[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez)

Search This thread

k4v7uk

New member
Oct 19, 2021
4
2
You need a different root method.
I've just put Lineage 12.1 on my Fire HD10 with firmware 5.6.9.0. It was straight forward with no issues but I got the same error you did.

Instead of the root method used in this post, use SuperSu instead then come back here and carry on with the rest of the process.
This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if i could get this method to work. I really dont want to open the thing. Thanx for your help.
 

smartypantsuk

New member
Oct 24, 2021
2
9
This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if i could get this method to work. I really dont want to open the thing. Thanx for your help.
You'll need a linux distrubution to work from, a live boot cd/usb will work fine.
Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

  1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
    wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
  2. Unzip them both to a 20165195 directory.
    unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
  3. Check the 20165195 directory contains all the needed files.
    $ ls -1 20165195
    Matrix
    Superuser.apk
    ddexe
    debuggerd
    fileWork
    install-recovery.sh
    krdem
    mount
    patch_boot.sh
    pidof
    push_root.sh
    start_wssud.sh
    su
    su_arm64
    supersu.zip
    supolicy
    toolbox
    wsroot.sh
  4. Push the directory to the tablet.
    adb push 20165195 /data/local/tmp
  5. Login to the tablet.
    adb shell
  6. Make the files executable.
    chmod 755 /data/local/tmp/20165195/*
  7. Run the exploit. You should see a lot of output while it runs.
    /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
    If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
  8. exploited 0x7fab64c000=f97cff8c
    end!!!!!!!
    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>

  9. You can verify root with su.
    [email protected]:/ $ su
    su
    [email protected]:/ #
  10. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
    adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
  11. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
  12. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
  13. Log in to your tablet.
    adb shell
  14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
    su
    rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
Notes: At stage 7, running the exploit, you may find get an error instead of a successful output like above.
If you get this or similar, try rebooting your Fire HD and try again:

<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>

I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, i still received a function not implemented error, but it still worked. This is the part that you're looking for to be sucessful:

<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
 
D

Deleted member 11949391

Guest
Hi together,

i am new at this forum and trying to bring a lineageos on my Fire HD 10.
But i got stuck at this point:
"NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)"
Furthermore i don't understand "After you have confirmed the bricking by typing "YES",

How can i temporarily brick the device to get to the next steps?
Where can i confirm a bricking procedure?

Thanks in advance
Chris
 

anon/droid

Member
Jan 30, 2019
22
4
Ruhrgebiet
How can i temporarily brick the device to get to the next steps?
Where can i confirm a bricking procedure?
IIRC the script will guide you through the whole process. It will determine the FireOS version and, if needed, will suggest to perform the "bricking procedure" which it will ask you to confirm by typing "YES", as it is you who is in charge.

Perhaps you should read the full set of instructions a few times and then it may become a bit clearer.
 
D

Deleted member 11949391

Guest
IIRC the script will guide you through the whole process. It will determine the FireOS version and, if needed, will suggest to perform the "bricking procedure" which it will ask you to confirm by typing "YES", as it is you who is in charge.

Perhaps you should read the full set of instructions a few times and then it may become a bit clearer.

Thank you!
But if step-1.sh is meant when you talking about IIRC, this script show me the following lines in a loop.

Failed critical init step 4
This firmware cannot be supported

Regards
Christian
 

anon/droid

Member
Jan 30, 2019
22
4
Ruhrgebiet
Failed critical init step 4
This firmware cannot be supported
You might be out of luck then and your FireOS version might be too new. Amazon does close such holes eventually. But then again I am not an expert, there might still be a way, but unfortunately I am not up to date regarding this topic anymore as I have already given up on my old 2017 tablets. Sorry!
 

yeonwoo1

New member
Jan 18, 2022
1
0
This might be a stupid question (I'm a newbie) but I have successfully rooted the device with magisk, now how can I go back to TWRP to flash lineageOS. I'm on version 5.6.9.0
 

Deizelds

Senior Member
Nov 10, 2017
84
5
Hey what's up, hoping someone might be able to assist. Decided to review my tablet and things were going good but at some point of my travels, I must have messed up the gpt table, because now everytime I boot my tablet, it tells me there's an internal error. I tried going back to rerun the step scripts and when I try to run #1, it tells me the user partition is not the last parittion, and jumps out of the script. I cannot figure out how to look at the gpt to possibly rectify the issue and when I'm in TWRP and I go into format, there are two storage at the end and when I try to wipe them, it says they cannot be formatted.
 
