[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez)

pascal009

Member
Jul 18, 2021
36
7
The guide says (just behind the bootrom-step thing):

Then run the fastboot-step... :)
I have gone through the process like a dozen times, carefully following the OPs. The more I repeated it the less I understood the workings.

I started with the disassembled device, the battery and the LCD ribbon cable disconnected.

Run
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

sudo ./bootrom-step.sh
... Waiting for ROM ...

I ground the test point on the PCB and connect the USB cable

... Remove the short and press Enter ...

On the Linux side everything looks good. The command ends with the message "Now it should reboot into a hacked fastboot mode".

Disconnect the USB cable. Reassemble (well, partially) the PCB, LCD ribbon and the battery. Press Power, device emits the familiar sound
as if it's going to boot up. The screen remains black. Nothing happens.

Notwithstanding, I connect the device to Linux box. Run "sudo ./fastboot-step.sh". Again, everything looks good on the Linux side.
The command ends with "Now device should reboot into TWRP interface". Nothing happens. The Power button does not respond to pressing in any way possible. The screen remains black. "lsusb" does not show anything Android. "adb devices" does not see anything.

During the execution of bootrom-step.sh dmesg seems to recognize product as Android/omni_suez/MT65xx Preloader.

During fastboot-step.sh it shows product only as MT65xx Preloader.

For all practical purposes the device is not booting up.

[ 2259.075596] usb 1-1: new high-speed USB device number 22 using ehci-pci
[ 2259.386003] usb 1-1: New USB device found, idVendor=1949, idProduct=0280, bcdDevice= 1.00
[ 2259.386068] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2259.386088] usb 1-1: Product: Android
[ 2259.386105] usb 1-1: Manufacturer: Amazon
[ 2259.386120] usb 1-1: SerialNumber: G000N60774740RS8
[ 2355.673227] usb 1-1: USB disconnect, device number 22
[ 2358.447579] usb 1-1: new high-speed USB device number 23 using ehci-pci
[ 2358.606457] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2358.606508] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2358.606528] usb 1-1: Product: MT65xx Preloader
[ 2358.606543] usb 1-1: Manufacturer: MediaTek
[ 2358.674055] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2358.674192] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2358.754600] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2361.118925] usb 1-1: USB disconnect, device number 23
[ 2367.031602] usb 1-1: new high-speed USB device number 24 using ehci-pci
[ 2367.334886] usb 1-1: New USB device found, idVendor=1949, idProduct=0280, bcdDevice= 1.00
[ 2367.334934] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2367.334954] usb 1-1: Product: Android
[ 2367.334970] usb 1-1: Manufacturer: Amazon
[ 2367.334985] usb 1-1: SerialNumber: G000N60774740RS8
[ 2488.044101] perf: interrupt took too long (6680 > 6555), lowering kernel.perf_event_max_sample_rate to 29750
[ 2489.967861] usb 1-1: USB disconnect, device number 24
[ 2492.747571] usb 1-1: new high-speed USB device number 25 using ehci-pci
[ 2492.906387] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2492.906439] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2492.906460] usb 1-1: Product: MT65xx Preloader
[ 2492.906479] usb 1-1: Manufacturer: MediaTek
[ 2492.990902] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2492.991000] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2493.071691] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2495.416086] usb 1-1: USB disconnect, device number 25
[ 2505.979601] usb 1-1: new high-speed USB device number 26 using ehci-pci
[ 2506.172727] usb 1-1: New USB device found, idVendor=18d1, idProduct=d001, bcdDevice=ff.ff
[ 2506.172794] usb 1-1: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[ 2506.172813] usb 1-1: Product: omni_suez
[ 2506.172832] usb 1-1: Manufacturer: Amazon
[ 2506.172848] usb 1-1: SerialNumber: G000N60774740RS8
[ 2509.785038] usb 1-1: USB disconnect, device number 26
[ 2510.135576] usb 1-1: new high-speed USB device number 27 using ehci-pci
[ 2510.335671] usb 1-1: New USB device found, idVendor=18d1, idProduct=4ee2, bcdDevice=ff.ff
[ 2510.335727] usb 1-1: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[ 2510.335747] usb 1-1: Product: omni_suez
[ 2510.335762] usb 1-1: Manufacturer: Amazon
[ 2510.335775] usb 1-1: SerialNumber: G000N60774740RS8
[ 2519.213823] usb 1-1: USB disconnect, device number 27
[ 2521.979642] usb 1-1: new high-speed USB device number 28 using ehci-pci
[ 2522.138391] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2522.138444] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2522.138479] usb 1-1: Product: MT65xx Preloader
[ 2522.138493] usb 1-1: Manufacturer: MediaTek
[ 2522.222793] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2522.222888] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2522.303377] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2524.647729] usb 1-1: USB disconnect, device number 28

[ 2924.255596] usb 1-1: new high-speed USB device number 29 using ehci-pci
[ 2924.414454] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2924.414512] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2924.414532] usb 1-1: Product: MT65xx Preloader
[ 2924.414549] usb 1-1: Manufacturer: MediaTek
[ 2924.479086] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2924.479179] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2924.559936] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2926.924193] usb 1-1: USB disconnect, device number 29
[ 2942.347588] usb 1-1: new high-speed USB device number 30 using ehci-pci
[ 2942.506266] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2942.506347] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2942.506369] usb 1-1: Product: MT65xx Preloader
[ 2942.506385] usb 1-1: Manufacturer: MediaTek
[ 2942.589902] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2942.590002] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2942.670717] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2945.014756] usb 1-1: USB disconnect, device number 30
[ 2960.611573] usb 1-1: new high-speed USB device number 31 using ehci-pci
[ 2960.770458] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2960.770511] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2960.770535] usb 1-1: Product: MT65xx Preloader
[ 2960.770552] usb 1-1: Manufacturer: MediaTek
[ 2960.842289] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2960.842429] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2960.922930] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2963.287088] usb 1-1: USB disconnect, device number 31
[ 2978.603591] usb 1-1: new high-speed USB device number 32 using ehci-pci
[ 2978.762469] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2978.762525] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2978.762545] usb 1-1: Product: MT65xx Preloader
[ 2978.762561] usb 1-1: Manufacturer: MediaTek
[ 2978.838220] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2978.838358] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2978.918826] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2981.283134] usb 1-1: USB disconnect, device number 32
[ 2990.083596] usb 1-1: new high-speed USB device number 33 using ehci-pci
[ 2990.242457] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 2990.242506] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2990.242529] usb 1-1: Product: MT65xx Preloader
[ 2990.242544] usb 1-1: Manufacturer: MediaTek
[ 2990.330160] cdc_acm 1-1:1.0: Zero length descriptor references
[ 2990.330302] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 2990.410858] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 2992.755118] usb 1-1: USB disconnect, device number 33
[ 3008.216874] usb 1-1: new high-speed USB device number 34 using ehci-pci
[ 3008.374491] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 3008.374569] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 3008.374594] usb 1-1: Product: MT65xx Preloader
[ 3008.374610] usb 1-1: Manufacturer: MediaTek
[ 3008.458288] cdc_acm 1-1:1.0: Zero length descriptor references
[ 3008.458431] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 3008.538900] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 3010.883266] usb 1-1: USB disconnect, device number 34
[ 3026.291580] usb 1-1: new high-speed USB device number 35 using ehci-pci
[ 3026.450353] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[ 3026.450417] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 3026.450433] usb 1-1: Product: MT65xx Preloader
[ 3026.450448] usb 1-1: Manufacturer: MediaTek
[ 3026.538207] cdc_acm 1-1:1.0: Zero length descriptor references
[ 3026.538344] cdc_acm: probe of 1-1:1.0 failed with error -22
[ 3026.619078] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[ 3028.963032] usb 1-1: USB disconnect, device number 35
~/Downloads/FireHD9/amonet-suez/amonet$
 

Sus_i

Senior Member
Apr 9, 2013
1,663
710
> I started with the disassembled device, the battery and the LCD ribbon cable disconnected.

You may have damaged something, the ribbon or something else...

> Run
> sudo systemctl stop ModemManager
> sudo systemctl disable ModemManager
>
> sudo ./bootrom-step.sh
> ... Waiting for ROM ...
>
> I ground the test point on the PCB and connect the USB cable
>
> ... Remove the short and press Enter ...
>
> On the Linux side everything looks good. The command ends with the message "Now it should reboot into a hacked fastboot mode".

That's fine.

> Disconnect the USB cable. Reassemble (well, partially) the PCB, LCD ribbon and the battery. Press Power, device emits the familiar sound as if it's going to boot up. The screen remains black. Nothing happens.
>
> Notwithstanding, I connect the device to Linux box. Run "sudo ./fastboot-step.sh". Again, everything looks good on the Linux side.
> The command ends with "Now device should reboot into TWRP interface".

If you've got no flash errors at the fastboot-step, that's fine also.

> Nothing happens. The Power button does not respond to pressing in any way possible. The screen remains black.

The black screen doesn't mean that the tablet isn't booting.

> For all practical purposes the device is not booting up.
>
> [ 2259.075596] usb 1-1: new high-speed USB device number 22 using ehci-pci
> [ 2259.386003] usb 1-1: New USB device found, idVendor=1949, idProduct=0280, bcdDevice= 1.00
> [ 2259.386068] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> [ 2259.386088] usb 1-1: Product: Android
> [ 2259.386105] usb 1-1: Manufacturer: Amazon
> [ 2259.386120] usb 1-1: SerialNumber: G000N60774740RS8

This shows clearly that the Android Kernel is up and running...
Problem isn't on the Linux side or about the unlock scripts...

Take a close look at the ribbon and so on...
Try to use the boot-recovery script, then take a look if you can use adb shell and check lsusb again.
 

likwidchz

Senior Member
May 14, 2022
53
11
Hiya everyone,

I'm having a weird time trying this. I have two tablets, both FIRE HD-10's 2017 editions
Tablet 1 = firmware 5.3.7.0 Nov 17th 650601220
Tablet 2 = firmware 5.6.6.0 May 14th 654620620

I'm trying to execute the mtk-su exploit. I've tried the R22 and R23 releases and all of them spit out
Both of the tablets do exactly the same thing, see the output below.


[email protected]:/usr/src/suez/amonet/r22/arm64$ adb push mtk-su /data/local/tmp
mtk-su: 1 file pushed. 3.7 MB/s (65216 bytes in 0.017s)
[email protected]:/usr/src/suez/amonet/r22/arm64$ adb shell
[email protected]:/ $ cd data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su
Failed critical init step 4
1|[email protected]:/data/local/tmp $


What's the scoop with the exploit? Let me know if I'm doing something weird.

Thank you,
Take care.
 

pascal009

Member
Jul 18, 2021
36
7
Been there. The mtk-su vulnerability most likely was patched for these versions. You need to use a different method to get a temporary root before executing step-1.sh. Look here (just the "Root the tablet" part).


Once you get a temporary root successfully go back to beginning of the amonet OP.

Good luck!
 

likwidchz

Senior Member
May 14, 2022
53
11
Thanks! It appears to have gotten root now. I'll try the steps on the main page now :) Cheers!
 

pascal009

Member
Jul 18, 2021
36
7
> a big thanks to the author of the topic, this old stuff now got installed android 9, root and twrp, a new life for a thing with 2 GB RAM :D

Interesting. The last Fire OS firmware for the suez was 5.7.0.0, which is based on Android 5.1.1 (Lollipop). Could you point us to the Android 9 ROM you used? I might consider playing with it on one of my Fire HD 10 7th Gen. Is your Android 9 a 32-bit or 64-bit architecture? I know that while the CPU on this tablet is 64-bit the userspace is still 32-bit and you can't install arm64-v8a apks on it.

Thank you
 

pascal009

Member
Jul 18, 2021
36
7
Greetings,

A new version of Magisk (25.0) has been released recently

In the words of its developer it is "Another major release! A lot of the changes aren't visible at the surface, but v25 is actually a really substantial upgrade!"

Can one of the experts here on the forum tell whether it is safe to flash this new version over the previous one (24.3) on the TWRP'ed
and rooted giza?

Your opinion is greatly appreciated.

pascal009
 

Mlinko6

New member
Apr 10, 2020
4
1
Dear All,

I have the following problem. I've managed to get the root access on my fire hd 10 7gen tablet:

check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f78dce000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
[email protected]:/ $ su
[email protected]:/ #

When I try to install the supersu - eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk

then I get this error:

C:\platform-tools>adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
Performing Push Install
eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror...ile pushed, 0 skipped. 13.5 MB/s (6352731 bytes in 0.448s)
pkg: /data/local/tmp/eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]

Would anyone know how to fix this? I can see the icon on the tablet but if I start the program it just crashes back to the main "window".

Thank you for your help!

KR
Rok
 

pascal009

Member
Jul 18, 2021
36
7
Hi,

What exactly did you use to root your tablet? Judging by the piece of the code above

[email protected]:/ $ su
[email protected]:/ #

your device already has the SU access. What was the point of installing SuperSU?
BTW, did you go through all the necessary steps described at the top of this thread?

pascal009
 

ryny24

Member
Jul 18, 2013
27
2
I'm going nuts opening my tablet several times. Do you guys update TWRP from 3.2.3-0 as included in this binary to the latest available in the LOS thread version 3.6.1-9.2?

The TWRP 3.2.3 seems to have a problem with USB storage for me. I've tried many many sticks, none work. I did an ADB PUSH with the suez twrp 3.6.1 and did an update in TWRP, but this completely corrupts my recovery and I have to unbrick again to get back.

If you don't update TWRP, how can you load the OS images without USB?

Thank you.
 

cellist

Member
Dec 22, 2013
20
5
Did you try to "adb sideload" the OS image, so you transfer it via cable instead of using a USB storage device?
 

nathanzachary

Senior Member
Mar 3, 2010
69
7
Well, I bricked my tablet and can't seem to get anything to display on the screen any longer. I would greatly appreciate some help. When I plug it in, it shows up in lsusb:

Bash:
$ lsusb | grep MT6227
Bus 007 Device 046: ID 0e8d:0003 MediaTek Inc. MT6227 phone

but it doesn't stay that way indefinitely, and eventually disappears with dmesg showing the disconnect:

Code:
[1755854.330741] usb 7-3: new full-speed USB device number 46 using xhci_hcd
[1755854.464885] usb 7-3: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[1755854.464889] usb 7-3: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[1755894.040452] usb 7-3: USB disconnect, device number 46

I have tried the bootrom-step.sh script, but it just hangs at 'Waiting for bootrom' and never displays anything else.

I was running 5.7.0.0, and used the instructions to get SuperSU installed (by using adb to install the APK). I then ran the 'step-1.sh', confirmed that I wanted to brick the device by typing 'YES' , but alas, that's when I got the black screen, and I tried to continue with the 'bootrom-step-minimal.sh' but didn't get any sign of life. :(

Thank you preemptively for your help.

EDIT: I think that the device is bootlooping as lsusb shows the device for ~40 seconds, then it goes away and takes ~24 seconds to come back. That cycle repeats endlessly when the device is plugged in via USB.
 

pascal009

Member
Jul 18, 2021
36
7
It looks like you have to remove the back cover to disconnect the battery before executing "sudo ./bootrom-step-minimal.sh".
See my post https://forum.xda-developers.com/t/...hd-10-2017-suez.3913639/page-75#post-86690371 and the 2 following posts...
 

Top Liked Posts

  • 1
    Btw, since a few people had the same "RuntimeError: read fail" issue when bootrom-step-minimal tries to check the GPT: At least for me that read was just a bit flaky and I was able to add a retry to successfully move on. Some details over here:


    Oddly I retried about 15-20 times before, so it seemed to be relatively consistent.
  • 79
    Read this whole guide before starting.

    This is for the 7th gen Fire HD10 (suez).

    Current version: amonet-suez-v1.1.2.zip


    NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


    NOTE: This process will modify the partition-table (GPT) of your device.


    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.


    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, adb, fastboot, dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.


    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


    2. Enable ADB in Developer Settings

    3. Start the script:
    Code:
    sudo ./step-1.sh

    Your device will now reboot into recovery and perform a factory reset.

    NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you don't need to run step-2.sh below:



    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    It will then boot into "hacked fastboot" mode.
    Then run
    Code:
    sudo ./fastboot-step.sh



    NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
    NOTE: Make sure you re-enable ADB after Factory Reset.


    4. Start the script:
    Code:
    sudo ./step-2.sh

    The exploit will now be flashed and your device will reboot into TWRP.

    You can now install Magisk from there.


    Going back to stock

    Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
    You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
    Just use hacked fastboot to
    Code:
    fastboot flash recovery bin/recovery.img

    If you want to go back completely (including restoring your GPT):
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)

    Important information


    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Special thanks also to @retyre for porting the bootrom-exploit and for testing.
    Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
    Thanks also to @bibikalka and everyone who donated :)
    Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.
    12
    Unbricking

    If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.

    If your device shows one of the following symptoms:
    1. It doesn't show any life (screen stays dark)
    2. You see the white amazon logo, but cannot access Recovery or FireOS.

    If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
    1. Make sure the device is powered off, by holding the power-button for 20+ seconds
    2. Start bootrom-step.sh
    3. Plug in USB

    In all other cases you will have to open the device and partially take it apart.
    Follow this guide by @retyre until (including) step 8.
    At Step 6. you will replace
    Code:
    sudo ./bootrom.sh
    with
    Code:
    sudo ./bootrom-step.sh
    Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).

    If the script succeeded, put the device back together.
    When you turn it on, it should start in hacked fastboot mode.
    You can now use
    Code:
    sudo ./fastboot-step.sh
    This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.


    Checking USB connection
    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
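
The USB check described above can be run over a whole dmesg capture instead of being read line by line. The following is an added example, not part of the original post or of the amonet scripts: it maps the two USB IDs named above to "bootrom" and "preloader", reports any other device by its product string, and measures how long each enumeration lasts so that a device that keeps re-enumerating in the same mode is flagged. The function names, the three-session loop threshold and both sample logs are assumptions constructed for illustration, shaped like the logs and timings posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two USB IDs the unbricking post names; any other device is reported by product string.
MODES = {
    ("0e8d", "0003"): "bootrom",    # lsusb: "MT6227 phone"
    ("0e8d", "2000"): "preloader",  # lsusb: "MT65xx Preloader"
}

_TS = r"\[\s*(\d+\.\d+)\]\s+usb (\S+): "
_FOUND = re.compile(_TS + r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
_PRODUCT = re.compile(_TS + r"Product: (.+)")
_GONE = re.compile(_TS + r"USB disconnect")


@dataclass
class Session:
    """One enumeration of a device on a USB port, from 'found' to 'disconnect'."""
    port: str
    vid: str
    pid: str
    start: float
    product: str = ""
    end: Optional[float] = None  # None while the device is still connected

    @property
    def mode(self):
        return MODES.get((self.vid, self.pid), "other")

    @property
    def duration(self):
        return None if self.end is None else self.end - self.start


def parse_sessions(dmesg_text):
    """Turn dmesg USB lines into an ordered list of Session objects."""
    sessions, open_by_port = [], {}
    for line in dmesg_text.splitlines():
        if m := _FOUND.search(line):
            s = Session(port=m[2], vid=m[3], pid=m[4], start=float(m[1]))
            sessions.append(s)
            open_by_port[s.port] = s
        elif m := _PRODUCT.search(line):
            if m[2] in open_by_port:
                open_by_port[m[2]].product = m[3].strip()
        elif m := _GONE.search(line):
            s = open_by_port.pop(m[2], None)
            if s is not None:
                s.end = float(m[1])
    return sessions


def trailing_run(sessions):
    """Sessions at the end of the log that share the last session's VID:PID."""
    last = (sessions[-1].vid, sessions[-1].pid)
    n = 0
    for s in reversed(sessions):
        if (s.vid, s.pid) != last:
            break
        n += 1
    return sessions[-n:]


def diagnose(sessions, loop_min=3):
    """Mode of the most recent enumeration, with '-loop' if it keeps repeating."""
    if not sessions:
        return "no-device"
    last = sessions[-1]
    label = last.mode
    if label == "other":
        label = "other:" + (last.product or f"{last.vid}:{last.pid}")
    closed = [s for s in trailing_run(sessions) if s.end is not None]
    return label + "-loop" if len(closed) >= loop_min else label


def cycle(sessions):
    """Mean connected time and mean gap (seconds) over the trailing run."""
    run = trailing_run(sessions)
    on = [s.duration for s in run if s.duration is not None]
    off = [b.start - a.end for a, b in zip(run, run[1:]) if a.end is not None]
    mean = lambda xs: round(sum(xs) / len(xs), 1) if xs else None
    return mean(on), mean(off)


# Constructed sample: one "Android" enumeration, then the preloader appearing briefly three times.
SAMPLE_PRELOADER = """\
[  100.000000] usb 1-1: New USB device found, idVendor=1949, idProduct=0280, bcdDevice= 1.00
[  100.000100] usb 1-1: Product: Android
[  196.000000] usb 1-1: USB disconnect, device number 22
[  199.000000] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[  199.000100] usb 1-1: Product: MT65xx Preloader
[  199.100000] cdc_acm 1-1:1.1: ttyACM0: USB ACM device
[  201.500000] usb 1-1: USB disconnect, device number 23
[  215.000000] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[  217.500000] usb 1-1: USB disconnect, device number 24
[  231.000000] usb 1-1: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[  233.500000] usb 1-1: USB disconnect, device number 25
"""

# Constructed sample: 0e8d:0003 visible for 40 s, gone for 24 s, repeating.
SAMPLE_BOOTROM = """\
[   10.000000] usb 7-3: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[   50.000000] usb 7-3: USB disconnect, device number 46
[   74.000000] usb 7-3: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[  114.000000] usb 7-3: USB disconnect, device number 47
[  138.000000] usb 7-3: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[  178.000000] usb 7-3: USB disconnect, device number 48
"""

if __name__ == "__main__":
    for name, text in (("preloader sample", SAMPLE_PRELOADER), ("bootrom sample", SAMPLE_BOOTROM)):
        s = parse_sessions(text)
        print(name, diagnose(s), cycle(s))
```

To use it on a real capture, pass the output of `dmesg` to `parse_sessions()` in place of the constructed samples.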
    10
    Changelog
    Version 1.1.2 (26.03.2019)
    • Fix regenerating GPT from temp GPT

    Version 1.1.1 (26.03.2019)
    • Fix unbricking procedure

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery

    Features.

    • Uses 5.6.3 LK for full compatibility with newer kernels.
    • Hacked fastboot mode lets you use all fastboot commands (flash etc).
    • Boots custom/unsigned kernel-images (no patching needed)
    • TWRP protects from downgrading PL/TZ/LK
    • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).

    NOTE: Hacked fastboot can be reached via TWRP.

    NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
    9
    Just uploaded version 1.1.
    If you are already unlocked you can just install the zip-file from TWRP to update.

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery
    8
    > This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if I could get this method to work. I really don't want to open the thing. Thanx for your help.

    You'll need a Linux distribution to work from, a live boot cd/usb will work fine.
    Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

    This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

    Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

    1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
      wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
    2. Unzip them both to a 20165195 directory.
      unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
    3. Check the 20165195 directory contains all the needed files.
      $ ls -1 20165195
      Matrix
      Superuser.apk
      ddexe
      debuggerd
      fileWork
      install-recovery.sh
      krdem
      mount
      patch_boot.sh
      pidof
      push_root.sh
      start_wssud.sh
      su
      su_arm64
      supersu.zip
      supolicy
      toolbox
      wsroot.sh
    4. Push the directory to the tablet.
      adb push 20165195 /data/local/tmp
    5. Login to the tablet.
      adb shell
    6. Make the files executable.
      chmod 755 /data/local/tmp/20165195/*
    7. Run the exploit. You should see a lot of output while it runs.
      /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
      If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
      [*] exploited 0x7fab64c000=f97cff8c
      end!!!!!!!
      <WSRoot><Exploit>0</Exploit></WSRoot>
      <WSRoot><Done>0</Done></WSRoot>

    8. You can verify root with su.
      [email protected]:/ $ su
      su
      [email protected]:/ #
    9. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
      adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
    10. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
    11. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
    12. Log in to your tablet.
      adb shell
    13. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
      su
      rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

    Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
    Notes: At stage 7, running the exploit, you may get an error instead of a successful output like above.
    If you get this or similar, try rebooting your Fire HD and try again:

    <WSRoot><Exploit>0x00000332</Exploit></WSRoot>
    check done
    sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
    FAIL : load1 --> /sepolicy
    <WSRoot><Exploit>0x00000341</Exploit></WSRoot>
    <WSRoot><Exploit>0x00000881</Exploit></WSRoot>
    <WSRoot><Done>0x00000172</Done></WSRoot>

    I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, I still received a function not implemented error, but it still worked. This is the part that you're looking for to be successful:

    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>