[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2017 (douglas)

Search This thread

Sus_i

Senior Member
Apr 9, 2013
1,858
811
No Error on boot-fastboot.sh, readout:
Code:
~/amonet $ sudo ./boot-fastboot.sh
[2022-10-12 20:48:29.254243] Waiting for preloader
[2022-10-12 20:48:55.459661] Found port = /dev/ttyACM0
[2022-10-12 20:48:55.496008] Handshake
[2022-10-12 20:48:55.516266] Preloader ready, sending FACTFACT
Looks good, check:
fastboot devices
if there is a device connected.
 

Sus_i

Senior Member
Apr 9, 2013
1,858
811
Yep my device is listed and I was able to flash twrp but the tablet just hangs at the amazon logo when trying to boot into recovery
How did you flash it and on which partition?

Try it like this:
Code:
fastboot flash recovery_x twrp.img
fastboot erase userdata
fastboot flash MISC boot-recovery.bin
fastboot reboot
In case you get still a bootloop at the logo, try again with:
Code:
fastboot flash recovery_x twrp.img
fastboot format userdata
fastboot flash MISC boot-recovery.bin
fastboot reboot

Grab the images out of the amonet.zip from bin folder.
 

mobaddict

Member
Nov 3, 2016
47
4
I used the brick 9820 and do as told to remove the connection and power off. But upon doing the bootrom-step.sh and reconnecting, nothing happens and it looks like the tablet is in permanent brick. Any ideas on how to fix this?
 

Sus_i

Senior Member
Apr 9, 2013
1,858
811
I used the brick 9820 and do as told to remove the connection and power off. But upon doing the bootrom-step.sh and reconnecting, nothing happens and it looks like the tablet is in permanent brick. Any ideas on how to fix this?
Check lsusb while connected, if you can see something like mtk phone, preloader or fire device
 

kvjajoo

New member
Oct 9, 2008
4
1
Hi All,

I am running Fireos 5.7.0.0 on my 2017 Fire HD 8 (7 Gen). But when i run step-1.sh i get below error. I am using Ubuntu Desktop 22.04 running over VirtualBox 7.

Code:
[email protected]:~/Downloads/amonet$ sudo ./step-1.sh
Testing root access...

Trying to use mtk-su to get temp root...
Pushing root files
bin/mtk-su: 1 file pushed. 0.6 MB/s (65144 bytes in 0.099s)
bin/minisu.img: 1 file pushed. 0.7 MB/s (1048576 bytes in 1.344s)
bin/busybox: 1 file pushed. 0.7 MB/s (587368 bytes in 0.763s)
Failed critical init step 4
Firmware support not implemented
Failed critical init step 4
Firmware support not implemented
Failed critical init step 4
Firmware support not implemented
Failed critical init step 4
Firmware support not implemented
Failed critical init step 4
Firmware support not implemented
Failed critical init step 4
Firmware support not implemented
^C
[email protected]:~/Downloads/amonet$ adb devices
List of devices attached
G090ME0672570NKW    device

Any ideas on what's happening ??
 
  • Like
Reactions: Vlasp

jonpjingleheimler

Senior Member
Aug 12, 2016
198
66
48
Nashville
Hi. Is there by any chance a adb command that can boot into hacked bootloader? I found a newer version of twrp and flashed the image to recovery in the original twrp. the new twrp does nothing and does not have a reboot to hacked bootloader option. I'm on Lineage 17 and it boots properly. I can boot to regular fastboot also but that seems rather pointless. any advice would be welcome. If the wifi allowed me to connect to more than a hotspot I'd simply stay on the os im stuck on now
 

jonpjingleheimler

Senior Member
Aug 12, 2016
198
66
48
Nashville
Hi. Is there by any chance a adb command that can boot into hacked bootloader? I found a newer version of twrp and flashed the image to recovery in the original twrp. the new twrp does nothing and does not have a reboot to hacked bootloader option. I'm on Lineage 17 and it boots properly. I can boot to regular fastboot also but that seems rather pointless. any advice would be welcome. If the wifi allowed me to connect to more than a hotspot I'd simply stay on the os im stuck on now
Post in thread '[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2017 (douglas)' https://forum.xda-developers.com/t/...-fire-hd-8-2017-douglas.3962846/post-80287339

This worked for me.
 

j10hx40r

Member
Nov 2, 2021
9
3

@k4y0z, @Rortiz2, @xyz` I am trying to port this to Echo dot 2nd Gen (mt8163) and can use some help. I have no experience of reverse engineering or binary exploitation. Still I was able to figure some things out.​


