[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2016 (giza)

Rortiz2

Read this whole guide before starting.
This is for the 6th gen Fire HD8 (giza).

Current version: amonet-giza-v1.2.zip

NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
NOTE: This process will modify the partition-table (GPT) of your device.

NOTE: Your device will be reset to factory defaults (including internal storage) during this process.

What you need:
  • A Linux installation or live-system
  • A micro-USB cable
Install python3, PySerial, adb, fastboot and dos2unix. For Debian/Ubuntu, something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix

1. Extract the attached zip-file "amonet-giza-v1.2.zip" and open a terminal in that directory.
NOTE: If you are already rooted, continue with the next step; otherwise get mtk-su by @diplomatic from here and place it (the unpacked binary) into the amonet/bin folder.

2. Enable ADB in Developer Settings.

3. Start the script:
Code:
sudo ./step-1.sh

Your device will now reboot into recovery and perform a factory reset.

NOTE: If your PL/TZ/LK versions are too new, a downgrade is necessary; this requires bricking the device temporarily. (The screen won't come on at all.)
If you chose the brick option, you don't need to run step-2.sh below:


Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
Code:
sudo ./bootrom-step-minimal.sh

Then plug the device back in.

It will then boot into "hacked fastboot" mode.
Then run
Code:
sudo ./fastboot-step.sh
NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
NOTE: Make sure you re-enable ADB after Factory Reset.


4. Start the script:
Code:
sudo ./step-2.sh

The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.

Going back to stock
Extract the attached zip-file "amonet-giza-v1.2.zip" and open a terminal in that directory.

You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.

Just use hacked fastboot to
Code:
sudo fastboot flash recovery bin/recovery.img

If you want to go back completely (including restoring your GPT):
Code:
sudo ./return-to-stock.sh

Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there.

Important information

In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

Very special thanks to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
Special thanks also to @k4y0z for making all this possible and porting the exploit to 64 bit devices.
Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
Special thanks also to @lovaduck for all the testing.
 

Attachments

  • amonet-giza-v1.0.zip (29.3 MB)
  • what.jpeg (62.1 KB)
  • amonet-giza-v1.1.zip (29.3 MB)
  • amonet-giza-v1.2.zip (29.4 MB)

Rortiz2

Unbricking

If Recovery OR FireOS are still accessible, there are other means of recovery; don't continue.

If your device shows one of the following symptoms:
  1. It doesn't show any life (screen stays dark)
  2. You see the white amazon logo, but cannot access Recovery or FireOS.

If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
  1. Make sure the device is powered off, by holding the power-button for 20+ seconds
  2. Start bootrom-step.sh
  3. Plug in USB
In all other cases you will have to open the device and partially take it apart.

1. Extract the attached zip-file "amonet-giza-v1.2.zip" and open a terminal in that directory.
2. Start the script:
Code:
sudo ./bootrom-step.sh
It should now say Waiting for bootrom.

If you're lucky and have an old preloader (Up to FireOS 5.3.2.0), you can just hold the left volume button while plugging the device in.
If you're on a newer preloader, there are two options:
  1. Open the device and short the pin marked in the attached photo to ground while plugging in.
  2. Downgrade to 5.3.1.0 firmware via adb sideload in Amazon recovery, then proceed to use the left volume button to enter boot-rom.
NOTE: Using option two may brick your device until you have successfully finished the process.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it fails at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
sudo ./fastboot-step.sh

The device should reboot to TWRP. Format data and use TWRP to flash a custom ROM, Magisk or SuperSU.

Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.0
 
Last edited:
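
The USB check described under "Checking USB connection" above, as an added example that is not part of the original post or the amonet package: it classifies lsusb or dmesg text as boot-rom, preloader or absent by matching vendor and product together, so a root hub with product ID 0003 is not mistaken for the boot-rom. The function names and sample variables are assumptions made for illustration; the sample lines are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not part of the amonet package): classify the USB state
# described under "Checking USB connection" from lsusb or dmesg text.

# Print vid:pid for every device line on stdin, lower-cased.
# Accepts "ID 0e8d:0003" (lsusb) and "idVendor=0e8d, idProduct=0003" (dmesg).
usb_ids() {
    sed -n \
        -e 's/.*ID \([0-9A-Fa-f]\{4\}:[0-9A-Fa-f]\{4\}\).*/\1/p' \
        -e 's/.*idVendor=\([0-9A-Fa-f]\{4\}\), idProduct=\([0-9A-Fa-f]\{4\}\).*/\1:\2/p' |
        tr 'A-F' 'a-f'
}

# Print bootrom, preloader or absent for the text on stdin.
# 0e8d:0003 = boot-rom and 0e8d:2000 = preloader, as listed in the post.
classify_mtk_mode() {
    ids=$(usb_ids)
    if printf '%s\n' "$ids" | grep -qx '0e8d:0003'; then
        echo bootrom
    elif printf '%s\n' "$ids" | grep -qx '0e8d:2000'; then
        echo preloader
    else
        echo absent
    fi
}

# Constructed samples built from the lines quoted in the thread.
SAMPLE_BOOTROM='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone'
SAMPLE_PRELOADER='Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader'
SAMPLE_DMESG='[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.0'
SAMPLE_HUBS_ONLY='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

for s in "$SAMPLE_BOOTROM" "$SAMPLE_PRELOADER" "$SAMPLE_DMESG" "$SAMPLE_HUBS_ONLY"; do
    printf '%s\n' "$s" | classify_mtk_mode
done
# Live use: lsusb | classify_mtk_mode
```
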

lovaduck

Great job by Roger, everything worked very much at first attempt while I tested. Now I have revived an old tablet that was not in use anymore!
I would advise everybody trying this process to keep in mind that things can always go wrong, but you have nothing to lose anyways. Hack at your own risk.
So good luck with the mod, and again, kudos to @Rortiz2
 

sancho_sumy

Hi. I have a problem on Step 2:

adb: error: cannot stat 'bin/boot0short.img': No such file or directory

I checked the bin directory and really didn't find boot0short.img. Maybe it should be generated by the script. I checked the code and didn't find any other mentions of this file...

What am I doing wrong?
 

Rortiz2


sancho_sumy

Bricked after running the 1.2 version? That makes no sense, unless your RPMB was updated. What's the output of "lsusb" when you plug in the tablet to the computer?
Yes. I ran Step 2 from the 1.2 version.
After "Rebooting into TWRP" the screen went off and didn't come on anymore.

It's not listed in lsusb:
[email protected]:~/Downloads/amonet-giza-v1.2$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 5986:2113 Acer, Inc Integrated Camera
Bus 001 Device 005: ID 0bda:c024 Realtek Semiconductor Corp. Bluetooth Radio
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

After plugging in to USB, dmesg:

usb 1-3: USB disconnect, device number 7

Is there any chance to fix it? :-(
 

789mod

Yes. I ran Step 2 from the 1.2 version.
After "Rebooting into TWRP" the screen went off and didn't come on anymore.

It's not listed in lsusb:


After plugging in to USB, dmesg:



Is there any chance to fix it? :-(
Don't worry.
First short your device; after this:
2. sudo ./boot-fastboot.sh
The screen is still black.
After that, unplug your USB, type sudo ./fastboot-step.sh and plug it in,
and wait 1 sec.

It will be successful.
Thanks
 

Top Liked Posts

  • 1
    Tablet became available via lsusb.

    When I try your instruction I receive
    Ok, yeah, your Preloader was corrupt, try with this zip (which ignores boot0 status). And no, don't run gpt-fix, your issue isn't the partition table.
    1
    This is off topic and the wrong device; please create a topic in the HD 8 and 10 general section.
    1
    Ok, yeah, your Preloader was corrupt, try with this zip (which ignores boot0 status). And no, don't run gpt-fix, your issue isn't the partition table.

    It works!

    Thank you for the prompt reply and assistance.
    Now the device is flashed with Lineage 15.1 and works well!
    1
    @ri

    but camera not working
    Never used it in stock, so it's not a problem for me.
    1
    I get the following when running step 1:

    Is there much of a difference between the two and if not should I just edit the check in step-1.sh & step-2.sh?
    Oh well, my fault, let me fix that.
    EDIT: Fixed the product check, use the v1.1 package.