You need a different root method.
I've just put Lineage 12.1 on my Fire HD10 with firmware 5.6.9.0. It was straight forward with no issues but I got the same error you did.

Instead of the root method used in this post, use SuperSu instead then come back here and carry on with the rest of the process.
Can you please elaborate on what you did to use the SuperSU method, and provide any pertinent links?

TIA.
 
  • Like
Reactions: luk2009

smashedpumpkins

Senior Member
Mar 12, 2009
63
5
You'll need a linux distrubution to work from, a live boot cd/usb will work fine.
Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

  1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
    wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
  2. Unzip them both to a 20165195 directory.
    unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
  3. Check the 20165195 directory contains all the needed files.
    $ ls -1 20165195
    Matrix
    Superuser.apk
    ddexe
    debuggerd
    fileWork
    install-recovery.sh
    krdem
    mount
    patch_boot.sh
    pidof
    push_root.sh
    start_wssud.sh
    su
    su_arm64
    supersu.zip
    supolicy
    toolbox
    wsroot.sh
  4. Push the directory to the tablet.
    adb push 20165195 /data/local/tmp
  5. Login to the tablet.
    adb shell
  6. Make the files executable.
    chmod 755 /data/local/tmp/20165195/*
  7. Run the exploit. You should see a lot of output while it runs.
    /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
    If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
  8. exploited 0x7fab64c000=f97cff8c
    end!!!!!!!
    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>

  9. You can verify root with su.
    [email protected]:/ $ su
    su
    [email protected]:/ #
  10. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
    adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
  11. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
  12. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
  13. Log in to your tablet.
    adb shell
  14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
    su
    rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
Notes: At stage 7, running the exploit, you may find get an error instead of a successful output like above.
If you get this or similar, try rebooting your Fire HD and try again:

<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>

I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, i still received a function not implemented error, but it still worked. This is the part that you're looking for to be sucessful:

<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
Thanks, this worked perfectly on my fully updated 5.6.9.0.
 
Last edited:

mhump711

Member
Apr 16, 2015
5
2
You'll need a linux distrubution to work from, a live boot cd/usb will work fine.
Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

  1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
    wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
  2. Unzip them both to a 20165195 directory.
    unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
  3. Check the 20165195 directory contains all the needed files.
    $ ls -1 20165195
    Matrix
    Superuser.apk
    ddexe
    debuggerd
    fileWork
    install-recovery.sh
    krdem
    mount
    patch_boot.sh
    pidof
    push_root.sh
    start_wssud.sh
    su
    su_arm64
    supersu.zip
    supolicy
    toolbox
    wsroot.sh
  4. Push the directory to the tablet.
    adb push 20165195 /data/local/tmp
  5. Login to the tablet.
    adb shell
  6. Make the files executable.
    chmod 755 /data/local/tmp/20165195/*
  7. Run the exploit. You should see a lot of output while it runs.
    /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
    If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
  8. exploited 0x7fab64c000=f97cff8c
    end!!!!!!!
    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>

  9. You can verify root with su.
    [email protected]:/ $ su
    su
    [email protected]:/ #
  10. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
    adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
  11. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
  12. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
  13. Log in to your tablet.
    adb shell
  14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
    su
    rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
Notes: At stage 7, running the exploit, you may find get an error instead of a successful output like above.
If you get this or similar, try rebooting your Fire HD and try again:

<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>

I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, i still received a function not implemented error, but it still worked. This is the part that you're looking for to be sucessful:

<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>

Confirmed working on HD10 version 5.6.8.0. FYI for anyone installing Lineage OS, first boot got stuck on the loading screen, going back to recovery mode and doing a factory reset fixed it.

Thanks smartypantsuk and k4v7uk and everyone else who worked on this.
 

PatchWorkH

Member
Feb 22, 2022
10
2
Confirmed working on HD10 version 5.6.8.0. FYI for anyone installing Lineage OS, first boot got stuck on the loading screen, going back to recovery mode and doing a factory reset fixed it.

Thanks smartypantsuk and k4v7uk and everyone else who worked on this.
I think I mostly follow how to do this. Just regarding step 7. How do you run the exploit? Do you just copy this "/data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2" into the terminal or do I go to that folder on the tablet and run it there?

And once this is done does it require the step of bricking/downgrading the firmware (5.6.9.0.)?

Sorry, I'm clueless with things like this.
 