For the preloader and LK included in https://d1s31zyz7dcc2d.cloudfront.n...it_puffin-NS6555_user_4310M_0008087721594.bin, I tried reverse engineering the same and was able to patch them to boot into an unlocked device when booting from USB. I have figured out some of the addresses needed for lk-payload and microloader as follows

get_device - 0x4bd190ec
cache_clean - 0x4bd1eac0
fastboot app - 0x4bd21158

I am struggling to create the ROP chain used in inject_microloader.py. Could you guys please help me out with this

PS: I have enabled full root adb access on this device with dm-verity disabled using fos_flags (0xA3) and have also disabled selinux using dev_flags (0x40) so I can easily test any changes on the device.
 
Jul 27, 2017
12
0
Thank you so much for your flashing method. None of the others which I tried got as far as running any scripts to transfer files!

The only time I was confused was when I ran your "sudo ./fastboot-step.sh
// takes a couple of minutes (1-3 min in my case)
// reboots the device"

I got a conflicting message on my Fire screen which told me to disconnect and reboot. I ignored it and got TWRP. The Lineage file I found no problem and downloaded. But the GAPPS file was more difficult. It wasn't until I read the actual filename to be installed that I googled it and downloaded it. Even then I could only find a previous version (3 months, that is) which installed successfully. Google Play services has just updated and all seems tickety-boo. Thank you so much again.
 

CuF

Senior Member
Aug 29, 2015
137
37
Did you go here and select the pico, arm64, 8.1 for LineageOS 15.1 and 10 for LineageOS 17.1?
 

chaosl0rd

New member
Jan 27, 2023
2
0
Hi Guys,
first of all thanks for all the hard work.

Im trying to unlock my douglas Tablet with Firmware 5.7.0.0.
And i cant get it to work , i always get the following error:


<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire

Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success

find_opcode offset:2d0 opcode:aaffbbee
find ok star:7fb214a008 end:7fb214a2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 213148 /data/local/tmp/load1
fwrite is count 54816 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 416bc load1 = 3409c load2 = d620
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:267964
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc

open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7fb214a008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 213148

[*] mmap 0x7fb1f3b000;
[*] exploit (patch)
[*] currently 0x7fb1f3b000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7fb1f3b000 213148
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s

<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy

<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>


Any Help would be appreciated.
 
Last edited:

Thomas131

Member
Dec 18, 2017
7
0
Hi!
Thanks for the exploit!!

I have "unlocked" my douglas using this hack and installed LineageOS 17.1. How to install magisk - the normal way doesn't work and patching boot_x had no effect.

Thanks in advance!
Thomas
 

danzew

Member
Feb 5, 2023
5
0
Leaving the content up so can laugh, but resolved on own. WSL needs USBIPD to see the attached tablet, if others also experience same as I.

So, in case any old timers are curious why the sudden spike in 2017 fire's... Woot sold a pallet or two of them recently and will likely have clueless sorts such as I wandering the halls aimlessly, touching things and asking dumb questions. So as to not disappoint, while I am or was quite the rooter ricky circa 2012 to 16 I had fallen out of the practice being on a severely prudish network famous for locked bootloaders etc.

Ok with my origin story stopped before it began, Win 10 natively from command, will see the tablet under adb devices. I can even toggle the revoke and get the tablet prompt to ask if pc is trusted... After a reboot, launching the linux shell,initiating script I get stuck at the empty adb devices screen. So, assuming that windows, even without user initiate is hijacking the device. so the shell isn't able to see. anybody have any idea how i can get it to recognize device?
 
Last edited:

danzew

Member
Feb 5, 2023
5
0
Hi Guys,
first of all thanks for all the hard work.

Im trying to unlock my douglas Tablet with Firmware 5.7.0.0.
And i cant get it to work , i always get the following error:

Hi ChaosLord, We might be in similar boat. I too have a Gen7. From the OP it makes mention that if you have newer OS then 5.6 you need to brick and downgrade:

3. Start the script:
Code:
sudo ./step-1.sh

Your device will now reboot into recovery and perform a factory reset.

NOTE: If you are on a firmware newer than 5.6.4.0, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you don't need to run step-2.sh below:


Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

WARNING: Do not use bootrom-step-minimal.sh if you bricked using brick(-9820).sh!
You will need to use bootrom-step.sh.

