
[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2018 (karnak) amonet-3


k4y0z

Read this whole guide before starting.

This is for the 8th gen Fire HD8 (karnak).

Current version: amonet-karnak-v3.0.1.zip

This is based on @xyz`s original work, but adds some features such as reboot to hacked BL.
It also intends to simplify the installation process.
If you are already unlocked you can simply update by flashing the ZIP-file in TWRP.


NOTE: If you are on a firmware lower than 6.3.1.2 this process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


What you need:
  • A Linux installation or live-system
  • A micro-USB cable

Install python3, PySerial, adb, fastboot and dos2unix. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix

1. Extract the attached zip-file "amonet-karnak-v3.0.1.zip" and open a terminal in that directory.


NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place it (the unpacked binary) into the amonet/bin folder.


2. Enable ADB in Developer Settings

3. Start the script:
Code:
sudo ./fireos-step.sh


NOTE: If you are on a firmware newer than 6.3.0.1, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)



WARNING: There have been numerous reports that would indicate a hardware-change that doesn't allow access to the bootrom.
When bricking these devices there is currently no known way to unbrick.
This makes the hardware-method currently the safest option.



To brick firmware 6.3.1.2 use the attached brick-karnak.zip, boot into fastboot
Code:
adb reboot bootloader

and run
Code:
./brick-6312.sh

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
Code:
sudo ./bootrom-step.sh
Then plug the device back in.

The device will reboot into TWRP.

You can now install Magisk from there.


Going back to stock

Extract the attached zip-file "amonet-karnak-return-to-stock.zip" into the same folder where you extracted "amonet-karnak-v3.0.1.zip" and open a terminal in that directory.

Then run:
Code:
sudo ./return-to-stock.sh

Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 6.3.0.0 or newer, otherwise you may brick your device)

Important information


Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
Thanks to @Kaijones23 for testing.
 

Attachments

  • amonet-karnak-v3.0.zip (17 MB)
  • amonet-karnak-return-to-stock.zip (17.6 MB)
  • amonet-karnak-v3.0.1.zip (17 MB)
  • brick-karnak.zip (4.3 MB)

k4y0z

Unbricking / Unlocking with Firmware 6.3.1.2+

If Recovery OR FireOS are still accessible (or your firmware is below 6.3.1.2) there are other means of recovery, don't continue.

If your device shows one of the following symptoms:
  1. It doesn't show any life (screen stays dark)
  2. You see the white amazon logo, but cannot access Recovery or FireOS.

If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
  1. Make sure the device is powered off, by holding the power-button for 20+ seconds
  2. Start bootrom-step.sh
  3. Plug in USB

In all other cases you will have to open the device.

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager


NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)


Open the device and short the pin marked in the attached photo to ground while plugging in.
1. Extract the attached zip-file "amonet-karnak-v3.0.zip" and open a terminal in that directory.

2. Start the script:
Code:
sudo ./bootrom-step.sh

It should now say Waiting for bootrom.

3. Short the device according to the attached photo and plug it in.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
sudo ./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk or SuperSU

Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
 

Attachments

  • karnak-bootrom.jpg (143 KB)
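The mode check described in the post above, as an added example that is not part of the original thread or of the amonet scripts: a shell helper that classifies lsusb or dmesg text by the two USB IDs the post quotes. The function names and the `other` result are assumptions of this example; the sample lines are the post's own.

```shell
#!/bin/sh
# Added example (not part of amonet): tell bootrom mode from preloader mode
# using the USB IDs quoted in the post: 0e8d:0003 = bootrom, 0e8d:2000 = preloader.

# Sample lines taken from the post, with the forum bold markup removed.
SAMPLE_BOOTROM='Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone'
SAMPLE_PRELOADER='Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader'
SAMPLE_DMESG='[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00'

# mtk_mode: read lsusb and/or dmesg text on stdin and print one word:
#   bootrom | preloader | other (a MediaTek ID the post does not list) | none
# The last MediaTek line seen wins, so a dmesg log covering several
# reconnects reports the most recent state.
mtk_mode() {
    awk '
        {
            line = tolower($0)
            id = ""
            if (match(line, /id 0e8d:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]/)) {
                # lsusb form: "ID 0e8d:0003"
                id = substr(line, RSTART + 8, 4)
            } else if (match(line, /idvendor=0e8d, idproduct=[0-9a-f][0-9a-f][0-9a-f][0-9a-f]/)) {
                # dmesg form: "idVendor=0e8d, idProduct=0003"
                id = substr(line, RSTART + RLENGTH - 4, 4)
            }
            if (id == "0003")      mode = "bootrom"
            else if (id == "2000") mode = "preloader"
            else if (id != "")     mode = "other"
        }
        END { print (mode == "" ? "none" : mode) }
    '
}

# modemmanager_active: succeeds when the ModemManager service is running.
# The post asks for it to be stopped before running the scripts.
modemmanager_active() {
    command -v systemctl >/dev/null 2>&1 &&
        systemctl is-active --quiet ModemManager
}

# preflight: live check combining both; prints the mode, warns on stderr.
# Assumes lsusb (usbutils) is installed. Not run automatically.
preflight() {
    if modemmanager_active; then
        echo "warning: ModemManager is running" >&2
    fi
    lsusb | mtk_mode
}
```

Calling `preflight` after plugging the device in prints `preloader` when the device came up in preloader-mode, which is the case where the post says to try again.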

Kctucka


NOTE: If you are on a firmware lower than 6.3.1.2 this process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


NOTE: If you are on a firmware newer than 6.3.0.1, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)

So do you need to open the case to run this exploit on the newest firmware, or can you just brick to install older lk/preloader, and go from there?
 

k4y0z

So do you need to open the case to run this exploit on the newest firmware, or can you just brick to install older lk/preloader, and go from there?

On 6.3.1.2 mtk-su has been fixed, so unless you already have root (or another way to get temp-root is found), bricking isn't an option and you will have to open the case.
If you do have root the script will do the bricking for you.
 

jibgilmon

@k4y0z For people who already used the steps in xyz's thread and are running your TWRP and LineageOS, is there anything here that we're missing? Or is this just a new method to arrive at the same results?
 

k4y0z

@k4y0z For people who already used the steps in xyz's thread and are running your TWRP and LineageOS, is there anything here that we're missing? Or is this just a new method to arrive at the same results?

This is based on @xyz`s original work, but adds some features such as reboot to hacked BL.
It also intends to simplify the installation process.
If you are already unlocked you can simply update by flashing the ZIP-file in TWRP.

Additionally it adds support for the boot-recovery and boot-fastboot scripts.
And a script to enable UART output for the kernel.
So nothing essential if you are already using the updated TWRP.
 

DB126

Ran this pup on a unit that I was keeping unrooted (aside from occasional temp root via mtk-su) as a control but was becoming painful to use/maintain. Also missed TWRP. Worked like a champ with zero issues ... aside from stumbling over my own stupidity. Used Lubuntu live 18.04 and Magisk 19.3/7.3.2. Staying on FireOS 6.3.0.1 (w/hijacks) for now until a fully vetted custom ROM becomes available.

Thanks for the great tool and accompanying guidance. :)
 

madman

So I got a HD8 2018 today and it came with OS version that forced me to connect to WiFi and update itself. I was pretty pissed but I used this guide to get root easily.

I had Arch based linux installed which gave problems while running script, so I made bootable Ubuntu usb and that worked fine. Thank you everyone involved in developing this hack.
 

DB126

So I got a HD8 2018 today and it came with OS version that forced me to connect to WiFi and update itself. I was pretty pissed but I used this guide to get root easily.

I had Arch based linux installed which gave problems while running script, so I made bootable Ubuntu usb and that worked fine. Thank you everyone involved in developing this hack.
For future reference you can avoid the presumed forced WiFi connect by putting in a bogus password; once authentication fails a 'skip' option will appear.
 

bibikalka

I think yeah:

Quote:

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

Yes, exactly.

OK - tried to upgrade to the latest update-kindle-Fire_HD8_8th_Gen-NS6312_user_1852_0002517056644.bin using the suggestions above, and got a hardcore Amazon logo bootloop.

My actions. I had the old unlock, so I flashed the zip in this thread first. New TWRP showed up - so far so good. Then I flashed the Amazon update zip as is, thinking the updated TWRP would do its magic. Flashed Magisk, tried to reboot. No go - Amazon logo bootloop. No recovery either. So it feels that I lost the unlock, and, perhaps LK & preloader & TZ got overwritten with the new versions from the Amazon update zip.

Any recovery here other than opening the case?
 

k4y0z

OK - tried to upgrade to the latest update-kindle-Fire_HD8_8th_Gen-NS6312_user_1852_0002517056644.bin using the suggestions above, and got a hardcore Amazon logo bootloop.

My actions. I had the old unlock, so I flashed the zip in this thread first. New TWRP showed up - so far so good. Then I flashed the Amazon update zip as is, thinking the updated TWRP would do its magic. Flashed Magisk, tried to reboot. No go - Amazon logo bootloop. No recovery either. So it feels that I lost the unlock, and, perhaps LK & preloader & TZ got overwritten with the new versions from the Amazon update zip.

Any recovery here other than opening the case?

That is strange, I've had no issues installing that firmware unmodified through TWRP.
So you can't boot either normal or recovery?
Does it say something in the corner when trying to boot recovery?
You can try the boot-fastboot.sh script to get into hacked fastboot.
 

bibikalka

That is strange, I've had no issues installing that firmware unmodified through TWRP.
So you can't boot either normal or recovery?
Does it say something in the corner when trying to boot recovery?
You can try the boot-fastboot.sh script to get into hacked fastboot.

Cannot boot anywhere - no message about booting recovery either. When you tried installing unmodified firmware, was that on HD8 2018, or some other tablet? I wonder if perhaps there are some differences with HD8 2018 given that it's Nougat.

I will try the hacked fastboot, but most likely - will have to open the case.
 

Top Liked Posts

    5
    Success

    Read this whole guide before starting.

    This is for the 8th gen Fire HD8 (karnak).

    @k4y0z thank you so much for your work on this project. About oh...15 pages back you answered a few of my questions, and I finally today got around to giving this a whirl. It was so simple, and worked perfectly. You took an insanely complicated set of instructions into 3 easy to use scripts and you should be applauded for it.

    For anyone who wants to do this (on a current 6.3.1.2 w/ the soft brick method), here are some tips.
    -Factory reset and wipe everything before you start. If you need to keep your data back it up, from a clean boot this works slick with no issues
    -Skip network setup on initial wizard, go straight to enable USB debugging, etc blah
    -Try several USB cables (I had to try 4 before I found one that would enable USB debugging. All cables not created equal)
    -Use Ubuntu 18.04 and use the apt commands provided by @k4y0z in his first post.
    -Open a terminal in Ubuntu and type 'sudo -i' which will switch to a mode where all commands are issued sudo'ed as root
    -Run the bricking script (brick-6312.sh), then in another terminal window tell ADB to reboot to bootloader. Watch his magic script do the soft brick
    -Shutdown with 30s power button hold, and then turn off the Debian/Ubuntu ModemManager service as he indicated in his instructions
    -Run the bootrom script (bootrom-step.sh), and then turn it on with a 3s power button press. Follow instructions in linux terminal
    -Afterwards the device reboots into hacked fastboot (screen will still be blank). Verify fastboot mode with 'adb devices'
    -Run the final fastboot script (fastboot-step.sh), and then watch as it reboots and loads up into TWRP

    Once you're in TWRP you are golden. Install Lineage, downgrade to older FireOS, root the current FireOS w/ Magisk, or whatever you want
    *As noted by others, when working with packages (like Magisk) do the work from recovery NOT in the OS, so it properly uses the patched bootloader

    Hopefully they don't push a new update before Black Friday, so I can snag a few more and unlock them as well!

    Cheers!
    4
    @bibikalka and also for anyone who is on 6.3.1.2 and doesn't want to open the device.
    I have something new for you to try out.
    All you need to do is get into fastboot mode:
    For 6.3.1.2
    Code:
    adb reboot bootloader

    @bibikalka, yours should be in fastboot anyway.

    Then run
    Code:
    brick-6312.sh

    or
    Code:
    brick.sh

    From the attached zip-file and follow the instructions on the display.

    Good luck ;)