Last edited:

mhump711

Member
Apr 16, 2015
5
2
I think I mostly follow how to do this. Just regarding step 7. How do you run the exploit? Do you just copy this "/data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2" into the terminal or do I go to that folder on the tablet and run it there?

And once this is done does it require the step of bricking/downgrading the firmware (5.6.9.0.)?

Sorry, I'm clueless with things like this.
You have to extract both zip into that folder. This is step 2 and 3. Then type in "/data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2" without the quotes. Then the cmd prompt goes weeeee.

I had to do the downgrade part then step-1.sh.
 

PatchWorkH

Member
Feb 22, 2022
10
2
Okay, just an update for future readers. I managed to follow smartypantsuk's guide to root my 7th gen fire hd 10 on firmware 5.6.9.0. and then followed the guide on page 1.

Required a bit of troubleshooting during the firmware downgrade (just reading the comments in this thread). But I got it working in the end.

I have Lineage OS on it now and everything seems to be working.

--
Edit: Well after spending a day with Lineage OS 16, I decided to go back to Fire OS. There were a couple issues that just made it not worth it for me right now. Perhaps in the future. But at least I was able to get rid of the Fire Launcher.
--

Thanks
 
Last edited:
...

Current version: amonet-suez-v1.1.2.zip
...

NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:



Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.

It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh


NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.
Is the "brick option" built into the step-1.sh script -- or is it to be done via the commands in the hidden section showed above, or by using the shell script brick.sh in brick-suez.zip?
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    I know it's weird, but it says remote: the command you input is restricted on locked hw.
    My bootloader should be unlocked when I installed lineageos before, right?
    You need to use amonets
    Code:
    sudo ./boot-fastboot.sh
    in order to boot into hacked fastboot.
    Run the command above, then connect the tablet (make sure its powered off infront the connect).
    Then the fastboot flash works... or you can also use the fastboot-step if you like, will flash twrp and boot into it.
    1
    You need to use amonets
    Code:
    sudo ./boot-fastboot.sh
    in order to boot into hacked fastboot.
    Run the command above, then connect the tablet (make sure its powered off infront the connect).
    Then the fastboot flash works... or you can also use the fastboot-step if you like, will flash twrp and boot into it.

    Aha, there's separate hacked bootloader, I see. Thanks for the reply.
    Preloader and boot into hacked bootloader worked, but sudo ./boot-fastboot.sh took me into infinite lineageos boot animation and TWRP is still broken. I think broken recovery hack is causing the problem.

    Is there any way to flash recovery hack (I think it's related to bin/boot.payload, but I wonder how can I flash it) with hacked bootloader? Or should I open my device and follow unbrick procedure?

    Edit: Nah, maybe something's broken, and now I got amazon boot loop. I should try unbrick procedure haha.
    Anyway, thank you!
    1
    About the 'AssertionError: the last partition is not userdata, refusing modification' error, it's because your gpt is already modded. You can try to disable the gpt thing in the main.py...
    Better just go straight to step-2.sh
    1
    Hiya everyone,

    I'm having a weird time trying this. I have two tablets **Both FIRE HD-10's 2017 editions
    Tablet 1 = firmware 5.3.7.0 Nov 17th 650601220
    Tablet 2 = firmware5.6.6.0 May 14th 654620620

    I'm trying to execute the mtk-su exploit. Ive tried the R22 and R23 releases and all of them spit out
    Both of the tablets do exactly the same thing, see the output below.


    [email protected]:/usr/src/suez/amonet/r22/arm64$ adb push mtk-su /data/local/tmp
    mtk-su: 1 file pushed. 3.7 MB/s (65216 bytes in 0.017s)
    [email protected]:/usr/src/suez/amonet/r22/arm64$ adb shell
    [email protected]:/ $ cd data/local/tmp
    [email protected]:/data/local/tmp $ chmod 755 mtk-su
    [email protected]:/data/local/tmp $ ./mtk-su
    Failed critical init step 4
    1|[email protected]:/data/local/tmp $


    What's the scoop with the exploit? Let me know if I'm doing something weird.

    Thank you,
    Take care.
    Been there. The mtk-su vulnerability most likely was patched for these versions. You need to use a different method to get a temporary root before executing step-1.sh. Look here (just the "Root the tablet" part).


    Once you get a temporary root successfully go back to beginning of the amonet OP.

    Good luck!
  • 79
    Read this whole guide before starting.

    This is for the 7th gen Fire HD10 (suez).

    Current version: amonet-suez-v1.1.2.zip


    NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


    NOTE: This process will modify the partition-table (GPT) of your device.


    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.


    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.