After you have confirmed the bricking by typing "YES", you will need disconnect the device and run

so my question is, after grabbing the arm64 version of rapid temp root file, as directed to place in bin folder, I run the step-1.sh and get a repeating error that

sudo ./step-1.sh
[sudo] password for dubya:
Testing root access...

Trying to use mtk-su to get temp root...
Pushing root files
bin/mtk-su: 1 file pushed. 5.6 MB/s (65144 bytes in 0.011s)
bin/minisu.img: 1 file pushed. 6.6 MB/s
bin/busybox: 1 file pushed
Failed critical init step 4
Firmware support not implemented
repeat

so were you ever prompted to brick device as instructions hint at? I feel either some directions got lost with edits over time, or the script is failing before it can ask me to brick. Any thoughts?
 

chaosl0rd

New member
Jan 27, 2023
2
0
Hi ChaosLord, We might be in similar boat. I too have a Gen7. From the OP it makes mention that if you have newer OS then 5.6 you need to brick and downgrade:



so my question is, after grabbing the arm64 version of rapid temp root file, as directed to place in bin folder, I run the step-1.sh and get a repeating error that



so were you ever prompted to brick device as instructions hint at? I feel either some directions got lost with edits over time, or the script is failing before it can ask me to brick. Any thoughts?
Hi Danzew,

i tried the exact same at the beginning and got the same error (Failed critical init step 4), so i never got to the brick part and then got to the offline root method because everywhere is written down that it would work.
 

NeelFromYT

New member
Jun 20, 2022
3
0
I recently tried to root my fire hd8. but when I tried to boot into twrp using advanced restart, it shows recovery mode, then exits and boots normally. Please help bro
 

danzew

Member
Feb 5, 2023
5
0
Hi Danzew,

i tried the exact same at the beginning and got the same error (Failed critical init step 4), so i never got to the brick part and then got to the offline root method because everywhere is written down that it would work.
can you point me at this offline root? So i read thru the whole thread, there was someone back in october with same issue but OP had already stopped replying to the thread. want to give your attempt a try because you had the impressive log to share... I attempted using the brick shell scripts (both independently, both fail to create the temp root shell to get TWRP installed. other then the other fellow who was successful on satuday, I'd say missing something.

Edit: i'm going to try the hardware root option, as that does still seem to have the most success. I'll try and find or will create if succssful a tutortial where the pictures haven't expired https://forum.xda-developers.com/t/...-fire-hd-8-2017-douglas.3962846/post-80287339
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 59
    Read this whole guide before starting.

    This is for the 7th gen Fire HD8 (douglas).

    Current version: amonet-douglas-v1.2.zip


    NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


    NOTE: This process will modify the partition-table (GPT) of your device.



    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.


    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-douglas-v1.1.zip" and open a terminal in that directory.


    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


    2. Enable ADB in Developer Settings

    3. Start the script:
    Code:
    sudo ./step-1.sh

    Your device will now reboot into recovery and perform a factory reset.

    NOTE: If you are on a firmware newer than 5.6.4.0, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you don't need to run step-2.sh below:



    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager


    WARNING: Do not use bootrom-step-minimal.sh if you bricked using brick(-9820).sh!
    You will need to use bootrom-step.sh.


    After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    It will then boot into "hacked fastboot" mode.
    Then run
    Code:
    sudo ./fastboot-step.sh



    NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
    NOTE: Make sure you re-enable ADB after Factory Reset.



    4. Start the script:
    Code:
    sudo ./step-2.sh

    The exploit will now be flashed and your device will reboot into TWRP.

    You can now install Magisk from there.


    Going back to stock
    Extract the attached zip-file "amonet-douglas-return-to-stock.zip" into the same folder where you extracted "amonet-douglas-v1.0.zip" and open a terminal in that directory.
    You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
    Just use hacked fastboot to
    Code:
    sudo fastboot flash recovery bin/recovery.img

    If you want to go back completely (including restoring your GPT):
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.4.0 or newer, otherwise you may brick your device)

    Important information

    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
    Thanks to @t0x1cSH and @breakfastofsecrets for testing.
    18
    Yesterday i managed to root updated FireOS and install Lineage 12.1, so, here's my story :D

    Version 5.6.6.0 build 654620620,
    on Linux KDE Neon.

