[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2018 (karnak) amonet-3

[k4y0z]

Read this whole guide before starting.

This is for the 8th gen Fire HD8 (karnak).

Current version: amonet-karnak-v3.0.1.zip

This is based on @xyz`s original work, but adds some features such as reboot to hacked BL.
It also intends to simplify the installation process.
If you are already unlocked you can simply update by flashing the ZIP-file in TWRP.


NOTE: If you are on a firmware lower than 6.3.1.2 this process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


What you need:

• A Linux installation or live-system
• A micro-USB cable

Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:

sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix

1. Extract the attached zip-file "amonet-karnak-v3.0.1.zip" and open a terminal in that directory.


NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


2. Enable ADB in Developer Settings

3. Start the script:

sudo ./fireos-step.sh

NOTE: If you are on a firmware newer than 6.3.0.1, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)


WARNING: There have been numerous reports that would indicate a hardware-change that doesn't allow access to the bootrom.
When bricking these devices there is currently no known way to unbrick.
This makes the hardware-method currently the safest option.

To brick firmware 6.3.1.2 use the attached brick-karnak.zip, boot into fastboot

adb reboot bootloader

and run

./brick-6312.sh

Make sure ModemManager is disabled or uninstalled:

sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

After you have confirmed the bricking by typing "YES", you will need disconnect the device and run

sudo ./bootrom-step.sh

Then plug the device back in.

The device will reboot into TWRP.

You can now install Magisk from there.


Going back to stock
Extract the attached zip-file "amonet-karnak-return-to-stock.zip" into the same folder where you extracted "amonet-karnak-v3.0.1.zip" and open a terminal in that directory.

Then run:

sudo ./return-to-stock.sh

Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 6.3.0.0 or newer, otherwise you may brick your device)

Important information

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Thanks to @Kaijones23 for testing.

 

[k4y0z]

Unbricking / Unlocking with Firmware 6.3.1.2+

If Recovery OR FireOS are still accessible (or your firmware is below 6.3.1.2) there are other means of recovery, don't continue.

If your device shows one of the following symptoms:

1. It doesn't show any life (screen stays dark)
2. You see the white amazon logo, but cannot access Recovery or FireOS.

If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).

1. Make sure the device is powered off, by holding the power-button for 20+ seconds
2. Start bootrom-step.sh
3. Plug in USB

In all other cases you will have to open the device.

Make sure ModemManager is disabled or uninstalled:

sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)

Open the device and short the pin marked in the attached photo to ground while plugging in.
1. Extract the attached zip-file "amonet-karnak-v3.0.zip" and open a terminal in that directory.

2. start the script:

sudo ./bootrom-step.sh

It should now say Waiting for bootrom.

3. Short the device according to the attached photo and plug it in.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run

sudo ./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk or SuperSU

Checking USB connection
In lsusb the boot-rom shows up as:

Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

If it shows up as:

Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader

instead, you are in preloader-mode, try again.

dmesg lists the correct device as:

[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00

 

[k4y0z]

Reserved #2

 

[k4y0z]

Reserved #3

 

[Rortiz2]

This is very cool @k4y0z!
Now we can use boot-recovery.sh & boot-fastboot no?
Regards!

 

[k4y0z]

This is very cool @k4y0z!
Now we can use boot-recovery.sh & boot-fastboot no?
Regards!

Yes, that is also supported.

 

[Kctucka]

NOTE: If you are on a firmware lower than 6.3.1.2 this process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


NOTE: If you are on a firmware newer than 6.3.0.1, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)[/COLOR]

So do you need to open the case to run this exploit on the newest firmware, or can you just brick to install older lk/preloader, and go from there?

 

[k4y0z]

So do you need to open the case to run this exploit on the newest firmware, or can you just brick to install older lk/preloader, and go from there?

On 6.3.1.2 mtk-su has been fixed, so unless you already have root (or another way to get temp-root is found), bricking isn't an option and you will have to open the case.
If you do have root the script will do the bricking for you.

 

[jibgilmon]

@k4y0z For people who already used the steps in xyz's thread and are running your TWRP and LineageOS, is there anything here that we're missing? Or is this just a new method to arrive at the same results?

 

[k4y0z]

@k4y0z For people who already used the steps in xyz's thread and are running your TWRP and LineageOS, is there anything here that we're missing? Or is this just a new method to arrive at the same results?

