[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2018 (karnak) amonet-3

Michajin

Senior Member
Oct 23, 2012
1,311
529
Hi,

It was stating that the device was locked/restricted. After many hours I've finally fixed it - I resorted to opening the case and doing it that way. I've now got working recovery and LOS.

Thanks for the reply :)

J.
Maybe you didn't understand my post. You run the boot-fastboot to get into the "unlocked" fastboot. By running adb reboot bootloader you are in the locked fastboot.
 

journeyman8461

New member
Aug 9, 2021
2
0
Any chance anyone has the GPT file I can use? I accidentally used the script for Douglas and borked my GPT. I was able to swap in the other fixes I found and used the Suez 16 GB GPT table, but I don't know that is right either. I am in TWRP now but can't flash any ROMs.
 

journeyman8461

New member
Aug 9, 2021
2
0
I don't have the file you need, but your device is the

Fire 8 2018 (8th generation) aka "Karnak"

If you don't want to brick your tablet any more than you might already have, stop using files for different devices.
Unfortunately I had already searched all relevant posts on Karnak before making this request. The first flash was a mistake as I did not realize I had downloaded the incorrect version at the time. This is just a tablet I had sitting in a drawer so I really could care less if I cause anymore harm. The fun is in the learning experience.
 

k4y0z

Senior Member
Nov 27, 2015
1,468
1,988
This should be karnak GPT.
 

Attachments

  • gpt-karnak.zip
    941 bytes

Rvllmor

Member
Oct 29, 2021
6
0
I've unlocked this tablet before but chose to upgrade to FireOS 7. I am trying to unlock again by shorting the device. How do I know if shorting was successful? I've tried shorting a lot, but it just says "waiting for bootrom" all the time.
 

Rvllmor

Member
Oct 29, 2021
6
0
[email protected]:~/Downloads/amonet-karnak-v3.0/amonet$ sudo ./bootrom-step.sh
[2021-10-30 06:43:30.438413] Waiting for bootrom
[2021-10-30 06:44:08.654421] Found port = /dev/ttyACM0
[2021-10-30 06:44:08.715259] Handshake

* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *


Traceback (most recent call last):
  File "/home/ubuntu/Downloads/amonet-karnak-v3.0/amonet/modules/main.py", line 213, in <module>
    main()
  File "/home/ubuntu/Downloads/amonet-karnak-v3.0/amonet/modules/main.py", line 111, in main
    load_payload(dev, "../brom-payload/build/payload.bin")
  File "/home/ubuntu/Downloads/amonet-karnak-v3.0/amonet/modules/load_payload.py", line 99, in load_payload
    dev.write32(0x10007008, 0x1971) # low-level watchdog kick
  File "/home/ubuntu/Downloads/amonet-karnak-v3.0/amonet/modules/common.py", line 160, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/home/ubuntu/Downloads/amonet-karnak-v3.0/amonet/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch

What am I doing wrong?
 

Rortiz2

Senior Member
You're either shorting wrong or the update triggered the fuse that disables bootrom (but I'm not sure if this was applied to karnak).
 

Rvllmor

Member
Oct 29, 2021
6
0
Is ModemManager disabled in Linux?

Or as @Rortiz2 said something is wrong with the short, try different USB cables/ports, also try a different paperclip.
Yeah, it's disabled. I've tried all 4 USB ports from my PC and 2 different paper clips. Same result.
Never mind then, thanks anyway.
Edit: how long do I have to hold the clip?
 

Sus_i

Senior Member
Apr 9, 2013
1,695
724
Also any luck getting FireOS 7 working? (without reverting back to stock)
A port of amonet to the latest fireOS7 karnak would be awesome, since karnak is the only (exploitable) tablet with fireOS7 support :)

But it requires a port (or let's say update) of amonet (using microloader) to the suez style exploit.
 

eris170

Member
Aug 30, 2013
39
3
Well, then you have a patched unit. There's nothing that you can do to unlock it.

I just picked up an FHD 8 2018 8th gen (refurb) off amazon and it's running Fire OS 7.3.2.1. I've "Reset to factory defaults" thinking it would drop back to 6.x but this is not the case.

Is this any indication of a patched unit? Kind of don't want to crack it open to try the short since I could still return it.
 

eris170

Member
Aug 30, 2013
39
3
Thanks Falcon342. No idea when my tablet was manufactured. I thought being a 'refurb' had a good chance of being a legit early model. Maybe there's a manufacture date somewhere on the board. I'll look.

Hmmm.. pulled off the cover to do the short but getting the same error as Rvllmor

If I power off the tablet and run bootrom-step.sh, it sits at "Handshake" until I plug in the USB cable. About 4 seconds later the message "...short attached, remove it..." appears and then python hurls with the 'Serial protocol mismatch' error (below).

I "retried from step #2" and when it got to "Handshake" I shorted between CLK and the heat sink cover. Probably held it for 15 seconds. Tried it a few times. The python script didn't detect the short. I powered on the tablet, powered it off again, and then tried again. It seems the script will run the first time after the tab is powered on, but not after that.

I was curious, so I powered off the tablet and set up a loop at the shell waiting for ttyACM0 to show up. I plugged in the USB cable and a couple of seconds later minicom connected. The words "READYREADY...." printed across the terminal for like 2 seconds and then an error message that ttyACM0 couldn't be opened. This must be what caused the "Serial protocol mismatch" error in the python code. It was then a few seconds later that I heard the little startup tune play on the tablet. Sure enough, plugging in the USB cable begins the boot process. Maybe this is normal? It seems that the tablet is only "READYREADY..." for about 2 seconds and then boots the OS.

Any thoughts where to go from here? I'm guessing this is a "patched" device? Maybe try shorting before plugging in the USB cable?


python code output:
Code:
# ./bootrom-step.sh
[2021-12-08 05:17:25.877884] Waiting for bootrom
[2021-12-08 05:17:55.259996] Found port = /dev/ttyACM0
[2021-12-08 05:17:55.299206] Handshake

* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *

Traceback (most recent call last):
  File "main.py", line 213, in <module>
    main()
  File "main.py", line 111, in main
    load_payload(dev, "../brom-payload/build/payload.bin")
  File "/tmp/hd8/3.0.1/amonet/modules/load_payload.py", line 99, in load_payload
    dev.write32(0x10007008, 0x1971) # low-level watchdog kick
  File "/tmp/hd8/3.0.1/amonet/modules/common.py", line 160, in write32
    self.check(self.dev.read(2), b'\x00\x01') # arg check
  File "/tmp/hd8/3.0.1/amonet/modules/common.py", line 87, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
^CException ignored in: <module 'threading' from '/usr/lib/python3.7/threading.py'>
Traceback (most recent call last):
  File "/usr/lib/python3.7/threading.py", line 1281, in _shutdown
    t.join()
  File "/usr/lib/python3.7/threading.py", line 1032, in join
    self._wait_for_tstate_lock()
  File "/usr/lib/python3.7/threading.py", line 1048, in _wait_for_tstate_lock
    elif lock.acquire(block, timeout):
KeyboardInterrupt
 

eris170

Member
Aug 30, 2013
39
3
From reading your post it sounds like you're doing it wrong; what you need to do is this:

Start the script
Begin applying the short (keep holding the short until the script tells you)
Plug in the USB cable
Wait for the script to tell you to remove the short and press enter.

Thanks again @Falcon342. Working now! @Rvllmor may have made the same mistake.

I still had to retry a couple times as my paper clip was a little corroded on the end so cleaned it with some sandpaper so it was nice and shiny and it took right off.

Code:
[2021-12-08 15:01:42.850175] Handshake

* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *


[2021-12-08 15:01:45.856470] Init crypto engine
[2021-12-08 15:01:45.874764] Disable caches
[2021-12-08 15:01:45.875229] Disable bootrom range checks
[2021-12-08 15:01:45.893269] Load payload from ../brom-payload/build/payload.bin = 0x4888 bytes
[2021-12-08 15:01:45.897207] Send payload
[2021-12-08 15:01:46.673103] Let's rock
...
 

Rvllmor

Member
Oct 29, 2021
6
0
Yup, I made the same mistake.
It's working now, thank you.
 

Top Liked Posts

  • 1
    Hey all! Trying to follow this guide but am running into a snag:

    Bash:
    [email protected]:~$ sudo systemctl stop ModemManager
    [email protected]:~$ sudo systemctl disable ModemManager
    Removed /etc/systemd/system/dbus-org.freedesktop.ModemManager1.service.
    Removed /etc/systemd/system/multi-user.target.wants/ModemManager.service.
    [email protected]:~$ cd '/home/appleguru/Desktop/amonet-karnak-v3.0.1'
    [email protected]:~/Desktop/amonet-karnak-v3.0.1$ ls
    amonet  META-INF
    [email protected]:~/Desktop/amonet-karnak-v3.0.1$ cd amonet/
    [email protected]:~/Desktop/amonet-karnak-v3.0.1/amonet$ sudo ./bootrom-step.sh
    [2022-09-11 22:01:34.907797] Waiting for bootrom
    [2022-09-11 22:01:54.239782] Found port = /dev/ttyACM0
    [2022-09-11 22:01:54.242430] Handshake
    
    * * * If you have a short attached, remove it now * * *
    * * * Press Enter to continue * * *
    
    
    [2022-09-11 22:02:02.384702] Init crypto engine
    [2022-09-11 22:02:02.810546] Disable caches
    [2022-09-11 22:02:02.818569] Disable bootrom range checks
    [2022-09-11 22:02:03.136374] Load payload from ../brom-payload/build/payload.bin = 0x4888 bytes
    [2022-09-11 22:02:03.138912] Send payload
    [2022-09-11 22:02:16.799644] Let's rock
    [2022-09-11 22:02:16.816306] Wait for the payload to come online...
    [2022-09-11 22:02:17.534090] all good
    [2022-09-11 22:02:17.537674] Check GPT
    [2022-09-11 22:02:17.909226] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22480863)}
    [2022-09-11 22:02:17.909434] Check boot0
    [2022-09-11 22:02:18.161958] Check rpmb
    [2022-09-11 22:02:18.377407] Clear preloader header
    [8 / 8]
    [2022-09-11 22:02:18.850996] Downgrade rpmb
    [2022-09-11 22:02:18.856021] Recheck rpmb
    [2022-09-11 22:02:19.751660] rpmb downgrade ok
    [2022-09-11 22:02:19.755488] Flash preloader
    [280 / 280]
    [280 / 280]
    [2022-09-11 22:02:35.610415] Flash lk-payload
    [6 / 6]
    [2022-09-11 22:02:36.035489] Flash tz
    [6732 / 6732]
    [2022-09-11 22:05:45.080371] Flash lk
    [685 / 685]
    [2022-09-11 22:06:04.428770] Inject microloader
    [2 / 2]
    [2 / 2]
    [2022-09-11 22:06:04.924653] Force fastboot
    [2022-09-11 22:06:05.264611] Flash preloader header
    [4 / 4]
    [4 / 4]
    [2022-09-11 22:06:05.750306] Reboot
    [email protected]:~/Desktop/amonet-karnak-v3.0.1/amonet$ sudo ./fastboot-step.sh
    < waiting for any device >
    target reported max download size of 114294784 bytes
    sending 'recovery' (13604 KB)...
    OKAY [  0.536s]
    writing 'recovery'...
    FAILED (remote: flash write failure)
    finished. total time: 0.542s

    Any tips?

    [edit] nvm, solved this.. left a wire soldered to CLK and floating. Once I removed it the fastboot step worked fine and it rebooted into TWRP. [/edit]

    Now... how do I install Magisk and root? I grabbed the latest 25.2 apk from https://github.com/topjohnwu/Magisk/releases/tag/v25.2, renamed to .zip, copied to TWRP folder on my SD card and tried to install... but I just get a bootloop.

    I can get back into TWRP by doing the CLK to gnd short and fastboot steps again, but not sure where to go from here.

    [edit2] I guess I wiped my factory image from TWRP inadvertently... trying to install lineage 17.1 now; hopefully that works! [/edit2]

    [edit3] Ended up installing lineage 18.1: https://forum.xda-developers.com/t/...-karnak-lineage-18-1-25-october-2021.4352241/

    Also added open-gapps-arm-11.0-pico.zip and Magisk-v25.2.zip from TWRP. Boots and seems to be running OK, we'll see if it's stable. Not bad for a $20 tablet :D [/edit3]
  • 37
    Read this whole guide before starting.

    This is for the 8th gen Fire HD8 (karnak).

    Current version: amonet-karnak-v3.0.1.zip

    This is based on @xyz`s original work, but adds some features such as reboot to hacked BL.
    It also intends to simplify the installation process.
    If you are already unlocked you can simply update by flashing the ZIP-file in TWRP.


    NOTE: If you are on a firmware lower than 6.3.1.2 this process does not require you to open your device, but should something go horribly wrong, be prepared to do so.


    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, adb, fastboot and dos2unix. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot dos2unix

    1. Extract the attached zip-file "amonet-karnak-v3.0.1.zip" and open a terminal in that directory.


    NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder


    2. Enable ADB in Developer Settings

    3. Start the script:
    Code:
    sudo ./fireos-step.sh


    NOTE: If you are on a firmware newer than 6.3.0.1, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)



    WARNING: There have been numerous reports that would indicate a hardware-change that doesn't allow access to the bootrom.
    When bricking these devices there is currently no known way to unbrick.
    This makes the hardware-method currently the safest option.



    To brick firmware 6.3.1.2 use the attached brick-karnak.zip, boot into fastboot
    Code:
    adb reboot bootloader

    and run
    Code:
    ./brick-6312.sh

    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    After you have confirmed the bricking by typing "YES", you will need to disconnect the device and run
    Code:
    sudo ./bootrom-step.sh
    Then plug the device back in.

    The device will reboot into TWRP.

    You can now install Magisk from there.


    Going back to stock

    Extract the attached zip-file "amonet-karnak-return-to-stock.zip" into the same folder where you extracted "amonet-karnak-v3.0.1.zip" and open a terminal in that directory.

    Then run:
    Code:
    sudo ./return-to-stock.sh

    Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 6.3.0.0 or newer, otherwise you may brick your device)

    Important information


    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
    Thanks to @Kaijones23 for testing.
    15
    Unbricking / Unlocking with Firmware 6.3.1.2+

    If Recovery OR FireOS are still accessible (or your firmware is below 6.3.1.2) there are other means of recovery, don't continue.

    If your device shows one of the following symptoms:
    1. It doesn't show any life (screen stays dark)
    2. You see the white amazon logo, but cannot access Recovery or FireOS.

    If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
    1. Make sure the device is powered off, by holding the power-button for 20+ seconds
    2. Start bootrom-step.sh
    3. Plug in USB

    In all other cases you will have to open the device.

    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager


    NOTE: If you have issues running the scripts, you might have to run them using sudo.
    Also try using different USB-ports (preferably USB-2.0-ports)


    Open the device and short the pin marked in the attached photo to ground while plugging in.
    1. Extract the attached zip-file "amonet-karnak-v3.0.zip" and open a terminal in that directory.

    2. Start the script:
    Code:
    sudo ./bootrom-step.sh

    It should now say Waiting for bootrom.

    3. Short the device according to the attached photo and plug it in.

    4. When the script asks you to remove the short, remove the short and press enter.

    5. Wait for the script to finish.
    If it stalls at some point, stop it and restart the process from step 2.

    6. Your device should now reboot into unlocked fastboot state.

    7. Run
    Code:
    sudo ./fastboot-step.sh

    8. Wait for the device to reboot into TWRP.

    9. Use TWRP to flash custom ROM, Magisk or SuperSU

    Checking USB connection
    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
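
The "Checking USB connection" check above, as an added example that is not part of the original post or of amonet: it classifies `lsusb` output by the two USB IDs the guide quotes and rebuilds from `dmesg` how long the device stayed in each mode, which is what distinguishes a held short from a device that passed straight on to booting. The function names and the sample text are assumptions; the disconnect line and the second enumeration in the sample are constructed.

```python
import re

# USB IDs quoted in the guide above (vendor 0e8d = MediaTek).
MODES = {("0e8d", "0003"): "bootrom", ("0e8d", "2000"): "preloader"}

LSUSB_RE = re.compile(r"\bID ([0-9a-f]{4}):([0-9a-f]{4})\b", re.I)
FOUND_RE = re.compile(
    r"\[\s*(\d+\.\d+)\] usb ([\d.-]+): New USB device found, "
    r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})", re.I)
GONE_RE = re.compile(r"\[\s*(\d+\.\d+)\] usb ([\d.-]+): USB disconnect")

# Constructed sample input: the first two lsusb lines and the first dmesg
# line follow the guide's output, the rest is made up for the example.
SAMPLE_LSUSB = """\
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
SAMPLE_DMESG = """\
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[ 6386.100000] usb 2-2: USB disconnect, device number 13
[ 6388.500000] usb 2-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
"""


def classify_lsusb(text):
    """Return the MediaTek modes seen in lsusb output, in order of appearance."""
    pairs = ((v.lower(), p.lower()) for v, p in LSUSB_RE.findall(text))
    return [MODES[pair] for pair in pairs if pair in MODES]


def dmesg_timeline(text):
    """Return [(mode, port, start, seconds)]; seconds is None while attached."""
    attached = {}   # USB port -> index of its open entry in timeline
    timeline = []
    for line in text.splitlines():
        found = FOUND_RE.search(line)
        if found:
            ts, port, vid, pid = found.groups()
            mode = MODES.get((vid.lower(), pid.lower()))
            if mode:
                attached[port] = len(timeline)
                timeline.append([mode, port, float(ts), None])
            else:
                attached.pop(port, None)  # some other device took the port
            continue
        gone = GONE_RE.search(line)
        if gone and gone.group(2) in attached:
            entry = timeline[attached.pop(gone.group(2))]
            entry[3] = round(float(gone.group(1)) - entry[2], 3)
    return [tuple(entry) for entry in timeline]


def current_mode(timeline):
    """Mode of the latest MediaTek enumeration that has not disconnected."""
    if timeline and timeline[-1][3] is None:
        return timeline[-1][0]
    return None


if __name__ == "__main__":
    print(classify_lsusb(SAMPLE_LSUSB))
    for mode, port, start, seconds in dmesg_timeline(SAMPLE_DMESG):
        print(f"{mode:9} on {port} at {start:.3f}s, attached for {seconds}")
    print("current:", current_mode(dmesg_timeline(SAMPLE_DMESG)))
```

On a live system, feed it the text of `lsusb` and `dmesg`; a bootrom entry that ends after a couple of seconds followed by a preloader entry matches the "try again" case the guide describes.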
    5
    Success

    @k4y0z thank you so much for your work on this project. About oh...15 pages back you answered a few of my questions, and I finally today got around to giving this a whirl. It was so simple, and worked perfectly. You took an insanely complicated set of instructions into 3 easy to use scripts and you should be applauded for it.

    For anyone who wants to do this (on a current 6.3.1.2 w/ the soft brick method), here are some tips.
    -Factory reset and wipe everything before you start. If you need to keep your data back it up, from a clean boot this works slick with no issues
    -Skip network setup on initial wizard, go straight to enable USB debugging, etc blah
    -Try several USB cables (I had to try 4 before I found one that would enable USB debugging. All cables not created equal)
    -Use Ubuntu 18.04 and use the apt commands provided by @k4y0z in his first post.
    -Open a terminal in Ubuntu and type 'sudo -i' which will switch to a mode where all commands are issued sudo'ed as root
    -Run the bricking script (brick-6312.sh), then in another terminal window tell ADB to reboot to bootloader. Watch his magic script do the soft brick
    -Shutdown with 30s power button hold, and then turn off the Debian/Ubuntu ModemManager service as he indicated in his instructions
    -Run the bootrom script (bootrom-step.sh), and then turn it on with a 3s power button press. Follow instructions in linux terminal
    -Afterwards the device reboots into hacked fastboot (screen will still be blank). Verify fastboot mode with 'adb devices'
    -Run the final fastboot script (fastboot-step.sh), and then watch as it reboots and loads up into TWRP

    Once you're in TWRP you are golden. Install Lineage, downgrade to older FireOS, root the current FireOS w/ Magisk, or whatever you want
    *As noted by others, when working with packages (like Magisk) do the work from recovery NOT in the OS, so it properly uses the patched bootloader

    Hopefully they don't push a new update before Black Friday, so I can snag a few more and unlock them as well!

    Cheers!
    5
    So I got a HD8 2018 today and it came with OS version that forced me to connect to WiFi and update itself. I was pretty pissed but I used this guide to get root easily.

    I had Arch based linux installed which gave problems while running script, so I made bootable Ubuntu usb and that worked fine. Thank you everyone involved in developing this hack.
    For future reference you can avoid the presumed forced WiFi connect by putting in a bogus password; once authentication fails a 'skip' option will appear.
    4
    @bibikalka and also for anyone who is on 6.3.1.2 and doesn't want to open the device.
    I have something new for you to try out.
    All you need to do is get into fastboot mode:
    For 6.3.1.2
    Code:
    adb reboot bootloader

    @bibikalka, yours should be in fastboot anyway.

    Then run
    Code:
    brick-6312.sh

    or
    Code:
    brick.sh

    From the attached zip-file and follow the instructions on the display.

    Good luck ;)