    1. Installed python3, PySerial, adb, fastboot dos2unix as described in this and other posts.
      Code:
      sudo apt update
      sudo add-apt-repository universe
      sudo apt install python3 python3-serial adb fastboot dos2unix
    2. Downloaded the following attachments from the first post : amonet-douglas-v1.2.zip and brick-douglas.zip
    3. Extract both files to the same folder
    4. Enable Developer options and enable ADB (inside debugging options) on Amazon tablet
    5. Plug in the tablet (has to be turned on)
    6. Now comes the commands execution part. So, open the terminal in Linux (lines that start with // are comments and should not be run from command line - if you copy paste)

      Code:
      sudo systemctl stop ModemManager && sudo systemctl disable ModemManager
      Code:
      adb devices
      // there should be an item listed
      // to be sure, you can unplug and run it again, if it's empty, 
      // ou know tablet can connect, so plug in the tablet back
      Code:
      adb reboot bootloader
      // reboots the tablet and awaits commands
      Code:
      sudo ./brick.sh
      // type YES, hit enter
      // it will take a couple of minutes (around 3-5min in my case)
      // watch the tablet for success message, it should be displayed there if everything works
      // but also, watch your terminal...if it gives you error message similiar to:
      // ==> [I][U]failed with error message that it can't write somewhere[/U][/I]
      // you have to try with brick-9820 script
      Code:
      sudo ./brick-9820.sh
      // it will take a couple of minutes, similar to above step

      NOTE : after either of the above commands (which one succeeds) POWER OFF THE TABLET and DO NOT try to turn it back on. It should stay powered off!!

      Code:
      sudo ./bootrom-step.sh
      // this will take some time (in my case around 5-10 minutes)
      // will give you message similar to "awaiting device connection" and nothing else...
      // although nothing seems to happen, just wait a bit and watch the terminal, it will soon start displaying the process
      // it should then reboot the tablet, but in my case, that did not happen, so i had to do it manually...
      // NOTE that althought tablet seems to be "off", it isn't, so press power btn and hold for 5 sec to turn it off
      // after that click and hold volume up button (when in portrait mode it is the right one, the one closest to power btn)
      // and immediately after that press and hold the power btn until amazon logo shows itself
      // it should then show in bottom left corner HACKED FASTBOOT after a few seconds

      Code:
      sudo fastboot devices
      // there should be a device listed
      // if not, you should run (in the extracted directory that you are in):
      ./bin/fastboot devices
      // if sudo fastboot devices does not show your device but ./bin/fastboot works, you have to edit the fastboot-step.sh file and change the fastboot commands to ./bin/fastboot
      Code:
      sudo ./fastboot-step.sh
      // takes a couple of minutes (1-3 min in my case)
      // reboots the device

    after that you should be in TWRP :)

    NOTE when in TWRP:

    DO NOT RESTART tablet before the following
    (or amazon fire os will overwrite TWRP and you will be reset to factory default with fireOS, losing everything you've done and starting from scratch...
    when it happened to me, the brick-9820.sh didn't work anymore and had to use brick.sh script)

    -allow modifications
    -format data,system,cache partitions, go to wipe->advanced wipe-> repair/format (something like that), select each of the 3 partitions aformentioned and format to ext4
    -if you've done it correctly, there should not be any red warnings
    -after that go to wipe, select all partitions and wipe them (just to be sure)

    -tablet should be connected and TWRP should be left on

    on PC
    -download Lineage 12.1 ROM from https://forum.xda-developers.com/hd8-hd10/general/discussion-root-progress-fire-hd-8-t3743024
    -download opengapps from https://opengapps.org/
    - put them inside amonet-douglas-v1.2 folder where you've extracted the prior ZIP files (just to be clear, you can put them anywhere, but i like to keep it all inside the working directory)

    -go to terminal
    Code:
    adb push lineage-12.1-20200614-UNOFFICIAL-douglas.zip /sdcard
    adb push open_gapps-arm64-5.1-nano-20200624.zip /sdcard

    now the files are on the tablet
    - in TWRP go to INSTALL, go to /sdcard folder if not in it
    - first install Lineage ROM from zip
    - then install GApps from zip

    hope it works!
    I'm glad i've finally rooted it, thank you all for the great content here! :)
    13
    Wire root process

    after updating my tablet to the latest version Fire OS 5.6.4.0 (build 636559820) which does not have SW root I have decided to open up the unit and use hardware method which works on all versions of firmware

    What you will need

    1. wire
    2. plastic tool as in the picture below to open the unit.
    3. linux machine, I used Raspberry Pi 3+ and Raspbian.
    MVIMG_20190920_171046.jpg


    Process:

    1. remove SD card from the fire HD to avoid breaking it during the opening process ( yes it happened to me, luckily just 16GB card )
    2. use plastic tool to detach display from plastic rear chassis. It is very easy and safe process.
    MVIMG_20190920_171059.jpg

    3. Remove 4 screws from the motherboard.
    4. detach digitizer ( yellow ) cable and rear camera using plastic tool.
    MVIMG_20190920_171327.jpg

    5. You can leave display flex cable, battery and speaker ( soldered ) connected.
    6. turn montherboard on the other side so it lays on the battery. There is a small adhesive pad on the left side of PCA, use plastic tool to start lifting the board from that side.

