[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez)


k4y0z

Senior Member
Nov 27, 2015
1,468
1,984
If it doesn't work in hacked fastboot, I'm not sure there is much I can do unfortunately.
I think Amazon removed the command entirely, after it was used to root ford initially.
 

pascal009

Member
Jul 18, 2021
36
7
You need another method for gaining temporary root access:
Hooray!

I was able to finish up the process at the top of this thread and my suez is now rooted and TWRP-ed.
It appears the mtk-su vulnerability had been patched in my device. k4y0z kindly pointed me to an alternative method for rooting the suez devices. I followed this method to root my device and then returned to the step-1 script at the top of this thread. I still had to open the back cover to disconnect the battery during the execution of step-2.sh. This was the hardest part for me to do without breaking the glass or the case. Then the step-2 script picked up and finished with the TWRP interface.

My heartfelt thanks go out to k4y0z for pointing me to an alternative rooting method and to smartypantsuk for the marvelously detailed and clear guide for it.


Peace,
pascal009
 
I still had to open the back cover to disconnect the battery during the execution of step-2.sh. This was the hardest part for me to do without breaking the glass or the case. Then the step-2 script picked up and finished with the TWRP interface.
Hm, I had thought per the OP "NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all). If you chose the brick option, you don't need to run step-2.sh below"
 

pascal009

Member
Jul 18, 2021
36
7
You are correct. What I meant is the second command after bricking the device, i.e. "sudo ./bootrom-step-minimal.sh".
Sorry, my bad. I was too excited.
 

Klenz39

Member
Sep 25, 2020
23
2
Sorry if this is unrelated. What happens if, in the recovery, I use the Ubuntu image for Raspberry Pi?
1. Will I overwrite the TWRP?
2. If TWRP is corrupted or deleted, will it be possible for me to install it again?
 

pascal009

Member
Jul 18, 2021
36
7
Stuck at Preloader. Seeking help.

Fire HD 10 7th Gen (suez), Fire OS 5.6.8.0.

Step 1 ran successfully. Because of the firmware version it suggested bricking the device to which I entered YES.
I have stopped and disabled ModemManager.
I disconnected the device and ran bootrom-step-minimal.sh. At the "Waiting for bootrom" prompt I connected the device and the script started doing its thing. It finished with a message "reboot into 'hacked fastboot' mode".
I rebooted the device - it went into a boot loop with the white Amazon logo. I tried rebooting it a few times but it still went into a boot loop.

At this point I followed the OP to unbricking the device per the guide by @retyre


I disassembled the device, unplugged the LCD and unscrewed the PCB. I grounded the point per the diagram, plugged the USB cable into the Ubuntu box. Then I started "sudo ./bootrom-step.sh" and at the prompt removed the short and hit enter. This worked on the third attempt.
The script finished with a message to reboot into "hacked fastboot" mode. Out of curiosity I ran "adb devices", the output was
GXXXXXXXX recovery.

I rebooted the device but the screen remained black. Upon close inspection I noticed that I hadn't pressed the tiny clamp fixing the LCD cable in its socket flat. I fixed it and tried to turn it on again. The device emitted a weak "ding" but nothing else.

The output of lsusb is as follows:

~/Downloads/FireHD9/amonet-suez/amonet$ lsusb
Bus 001 Device 044: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 045e:0084 Microsoft Corp. Basic Optical Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

The output of dmesg is as follows:

[ 551.724195] usb 1-1: new high-speed USB device number 35 using ehci-pci
[ 551.883109] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 551.883164] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 551.883186] usb 1-1: Product: MT65xx Preloader
[ 551.883200] usb 1-1: Manufacturer: MediaTek

I tried to run bootrom-step.sh and got the following error message:

~/Downloads/FireHD9/amonet-suez/amonet$ sudo ./bootrom-step.sh
[2022-04-26 00:08:46.311111] Waiting for bootrom
[2022-04-26 00:09:51.437565] Found port = /dev/ttyACM0
[2022-04-26 00:09:51.466105] Handshake
[2022-04-26 00:09:51.488426] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
File "main.py", line 192, in <module>
main()
File "main.py", line 82, in main
handshake(dev)
File "/home/bigbang/Downloads/FireHD9/amonet-suez/amonet/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/home/bigbang/Downloads/FireHD9/amonet-suez/amonet/modules/common.py", line 163, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/bigbang/Downloads/FireHD9/amonet-suez/amonet/modules/common.py", line 90, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
~/Downloads/FireHD9/amonet-suez/amonet$

I tried to run bootrom-step-minimal.sh and got the following error message:

~/Downloads/FireHD9/amonet-suez/amonet$ sudo ./bootrom-step-minimal.sh
[2022-04-26 00:04:58.659839] Waiting for bootrom
[2022-04-26 00:05:15.785442] Found port = /dev/ttyACM0
[2022-04-26 00:05:15.813667] Handshake
[2022-04-26 00:05:15.835803] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
File "main.py", line 192, in <module>
main()
File "main.py", line 82, in main
handshake(dev)
File "/home/bigbang/Downloads/FireHD9/amonet-suez/amonet/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/home/bigbang/Downloads/FireHD9/amonet-suez/amonet/modules/common.py", line 163, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/bigbang/Downloads/FireHD9/amonet-suez/amonet/modules/common.py", line 90, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
~/Downloads/FireHD9/amonet-suez/amonet$

This is where I am now. Device does not power on, the screen is black.

I would appreciate any help!
 

Sus_i

Senior Member
Apr 9, 2013
1,660
708
Stuck at Preloader. Seeking help.

Fire HD 10 7th Gen (suez), Fire OS 5.6.8.0.

Step 1 ran successfully. Because of the firmware version it suggested bricking the device to which I entered YES.
I have stopped and disabled ModemManager.
I disconnected the device and ran bootrom-step-minimal.sh. At the "Waiting for bootrom" prompt I connected the device and the script started doing its thing. It finished with a message "reboot into 'hacked fastboot' mode".
I rebooted the device - it went into a boot loop with the white Amazon logo. I tried rebooting it a few times but it still went into a boot loop.
Reboot to hacked fastboot means that you need to run sudo ./fastboot-step.sh

At this point I followed the OP to unbricking the device per the guide by @retyre


I disassembled the device, unplugged the LCD and unscrewed the PCB. I grounded the point per the diagram, plugged the USB cable into the Ubuntu box. Then I started "sudo ./bootrom-step.sh" and at the prompt removed the short and hit enter. This worked on the third attempt.
The script finished with a message to reboot into "hacked fastboot" mode. Out of curiosity I ran "adb devices", the output was
GXXXXXXXX recovery.
You may do this again, open it up and so on...
but don't forget to do the steps from this guide, i.e. all steps incl. to short the mentioned point...
-> make sure you run sudo ./bootrom-step.sh at step 6.
If you get a note about hacked fastboot, you need to run the sudo ./fastboot-step.sh
In twrp install a new rom (before any reboot), then wipe data.

Good luck ;)
 

pascal009

Member
Jul 18, 2021
36
7
Reboot to hacked fastboot means that you need to run sudo ./fastboot-step.sh


You may do this again, open it up and so on...
but don't forget to do the steps from this guide, i.e. all steps incl. to short the mentioned point...
-> make sure you run sudo ./bootrom-step.sh at step 6.
If you get a note about hacked fastboot, you need to run the sudo ./fastboot-step.sh
In twrp install a new rom (before any reboot), then wipe data.

Good luck ;)
Thank you Sus_i! Much obliged. You always give me hope I CAN beat it.
I am glad I left the device disassembled (just a couple of screws on the PCB and the battery).
A question, though - if I get a note about hacked fastboot after sudo ./bootrom-step.sh in step 6, can I run sudo ./fastboot-step.sh with the battery and LCD disconnected?
 

Jemus

Senior Member
Jun 5, 2012
99
13
I flashed a few devices back in the days so I am not new to that but need a little help how to get LineageOS flashed on my Fire HD 10 2017 running 5.7.0.0. I read the OP in the ROM thread and it linked to this guide here, telling that before flashing the ROM, the bootloader has to be hacked. I am a little bit confused, are these the right steps?:


1) Enable ADB on tablet and connect it to linux installation
2) Download and unpack "amonet-suez-v1.1.2.zip"
3) cd into the unzipped folder and run sudo ./step-1.sh
4) As I am on 5.7.0.0 I would proceed by sudo systemctl stop ModemManager and sudo systemctl disable ModemManager, type "yes" and disconnect
5) run sudo ./bootrom-step-minimal.sh, plug the device back in
6) run sudo ./fastboot-step.sh, reenable ADB
7) run sudo ./step-2.sh, even though I understood that this was not necessary as I was on a newer OS than 5.6.4.0 and therefore did steps 4-6??


Now I might have installed TWRP and an unlocked device and could copy the ROM's zip on a USB drive, connect that to the Fire HD 10, boot into TWRP and flash the ROM?
 

Sus_i

Senior Member
Apr 9, 2013
1,660
708
if I get a note about hacked fastboot after sudo ./bootrom-step.sh in step 6, can I run sudo ./fastboot-step.sh with the battery and LCD disconnected?
The guide says (just behind the bootrom-step thing):
If the script succeeded, put the device back together.
When you turn it on, it should start in hacked fastboot mode.
Then run the fastboot-step... :)
 

Sus_i

Senior Member
Apr 9, 2013
1,660
708
I flashed a few devices back in the days so I am not new to that but need a little help how to get LineageOS flashed on my Fire HD 10 2017 running 5.7.0.0. I read the OP in the ROM thread and it linked to this guide here, telling that before flashing the ROM, the bootloader has to be hacked. I am a little bit confused, are these the right steps?:


1) Enable ADB on tablet and connect it to linux installation
2) Download and unpack "amonet-suez-v1.1.2.zip"
3) cd into the unzipped folder and run sudo ./step-1.sh
4) As I am on 5.7.0.0 I would proceed by sudo systemctl stop ModemManager and sudo systemctl disable ModemManager, type "yes" and disconnect
5) run sudo ./bootrom-step-minimal.sh, plug the device back in
6) run sudo ./fastboot-step.sh, reenable ADB
No need to reenable adb after #6, device will boot into twrp with adb always enabled...
7) run sudo ./step-2.sh, even though I understood that this was not necessary as I was on a newer OS than 5.6.4.0 and therefore did steps 4-6??
No, don't run step-2.
Now I might have installed TWRP and an unlocked device and could copy the ROM's zip on a USB drive, connect that to the Fire HD 10, boot into TWRP and flash the ROM?
Yes.

There is a step you missed somehow (place it in front of "connect device to your PC"), let's call it 1a:
You need a working superuser install in order to get the scripts from OP working, i.e. you need to root the OS with 'kingo root' or 'kingroot' or the offline root method from here:
Reason is that the 'Rapid Temporary Root for HD 8 & HD 10' a.k.a. MTK SU root is patched and no longer working.
 

Jemus

Senior Member
Jun 5, 2012
99
13
@Sus_i
I thought I got all the needed programs on the linux system by sudo apt install python3 python3-serial adb fastboot dos2unix. But you are right, I didn't mention that step. So concluding from what you wrote I would do the following steps. Or do I have to run through the whole offline rooting tutorial before starting with my mentioned steps?:

1) sudo apt install python3 python3-serial adb fastboot dos2unix
2) Enable ADB on tablet and connect it to linux installation
3) Download and unpack "amonet-suez-v1.1.2.zip"
4) cd into the unzipped folder and run sudo ./step-1.sh
5) As I am on 5.7.0.0 I would proceed by sudo systemctl stop ModemManager and sudo systemctl disable ModemManager, type "yes" and disconnect
6) run sudo ./bootrom-step-minimal.sh, plug the device back in
7) run sudo ./fastboot-step.sh
 

Sus_i

Senior Member
Apr 9, 2013
1,660
708
@Sus_i
I thought I got all the needed programs on the linux system by sudo apt install python3 python3-serial adb fastboot dos2unix. But you are right, I didn't mention that step. So concluding from what you wrote I would do the following steps. Or do I have to run through the whole offline rooting tutorial before starting with my mentioned steps?:

1) sudo apt install python3 python3-serial adb fastboot dos2unix
2) Enable ADB on tablet and connect it to linux installation
3) Download and unpack "amonet-suez-v1.1.2.zip"
4) cd into the unzipped folder and run sudo ./step-1.sh
5) As I am on 5.7.0.0 I would proceed by sudo systemctl stop ModemManager and sudo systemctl disable ModemManager, type "yes" and disconnect
6) run sudo ./bootrom-step-minimal.sh, plug the device back in
7) run sudo ./fastboot-step.sh
You are still missing the step I have mentioned in my last posting.
You see, in order to get the step-1 script to work, the tablet must have root access... in earlier fireOS versions that was possible via temp mtk-su but amaz. patched it. But there are some other root methods you can do instead, like the offline root method I've linked above or kingoroot. The step1 script will only work, if you are able to call su in adb shell. If that is too much of a hassle, open it up and go the shorting way...
 

kmsi

Member
Jul 20, 2014
17
2
Hello, I accidentally flashed TWRP recovery image via flashify app on lineageos, and I can't boot into recovery mode now (but still can boot into lineageos). I tried to follow this thread to reinstall TWRP, but ./step_1.sh didn't work, maybe because my device is on lineageos, not fireos. Any idea to reinstall TWRP to my device?

I think backing up recovery.img in flashify app from other unlocked device, and flashing that image would help, as it seems I accidentally blew up some bootloader-related hack. Can someone provide backed-up recovery.img for me? 😉

* Recovery.img back up procedure: Install "Official TWRP App", and run "Backup existing recovery" menu
 

Sus_i

Senior Member
Apr 9, 2013
1,660
708
Any idea to reinstall TWRP to my device?
You can download the amonet zip from OP, grab the twrp.img out of the bin folder and flash it with hacked fastboot:
Code:
fastboot flash recovery_x bin/twrp.img
If your tablet is rooted, you can flash the image also with dd via adb shell.
 

kmsi

Member
Jul 20, 2014
17
2
You can download the amonet zip from OP, grab the twrp.img out of the bin folder and flash it with hacked fastboot:
Code:
fastboot flash recovery_x bin/twrp.img
If your tablet is rooted, you can flash the image also with dd via adb shell.

I know it's weird, but it says remote: the command you input is restricted on locked hw.
My bootloader should be unlocked when I installed lineageos before, right?

I think I messed up something with flashify app, but even ./step-1.sh fails on my lineageos-installed device ;(

This is only for the "suez" - Amazon Fire HD 10 (2017) - , your device is a "lineage_suez"

If I remove device check code, then it says:
Testing root access...
uid=0(root) gid=0(root) groups=0(root) context=u:r:sudaemon:s0

PL version: 5 (5)
LK version: 2 (2)
TZ version: 263 (263)

Your device will be reset to factory defaults...
Press Enter to Continue...

Dumping GPT
34+0 records in
34+0 records out
17408 bytes transferred in 0.002 secs (8704000 bytes/sec)
/data/local/tmp/gpt.bin: 1 file pulled. 5.5 MB/s (17408 bytes in 0.003s)

Modifying GPT
[2022-04-30 13:18:09.374708] Input GPT:
[2022-04-30 13:18:09.375459]
[2022-04-30 13:18:09.375544] Sector size (logical): 512 bytes
[2022-04-30 13:18:09.375614] Disk identifier (GUID): 04EF21A7-28FA-4D1D-A17E-B450CE093E4F
[2022-04-30 13:18:09.375662] Partition table holds up to 128 entries
[2022-04-30 13:18:09.375706] This partition table begins at sector 2 and ends at sector 33
[2022-04-30 13:18:09.375747] First usable sector is 34, last usable sector is 61071326
[2022-04-30 13:18:09.375785] Other partition table is at sector 61071359
[2022-04-30 13:18:09.375822]
[2022-04-30 13:18:09.375902] Number Start (sector) End (sector) Size Name
[2022-04-30 13:18:09.377439] 1 1024 7167 3.00 MiB proinfo
[2022-04-30 13:18:09.377697] 2 7168 16383 4.50 MiB PMT
[2022-04-30 13:18:09.377930] 3 16384 18431 1024.00 KiB kb
[2022-04-30 13:18:09.378036] 4 18432 20479 1024.00 KiB dkb
[2022-04-30 13:18:09.378138] 5 20480 22527 1024.00 KiB lk
[2022-04-30 13:18:09.378236] 6 22528 32767 5.00 MiB tee1
[2022-04-30 13:18:09.378335] 7 32768 43007 5.00 MiB tee2
[2022-04-30 13:18:09.378432] 8 43008 123903 39.50 MiB metadata
[2022-04-30 13:18:09.378529] 9 123904 124927 512.00 KiB MISC
[2022-04-30 13:18:09.378695] 10 124928 141311 8.00 MiB reserved
[2022-04-30 13:18:09.378796] 11 141312 174079 16.00 MiB boot_x
[2022-04-30 13:18:09.378894] 12 174080 208895 17.00 MiB recovery_x
[2022-04-30 13:18:09.378987] 13 208896 3515391 1.58 GiB system
[2022-04-30 13:18:09.379079] 14 3515392 4383743 424.00 MiB cache
[2022-04-30 13:18:09.379173] 15 4383744 60619775 26.82 GiB userdata
[2022-04-30 13:18:09.379268] 16 60619776 60845055 110.00 MiB boot
[2022-04-30 13:18:09.379362] 17 60845056 61070335 110.00 MiB recovery
[2022-04-30 13:18:09.385131]
[2022-04-30 13:18:09.385211] Regenerate primary and backup GPT from input
[2022-04-30 13:18:09.385282] Writing regenerated GPT to gpt/gpt.bin.gpt
[2022-04-30 13:18:09.385352] Writing regenerated backup GPT to gpt/gpt.bin.bak
[2022-04-30 13:18:09.385400] Writing backup GPT offset to gpt/gpt.bin.offset
Traceback (most recent call last):
File "modules/gpt.py", line 323, in <module>
main()
File "modules/gpt.py", line 277, in main
part_list_mod1 = modify_step1(part_list)
File "modules/gpt.py", line 181, in modify_step1
assert partition['name'].decode("utf-16le").rstrip("\x00") == "userdata", "the last partition is not userdata, refusing modification"
AssertionError: the last partition is not userdata, refusing modification

Tried dd if=/sdcard/twrp_suez_3.6.1-9.0.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery_x via adb shell, but it didn't work. I think it's not a hacked recovery image issue, but somewhat related to the bootloader hack.
 
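The AssertionError in the post above comes from a precondition in amonet's gpt.py: step-1 expects a stock table whose highest partition is userdata, and this device already carries the amonet layout (boot_x/recovery_x present, boot/recovery moved behind userdata), so the script refuses. The following checker is an added example, not part of amonet or this thread; it parses the GPT dump format printed above (the sample is copied from that post) and classifies the layout the way the guard does:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the partition listing kmsi's modified step-1 run printed
# (copied from the post above, header line included).
SAMPLE_GPT_LISTING = """\
[2022-04-30 13:18:09.375902] Number Start (sector) End (sector) Size Name
[2022-04-30 13:18:09.377439] 1 1024 7167 3.00 MiB proinfo
[2022-04-30 13:18:09.377697] 2 7168 16383 4.50 MiB PMT
[2022-04-30 13:18:09.377930] 3 16384 18431 1024.00 KiB kb
[2022-04-30 13:18:09.378036] 4 18432 20479 1024.00 KiB dkb
[2022-04-30 13:18:09.378138] 5 20480 22527 1024.00 KiB lk
[2022-04-30 13:18:09.378236] 6 22528 32767 5.00 MiB tee1
[2022-04-30 13:18:09.378335] 7 32768 43007 5.00 MiB tee2
[2022-04-30 13:18:09.378432] 8 43008 123903 39.50 MiB metadata
[2022-04-30 13:18:09.378529] 9 123904 124927 512.00 KiB MISC
[2022-04-30 13:18:09.378695] 10 124928 141311 8.00 MiB reserved
[2022-04-30 13:18:09.378796] 11 141312 174079 16.00 MiB boot_x
[2022-04-30 13:18:09.378894] 12 174080 208895 17.00 MiB recovery_x
[2022-04-30 13:18:09.378987] 13 208896 3515391 1.58 GiB system
[2022-04-30 13:18:09.379079] 14 3515392 4383743 424.00 MiB cache
[2022-04-30 13:18:09.379173] 15 4383744 60619775 26.82 GiB userdata
[2022-04-30 13:18:09.379268] 16 60619776 60845055 110.00 MiB boot
[2022-04-30 13:18:09.379362] 17 60845056 61070335 110.00 MiB recovery
"""

# One table row: "[timestamp] number start end size unit name"
ENTRY_RE = re.compile(
    r"^\[[^\]]*\]\s+(\d+)\s+(\d+)\s+(\d+)\s+[\d.]+\s+[KMG]iB\s+(\S+)\s*$"
)


@dataclass
class Partition:
    number: int
    start: int  # first sector, inclusive
    end: int    # last sector, inclusive
    name: str


def parse_gpt_listing(text: str) -> List[Partition]:
    """Parse the gpt.py table dump into partitions ordered by start sector."""
    parts = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            parts.append(Partition(int(m.group(1)), int(m.group(2)),
                                   int(m.group(3)), m.group(4)))
    parts.sort(key=lambda p: p.start)
    return parts


def layout_kind(parts: List[Partition]) -> str:
    """'stock': userdata is last and there are no *_x partitions.
    'amonet': boot_x/recovery_x exist and the exploit-carrying boot/recovery
    sit behind userdata (the scheme the OP's 'Important information' describes)."""
    if not parts:
        return "unknown"
    names = {p.name for p in parts}
    last = parts[-1].name
    if last == "userdata" and not ({"boot_x", "recovery_x"} & names):
        return "stock"
    if {"boot_x", "recovery_x"} <= names and last == "recovery":
        return "amonet"
    return "unknown"


def step1_would_accept(parts: List[Partition]) -> bool:
    """The precondition modify_step1 asserts (see the traceback above): the
    highest partition must be userdata. An already-modified table fails it."""
    return bool(parts) and parts[-1].name == "userdata"


def overlaps(parts: List[Partition]) -> List[str]:
    """Report neighbouring partitions whose sector ranges collide (a damaged table)."""
    bad = []
    for a, b in zip(parts, parts[1:]):
        if b.start <= a.end:
            bad.append(f"{a.name} ({a.start}-{a.end}) overlaps {b.name} ({b.start}-{b.end})")
    return bad


if __name__ == "__main__":
    table = parse_gpt_listing(SAMPLE_GPT_LISTING)
    print("layout:", layout_kind(table))
    print("step-1 would accept:", step1_would_accept(table))
    print("overlaps:", overlaps(table) or "none")
```

Run against the dump above it reports the amonet layout and that step-1 would refuse it, which is why Sus_i's advice to go through hacked fastboot (boot-fastboot.sh or fastboot-step.sh) rather than step-1 applies.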

Sus_i

Senior Member
Apr 9, 2013
1,660
708
I know it's weird, but it says remote: the command you input is restricted on locked hw.
My bootloader should be unlocked when I installed lineageos before, right?
You need to use amonets
Code:
sudo ./boot-fastboot.sh
in order to boot into hacked fastboot.
Run the command above, then connect the tablet (make sure it's powered off before you connect it).
Then the fastboot flash works... or you can also use the fastboot-step if you like, will flash twrp and boot into it.
 

kmsi

Member
Jul 20, 2014
17
2
You need to use amonets
Code:
sudo ./boot-fastboot.sh
in order to boot into hacked fastboot.
Run the command above, then connect the tablet (make sure it's powered off before you connect it).
Then the fastboot flash works... or you can also use the fastboot-step if you like, will flash twrp and boot into it.

Aha, there's separate hacked bootloader, I see. Thanks for the reply.
Preloader and boot into hacked bootloader worked, but sudo ./boot-fastboot.sh took me into infinite lineageos boot animation and TWRP is still broken. I think broken recovery hack is causing the problem.

Is there any way to flash recovery hack (I think it's related to bin/boot.payload, but I wonder how can I flash it) with hacked bootloader? Or should I open my device and follow unbrick procedure?

Edit: Nah, maybe something's broken, and now I got amazon boot loop. I should try unbrick procedure haha.
Anyway, thank you!
 

Top Liked Posts

    Btw, since a few people had the same "RuntimeError: read fail" issue when bootrom-step-minimal tries to check the GPT: At least for me that read was just a bit flaky and I was able to add a retry to successfully move on. Some details over here:


    Oddly I retried about 15-20 times before, so it seemed to be relatively consistent.
    Read this whole guide before starting.

    This is for the 7th gen Fire HD10 (suez).

    Current version: amonet-suez-v1.1.2.zip


    NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


    NOTE: This process will modify the partition-table (GPT) of your device.


    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.


    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, adb, fastboot and dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.


    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


    2. Enable ADB in Developer Settings

    3. Start the script:
    Code:
    sudo ./step-1.sh

    Your device will now reboot into recovery and perform a factory reset.

    NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you don't need to run step-2.sh below:



    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    It will then boot into "hacked fastboot" mode.
    Then run
    Code:
    sudo ./fastboot-step.sh



    NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
    NOTE: Make sure you re-enable ADB after Factory Reset.


    4. Start the script:
    Code:
    sudo ./step-2.sh

    The exploit will now be flashed and your device will reboot into TWRP.

    You can now install Magisk from there.


    Going back to stock

    Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
    You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
    Just use hacked fastboot to
    Code:
    fastboot flash recovery bin/recovery.img

    If you want to go back completely (including restoring your GPT):
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)

    Important information


    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Special thanks also to @retyre for porting the bootrom-exploit and for testing.
    Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
    Thanks also to @bibikalka and everyone who donated :)
    Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.
    Unbricking

    If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.

    If your device shows one of the following symptoms:
    1. It doesn't show any life (screen stays dark)
    2. You see the white amazon logo, but cannot access Recovery or FireOS.

    If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
    1. Make sure the device is powered off, by holding the power-button for 20+ seconds
    2. Start bootrom-step.sh
    3. Plug in USB

    In all other cases you will have to open the device and partially take it apart.
    Follow this guide by @retyre up to and including step 8.
    At Step 6. you will replace
    Code:
    sudo ./bootrom.sh
    with
    Code:
    sudo ./bootrom-step.sh
    Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).

    If the script succeeded, put the device back together.
    When you turn it on, it should start in hacked fastboot mode.
    You can now use
    Code:
    sudo ./fastboot-step.sh
    This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.


    Checking USB connection
    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
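A pre-flight check for the "Checking USB connection" section, added here as an example (not part of amonet or the guide): it reads lsusb and/or dmesg lines, tells the two MediaTek modes apart and says whether bootrom-step.sh can be expected to handshake. The sample lines are copied from the outputs quoted earlier in this thread; the preloader-mode sample is the state the "Serial protocol mismatch" runs above were in.

```python
import re
from typing import Iterable, Set, Tuple

MTK_VID = "0e8d"
# Product IDs the guide lists: bootrom is what the exploit scripts talk to
MTK_MODES = {"0003": "bootrom", "2000": "preloader"}

# lsusb: "... ID 0e8d:0003 MediaTek Inc. ..."
LSUSB_RE = re.compile(r"\bID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")
# dmesg: "... idVendor=0e8d, idProduct=0003, ..."
DMESG_RE = re.compile(r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")

# Constructed samples, copied from the outputs quoted in this thread
SAMPLE_STUCK_IN_PRELOADER = [
    "Bus 001 Device 044: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader",
    "Bus 002 Device 002: ID 045e:0084 Microsoft Corp. Basic Optical Mouse",
    "[  551.883109] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00",
]
SAMPLE_BOOTROM = [
    "[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00",
]


def mediatek_modes(lines: Iterable[str]) -> Set[str]:
    """Collect the MediaTek USB modes visible in a mix of lsusb and dmesg lines."""
    modes = set()
    for line in lines:
        m = LSUSB_RE.search(line) or DMESG_RE.search(line)
        if m and m.group(1).lower() == MTK_VID:
            modes.add(MTK_MODES.get(m.group(2).lower(), "other"))
    return modes


def bootrom_preflight(lines: Iterable[str]) -> Tuple[bool, str]:
    """Return (ready, advice) following the guide's rules for the two modes."""
    modes = mediatek_modes(lines)
    if "bootrom" in modes:
        return True, "device is in bootrom mode (0e8d:0003): run sudo ./bootrom-step.sh"
    if "preloader" in modes:
        return False, ("device enumerated as MT65xx Preloader (0e8d:2000), not bootrom: "
                       "the bootrom handshake will not work; power it off (hold power "
                       "20+ s) and try again, or use the shorting procedure")
    if "other" in modes:
        return False, "a MediaTek device is attached but in neither bootrom nor preloader mode"
    return False, "no MediaTek device found: check the cable and that ModemManager is disabled"


if __name__ == "__main__":
    for sample in (SAMPLE_BOOTROM, SAMPLE_STUCK_IN_PRELOADER):
        ready, advice = bootrom_preflight(sample)
        print("ready" if ready else "not ready", "-", advice)
```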
    Changelog
    Version 1.1.2 (26.03.2019)
    • Fix regenerating GPT from temp GPT

    Version 1.1.1 (26.03.2019)
    • Fix unbricking procedure

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery

    Features.

    • Uses 5.6.3 LK for full compatibility with newer kernels.
    • Hacked fastboot mode lets you use all fastboot commands (flash etc).
    • Boots custom/unsigned kernel-images (no patching needed)
    • TWRP protects from downgrading PL/TZ/LK
    • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).

    NOTE: Hacked fastboot can be reached via TWRP.

    NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
    Just uploaded version 1.1.
    If you are already unlocked you can just install the zip-file from TWRP to update.

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery
    This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if i could get this method to work. I really dont want to open the thing. Thanx for your help.
    You'll need a linux distribution to work from, a live boot cd/usb will work fine.
    Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

    This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

    Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

    1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
      wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
    2. Unzip them both to a 20165195 directory.
      unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
    3. Check the 20165195 directory contains all the needed files.
      $ ls -1 20165195
      Matrix
      Superuser.apk
      ddexe
      debuggerd
      fileWork
      install-recovery.sh
      krdem
      mount
      patch_boot.sh
      pidof
      push_root.sh
      start_wssud.sh
      su
      su_arm64
      supersu.zip
      supolicy
      toolbox
      wsroot.sh
    4. Push the directory to the tablet.
      adb push 20165195 /data/local/tmp
    5. Login to the tablet.
      adb shell
    6. Make the files executable.
      chmod 755 /data/local/tmp/20165195/*
    7. Run the exploit. You should see a lot of output while it runs.
      /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
      If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
    8. exploited 0x7fab64c000=f97cff8c
      end!!!!!!!
      <WSRoot><Exploit>0</Exploit></WSRoot>
      <WSRoot><Done>0</Done></WSRoot>

    9. You can verify root with su.
      [email protected]:/ $ su
      su
      [email protected]:/ #
    10. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
      adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
    11. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
    12. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
    13. Log in to your tablet.
      adb shell
    14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
      su
      rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

    Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
    Notes: At stage 7, running the exploit, you may get an error instead of a successful output like the one above.
    If you get this or similar, try rebooting your Fire HD and try again:

    <WSRoot><Exploit>0x00000332</Exploit></WSRoot>
    check done
    sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
    FAIL : load1 --> /sepolicy
    <WSRoot><Exploit>0x00000341</Exploit></WSRoot>
    <WSRoot><Exploit>0x00000881</Exploit></WSRoot>
    <WSRoot><Done>0x00000172</Done></WSRoot>

    I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, I still received a function not implemented error, but it still worked. This is the part that you're looking for to be successful:

    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>