    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


    2. Enable ADB in Developer Settings

    3. Start the script:
    Code:
    sudo ./step-1.sh

    Your device will now reboot into recovery and perform a factory reset.

    NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you don't need to run step-2.sh below:



    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    It will then boot into "hacked fastboot" mode.
    Then run
    Code:
    sudo ./fastboot-step.sh



    NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
    NOTE: Make sure you re-enable ADB after Factory Reset.


    4. Start the script:
    Code:
    sudo ./step-2.sh

    The exploit will now be flashed and your device will reboot into TWRP.

    You can now install Magisk from there.


    Going back to stock

    Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
    You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
    Just use hacked fastboot to
    Code:
    fastboot flash recovery bin/recovery.img

    If you want to go back completely (including restoring your GPT):
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)

    Important information


    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Special thanks also to @retyre for porting the bootrom-exploit and for testing.
    Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
    Thanks also to @bibikalka and everyone who donated :)
    Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.
    12
    Unbricking

    If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.

    If your device shows one of the following symptoms:
    1. It doesn't show any life (screen stays dark)
    2. You see the white amazon logo, but cannot access Recovery or FireOS.

    If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
    1. Make sure the device is powered off, by holding the power-button for 20+ seconds
    2. Start bootrom-step.sh
    3. Plug in USB

    In all other cases you will have to open the device and partially take it apart.
    Follow this guide by @retyre until (including) step 8..
    At Step 6. you will replace
    Code:
    sudo ./bootrom.sh
    with
    Code:
    sudo ./bootrom-step.sh
    Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).

    If the script succeeded, put the device back together.
    When you turn it on, it should start in hacked fastboot mode.
    You can now use
    Code:
    sudo ./fastboot-step.sh
    This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.


    Checking USB connection
    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00
    10
    Changelog
    Version 1.1.2 (26.03.2019)
    • Fix regenerating GPT from temp GPT

    Version 1.1.1 (26.03.2019)
    • Fix unbricking procedure

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery

    Features.

    • Uses 5.6.3 LK for full compatibility with newer kernels.
    • Hacked fastboot mode lets you use all fastboot commands (flash etc).
    • Boots custom/unsigned kernel-images (no patching needed)
    • TWRP protects from downgrading PL/TZ/LK
    • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).

    NOTE: Hacked fastboot can be reached via TWRP.

    NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
    9
    Just uploaded version 1.1.
    If you are already unlocked you can just install the zip-file from TWRP to update.

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery
    8
    This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if i could get this method to work. I really dont want to open the thing. Thanx for your help.
    You'll need a linux distrubution to work from, a live boot cd/usb will work fine.
    Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

    This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

    Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

    1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
      wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
    2. Unzip them both to a 20165195 directory.
      unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
    3. Check the 20165195 directory contains all the needed files.
      $ ls -1 20165195
      Matrix
      Superuser.apk
      ddexe
      debuggerd
      fileWork
      install-recovery.sh
      krdem
      mount
      patch_boot.sh
      pidof
      push_root.sh
      start_wssud.sh
      su
      su_arm64
      supersu.zip
      supolicy
      toolbox
      wsroot.sh
    4. Push the directory to the tablet.
      adb push 20165195 /data/local/tmp
    5. Login to the tablet.
      adb shell
    6. Make the files executable.
      chmod 755 /data/local/tmp/20165195/*
    7. Run the exploit. You should see a lot of output while it runs.
      /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
      If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
    8. exploited 0x7fab64c000=f97cff8c
      end!!!!!!!
      <WSRoot><Exploit>0</Exploit></WSRoot>
      <WSRoot><Done>0</Done></WSRoot>

    9. You can verify root with su.
      shell[email protected]:/ $ su
      su
      [email protected]:/ #
    10. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
      adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
    11. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
    12. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
    13. Log in to your tablet.
      adb shell
    14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
      su
      rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

    Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
    Notes: At stage 7, running the exploit, you may find get an error instead of a successful output like above.
    If you get this or similar, try rebooting your Fire HD and try again:

    <WSRoot><Exploit>0x00000332</Exploit></WSRoot>
    check done
    sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
    FAIL : load1 --> /sepolicy
    <WSRoot><Exploit>0x00000341</Exploit></WSRoot>
    <WSRoot><Exploit>0x00000881</Exploit></WSRoot>
    <WSRoot><Done>0x00000172</Done></WSRoot>

    I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, i still received a function not implemented error, but it still worked. This is the part that you're looking for to be sucessful:

    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>