    MVIMG_20190920_171508.jpg

    MVIMG_20190920_171533.jpg


    7. find pad TP28 and prepare you Linux PC now

    8. DOwnload amonet-douglas-v1.1.zip from OP of the thread , extract.
    9. run, it will take a while to update your linux distribution to the latest version.
    Code:
     sudo apt update
           sudo add-apt-repository universe
           sudo apt install python3 python3-serial adb fastboot dos2unix
    10. Get your self into the Amonet folder ( most licely Downloads/Amonet ) folder where you extracted ZIP from OP.
    11. run
    Code:
     sudo ./bootrom-step.sh
    12. you should see this msg on the screen
    Code:
    [2019-02-07 14:35:59.478924] Waiting for bootrom

    13 Now here is the tricky part which will require some practice. You have to short TP28 with grond ( the big pad neer TP28 ) and while doing it connect USB cable to the PC. Here is how I did it.
    IMG_20190920_171622.jpg

    IMG_20190920_171659.jpg

    14. So I was holding the wire in the left hand and used right hand to plug slowly USB cable into the montherboard. ( not easy I know, but you will get there )
    15. If you did it right you will see a message on the screen to Release the short wire and hit ENTER.
    16. wait till the scripts does its think and when you see this you are in fasboot. Look at the scrren, you should see AMAZON logo and small text on the bottom "fastboot xyz etc..." Don1t unplug table, keep going.
    Code:
    [2019-02-07 12:11:05.621357] Reboot to unlocked fastboot.
    17. run this script
    Code:
    sudo ./fastboot-step.sh
    18. Your unit should boot into TWRP
    19. Assemble back the unit so digitizer will work.
    20 boot into TWRP and install Lieage, GAPPS and Magisk. Install Lineage ZIP file from here. https://forum.xda-developers.com/hd8-hd10/orig-development/rom-lineage-12-1-t3953677
    7
    I was definitely on 9920 (exactly:FireOS 5.6.4.0 (636559920)). Was thinking I was stuck without an unlock method. I did the brick.sh script, then (and here's where my "some problems" comes in - my own error) without paying attention ran the wrong script as the next step after intentionally bricking my tablet. I don't know what state my table was in after doing that, but it wasn't booting into FireOS and I didn't have TWRP. So, not knowing what else to do, I tried flashing the latest official FireOS from the site I linked above. When I rebooted after doing that, I had a working FireOS and going into settings showed me on FireOS 5.6.4.0 (636558520).

    At this point, since I was on a TWRP-able OS, I just started over with step-1.sh and step-2.sh and was able to get where I ultimately wanted to be. I'm running SlimLP. Thanks to everyone who has worked through how to make this happen.

    Thank you sir! I thought 9920 was beyond saving so I did not bother. But after reading your post I decided to give it a try and the process was actually easier than I thought!

    Here's exactly what I did

    1. Code:
      adb reboot bootloader
      to put into fastboot
    2. Run
      Code:
      brick-9820.sh
      (yes, 9820. I tried brick.sh and it didn't work). In this step I actually got an error message on my computer, but it's OK as long as the DEVICE itself tells you to power off on the tablet screen. Power off and unplug the cable.
    3. Run
      Code:
      bootrom-step.sh
      , NOT the minimal one. Plug in the cable again. It'll reboot at the end but your screen would stay blank.
    4. Run
      Code:
      fastboot-step.sh
      , that's it I'm in TWRP !

    As a side note other than the brick step I actually ran the rest (1, 3 and 4) on a Mac (since I already got adb on it and did not want to setup the whole Android SDK on my Linux box again). The brick step I guess you have to be on Linux since the hacked fastboot only came as ELF in the zip. To run bootrom-step on Mac, simply comment out the modemanager check in main.py.
    7
    @willgaj did you enter bootloader mode on the Fire ? Powerdown and then Press VolUp + Power, wait until you see "Enter Recovery" , then select "Bootloader".

