the latest version) and it just worked (used MXLinux before but this not working for what ever reason)
I only applied "sudo apt install python3 python3-serial adb fastboot" cause the rest is already included!
Maybe this hint should be added to the OP?
Initial post didnt work for my fire 7" 5th gen (Ford). I had to disconnect the battery before shortening the described pin. After that everything worked perfectly.
I had to search a lot of posts in this threat before finding the hint. Would be nice if this could be incorporated in the original post.
jba
I had to search a lot of posts in this threat before finding the hint. Would be nice if this could be incorporated in the original post.
jba
I had gotten to the "remove short" step a couple months ago, but didn't have time to work on it. Now that I'm trying it again, nothing happens at all. Could it be that the battery no longer has charge? Does the battery need to be charged to do this? If so, how can I charge it? I left it in to charge overnight but still no change
Hello, I'm new here, I'm currently having an issue, I've made it past the first step, (option 2) and my device is currently black, and plugged in.
I'm not sure what this error is, or why it happened, but I would like to know where I can go from here. Is my device softbricked for now? Or is this worse than a softbrick, thank you.
Code:
# ./bootrom-step.sh
[2021-09-29 09:32:12.933648] Waiting for bootrom
[2021-09-29 09:33:36.744600] Found port = /dev/ttyACM0
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 265, in open
self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
FileNotFoundError: [Errno 2] No such file or directory: '/dev/ttyACM0'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "main.py", line 156, in <module>
main()
File "main.py", line 72, in main
dev.find_device()
File "/home/mint/Desktop/amonet/modules/common.py", line 83, in find_device
self.dev = serial.Serial(port, BAUD, timeout=TIMEOUT)
File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 240, in __init__
self.open()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 268, in open
raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 2] could not open port /dev/ttyACM0: [Errno 2] No such file or directory: '/dev/ttyACM0'I'm not sure what this error is, or why it happened, but I would like to know where I can go from here. Is my device softbricked for now? Or is this worse than a softbrick, thank you.
I doubt it's bricked. first make sure everything is updated, including python 3. I had to try several times to get it to enter bootrom correctly. I ended up shorting out the vdd1 pin instead of com. here is the link that shows the pins.
I resolved this problem. I had this error for two hours, and I tried many times to get it to work, pressing volume and power buttons over and over again, and doing all kinds of things to try to unstick the device. I had a feeling it was stuck in some noncommunicable state, so what I did finally was open the device and disconnect the battery for 30 seconds, then reconnect it and hold down the power button for ten seconds. Then I went through the bootrom step again, and it completed perfectly.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
124Read this whole guide before starting.
This is for the 5th gen Fire and 7th gen Fire
Current Version
5th gen: amonet-ford-v1.4.1.zip
7th gen: amonet-austin-v1.4.1.zip
What you need:
- A Linux installation or live-system
- A micro-USB cable
If your Fire is on a newer preloader-version (or a 7th gen) you may also need:
- Something conductive (paperclip, tweezers etc)
- Something to open the tablet.
There is an alternative for opening the tablet (only 5th gen), which is described below.
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:sudo apt update sudo add-apt-repository universe sudo apt install python3 python3-serial adb fastboot
Make sure ModemManager is disabled or uninstalled:
Code:sudo systemctl stop ModemManager sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
If you're lucky and have an old preloader (Up to FireOS 5.3.2, thanks @MontysEvilTwin), you can just hold the left volume button while plugging the device in.
If you're on a newer preloader, there are two options:
- Open the device and short the pin marked in the attached photo to ground while plugging in.
- (Only 5th gen) Downgrade to 5.0.1 firmware via adb sideload in Amazon recovery, then proceed to use the left volume button to enter boot-rom.
NOTE: Using option two will brick your device until you have successfully finished the process.
1. Extract the attached zip-file "amonet-ford-v1.4.1.zip" (use "amonet-austin-v1.4.1.zip" for 7th gen) and open a terminal in that directory.
2. start the script:
Code:sudo ./bootrom-step.sh
It should now say Waiting for bootrom.
3. If you have an old preloader or used option 2 above:
Hold the left volume-button and plug the device in.
If you chose option 1, short the device according to the attached photo and plug it in.
NOTE: Make sure the device is powered off, before plugging it in.
NOTE: If you have issues getting a 7th gen into bootrom, read this post by @hwmod
NOTE: For hints, how to access the pins on a 7th gen without removing the shield, check Post 1075 by @shelleyfrank
NOTE:
In lsusb the boot-rom shows up as:
Code:Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone
If it shows up as:
instead, you are in preloader-mode, try again.Code:Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
dmesg lists the correct device as:
Code:[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00
4. When the script asks you to remove the short, remove the short and press enter.
5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.
6. Your device should now reboot into unlocked fastboot state.
7. Run
Code:sudo ./fastboot-step.sh
8. Wait for the device to reboot into TWRP.
9. Use TWRP to flash custom ROM, Magisk or SuperSU
To return back to stock, Go into hacked fastboot-mode, then run
Your device should reboot into amazon recovery. Use adb sideload to install stock image from there.Code:sudo ./stock-recovery.sh
NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.
NOTE:
fastboot-step flashes the 5.6.3 boot.img, if your device hangs at the orange fire logo, try wiping cache first.
If that doesn't help, your system is probably incompatible with that image, just flash the right boot.img via TWRP.
NOTE:
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks also to @ANDROID2468 and @bibikalka for testing things.
Thanks to @mateo121212 and @hwmod for debugging 7th gen.
Thanks to @MontysEvilTwin for figuring out volume-button access works up to FireOS 5.3.2, and for figuring out that 5.3.2 PL/TZ fix prime video.25Features.
- Uses 5.3.2 Preloader/TZ for easy access to bootrom (using left volume button/only 5th gen)
- Uses 5.6.3 LK for full compatibility with newer kernels.
- Hacked fastboot mode lets you use all fastboot commands (flash etc).
- Boots custom/unsigned kernel-images (need to be patched)
- Sets androidboot.unlocked_kernel=true (enables adb root-shell)
- For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.19To avoid damage to heat shield use
For future reference, here are some photo's to indicate the positions of easily accessible shorting points, CMD and VDD1, and how to short them using flex wire (audio cable etc.) so as to avoid having to remove, or prying open, the heat shield.
I did two tablets, one using the CMD pin and the other one using the VDD1 pin for the shorting routine with success. In addition, I had to try different usb ports on my laptop, and also unscrew the battery plug of the tablet to detach it occasionally. A typical successful process would be, detach battery, reconnect battery, apply short, connect usb, wait for script. This reply is only for help, it isn't a full guide.14Version 1.4 (25.03.2019)
- Update TWRP to twrp-9.0 sources
- Implement downgrade-protection for LK/PL/TZ
- Add scripts to enter fastboot/recovery in case of bootloop
- Automatically restore boot-patch when you boot into recovery
Version 1.3 (20.03.2019)
Fix Prime Video for ford (5th gen), thanks @MontysEvilTwin (See Post #537 for more info).
Fix bug in 7th gen.
16.02.2019
- Now also unlock for the 7th gen
Version 1.2 (14.02.2019)
- Updated TWRP to contain new microloader..
- Added TWRP shell command reboot-amonet to reboot into hacked fastboot.
Version 1.1 (14.02.2019):
- Fixed bug, caused when flashing large images via hacked fastboot.
- Include stock recovery.img and script to flash back.
Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery8
Outstanding contribution. Clear, concise and relevant to a broad community with appropriate acknowledgements. This is what XDA is all about.