This is based on @xyz`s original work, but adds some features such as reboot to hacked BL.
It also intends to simplify the installation process.
If you are already unlocked you can simply update by flashing the ZIP-file in TWRP.

Additionally it adds support for the boot-recovery and boot-fastboot scripts.
And a script to enable UART output for the kernel.
So nothing essential if you are already using the updated TWRP.

 

[DB126]

Ran this pup on a unit that I was keeping unrooted (aside from occational temp root via mtk-su) as a control but was becoming painful to use/maintain. Also missed TWRP. Worked like a champ with zero issues ... aside from stumbling over my own stupidity. Used Lubuntu live 18.04 and Magisk 19.3/7.3.2. Staying on FireOS 6.3.0.1 (w/hijacks) for now until a fully vetted custom ROM becomes available.

Thanks for the great tool and accompanying guidance.

 

[k4y0z]

I have added unbricking/bootrom instructions in Post #2

 

[bibikalka]

@k4y0z

If I flash your zip, can I then flash Amazon update as is? Will your TWRP manage the bootloaders/etc when flashing the stock ROM?

 

[Rortiz2]

@k4y0z

If I flash your zip, can I then flash Amazon update as is? Will your TWRP manage the bootloaders/etc when flashing the stock ROM?

I think yeah:

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

 

[madman]

So I got a HD8 2018 today and it came with OS version that forced me to connect to WiFi and update itself. I was pretty pissed but I used this guide to get root easily.

I had Arch based linux installed which gave problems while running script, so I made bootable Ubuntu usb and that worked fine. Thank you everyone involved in developing this hack.

 

[DB126]

So I got a HD8 2018 today and it came with OS version that forced me to connect to WiFi and update itself. I was pretty pissed but I used this guide to get root easily.

I had Arch based linux installed which gave problems while running script, so I made bootable Ubuntu usb and that worked fine. Thank you everyone involved in developing this hack.

For future reference you can avoid the presumed forced WiFi connect by putting in a bogus password; once authentication fails a 'skip' option will appear.

 

[k4y0z]

@k4y0z

If I flash your zip, can I then flash Amazon update as is? Will your TWRP manage the bootloaders/etc when flashing the stock ROM?

I think yeah:

Yes, exactly.

 

[bibikalka]

I think yeah:

Quote:

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

Yes, exactly.

OK - tried to upgrade to the latest update-kindle-Fire_HD8_8th_Gen-NS6312_user_1852_0002517056644.bin using the suggestions above, and got a hardcore Amazon logo bootloop.

My actions. I had the old unlock, so I flashed the zip in this thread first. New TWRP showed up - so far so good. Then I flashed the Amazon update zip as is, thinking the updated TWRP would do its magic. Flashed Magisk, tried to reboot. No go - Amazon logo bootloop. No recovery either. So it feels that I lost the unlock, and, perhaps LK & preloader & TZ got overwritten with the new versions from the Amazon update zip.

Any recovery here other than opening the case?

 

[k4y0z]

OK - tried to upgrade to the latest update-kindle-Fire_HD8_8th_Gen-NS6312_user_1852_0002517056644.bin using the suggestions above, and got a hardcore Amazon logo bootloop.

My actions. I had the old unlock, so I flashed the zip in this thread first. New TWRP showed up - so far so good. Then I flashed the Amazon update zip as is, thinking the updated TWRP would do its magic. Flashed Magisk, tried to reboot. No go - Amazon logo bootloop. No recovery either. So it feels that I lost the unlock, and, perhaps LK & preloader & TZ got overwritten with the new versions from the Amazon update zip.

Any recovery here other than opening the case?

That is strange, I've had no issues installing that firmware unmodified through TWRP.
So you can't boot neither normal or recovery?
Does it say something in the corner when trying to boot recovery?
You can try the boot-fastboot.sh script to get into hacked fastboot.

 

[bibikalka]

That is strange, I've had no issues installing that firmware unmodified through TWRP.
So you can't boot neither normal or recovery?
Does it say something in the corner when trying to boot recovery?
You can try the boot-fastboot.sh script to get into hacked fastboot.

Cannot boot anywhere - no message about booting recovery either. When you tried installing unmodified firmware, was that on HD8 2018, or some other tablet? I wonder if perhaps there are some differences with HD8 2018 given that it's Nougat.

I will try the hacked fastboot, but most likely - will have to open the case.