    Heres how it worked out for me:

    Files I used:

    amonet-douglas-v1.2.zip from first Page of this Thread:
    https://forum.xda-developers.com/attachments/amonet-douglas-v1-2-zip.4845269/
    Unpack the Archive to a separate Folder.

    brick-douglas.zip from first Page of this Thread:
    https://forum.xda-developers.com/attachments/brick-douglas-zip.4825253/
    Unpack the Archive to a separate Folder.


    MTK-su (i used te 64 bit) from here:
    https://forum.xda-developers.com/t/rapid-temporary-root-for-hd-8-hd-10.3904595/
    Unpack and copy to the MTK-su from the 64 Bit folder to the “bin” folders of the previous unpacked folders.


    Unlock steps:

    1. Reboot FireHD8 to Recovery (Power Off device, then hold VolUp + Power)

    2. Select Facotry Reset then Wipe Cache

    3. Reboot to Bootloader

    4. You will see the balck screen with “Fastboot” in the lower corner.

    5. Open Terminal from “brick-douglas” folder an enter “sudo ./brick.sh
    6. Check Display output for the “Disconnect USB and Powerdown” Message and do so when prompted
      (If theres an Error see below Step 12)

    7. Open Terminal from “amonet-douglas-v1.2” foder.

    8. Enter “sudo ./bootrom-step.sh"

    9. Reconnet USB

    10. Wait until the bootrom step is finished

    11. Enter “sudo ./fastboot-step.sh”

    12. You will end up in TWRP

    If theres an error let the FireHD Reboot and do the “Apps and Data Optimization” at the Welcome Install Screen Powerdown the FireHD and enter Bootloader again.
    • Open Terminal from “brick-douglas” folder
    • Enter “sudo ./brick-8920.sh”
    • Check Display output for the “Disconnect usb and powerdown” message and do so when prompted.
    • Enter “sudo ./bootrom-step.sh
    • Reconnet USB
    • Wait until the bootrom step is finished.
    • Enter “sudo ./fastboot-step.sh"
    • You will end up in TWRP


    Lineage OS installation:

    Prepare a Micro SD Card with: Lineage OS (Search the forum for the douglas (FireHD 8 7.Gen) or suez (FireHD 10 7Gen) Version, Gapps (ARM64, 7.1, nano) and Magisk and insert in FireHD.

    In TWRP Format Data and Wipe data, system, cache.

    Install Rom, gapps and magisk

    Reboot to Lineage OS



    Hardware Method:

    If you got stuck somewhere in the middle or the Exploit doesn’t work try the hardware method.

    I somehow bricked my HD10 , I think I disconnected the USB because I was to unpatient.

    For the Hardware method, you need to open the Tablet, use a prytool or a Creditcars / Knife to remove the backcover, just gently pry around the bezel until the screen pops out.

    You need to unscrew the mainboard and gently flip it over , on the HD10 I didn’t had to remove any wire , just be carefull with the speakers and put a piece of cardboard or plastic on the back between the mainboard and battery so it will not shorten or puncture the battery.

    Find the CLK pin (theres several pictures on the forum for your specific device) use a piece of wire or paperclip to shorten from a ground plane or the SD Card slot housing to the clock pin. This works best if you got someone that will help you.

    • Connect USB to the Tablet, but leave it unplugged on the Computer side.
    • Make sure the Tablet is powered down (Press and hold Power button for 30 seconds)
    • Open Terminal from “amonet-douglas-v1.2” foder.
    • Enter “sudo ./bootrom-step.sh”
    • Now shorten CLK to ground and hold it.
    • Ask a kind person to plug in the USB cable on the Computer now.
    • The Terminal will tell you to remove the wire when ready.
    • Press enter and wait for bootrom-step.sh to finish.
    • If an error during bootrom step occurs , just retry
    • After bootrom step is finished, enter “sudo ./fastboot-step.sh”
    • You will end up in TWRP

    PS: I directly installed LOS 14.1 on the HD8 , on the HD10 i i used LOS 12.1 because LOS 14.1 is missing Camera Support on the HD10 in fact loosing the camera shouldnt trouble too much as the picture quality is horrible anyways. As for now I am happy to have a running Android on the tabs and don´t need to worry amazon giving me headaches every few weeks when updating CrapOS and redndering my configuration unuseable , i got 14 HD8/10 deloyed around the house as input devices for Homeautomation (running Habpannel).

    One thing to mention when switching to LOS, is that you can´t use apps that need to be certified anymore, like Netflix, Banking etc.

    Good luck!

    PPS: Thanks a lot to k4y0z and his fellas for the great job!


    opec