[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez)


Klaus R

Hi everybody. I'm almost running suez with twrp and lin16. Is it possible to flash FireOS by twrp as well? If so, is a special version recommended?
Thanx in advance!
 

smithbill

Thanx a lot, just what i was looking for.

There are links in this forum to newer versions, all from https://fireos-tablet-src.s3.amazonaws.com, up to v5.6.3.0. Do you think i can flash them also? Or should i stay with (v 5.3.7.3) you mentioned?
I think (but can't recall the exact version numbers) that v5.3.7.3 = v5.6.3.0. Amazon screwed up the version numbers at some point and caused massive confusion about which version was which & which version was the latest.

As far as I'm aware, the version for download on the Amazon website (which is presumably v5.3.7.3 still) *is* the latest. Those versions you find elsewhere with later version numbers, are most likely BEFORE they changed the numbering and so are actually *older* than the one on the Amazon website.

Providing you have TWRP & are rooted, you can flash the FireOS version from Amazon. I strongly suggest that after flashing, you wipe Caches, reboot to TWRP Recovery (not to System!) then finally reboot again but to System - this may help ensure Amazon doesn't do something to overwrite your TWRP Recovery partition.

You can then flash Magisk (I think I included details of how to do that in my post). And then use Fire Toolbox to debloat (don't OVER debloat as removing some essential process can stop your FireHD10 booting & you will then have to start over by reflashing FireOS again).
 

Klaus R

As far as I'm aware, the version for download on the Amazon website (which is presumably v5.3.7.3 still) *is* the latest.
Ah, ok. Mine is on 5.7.0.0, with 659662020. That's exactly the number of that one linked by you to amazon website (v5.3.7.3).

This version seems to have patches by amazon to avoid bootloader cracking. k4yOz link deals with mtk-su to gain root temporarily, won't work anymore. Retyre's approach link is with SuperSU, ran the script but no su possible. So I have to look for a different approach to get root. No root, no twrp

I succeeded with this post by @smartypantsuk to gain root. Now going up to twrp ...
 

smithbill

May I ask why you chose that way to install magisk? Is there any problem with installing the usual way (zip in twrp & apk in running system)?
I tried Zip in TWRP & apk which all seemed to work, but when I then launched Magisk app, I think it told me Magisk wasn't installed & when I chose to install Magisk from within the Magisk app, the only method presented was to patch the boot.img

Anyway, patching the boot.img using the latest Magisk worked flawlessly & gave no problems - so seems like a good solution to me.
 

smithbill

Now going up to twrp ...
I'm not sure upgrading TWRP to the very latest version is a good idea, I'm sure I've read that it causes problems. I recommend sticking with a working version (I can't recall what version mine is, but 3.6.9_1.2 seems familiar, or is it 3.6.1_9.2? sorry, can't recall the right version number).

If your TWRP isn't broken then don't try fixing it by upgrading to a newer version.
 

Klaus R

I tried Zip in TWRP & apk which all seemed to work, but when I then launched Magisk app, I think it told me Magisk wasn't installed
I flashed Magisk zip in Twrp, then renamed it with twrp file manager to apk and copied it to /system. After system boot Magisk Manager App was not installed completely, but starting it downloaded some missing files. Afterwards it runs without probs.
 

cRaZy-bisCuiT

When trying to temporarily brick the device I get the following error. Which version is required?
Code:
sudo ./bootrom-step-minimal.sh
[2023-07-09 22:36:36.674250] Waiting for bootrom
[2023-07-09 22:36:47.738967] Found port = /dev/ttyACM0
[2023-07-09 22:36:47.776022] Handshake
[2023-07-09 22:36:47.796982] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
  File "/home/laurens/Dokumente/suez/amonet/modules/main.py", line 192, in <module>
    main()
  File "/home/laurens/Dokumente/suez/amonet/modules/main.py", line 82, in main
    handshake(dev)
  File "/home/laurens/Dokumente/suez/amonet/modules/handshake.py", line 11, in handshake
    dev.write32(0x10007000, 0x22000000)
  File "/home/laurens/Dokumente/suez/amonet/modules/common.py", line 163, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/laurens/Dokumente/suez/amonet/modules/common.py", line 90, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
 
When trying to temporarily brick the device I get the following error. Which version is required?
Code:
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
Could simply mean the short was not applied correctly, you will have to keep pressing the power button to turn on then turn off the tablet and start again.
 

foysal105

Hello everyone,
I don't know if my question is relevant or not. I have a windows based system and the codes here are for Linux user. Can anyone tell me how to use this process using windows 10??
 

badbob001

If I want to go back to stock, can I just download FireOS 5.6.2.0 bin file and use twrp to flash it?

Or do I really need to first flash back the original recovery image? I tried this: fastboot flash recovery bin/recovery.img, but it says my bootloader is locked.
 

smithbill

If I want to go back to stock, can I just download FireOS 5.6.2.0 bin file and use twrp to flash it?

Or do I really need to first flash back the original recovery image? I tried this: fastboot flash recovery bin/recovery.img, but it says my bootloader is locked.
Bit late answering, but my post #1622 should answer your question.
 

Brixbuster

Hello,

Revisiting hacking my Fire HD 10 after giving up in 2020 (I thought I killed it during the downgrade brick). Turns out I didn't and the tablet now displays the Amazon logo and the text "=> HACKED FASTBOOT mode: (0) - xyz, k40z" on screen. Where should I go from here?

Edit:
Gonna add some important info I forgot. I remember the last thing I did years ago was being able to root, then perform the brick. My VM lost connection with the device, which led me into thinking I killed it. Decided to try it out again, starting at the step where you type "sudo ./bootrom-step-minimal.sh." and the following step.

Thanks!
 

psi78

Hello,

Revisiting hacking my Fire HD 10 after giving up in 2020 (I thought I killed it during the downgrade brick). Turns out I didn't and the tablet now displays the Amazon logo and the text "=> HACKED FASTBOOT mode: (0) - xyz, k40z" on screen. Where should I go from here?

Edit:
Gonna add some important info I forgot. I remember the last thing I did years ago was being able to root, then perform the brick. My VM lost connection with the device, which led me into thinking I killed it. Decided to try it out again, starting at the step where you type "sudo ./bootrom-step-minimal.sh." and the following step.

Thanks!
I guess i'd install adb and fastboot on a pc if you already haven't, connect the device with usb, then flash the recovery of the tablet with twrp by entering these commands in a command prompt:

fastboot flash recovery /path/to/twrp.img

You can get twrp for suez from ggow's lineageos 16 thread.

If you manage to flash twrp then you can go on with installing LOS 12/14/16 by booting into twrp. To boot into twrp recovery turn the tablet on, and keep holding the power button + the Volume key next to the headphone jack until it boots into recovery.
 

Brixbuster

I guess i'd install adb and fastboot on a pc if you already haven't, connect the device with usb, then flash the recovery of the tablet with twrp by entering these commands in a command prompt:

fastboot flash recovery /path/to/twrp.img

You can get twrp for suez from ggow's lineageos 16 thread.

If you manage to flash twrp then you can go on with installing LOS 12/14/16 by booting into twrp. To boot into twrp recovery turn the tablet on, and keep holding the power button + the Volume key next to the headphone jack until it boots into recovery.
So I've installed adb and fastboot, and I tried this command but it just says "waiting for device." Using lsusb does see a device called "Device 007: (ID no.) MediaTek Inc. Wireless_Device". I'm now out of the brick but if I recall I had to go that route because my OS version was too new. I don't recall ever completing the downgrade or installing twrp either.
 

psi78

So I've installed adb and fastboot, and I tried this command but it just says "waiting for device." Using lsusb does see a device called "Device 007: (ID no.) MediaTek Inc. Wireless_Device". I'm now out of the brick but if I recall I had to go that route because my OS version was too new. I don't recall ever completing the downgrade or installing twrp either.
seems the tablet isn't connected in fastboot mode then. You can check with "fastboot devices" command too. Or try "adb devices" and if it shows up there use "adb reboot bootloader".

I think the kay0z scripts install a twrp version too, you could try to retry to execute some part of the script, maybe the second step, but i'm not sure, did this too long ago

Edit: Reread the first post i'd say. It says to use hacked fastboot mode just for flashing recovery with twrp by:
fastboot flash recovery bin/recovery.img
 

coolcorner

I have a weird situation, let me explain.

[Please refer to EDIT 3]
[Please refer to EDIT 1 and EDIT 2 as well]

1. I executed the script provided here https://forum.xda-developers.com/t/...ck-fire-hd-10-2017-suez.3913639/post-79169422 by k4y0z everything went fine, without any issues

2. I installed Lineage OS 16 from TWRP (have not flashed gapps or magisk yet), after installing Lineage OS I was trying to execute cleanup script by psi78 but it was not recognizing the script by giving file not found error. Even after trying to mount system, it failed to execute the script. At this point I thought the issue is with TWRP (as I could not even see the external SD card/storage), so I decided to flash TWRP again.

3. I downloaded TWRP_suez-180918 and flashed this img to recovery from Install option in TWRP, which messed up my TWRP recovery and my device now is not able to get into TWRP. (I select flash image, then selected the img file and selected recovery from the two options we get boot/recovery).

4. After flashing TWRP as in step 3, it rebooted and showed on the bottom left corner "recovery" but would not enter the TWRP. It kept boot looping between booting up and trying to enter TWRP recovery and would failed to do so.

5. Luckily as I had flashed Lineage OS I am able to boot into Lineage OS. Here I enabled USB debugging and tried to enter bootloader mode to flash recovery. While being in the Lineage OS, I can see my device under "adb devices" and I could issue "adb reboot bootloader" and the device was in bootloader mode (on the left bottom corner I can see "bootloader" mentioned), however when I try "fastboot devices" it would not show any device. [Please refer Edit 1 below]

Questions:

a) I am not sure if I am getting into the right bootloader, from what I searched I need to be under hacked bootloader to flash TWRP?
b) If yes, please let me know how can I get into that bootloader to flash TWRP again.

Or

Please let me know how can I fix my situation to flash TWRP.

Note: Currently, the device is able to boot normally into Lineage OS, which is without Gapps and does NOT have root access :(

EDIT 1: Seems like there was some issue with my USB drivers, had to reboot my PC a couple of times for device to get recognized in fastboot mode.
Now, when I try to flash twrp in fastboot, it says "FAILED (remote: the command you input is restricted on locked hw)"

EDIT 2: Did some more search in this thread and found out how to enter hacked bootloader, basically we need to use the script "boot-fastboot.sh" run the script while the device is off and connect the device to the PC which would boot the device and put the device into hacked bootloader mode. In this mode I did flash the TWRP image with "fastboot flash recovery_x twrp.img", then I issued the command "fastboot oem reboot-recovery", it seemed it tried to enter the TWRP recovery but it failed and booted into Lineage.

EDIT 3: After some more searching I figured I need to execute "boot-recovery" script, I ran that script and finally entered TWRP with that, and I was all happy about it and then......... However, after the reboot from TWRP, all I am seeing is a boot loop, now both scripts "boot-fastboot" or "boot-recovery" are not useful, neither its entering recovery or hacked bootloader, also it is NOT able to go past Amazon logo and boot into Lineage OS, I do not know what happened suddenly, it is basically in a boot loop. How do I fix this, please let me know?
 

oryx.callotis

I was on 5.6.8.0 Suez and got this to work, much obliged.

The mtk-su trick to get root didn't work though, so I followed this first;


Then I went back to here from step 3 and eventually got Lineage 14.1 installed and working, with all the play store stuff installed. It worked fine, but video wasn't playing in anything except the Chrome browser.

Afterwards, I upgraded to 16.0 Lineage and then had to install google apps with NikGapps Core, as the Open Gapps package didn't work due to some system storage bug. Everything seems to work, video plays everywhere. I use Firefox Beta as my browser with uBlock, and youtube works. Revanced YouTube presumably works as this is Android 9 as well.
 

Top Liked Posts

  • 84
    Read this whole guide before starting.

    This is for the 7th gen Fire HD10 (suez).

    Current version: amonet-suez-v1.1.2.zip


    NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


    NOTE: This process will modify the partition-table (GPT) of your device.


    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.


    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, adb, fastboot, dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-suez-v1.1.2.zip" and open a terminal in that directory.


    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


    2. Enable ADB in Developer Settings

    3. Start the script:
    Code:
    sudo ./step-1.sh

    Your device will now reboot into recovery and perform a factory reset.

    NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you don't need to run step-2.sh below:



    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    It will then boot into "hacked fastboot" mode.
    Then run
    Code:
    sudo ./fastboot-step.sh



    NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
    NOTE: Make sure you re-enable ADB after Factory Reset.


    4. Start the script:
    Code:
    sudo ./step-2.sh

    The exploit will now be flashed and your device will reboot into TWRP.

    You can now install Magisk from there.


    Going back to stock

    Extract the attached zip-file "amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted "amonet-suez-v1.1.2.zip" and open a terminal in that directory.
    You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
    Just use hacked fastboot to
    Code:
    fastboot flash recovery bin/recovery.img

    If you want to go back completely (including restoring your GPT):
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)

    Important information


    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Special thanks also to @retyre for porting the bootrom-exploit and for testing.
    Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
    Thanks also to @bibikalka and everyone who donated :)
    Thanks to @TheRealIntence and @b1u3m3th for confirming it also works on the 64GB model.
    14
    Unbricking

    If Recovery OR FireOS are still accessible there are other means of recovery, don't continue.

    If your device shows one of the following symptoms:
    1. It doesn't show any life (screen stays dark)
    2. You see the white amazon logo, but cannot access Recovery or FireOS.

    If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
    1. Make sure the device is powered off, by holding the power-button for 20+ seconds
    2. Start bootrom-step.sh
    3. Plug in USB

    In all other cases you will have to open the device and partially take it apart.
    Follow this guide by @retyre until (including) step 8.
    At Step 6. you will replace
    Code:
    sudo ./bootrom.sh
    with
    Code:
    sudo ./bootrom-step.sh
    Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).

    If the script succeeded, put the device back together.
    When you turn it on, it should start in hacked fastboot mode.
    You can now use
    Code:
    sudo ./fastboot-step.sh
    This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.


    Checking USB connection
    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
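
The USB check described in the post above, as an added example that is not part of k4y0z's post or of amonet: a small classifier that reads `lsusb` or `dmesg` text and reports which MediaTek mode the tablet is in. The two IDs are the ones quoted in the post; the function names, the hint wording and the third sample line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of amonet: classify the MediaTek USB mode using the
# IDs quoted in the post (0e8d:0003 = boot-rom, 0e8d:2000 = preloader).

# classify_mtk_mode: reads lsusb or dmesg text on stdin and prints one of
#   bootrom | preloader | other-mediatek:<product-id> | absent
classify_mtk_mode() {
    # Normalise both line formats to lower-case "vendor:product", one per line.
    ids=$(sed -n \
        -e 's/.*ID \([0-9A-Fa-f]\{4\}:[0-9A-Fa-f]\{4\}\).*/\1/p' \
        -e 's/.*idVendor=\([0-9A-Fa-f]\{4\}\), idProduct=\([0-9A-Fa-f]\{4\}\).*/\1:\2/p' \
        | tr 'A-F' 'a-f')
    result=absent
    for id in $ids; do
        case "$id" in
            0e8d:0003) result=bootrom; break ;;   # boot-rom wins over anything else
            0e8d:2000) result=preloader ;;
            0e8d:*)
                # MediaTek vendor ID, but a product ID the post does not mention.
                if [ "$result" = absent ]; then
                    result="other-mediatek:${id#0e8d:}"
                fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# mtk_mode_hint: one-line explanation for a classify_mtk_mode result.
mtk_mode_hint() {
    case "$1" in
        bootrom)   echo "boot-rom mode: the state bootrom-step.sh waits for" ;;
        preloader) echo "preloader mode: per the post, try again" ;;
        absent)    echo "no MediaTek device listed: check cable and power state" ;;
        *)         echo "MediaTek device in another mode ($1): not boot-rom" ;;
    esac
}

# Constructed sample input: the first two lines are copied from the post,
# the third uses a made-up product ID to show the fallback branch.
for sample in \
    'Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone' \
    'Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader' \
    'Bus 002 Device 015: ID 0e8d:ffff MediaTek Inc. (constructed)'
do
    mode=$(printf '%s\n' "$sample" | classify_mtk_mode)
    printf '%-22s %s\n' "$mode" "$(mtk_mode_hint "$mode")"
done
# On a real host: lsusb | classify_mtk_mode
```
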
    11
    This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if i could get this method to work. I really don't want to open the thing. Thanx for your help.
    You'll need a linux distribution to work from, a live boot cd/usb will work fine.
    Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.

    This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.

    Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)

    1. Download the root exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) and Super_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
      wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
    2. Unzip them both to a 20165195 directory.
      unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
    3. Check the 20165195 directory contains all the needed files.
      $ ls -1 20165195
      Matrix
      Superuser.apk
      ddexe
      debuggerd
      fileWork
      install-recovery.sh
      krdem
      mount
      patch_boot.sh
      pidof
      push_root.sh
      start_wssud.sh
      su
      su_arm64
      supersu.zip
      supolicy
      toolbox
      wsroot.sh
    4. Push the directory to the tablet.
      adb push 20165195 /data/local/tmp
    5. Login to the tablet.
      adb shell
    6. Make the files executable.
      chmod 755 /data/local/tmp/20165195/*
    7. Run the exploit. You should see a lot of output while it runs.
      /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
      If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check the Troubleshooting section:
    8. exploited 0x7fab64c000=f97cff8c
      end!!!!!!!
      <WSRoot><Exploit>0</Exploit></WSRoot>
      <WSRoot><Done>0</Done></WSRoot>

    9. You can verify root with su.
      shell@suez:/ $ su
      su
      root@suez:/ #
    10. Back on your computer, download SuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
      adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
    11. Open up the SuperSU app on the tablet, tap Get Started, then tap Continue and select Normal to update the app. Select Reboot after it is done installing to reboot the tablet.
    12. After the tablet reboots, open SuperSU app again, tap on Settings tab, then tap Default access, then choose Grant.
    13. Log in to your tablet.
      adb shell
    14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
      su
      rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

    Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
    Notes: At stage 7, running the exploit, you may get an error instead of a successful output like above.
    If you get this or similar, try rebooting your Fire HD and try again:

    <WSRoot><Exploit>0x00000332</Exploit></WSRoot>
    check done
    sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
    FAIL : load1 --> /sepolicy
    <WSRoot><Exploit>0x00000341</Exploit></WSRoot>
    <WSRoot><Exploit>0x00000881</Exploit></WSRoot>
    <WSRoot><Done>0x00000172</Done></WSRoot>

    I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, I still received a function not implemented error, but it still worked. This is the part that you're looking for to be successful:

    <WSRoot><Exploit>0</Exploit></WSRoot>
    <WSRoot><Done>0</Done></WSRoot>
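
The guide above lists SHA256 values next to each download, and the files are fetched over plain HTTP and then run as root on the tablet. As an added example that is not part of the original post, this is one way to check those digests before anything is pushed with adb. It assumes the quoted digests apply to files saved under the names used in the guide; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the guide: fail-closed SHA256 check for the downloads.

# sha256_of FILE: print the lower-case hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED
#   returns 0 on match, 1 on mismatch, 2 if the file is missing or the
#   expected value is not a 64-digit hex string.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# verify_manifest DIR: reads "DIGEST  FILENAME" lines on stdin, prints one
# status line per file, and returns non-zero if any file is not verified.
verify_manifest() {
    dir=$1
    failed=0
    while read -r want name; do
        [ -n "$want" ] || continue
        if verify_sha256 "$dir/$name" "$want"; then
            echo "OK       $name"
        else
            echo "REJECTED $name"
            failed=1
        fi
    done
    return "$failed"
}

# Digests as quoted in the guide; pairing them with these file names is an
# assumption. Nothing should be pushed to the tablet unless this passes.
verify_manifest . <<'EOF' || echo "Do not continue: at least one download is missing or does not match."
8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8  20165195.zip
b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd  SuperSU_18+.zip
2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b  eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk
EOF
```
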
    10
    Changelog
    Version 1.1.2 (26.03.2019)
    • Fix regenerating GPT from temp GPT

    Version 1.1.1 (26.03.2019)
    • Fix unbricking procedure

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery

    Features.

    • Uses 5.6.3 LK for full compatibility with newer kernels.
    • Hacked fastboot mode lets you use all fastboot commands (flash etc).
    • Boots custom/unsigned kernel-images (no patching needed)
    • TWRP protects from downgrading PL/TZ/LK
    • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).

    NOTE: Hacked fastboot can be reached via TWRP.

    NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock
    9
    Just uploaded version 1.1.
    If you are already unlocked you can just install the zip-file from TWRP to update.

    Version 1.1 (25.03.2019)
    • Update TWRP-sources to twrp-9.0 branch
    • TWRP uses kernel compiled from source
    • Add scripts to use handshake2.py to enter fastboot/recovery