
[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2016 (giza)


Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
powered off and disconnected
Code:
# ./boot-fastboot.sh
[2021-10-14 16:13:30.521966] Waiting for preloader
[2021-10-14 16:13:40.380113] Found port = /dev/ttyACM0
[2021-10-14 16:13:40.414216] Handshake
[2021-10-14 16:13:40.434229] Preloader ready, sending FACTFACT

kernel log saw
Code:
Oct 14 16:13:39 asdf kernel: [5118860.980547] usb 1-8: new high-speed USB device number 24 using ehci-pci
Oct 14 16:13:40 asdf kernel: [5118861.137411] usb 1-8: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
Oct 14 16:13:40 asdf kernel: [5118861.137415] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Oct 14 16:13:40 asdf kernel: [5118861.137417] usb 1-8: Product: MT65xx Preloader
Oct 14 16:13:40 asdf kernel: [5118861.137419] usb 1-8: Manufacturer: MediaTek
Oct 14 16:13:40 asdf kernel: [5118861.159359] cdc_acm 1-8:1.0: Zero length descriptor references
Oct 14 16:13:40 asdf kernel: [5118861.159370] cdc_acm: probe of 1-8:1.0 failed with error -22
Oct 14 16:13:40 asdf kernel: [5118861.199669] cdc_acm 1-8:1.1: ttyACM0: USB ACM device
Oct 14 16:13:40 asdf kernel: [5118861.563220] usb 1-8: USB disconnect, device number 24

Screen displayed white Amazon logo, which goes black about every minute, for a few seconds and then white logo again.

fastboot devices gave me nothing, adb devices shows nothing
sudo python3 modules/handshake2.py FASTBOOT does something different (it should boot at least locked fastboot mode)?
 

xda.jon

Member
Oct 14, 2021
7
0
sudo python3 modules/handshake2.py FASTBOOT does something different (it should boot at least locked fastboot mode)?
Code:
# python3 modules/handshake2.py FASTBOOT
[2021-10-14 16:55:40.951483] Waiting for preloader
[2021-10-14 16:55:50.313795] Found port = /dev/ttyACM0
[2021-10-14 16:55:50.347597] Handshake
[2021-10-14 16:55:50.367595] Preloader ready, sending FASTBOOT

kernel log
Code:
Oct 14 16:55:50 asdf kernel: [5121391.171837] usb 1-8: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
Oct 14 16:55:50 asdf kernel: [5121391.171841] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Oct 14 16:55:50 asdf kernel: [5121391.171843] usb 1-8: Product: MT65xx Preloader
Oct 14 16:55:50 asdf kernel: [5121391.171845] usb 1-8: Manufacturer: MediaTek
Oct 14 16:55:50 asdf kernel: [5121391.193917] cdc_acm 1-8:1.0: Zero length descriptor references
Oct 14 16:55:50 asdf kernel: [5121391.193930] cdc_acm: probe of 1-8:1.0 failed with error -22
Oct 14 16:55:50 asdf kernel: [5121391.234146] cdc_acm 1-8:1.1: ttyACM0: USB ACM device
Oct 14 16:55:50 asdf kernel: [5121391.539513] usb 1-8: USB disconnect, device number 30

Same result, white amazon logo
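An added example, not part of the original posts or of amonet: a small Python parser that pulls MediaTek preloader sessions out of kernel log lines like the ones above and measures how long the device stayed enumerated before the disconnect. The sample lines are copied from the kernel log in this post; `Session` and `preloader_sessions` are hypothetical names.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# USB vendor/product ID the kernel reported for the preloader in this thread.
MTK_PRELOADER = ("0e8d", "2000")

LINE = re.compile(r"kernel: \[\s*(\d+\.\d+)\] (.*)$")
FOUND = re.compile(r"usb (\S+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")
TTY = re.compile(r"cdc_acm (\S+?):\d+\.\d+: (ttyACM\d+): USB ACM device")
GONE = re.compile(r"usb (\S+): USB disconnect")

# Kernel log lines copied from the post above.
SAMPLE_LOG = """\
Oct 14 16:55:50 asdf kernel: [5121391.171837] usb 1-8: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
Oct 14 16:55:50 asdf kernel: [5121391.171841] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Oct 14 16:55:50 asdf kernel: [5121391.171843] usb 1-8: Product: MT65xx Preloader
Oct 14 16:55:50 asdf kernel: [5121391.171845] usb 1-8: Manufacturer: MediaTek
Oct 14 16:55:50 asdf kernel: [5121391.193917] cdc_acm 1-8:1.0: Zero length descriptor references
Oct 14 16:55:50 asdf kernel: [5121391.193930] cdc_acm: probe of 1-8:1.0 failed with error -22
Oct 14 16:55:50 asdf kernel: [5121391.234146] cdc_acm 1-8:1.1: ttyACM0: USB ACM device
Oct 14 16:55:50 asdf kernel: [5121391.539513] usb 1-8: USB disconnect, device number 30
"""


@dataclass
class Session:  # hypothetical record for one preloader enumeration
    port: str
    start: float
    product: Optional[str] = None
    tty: Optional[str] = None
    end: Optional[float] = None

    @property
    def window(self) -> Optional[float]:
        # Seconds between enumeration and disconnect; None if still attached.
        return None if self.end is None else round(self.end - self.start, 6)


def preloader_sessions(lines: Iterable[str]) -> List[Session]:
    """Return one Session per 0e8d:2000 enumeration seen in the log lines."""
    live, done = {}, []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if f := FOUND.match(msg):
            # A new device on the port replaces whatever was tracked there.
            live.pop(f.group(1), None)
            if (f.group(2), f.group(3)) == MTK_PRELOADER:
                live[f.group(1)] = Session(f.group(1), ts)
        elif (p := PRODUCT.match(msg)) and p.group(1) in live:
            live[p.group(1)].product = p.group(2)
        elif (t := TTY.match(msg)) and t.group(1) in live:
            live[t.group(1)].tty = t.group(2)
        elif (g := GONE.match(msg)) and g.group(1) in live:
            s = live.pop(g.group(1))
            s.end = ts
            done.append(s)
    return done + list(live.values())
```

On the log above this reports a single session on port 1-8 with `ttyACM0` bound and the device gone again after roughly 0.37 s.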
 

Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
Code:
# python3 modules/handshake2.py FASTBOOT
[2021-10-14 16:55:40.951483] Waiting for preloader
[2021-10-14 16:55:50.313795] Found port = /dev/ttyACM0
[2021-10-14 16:55:50.347597] Handshake
[2021-10-14 16:55:50.367595] Preloader ready, sending FASTBOOT

kernel log
Code:
Oct 14 16:55:50 asdf kernel: [5121391.171837] usb 1-8: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
Oct 14 16:55:50 asdf kernel: [5121391.171841] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Oct 14 16:55:50 asdf kernel: [5121391.171843] usb 1-8: Product: MT65xx Preloader
Oct 14 16:55:50 asdf kernel: [5121391.171845] usb 1-8: Manufacturer: MediaTek
Oct 14 16:55:50 asdf kernel: [5121391.193917] cdc_acm 1-8:1.0: Zero length descriptor references
Oct 14 16:55:50 asdf kernel: [5121391.193930] cdc_acm: probe of 1-8:1.0 failed with error -22
Oct 14 16:55:50 asdf kernel: [5121391.234146] cdc_acm 1-8:1.1: ttyACM0: USB ACM device
Oct 14 16:55:50 asdf kernel: [5121391.539513] usb 1-8: USB disconnect, device number 30

Same result, white amazon logo
Something is messed up (and I'm not sure if it's software side or hardware side). Can you try to boot the stock recovery using the button combo power and volume +?
 

xda.jon

Member
Oct 14, 2021
7
0
I have tried all combinations of vol/power, connected usb or not, with battery, without. I have never seen anything except the white Amazon logo
 

xda.jon

Member
Oct 14, 2021
7
0
The only thing that I have been able to do is the bootrom-step.sh using the shorted pin. This seems to work every time but, in the end, it comes back to a white Amazon logo after the bootrom-step seems to succeed with no errors. If there was a new bootrom-step, or new images to deploy (rather than the giza 1.2 versions), maybe I could get this thing booting again.
 

owbk

New member
Oct 25, 2021
3
1
Hello,
While following this guide to get TWRP on Fire HD 8 2016, I bricked it in the process (I ran step-1.sh without sudo and now, bootrom-step-minimal.sh doesn't work). My FireOS version is 5.6.8.0, so I opened the device to short the pin to ground, but the motherboard looks different. Here is the photo of the opened device, and here is the photo of the motherboard
 

Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
Hello,
While following this guide to get TWRP on Fire HD 8 2016, I bricked it in the process (I ran step-1.sh without sudo and now, bootrom-step-minimal.sh doesn't work). My FireOS version is 5.6.8.0, so I opened the device to short the pin to ground, but the motherboard looks different. Here is the photo of the opened device, and here is the photo of the motherboard
FireOS 5.6.8.0 is the latest Software Update available for the Amazon Fire HD8 2016 and mtk-su was patched in FireOS 5.3.6.4. So may I ask how did you brick the Preloader through step-1.sh? Was your tab rooted already (and you updated to the latest FireOS version using something like FlashFire)?

If you really bricked the tablet with step-1.sh and you can't get bootrom-step.sh to work, try to connect the tablet with the battery unplugged (then after the script finishes, reconnect it). Alternatively, if that doesn't work, try pressing the volume - button while plugging it in.

As for the pictures, your motherboard isn't different, you just need to "flip it over" (the picture in the OP shows the other side of the motherboard). If you are brave enough and want to give it a try, some user reported (in PM) that shorting one of these pins causes the tablet to reboot to bootrom (see attached image).
 

Attachment: imagen_2021-10-25_133712.png

Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
The only thing that I have been able to do is the bootrom-step.sh using the shorted pin. This seems to work every time but, in the end, it comes back to a white Amazon logo after the bootrom-step seems to succeed with no errors. If there was a new bootrom-step, or new images to deploy (rather than the giza 1.2 versions), maybe I could get this thing booting again.
Well, I can only think of hardware damage but that wouldn't make sense since it's reaching LK (it initializes the LOGO partition). I can provide you a version of amonet that restores the original images in PM if you want.
 

owbk

New member
Oct 25, 2021
3
1
If you really bricked the tablet with step-1.sh and you can't get bootrom-step.sh to work, try to connect the tablet with the battery unplugged (then after the script finishes, reconnect it). Alternatively, if that doesn't work, try pressing the volume - button while plugging it in.
Unplugging the battery and running bootrom-step-minimal.sh works. Thanks.
 

xda.jon

Member
Oct 14, 2021
7
0
for the record, I have found that, shorting the pin, holding the short and plugging in the USB (no batt connected) will allow bootrom-step.sh to run. if you plug in the usb first and THEN try to short the pin, sometimes it works, sometimes it doesn't but, shorting before plugging seems to always work.

At the point my tab is (only able to run bootrom-step.sh by the short method above) would my best bet be to get a copy of the original software, try to get it back to original, then start again? If so, could someone PM me the original blob?
 

parintan

Member
Jan 9, 2010
18
4
Goyang City
FireOS 5.6.8.0 is the latest Software Update available for the Amazon Fire HD8 2016 and mtk-su was patched in FireOS 5.3.6.4. So may I ask how did you brick the Preloader through step-1.sh? Was your tab rooted already (and you updated to the latest FireOS version using something like FlashFire)?

If you really bricked the tablet with step-1.sh and you can't get bootrom-step.sh to work, try to connect the tablet with the battery unplugged (then after the script finishes, reconnect it). Alternatively, if that doesn't work, try pressing the volume - button while plugging it in.

As for the pictures, your motherboard isn't different, you just need to "flip it over" (the picture in the OP shows the other side of the motherboard). If you are brave enough and want to give it a try, some user reported (in PM) that shorting one of these pins causes the tablet to reboot to bootrom (see attached image).

This short point is actually working. You do not need to disassemble the board and make a hole.

I unbricked with that point + USB slot short.
 

Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
Red point + usb slot is 100% working.

Anyway, my Fire is unrecoverably bricked https://forum.xda-developers.com/t/fire-hd-8-2016-giza-in-problem-twrp.4358495/

I couldn't enter the recovery, but I carried out the OTA. My mistake.

Can you give me some advice on how to enter TWRP? If not, I need to throw away the device.
Hey there,

If you can access LineageOS but you can't access TWRP try to do the following steps:
  1. First of all, download the latest amonet zip, unzip it and open a terminal in the auto-generated output folder.
  2. Secondly, grab the tablet, power it on (let it boot LineageOS) and connect it to the PC.
  3. Once you see the home screen, open Settings and enable Developer Options by pressing the Build Number 7 times (section: System -> About Tablet).
  4. After you enabled Developer Options, search for the Root Access entry and set it to ADB Only.
  5. Afterwards, go back to the computer and in the terminal that you previously opened type adb root && adb shell reboot-amonet.
  6. The tablet will reboot to Hacked Fastboot Mode (Unlocked Fastboot). Once there, run fastboot-step.sh again.
FYI: As a side note, I updated the OP with the new picture now that we know the red dot does the trick as well.

Regards.
 

parintan

Member
Jan 9, 2010
18
4
Goyang City
Hey there,

If you can access LineageOS but you can't access TWRP try to do the following steps:
  1. First of all, download the latest amonet zip, unzip it and open a terminal in the auto-generated output folder.
  2. Secondly, grab the tablet, power it on (let it boot LineageOS) and connect it to the PC.
  3. Once you see the home screen, open Settings and enable Developer Options by pressing the Build Number 7 times (section: System -> About Tablet).
  4. After you enabled Developer Options, search for the Root Access entry and set it to ADB Only.
  5. Afterwards, go back to the computer and in the terminal that you previously opened type adb root && adb shell reboot-amonet.
  6. The tablet will reboot to Hacked Fastboot Mode (Unlocked Fastboot). Once there, run fastboot-step.sh again.
FYI: As a side note, I updated the OP with the new picture now that we know the red dot does the trick as well.

Regards.

Oh god, I just had to ask questions and wait for the day.

I already pressed OTA Update out of curiosity in Lineage, and the device cannot escape White Amazon Logo.

There seems to be no way to cancel the OTA update command and return to Lineage.
It keeps going to a non-existent recovery, so it boot loops now.

My fire has become a brick forever, right?
 

Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
Oh god, I just had to ask questions and wait for the day.

I already pressed OTA Update out of curiosity in Lineage, and the device cannot escape White Amazon Logo.

There seems to be no way to cancel the OTA update command and return to Lineage.
It keeps going to a non-existent recovery, so it boot loops now.

My fire has become a brick forever, right?
Well, unfortunately I have a life (like you, I guess) and I can't always reply to messages within 5 minutes ~.

No, your tablet isn't bricked forever. I guess it's just bootlooping because it tries to enter recovery mode (triggered by the MISC flag). Try to access Hacked Fastboot mode with the Preloader scripts:
  1. (again, if you haven't already) download the latest amonet zip, unzip it and open a terminal in the auto-generated output folder.
  2. Once you've opened the Terminal, type sudo ./boot-fastboot.sh and plug in the tab (powered off, you don't need to short anything). The script will reboot the tablet to Hacked Fastboot mode.
  3. After that, run sudo ./fastboot-step.sh and the tablet should boot TWRP.
  4. Once TWRP comes up, wipe everything and do a clean flash of LineageOS (this time flash GAPPS and Magisk before rebooting).
Good luck^^.
 

parintan

Member
Jan 9, 2010
18
4
Goyang City
Well, unfortunately I have a life (like you, I guess) and I can't always reply to messages within 5 minutes ~.

No, your tablet isn't bricked forever. I guess it's just bootlooping because it tries to enter recovery mode (triggered by the MISC flag). Try to access Hacked Fastboot mode with the Preloader scripts:
  1. (again, if you haven't already) download the latest amonet zip, unzip it and open a terminal in the auto-generated output folder.
  2. Once you've opened the Terminal, type sudo ./boot-fastboot.sh and plug in the tab (powered off, you don't need to short anything). The script will reboot the tablet to Hacked Fastboot mode.
  3. After that, run sudo ./fastboot-step.sh and the tablet should boot TWRP.
  4. Once TWRP comes up, wipe everything and do a clean flash of LineageOS (this time flash GAPPS and Magisk before rebooting).
Good luck^^.
Thanks for the reply.

sudo ./boot-fastboot.sh is working (sending FACTFACT) but it keeps booting normally (so trying to enter recovery mode, maybe).
It keeps looping on the white Amazon logo, sadly.
 

Rortiz2

Senior Member
Mar 1, 2018
2,232
1,517
Barcelona
Thanks for the reply.

sudo ./boot-fastboot.sh is working (sending FACTFACT) but it keeps booting normally (so trying to enter recovery mode, maybe).
It keeps looping on the white Amazon logo, sadly.
In that case the exploit has probably been removed from the {boot, recovery} partitions.

Try to start off from the beginning:
  1. Run bootrom-step.sh and plug in the tablet while you press the volume - button (you don't need to short anymore since you have the old preloader installed).
  2. Once the script finishes, check if the tablet is in Hacked Fastboot mode.
  3. If it is, run sudo ./fastboot-step.sh.
Regards.
 

parintan

Member
Jan 9, 2010
18
4
Goyang City
In that case the exploit has probably been removed from the {boot, recovery} partitions.

Try to start off from the beginning:
  1. Run bootrom-step.sh and plug in the tablet while you press the volume - button (you don't need to short anymore since you have the old preloader installed).
  2. Once the script finishes, check if the tablet is in Hacked Fastboot mode.
  3. If it is, run sudo ./fastboot-step.sh.
Regards.

Sadly, bootrom-step.sh is not working.
I tried the volume - button, or something; I cannot join bootrom mode.
 

Top Liked Posts

  • 3
    Read this whole guide before starting.
    This is for the 6th gen Fire HD8 (giza).

    Current version: amonet-giza-v1.2.zip

    NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
    NOTE: This process will modify the partition-table (GPT) of your device.

    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.

    What you need:
    • A Linux installation or live-system
    • A micro-USB cable
    Install python3, PySerial, adb, fastboot, dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-giza-v1.2.zip" and open a terminal in that directory.
    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder

    2. Enable ADB in Developer Settings.

    3. Start the script:
    Code:
    sudo ./step-1.sh

    Your device will now reboot into recovery and perform a factory reset.

    NOTE: If your PL/TZ/LK versions are too new, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you don't need to run step-2.sh below:


    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
    Code:
    sudo ./bootrom-step-minimal.sh

    Then plug the device back in.

    It will then boot into "hacked fastboot" mode.
    Then run
    Code:
    sudo ./fastboot-step.sh
    NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
    NOTE: Make sure you re-enable ADB after Factory Reset.


    4. Start the script:
    Code:
    sudo ./step-2.sh

    The exploit will now be flashed and your device will reboot into TWRP.
    You can now install Magisk from there.

    Going back to stock
    Extract the attached zip-file "amonet-giza-v1.2.zip" and open a terminal in that directory.

    You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.

    Just use hacked fastboot to
    Code:
    sudo fastboot flash recovery bin/recovery.img

    If you want to go back completely (including restoring your GPT):
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there.

    Important information

    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    Very special thanks to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
    Special thanks also to @k4y0z for making all this possible and porting the exploit to 64 bit devices.
    Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
    Special thanks also to @lovaduck for all the testing.
    1
    Great job by Roger, everything worked very much at first attempt while I tested. Now I have revived an old tablet that was not in use anymore!
    I would advise everybody trying this process to keep in mind that things can always go wrong, but you have nothing to lose anyways. Hack at your own risk.
    So good luck with the mod, and again, kudos to @Rortiz2
    1
    I get the following when running step 1:

    Is there much of a difference between the two and if not should I just edit the check in step-1.sh & step-2.sh?
    Oh well, my fault, let me fix that.
    EDIT: Fixed the product check, use the v1.1 package.
    1
    Tablet becomes available in lsusb.

    When I try your instructions I receive
    Ok, yeah, your Preloader was corrupt, try with this zip (which ignores boot0 status). And no, don't run gpt-fix, your issue isn't the partition table.
    1
    This is off topic and the wrong device; please create a topic in the HD 8 and 10 general section.