Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root - Fire HD 8 and HD 10 Original Android Development

Changelog:
v2 - Fixed the issue with the screen
Make sure to read this guide completely before starting. It requires you to open the tablet, however you don't need to solder or use any advanced tools.
This is only for Fire HD 8, 8th generation, also known as karnak or KFKAWI. It's now confirmed to work on both 16GB and 32GB models.
You will lose all data on the tablet, make a backup of important data before you start. If you've enabled encryption, it's probably a good idea to disable it before you proceed with the guide.
What you need:
- a Linux installation. Since I had to rush it, this guide is only for Linux. Once I get a chance to test it on Windows I'll update the guide.
- microusb cable to connect your tablet to the PC
- some way to open the tablet (pry tool, opening picks, etc)
- something conductive (metal tweezers, a paper clip, a piece of wire, etc)
- amonet.tar.gz
- 6300.zip: https://mega.nz/#!FI1HSI5T!2zUAeiW9I-eH3Ph0Ar10_2nioNIm0ilSnNYgOG9YPNE
- Magisk-v18.0.zip: https://github.com/topjohnwu/Magisk/releases/download/v18.0/Magisk-v18.0.zip
- finalize.zip
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot".
Extract amonet.tar.gz, open a terminal and navigate to it.
You might need to run the scripts on your PC under sudo if you're getting permission errors.
0. Shut your device down and disconnect it from USB! Also, disconnect all other Android devices you might have connected from your PC. Also, if you have ModemManager installed, you MUST disable or uninstall it before you begin.
1. Use a pry tool to remove the back shell from the tablet. Start at the bottom and work your way up. There are no cables between the back shell and the motherboard.
2. On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We only care about the bottom one, CLK.
3. Plug in one end of the microusb cable, either to the PC or to the tablet, whatever's more convenient.
4. On your PC, run `./bootrom-step.sh`. It should print "Waiting for the bootrom".
5. Using your conductive apparatus, short the CLK test point to the ground. This means you should connect one side of your paperclip to the CLK pin and the other to the metallic shield or a side of the PCB. Firmly hold it in place so that there is connection. (See https://i.imgur.com/7BXIb2y.jpg)
6. Plug in the other end of the microusb cable.
7. You should see a new device appear on your PC:
Code:
[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
[10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
[10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
This *must* be the device you see. If you see a "preloader" device instead, you didn't hold the paperclip firmly enough. Unplug it, shut down your Fire (pull out the USB cord and wait; if it doesn't shut down, you might have to disconnect the battery) and try again starting at step 4.
8. The script you ran in step 4 should now tell you to remove the short. Remove the paperclip and press Enter as instructed.
9. The script will now proceed to downgrade your device and flash some essential files. Just let it be, it will take about 4 minutes. You should see the following output:
Code:
[2019-01-26 23:30:02.157670] Waiting for bootrom
[2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
[2019-01-26 23:30:20.439362] Handshake
[2019-01-26 23:30:20.441693] Disable watchdog
* * * Remove the short and press Enter * * *
[2019-01-26 23:30:22.636037] Init crypto engine
[2019-01-26 23:30:22.661832] Disable caches
[2019-01-26 23:30:22.662505] Disable bootrom range checks
[2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-01-26 23:30:22.693170] Send payload
[2019-01-26 23:30:23.527965] Let's rock
[2019-01-26 23:30:23.528832] Wait for the payload to come online...
[2019-01-26 23:30:24.260602] all good
[2019-01-26 23:30:24.261069] Check GPT
[2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-01-26 23:30:24.596619] Check boot0
[2019-01-26 23:30:24.841858] Check rpmb
[2019-01-26 23:30:25.051079] Downgrade rpmb
[2019-01-26 23:30:25.052924] Recheck rpmb
[2019-01-26 23:30:25.949978] rpmb downgrade ok
[2019-01-26 23:30:25.950284] Flash lk-payload
[5 / 5]
[2019-01-26 23:30:26.471797] Flash preloader
[288 / 288]
[2019-01-26 23:30:44.845804] Flash tz
[6732 / 6732]
[2019-01-26 23:33:08.502134] Flash lk
[685 / 685]
[2019-01-26 23:33:23.337460] Inject microloader
[4 / 4]
[2019-01-26 23:33:23.667547] Reboot to unlocked fastboot
If the script freezes at some point, you will have to restart it. Terminate the script, unplug USB, and try again starting at step 4. If after unplugging USB cable the device doesn't shut down, you might have to disconnect the battery. You can keep it disconnected until the script succeeds, but once it's done you must reconnect it before booting to fastboot.
9. You should see a success message: "Reboot to unlocked fastboot". Only proceed if you see the message.
10. Once the device boots to fastboot (check with "fastboot devices"; you should see the Amazon logo on the screen), you can run "./fastboot-step.sh". Then, flip the device over so that you can see the display.
11. At this point the device should boot into recovery, however it's possible that the screen will be off by default. Just press the power button twice and the screen should turn on.
12. We'll now upload required files to the recovery. On your PC, do:
adb push 6300.zip /sdcard
adb push Magisk-v18.0.zip /sdcard
adb push finalize.zip /sdcard
13. In the recovery, go to "Install", navigate to "/sdcard" and flash 6300.zip
14. Go to "Wipe" and do the default wipe, then reboot
15. At the Fire setup screen, select your language. On the next screen, Wifi setup, select any password-protected network, then instead of entering the password press "cancel". Now, back at the wifi setup screen, press "skip" and "skip" in the dialog pop-up again
16. Hold down the power button, press Restart and hold volume down to boot into recovery.
17. In the recovery, go to "Install", navigate to "/sdcard" and flash Magisk-v18.0.zip
18. Press back, select finalize.zip and flash it
19. Once finalize.zip is flashed, press "Reboot System"
20. Done. The device should now boot into a rooted 6.3.0.0 firmware. You should have Magisk manager installed, and root working. You will be able to boot into recovery by holding volume down.
21. At this point it should be safe to connect to wifi. If everything works okay, assemble your device.
Your device is now unlocked. You can flash a custom boot image, system image, etc. However, if you ever brick the device so bad the recovery does not boot, you will have to repeat these steps starting from the first one. Read below for what you should not do.
VERY IMPORTANT STUFF:
Only ever flash boot images from TWRP. Since nothing but TWRP is aware of the exploit, if you try to flash a boot image from Android, it won't have the exploit integrated into it! This includes Magisk as well, so do NOT install or uninstall it from Magisk Manager (However, installing modules should be fine; although it depends on the specific module).
Due to how the exploit works, it takes over the first 0x400 bytes of boot.img/recovery.img. When flashing zips from the recovery, it will transparently remove and then reinstall the exploit when needed. So long as you flash zips from the recovery, you should treat the boot image normally. However, this means that you cannot use any other apps (e.g. FlashFire) to flash the boot or recovery partitions.
To revert back to stock:
- download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
- flash 6300.zip from twrp
- flash revert-stock.zip from twrp
- wipe data
- reboot to recovery; you should see amazon recovery now
- select "apply update from ADB" in the recovery menu
- run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC
Another way to fix a brick:
- Download update package from amazon https://fireos-tablet-src.s3.amazon...ate-kindle-NS6301_user_1611_0001309035396.bin to your PC
- Download and unzip revert-stock.zip
- Do steps 0 to 9 from this guide (so everything until fastboot-step.sh)
- Wait for device to boot into fastboot mode (check with "fastboot devices")
- Run "fastboot flash boot boot.img" using boot.img from the revert-stock.zip
- Run "fastboot flash recovery recovery.img" using recovery.img from the revert-stock.zip
- Run "fastboot reboot recovery"
- Select "apply update from ADB" in the recovery menu
- Run "adb sideload update-kindle-NS6301_user_1611_0001309035396.bin" on your PC
Other misc information / troubleshooting:
- If you need to disconnect the battery, use a pair of tweezers to grab the wires and gently pull towards yourself. You can do bootrom-step.sh either with or without the battery connected, however fastboot-step.sh should be done with the battery connected.
- If your device is bricked (e.g. from a downgrade), just follow the steps as-is.
- If you're getting an error like "Serial protocol mismatch", or any other error in bootrom-step, try disabling or temporarily uninstalling ModemManager from your Linux
- To remount /system as rw use "mount -o rw,remount /system". ("mount -o remount,rw /system" will not work)
Thanks to: @hwmod @firetablethelp for testing different versions of the payload.
Special thanks to: aftv2-tools contributors https://gitlab.com/zeroepoch/aftv2-tools; the bootrom download protocol scripts are largely based on their work

GPL Notice:
- Source code for modified TWRP is available from https://github.com/xyzz/android_bootable_recovery
- Source code for amonet/brom-payload is available from https://github.com/xyzz/amonet/tree/master/brom-payload
Device tree to build TWRP: https://github.com/xyzz/android_device_amazon_karnak
Additionally, source code of the full exploit chain is available from https://github.com/xyzz/amonet
When I finish the writeup for this vulnerability, I'll update this post with a URL to the writeup.
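As an added helper (not part of the guide or the amonet scripts), this Python snippet reads kernel log lines like the ones shown in step 7 and reports whether the device that appeared is the 0e8d:0003 bootrom ACM port; the sample log re-uses the guide's four lines plus one constructed non-matching device, and `check_step7` / `find_bootrom_port` are assumed names.

```python
import re

# USB ids of the MediaTek bootrom download device as shown in step 7 of the guide.
BOOTROM_VID, BOOTROM_PID = "0e8d", "0003"

FOUND_RE = re.compile(
    r"usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ACM_RE = re.compile(r"cdc_acm (?P<path>[\d.-]+):[\d.]+: (?P<tty>ttyACM\d+): USB ACM device")

# Sample kernel log: the four lines from step 7 of the guide.
SAMPLE_DMESG = """\
[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
[10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
[10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
"""

# Constructed sample: some other device (made-up ids) on a different port, no ACM.
OTHER_DEVICE_ONLY = """\
[10950.100000] usb 3-2.4.2: New USB device found, idVendor=1234, idProduct=5678
"""


def parse_usb_events(log):
    """Map each USB port path to the vid/pid it enumerated with and its ttyACM name."""
    devices = {}
    for line in log.splitlines():
        m = FOUND_RE.search(line)
        if m:
            dev = devices.setdefault(m.group("path"), {"vid": None, "pid": None, "tty": None})
            dev["vid"], dev["pid"] = m.group("vid"), m.group("pid")
            continue
        m = ACM_RE.search(line)
        if m:
            dev = devices.setdefault(m.group("path"), {"vid": None, "pid": None, "tty": None})
            dev["tty"] = m.group("tty")
    return devices


def find_bootrom_port(log):
    """Return the ttyACM name of the 0e8d:0003 bootrom device, or None."""
    for dev in parse_usb_events(log).values():
        if (dev["vid"], dev["pid"]) == (BOOTROM_VID, BOOTROM_PID) and dev["tty"]:
            return dev["tty"]
    return None


def check_step7(log):
    """Return (status, detail): 'ok', 'not-bootrom' (retry from step 4) or 'none'."""
    devices = parse_usb_events(log)
    tty = find_bootrom_port(log)
    if tty:
        return ("ok", "bootrom device on /dev/%s; bootrom-step.sh should pick it up" % tty)
    if devices:
        seen = ", ".join("%s:%s" % (d["vid"], d["pid"]) for d in devices.values() if d["vid"])
        return ("not-bootrom", "only saw %s; unplug, shut down and retry from step 4" % seen)
    return ("none", "no new USB device seen yet")


if __name__ == "__main__":
    print(check_step7(SAMPLE_DMESG))
    print(check_step7(OTHER_DEVICE_ONLY))
```

Run it against `dmesg | tail` output after plugging in the cable in step 6.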
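To go with the note above that the exploit takes over the first 0x400 bytes of boot.img/recovery.img, here is an added Python check (not from the guide or from amonet) that reports whether an image still begins with a standard Android boot header and whether its size matches the header's page accounting, so you can tell a plain image from one whose prefix has been replaced before deciding what to flash it with; the sample image and the 0x400-byte replacement prefix are constructed, and the function names are assumptions.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Classic (v0/v1) Android boot header: magic, kernel_size, kernel_addr,
# ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr, page_size,
# header_version, os_version, name[16], cmdline[512], id[32]  (608 bytes)
HEADER_FMT = "<8s10I16s512s32s"
PREFIX_LEN = 0x400  # the region the guide says the exploit occupies


def _pages(n, page_size):
    return (n + page_size - 1) // page_size


def make_sample_boot_image(kernel, ramdisk, page_size=2048):
    """Constructed plain boot image (addresses are arbitrary sample values)."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x40080000,
                      len(ramdisk), 0x44000000, 0, 0, 0x40000100, page_size,
                      0, 0, b"sample", b"console=null", b"\x00" * 32)

    def pad(b):
        return b + b"\x00" * (-len(b) % page_size)

    return pad(hdr) + pad(kernel) + pad(ramdisk)


def replace_prefix(image, blob):
    """Constructed stand-in for anything that rewrites the first 0x400 bytes."""
    if len(blob) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 0x400 bytes")
    return blob + image[PREFIX_LEN:]


def inspect_boot_image(image):
    """Report whether the first 0x400 bytes are a stock header and if sizes add up."""
    prefix = image[:PREFIX_LEN]
    if len(prefix) < PREFIX_LEN or not prefix.startswith(BOOT_MAGIC):
        return {"stock_header": False,
                "reason": "first 0x400 bytes are not an ANDROID! header"}
    f = struct.unpack_from(HEADER_FMT, prefix)
    kernel_size, ramdisk_size, second_size, page_size = f[1], f[3], f[5], f[8]
    if page_size not in (2048, 4096, 8192, 16384):
        return {"stock_header": False, "reason": "implausible page_size %d" % page_size}
    expected = page_size * (1 + _pages(kernel_size, page_size)
                            + _pages(ramdisk_size, page_size)
                            + _pages(second_size, page_size))
    return {"stock_header": True, "page_size": page_size,
            "kernel_size": kernel_size, "ramdisk_size": ramdisk_size,
            "expected_size": expected, "size_consistent": len(image) >= expected}


if __name__ == "__main__":
    img = make_sample_boot_image(b"K" * 3000, b"R" * 1000)
    print(inspect_boot_image(img))
    print(inspect_boot_image(replace_prefix(img, b"\x5a" * PREFIX_LEN)))
```

A real image from the device can be checked with `inspect_boot_image(open("boot.img", "rb").read())`.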

You sir, are a marvelous wizard leet haxor. Thanks for this. Will this ever lead to any software solution for root on this tablet? Pardon my noob questions.

beanaman said: (quoting the post above)
The only reason you have to open the tablet is to put the bootrom into download mode. If somebody figures out another way to do that, then yes it can be done completely in software. One way is to brick the tablet by erasing the preloader completely (both copies). However, this would require root (temporarily), and is more dangerous. Ultimately, I figured that the difficulty level here is about as much as replacing a battery (even lower) so I haven't investigated this further.

Thank you for explaining that further. It's nice to have this capability in our toolbox.

Wow! @xyz` you are a genius!
Can this exploit be applied to the Fire 7 7th gen?

xyz` said: (quoting the guide from the first post)
LMFAO I can't ****ing believe this. I'm almost certain this will work on the HD 10 too. You found it before me. Absolutely brilliant. You've just proved many weeks and/or months of my hard research that I've posted in more than a few threads between the Fire 7 forums and here. You just happened to be a lot quicker at this and probably smarter. ACM I discovered a few weeks or months ago on the HD 10. There is a build file that has many ways to set ACM props. Doing this made everything light up on my PC; new drivers were installed and being used, including the preloader drivers. I set my test HD 10 to persist ACM since then, convinced it was one of the possible keys to the puzzle. If you've read anything I've done in the past several weeks and months, you may have been the only one who truly believed anything I had been saying. I don't know who you are or where you came from but I can only thank you. You've made my day, my week and my year. At least now I can say I'm not crazy, hallucinating or 'don't know what I'm doing or talking about.' It will take me a few days to get started, but I'll get right to testing my test HD 10 in the next few days or so.
Edit: I was convinced it had to do with fos_flags too, which I believe is another way to unlock.

Rortiz2 said:
Wow! @xyz` you are a genius!
This exploit can be applied to fire 7 7th gen?
The vulnerability is present on every MediaTek device, so yeah. It will not work as-is because of different addresses (for the crypto device and offsets for LK). Additionally, on the Fire 7 7th gen the eMMC test point is hidden behind the shield that you need to desolder, so you will probably want to find a different way to enter the bootrom download mode.

Great work!
xyz` said:
The vulnerability is present on every mediatek device, so yeah. It will not work as-is because of different addresses (for the crypto device and offsets for LK). Additionally, on Fire 7 7th gen the eMMC test point is hidden behind the shield that you need to desolder, so you will probably want to find a different way to enter the bootrom download mode.
This is very promising. Could you please elaborate on what exactly needs to be modified to port this to other MTK hardware?
I have a Fire 5th gen here and I can access brom mode by pressing the left mute button while plugging in.
I tried your scripts as-is (commenting out the parts that change RPMB or flash partitions) and it gets stuck at
Code:
[2019-01-28 00:01:40.973289] Disable bootrom range checks
Does the hash in load_payload.py (4dd12bdf0ec7d26c482490b3482a1b1f) need to be modified?
I do have the kernel-sources for the device and am willing to investigate correct addressing etc.
Also since this is a boot-rom exploit wouldn't it allow flashing a hacked preloader + lk which just ignore boot-signatures so we can just run a standard twrp?

k4y0z said: (quoting the post above)
So first of all make sure you're accessing bootrom mode and not preloader mode (although if the preloader supports read/write, the exploit should work there as well; I just haven't tested it since on the HD 8 8th gen none of the preloaders support these). I suggest soldering on a UART adapter, then use a 115200 baud rate. When in bootrom DL mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one).
If it's a different SoC, you will have to dump the bootrom and find the offset where the range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well; it's basically calculated as an XOR of the expected data and the actual data that's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under the preloader it's going to be a completely different way to exploit it.
Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc; these can be found by reversing your bootrom dump. At this point it should be possible to get eMMC read/write.
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port the LK exploit as well. So you'll have to figure out whether your LK is vulnerable to the same bug, and port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.

Thanks for your quick reply.
xyz` said:
So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)
I'm pretty sure I'm in boot-rom, my preloader actually has direct read/write using read_mmc.py but that has been fixed in newer preloaders, so I would rather go the boot-rom route.
Have you tried whether pressing the left (or both) volume buttons while plugging in brings you to brom mode as well, like it does on my device?
I'll attach a serial to check for the output.
xyz` said:
If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.
Any hint on how I would dump the bootrom? Also, could you upload your bootrom so I can compare once I get mine?
xyz` said:
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
Willing to put that work in.
xyz` said:
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
Looking forward to your writeup.
xyz` said:
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.
I thought it might be possible to flash a preloader that exploits the same vulnerability, but from your explanation I assume that won't be possible.
For this device it would already be great to be able to overwrite RPMB to downgrade, since there was an LK that allowed booting into unsigned TWRP.

k4y0z said:
Thanks for your quick reply.
I'm pretty sure I'm in boot-rom, my preloader actually has direct read/write using read_mmc.py but that has been fixed in newer preloaders, so I would rather go the boot-rom route.
Have you tried if pressing left (or both) volume buttons while pluging in brings you to brom-mode as well, like it does on my device?
I'll attach a serial to check for the output.
Yep, I've tried and it didn't work, though it could be device-specific. There are several additional ways the preloader can force you into bootrom download mode: for example, if the preloader hits an assertion and you hold volume down, it just deletes itself from eMMC and on the next boot you'd be in bootrom mode (this doesn't work on the HD 8 though, as there's a bug in how it's set up); then there are some button checks that set up SRAMROM_USBDL, which the bootrom checks (but the code for the button check isn't present in the Fire preloader). So unfortunately the only option that worked for me is shorting eMMC to ground.
k4y0z said:
Any hint on how i would dump the bootrom? Also could you upload your boot-rom so I can compare once i got mine?
This will be in the writeup, it's too long to explain here. I'm not sure if I can share my dump since technically it's copyrighted code.
k4y0z said:
I thought it might be possible to flash a preloader that exploits the same vulnerability, but from your explanation I assume that won't be possible.
For this device it would already be great to be able to overwrite RPMB to downgrade, since there was an LK that allowed booting into unsigned TWRP.
Well, we can only flash preloaders signed by Amazon. If you have a preloader/LK combination that doesn't have signature checks, that's great; you can use that.

k4y0z said:
Any hint on how i would dump the bootrom? Also could you upload your boot-rom so I can compare once i got mine?
Also, here's what I used on my Fire 7:
Code:
import struct

# sdr_write32(addr, value) / sdr_read32(addr[, count]) are the host-side
# register read/write helpers from the bootrom download scripts (they are not
# defined in this snippet). Passing a list to sdr_write32 writes consecutive
# words; passing a count to sdr_read32 reads that many words.
# 0x11010000 is the crypto engine base on this SoC (CRYPTO_BASE differs per SoC).


def call_func(func):
    # Issue command 'func' to the crypto engine and wait for completion.
    sdr_write32(0x11010804, 3)
    sdr_write32(0x11010808, 3)
    sdr_write32(0x11010C00, func)
    sdr_write32(0x11010400, 0)
    while not sdr_read32(0x11010800):
        pass
    if sdr_read32(0x11010800) & 2:
        # error flag raised; wait for the engine to settle, then report failure
        if not (sdr_read32(0x11010800) & 1):
            while not sdr_read32(0x11010800):
                pass
        result = -1
        sdr_write32(0x11010804, 3)
    else:
        while not (sdr_read32(0x11010418) & 1):
            pass
        result = 0
        sdr_write32(0x11010804, 3)
    return result


def hw_acquire():
    sdr_write32(0x11010000, sdr_read32(0x11010000) & 0xFFFFFFF0)
    sdr_write32(0x11010000, sdr_read32(0x11010000) | 0xF)
    sdr_write32(0x11010004, sdr_read32(0x11010004) & 0xFFFFDFFF)


def hw_release():
    sdr_write32(0x11010000, sdr_read32(0x11010000) & 0xFFFFFFF0)
    sdr_write32(0x11010000, sdr_read32(0x11010000) | 0xF)


def init():
    # Clear the descriptor registers and the key/IV slots.
    sdr_write32(0x11010C0C, 0)
    sdr_write32(0x11010C10, 0)
    sdr_write32(0x11010C14, 0)
    sdr_write32(0x11010C18, 0)
    sdr_write32(0x11010C1C, 0)
    sdr_write32(0x11010C20, 0)
    sdr_write32(0x11010C24, 0)
    sdr_write32(0x11010C28, 0)
    sdr_write32(0x11010C2C, 0)
    sdr_write32(0x11010C00 + 18 * 4, [0] * 4)
    sdr_write32(0x11010C00 + 22 * 4, [0] * 4)
    sdr_write32(0x11010C00 + 26 * 4, [0] * 8)


def aes_read16(addr):
    # Read 16 bytes at 'addr' by running an AES decrypt over them and
    # collecting the result from the IV slot.
    sdr_write32(0x11010C04, addr)
    sdr_write32(0x11010C08, 0)  # dst to invalid pointer
    sdr_write32(0x11010C0C, 1)
    sdr_write32(0x11010C14, 18)
    sdr_write32(0x11010C18, 26)
    sdr_write32(0x11010C1C, 26)
    if call_func(126) != 0:  # aes decrypt
        raise Exception("failed to call the function!")
    words = sdr_read32(0x11010C00 + 26 * 4, 4)  # read out of the IV
    data = b""
    for word in words:
        data += struct.pack("<I", word)
    return data


def aes_write16(addr, data):
    # Write 16 bytes to 'addr': pre-XOR the data with the fixed pattern, load
    # it as the IV, and let an AES decrypt of a known all-zero source block
    # produce the wanted bytes at the destination.
    if len(data) != 16:
        raise RuntimeError("data must be 16 bytes")
    pattern = bytes.fromhex("6c38d88958fd0cf51efd9debe8c265a5")
    # iv-xor
    words = []
    for x in range(4):
        word = data[x * 4:(x + 1) * 4]
        word = struct.unpack("<I", word)[0]
        pat = struct.unpack("<I", pattern[x * 4:(x + 1) * 4])[0]
        words.append(word ^ pat)
    sdr_write32(0x11010C00 + 18 * 4, [0] * 4)
    sdr_write32(0x11010C00 + 22 * 4, [0] * 4)
    sdr_write32(0x11010C00 + 26 * 4, [0] * 8)
    sdr_write32(0x11010C00 + 26 * 4, words)
    sdr_write32(0x11010C04, 0xE680)  # src to VALID address which has all zeroes (otherwise, update pattern)
    sdr_write32(0x11010C08, addr)  # dst to our destination
    sdr_write32(0x11010C0C, 1)
    sdr_write32(0x11010C14, 18)
    sdr_write32(0x11010C18, 26)
    sdr_write32(0x11010C1C, 26)
    if call_func(126) != 0:  # aes decrypt
        raise Exception("failed to call the function!")
Try calling aes_read16(0) and see if it returns valid looking data (should start with "07 00 00 EA FE FF FF EA FE FF FF EA FE FF FF EA")

xyz` said:
Also, here's what I used on my Fire 7:
Try calling aes_read16(0) and see if it returns valid looking data (should start with "07 00 00 EA FE FF FF EA FE FF FF EA FE FF FF EA")
It seems to just hang with both aes_read16 and aes_write16.
It is probably related to the CRYPTO_BASE.
I tried finding the correct one here: https://github.com/chaosmaster/andr...ch/arm/mach-mt8127/include/mach/mt_reg_base.h
but didn't seem to find anything useful (I tried CRYPTO_BASE = 0x1101B000, but that doesn't work either)

k4y0z said:
It seems to just hang with both aes_read16 and aes_write16.
It is probably related to the CRYPTO_BASE.
I tried finding the correct one here: https://github.com/chaosmaster/andr...ch/arm/mach-mt8127/include/mach/mt_reg_base.h
but didn't seem to find anything useful (I tried CRYPTO_BASE = 0x1101B000, but that doesn't work either)
So what you can do is download a firmware update for your device, load up the preloader in IDA (or a disassembler of your choice) and search for "hw sha". You should see it used like this: https://i.imgur.com/1PcObV7.png. Then inside that function https://i.imgur.com/wvpq5Qm.png the first call is essentially hw_acquire, then hash, then hw_release. Going further https://i.imgur.com/D5Z9UoM.png. So the base in my case is 0x10210000. You should figure out at which point it hangs, if it's inside one of the while loops, make sure you call init() and hw_acquire() first (it's not always required, seems to be hw-dependent)

Porting the hack to Fire 7" 7th Generation
xyz` said:
So first of all make sure you're accessing bootrom mode and not preloader mode (Although if the preloader supports read/write, the exploit should work there as well, I just haven't tested it since on hd 8 8th gen none of preloaders support these). I suggest soldering on a UART adapter, then use 115200 baud rate. When in bootrom dl mode, you should see "[DL] 00000BB8 444C0005 010701" (basically, the "[DL]" part is the important one)
If it's a different soc, you will have to dump the bootrom and find the offset where range check data is stored (in my case, 0x102868). You might have to modify the 4dd12bdf0ec7d26c482490b3482a1b1f part as well, it's basically calculated as a xor of expected data and actual data it's written. Then, you'll also need to update the pointer I'm overwriting (0x1028A8 in my case, called ptr_send in brom-payload). Again, if executing under preloader it's gonna be completely different way to exploit it.
Once all this is done, you should be able to load binary payloads and execute them in bootrom mode. You'll also need to edit brom-payload and set up proper pointers to send_dword/recv_dword/etc, these can be found by reversing your bootrom dump. At this point it should be possible to get emmc read/write.
Finally, if you want a persistent unlock (and not just the ability to modify /system) you'll need to port lk exploit as well. So you'll have to figure if your lk is vulnerable to the same bug, port microloader, inject_microloader.py and lk-payload to use the proper offsets. It's a lot of work.
I'll hopefully finish my writeup in the next weeks and post a link to it, that should be easier to understand since I'll explain the whole process from start to finish.
You're right about being able to load a custom preloader/lk, however the bootrom exploit requires a PC connection and a bunch of USB commands (so in a way, it's "tethered"). The actual unlock exploit isn't using any bootrom bugs, but rather the lk bug, since that one works without a PC. In fact, the bootrom exploit is only used to flash stuff to eMMC (but, of course you could probably do more fun stuff with it) in my chain.
That was smart of you, @xyz, a genial solution.
You have proven that the "chain of trust" was a joke.
Many have said that what we were trying was impossible.
Did you realize on the 7" 7th Gen there are RST and EINT pads on the back of the photo I sent?
Can we port your method to the 7th Gen by using RST instead of CLK to stop the MCU accessing the eMMC?
Also the "watchdog" you disabled is on the RTC device of the MT6323 PMIC chip, which in turn is on the I2C bus.
I can write to the I2C bus using a Bus Pirate v4; I already tried some writes and it seems I can do that too as an alternative.
Again, the pads for accessing the I2C bus are on the back of the PCB of 7th Gen tablets; they are labelled SCL2 and SDA2.
In a couple of weeks, or less, you have shown that Lab126 didn't deserve all that money for such a fake security mechanism.
I confirm that zeroing the "preloader" in "mmcblk0boot0" also forces the MCU to enter [DL] mode.
I was sure that investing time on the [DL] mode would have paid back.
Again, congratulations for the achievement and thank you for the time you have put into this.
.:HWMOD:.

hwmod said:
Did you realize on the 7" 7th Gen there are RST and EINT pads on the back of the photo I sent?
Can we port your method to the 7th Gen by using RST instead of CLK to stop the MCU accessing the eMMC?
I haven't tried with RST. Try it and see if you get a "[DL]" message on uart, if you do then it should work.
hwmod said:
Also the "watchdog" you disabled is on the RTC device of the MT6323 PMIC chip which in turn is on the I2C bus.
I can write to the I2C bus using a Bus Pirate v4, I already tried some write and seems I can do that too as an alternative.
Again the pads for accessing the I2C bus are on the back of the PCB of 7th Gen. tablets, they are labelled SCL2 and SDA2.
Yeah, I haven't investigated the watchdog too much. I don't think there's anything interesting you can do with it though.
hwmod said:
In a couple of weeks, or less, you have shown that Lab126 didn't deserve all that money for such a fake security mechanism.
I confirm that zeroing the "preloader" in "mmcblk0boot0" also forces the MCU to enter [DL] mode.
I was sure that investing time on the [DL] mode would have paid back.
To be fair to lab126 all of the fail lies solely on mediatek. The bootrom code amazon probably doesn't even have access to, and LK is likely based on mediatek sources (although, it's a really obvious bug in image loading, come on). The boot chain is reasonably secure in its design, it's only the implementation that's flawed.

xyz` said:
So what you can do is download a firmware update for your device, load up the preloader in IDA (or a disassembler of your choice) and search for "hw sha". You should see it used like this: https://i.imgur.com/1PcObV7.png. Then inside that function https://i.imgur.com/wvpq5Qm.png the first call is essentially hw_acquire, then hash, then hw_release. Going further https://i.imgur.com/D5Z9UoM.png. So the base in my case is 0x10210000. You should figure out at which point it hangs, if it's inside one of the while loops, make sure you call init() and hw_acquire() first (it's not always required, seems to be hw-dependent)
Sadly I don't have the IDA decompiler, so just assembler it is :/
I did however find the correct CRYPTO_BASE I believe:
Code:
CRYPTO_BASE = 0x11010000
that gives the following output with aes_read16:
Code:
b'\x07\x00\x00\xea\xfe\xff\xff\xea\xfe\xff\xff\xea\xfe\xff\xff\xea'
aes_write16 now fails with "RuntimeError: ERROR: Serial protocol mismatch".
Can I dump the boot-rom with this now?

First of all, congrats and big thanks!
So, any hope for the 2017 HD8?

k4y0z said:
Sadly I don't have the IDA decompiler, so just assembler it is :/
I did however find the correct CRYPTO_BASE I believe:
Code:
CRYPTO_BASE = 0x11010000
that gives the following output with aes_read16:
Code:
b'\x07\x00\x00\xea\xfe\xff\xff\xea\xfe\xff\xff\xea\xfe\xff\xff\xea'
aes_write16 now fails with "RuntimeError: ERROR: Serial protocol mismatch".
Can I dump the boot-rom with this now?
Yeah, just go through all of the bootrom memory (0 to 0x20000, just to be sure, in 16-byte increments), call aes_read16 on it, concatenate everything and you'll get your bootrom dumped. It should end with a bunch of FF bytes, so that's how you can tell the actual size.
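The following is an added example, not code from the thread or from amonet, that models the two hardware-AES primitives xyz` posted above (aes_read16 / aes_write16) and the bootrom dump loop described in this reply, so the mechanism can be run offline. The crypto engine is simulated in pure Python: the SoC's block decryption is replaced by a keyed PRF that the attacker-side code never sees the key of, the "valid address which has all zeroes" (0xE680 in the thread) becomes a `zero_addr` parameter, and `learn_pattern()` is one way to recover the D_k(0) "pattern" constant that the thread hard-codes; all of that, plus the toy address space in `build_demo()`, is constructed for the demo and is not what the real registers do bit for bit.

```python
# Added example (not code from the thread): a runnable model of the two
# hardware-AES primitives and of the bootrom dump loop. The real primitives
# poke CRYPTO_BASE registers over the amonet serial link; here the engine is
# simulated in pure Python. Assumptions are marked as such in the comments.
import hashlib

BLOCK = 16
# Expected first 16 bytes of the dump, as given in the thread: an ARM vector
# table whose first entry branches to the reset handler.
ROM_VECTOR_PREFIX = bytes.fromhex("070000EAFEFFFFEAFEFFFFEAFEFFFFEA")


def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedAesEngine:
    """Stand-in for the SoC crypto block in CBC-decrypt mode (assumption: it
    decrypts one block from src into dst as P = D_k(C) ^ IV and leaves the IV
    register holding the last ciphertext block, which is the CBC chaining
    behaviour the read primitive relies on). D_k is modelled as a keyed PRF,
    not real AES; the attacker-side code below never sees the key."""

    def __init__(self, memory, secret_key):
        self.mem = memory
        self._key = secret_key
        self.iv = bytes(BLOCK)

    def _decrypt_block(self, c):
        return hashlib.blake2s(c, key=self._key, digest_size=BLOCK).digest()

    def _load(self, addr):
        chunk = bytes(self.mem[addr:addr + BLOCK])
        return chunk + b"\xff" * (BLOCK - len(chunk))  # unmapped reads as 0xFF

    def cbc_decrypt_one(self, src, dst, iv):
        c = self._load(src)
        plain = xor16(self._decrypt_block(c), iv)
        if dst is not None:            # dst == None models "dst to invalid pointer"
            self.mem[dst:dst + BLOCK] = plain
        self.iv = c                    # IV register now holds the ciphertext block


class AesPrimitives:
    """Attacker-side read/write built only from cbc_decrypt_one."""

    def __init__(self, engine, zero_addr):
        self.eng = engine
        self.zero_addr = zero_addr     # a VALID address known to hold 16 zero bytes
        self.pattern = None            # D_k(0), the "pattern" constant in the thread

    def read16(self, addr):
        # Decrypt the block at addr into nowhere; the ciphertext (= the memory
        # contents) is left in the IV register and read back from there.
        self.eng.cbc_decrypt_one(addr, None, bytes(BLOCK))
        return self.eng.iv

    def learn_pattern(self, scratch_addr):
        # Assumption: one way to recover D_k(0) on a new device is to decrypt
        # the zero block with IV = 0 into writable scratch and read it back;
        # the thread hard-codes the value for its device.
        self.eng.cbc_decrypt_one(self.zero_addr, scratch_addr, bytes(BLOCK))
        self.pattern = self.read16(scratch_addr)
        return self.pattern

    def write16(self, addr, data):
        if len(data) != BLOCK:
            raise ValueError("data must be 16 bytes")
        if self.pattern is None:
            raise RuntimeError("call learn_pattern() first")
        # CBC decrypt of the zero block yields D_k(0) ^ IV, so choosing
        # IV = data ^ D_k(0) makes the engine store exactly `data` at addr.
        self.eng.cbc_decrypt_one(self.zero_addr, addr, xor16(data, self.pattern))


def dump_rom(read16, start=0, end=0x20000):
    """Read [start, end) in 16-byte steps and trim the trailing 0xFF fill,
    which is how the thread says to find the real ROM size."""
    raw = b"".join(read16(a) for a in range(start, end, BLOCK))
    return raw.rstrip(b"\xff")


def looks_like_bootrom(dump):
    return dump.startswith(ROM_VECTOR_PREFIX)


def build_demo():
    """Constructed toy address space: a small fake ROM followed by 0xFF fill,
    a zero block at 0x300 and scratch at 0x310 (all made up for the demo)."""
    mem = bytearray(b"\xff" * 0x400)
    rom = ROM_VECTOR_PREFIX + bytes(range(0x40))
    mem[0:len(rom)] = rom
    zero_addr, scratch = 0x300, 0x310
    mem[zero_addr:zero_addr + BLOCK] = bytes(BLOCK)
    eng = SimulatedAesEngine(mem, secret_key=b"device-key-unknown-to-attacker")
    prim = AesPrimitives(eng, zero_addr)
    prim.learn_pattern(scratch)
    return mem, prim, rom


if __name__ == "__main__":
    mem, prim, rom = build_demo()
    dump = dump_rom(prim.read16, 0, 0x200)
    print("first block:", dump[:BLOCK].hex(), "ok" if looks_like_bootrom(dump) else "BAD")
    prim.write16(0x100, b"A" * BLOCK)
    print("write-back ok:", prim.read16(0x100) == b"A" * BLOCK)
```

On a real device `prim.read16` would be replaced by the posted `aes_read16` over the serial link, and, as xyz` notes above, `init()` and `hw_acquire()` may have to be called first if the engine's wait loops hang. The `rstrip` step only trims the 0xFF fill after the image; if a ROM genuinely ended in 0xFF bytes those would be lost, so compare the trimmed length against what the disassembly expects.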

Related

[HELP!] Velocity Cruz T301 Full Brick Recovery

Hi XDA,
So basically I bought a Velocity Cruz T301 recently and followed the known procedures for rooting, flashing ClockworkMod Recovery and a custom ROM (SJHill Rom v0.3).
Before the full brick my device was at ClockworkMod 5 and rooted with SJHill Rom v0.3.
I installed CWM by flashing the zip in stock recovery, then successfully rooted the device, and finally wiped and flashed my custom ROM.
After major disappointment in this tablet's performance I decided I wanted to get rid of it.
So I downloaded the stock ROM, wiped and flashed it onto the tablet...
The tablet turned off when it was finished (I think it was attempting to reboot) and never turned back on again... EVER! :good:
I can't even get to recovery.
I tried flashing with adb and fastboot, but the device never even presents itself to the computer.
I found out that you can boot the device into USB boot mode, where you hold the "VOL -" (Volume Down) button and press the reset button, and while connected to the computer (Windows only) a "JZ4760 USB Boot Device" appears.
I did some googling and also found out that the T301 is based on similar tech to a bunch of tablets, and they can all be modified by some software released by Ingenic called USBBootTool.exe.
The tool is written in Chinese and I can't decipher it all, though I found out how to use it based on its usage for other Ingenic-based tablets:
1.) You will need to disable driver signature verification (press F8 on boot of Windows and toggle the setting; I hate rebooting too but it has to be done).
2.) Boot your tablet into USB Boot Mode (hold down Vol - and press the Reset button).
3.) Install the driver for your device (included in the files below).
4.) With the tablet disconnected, open USBBootTool.exe.
5.) Select your tablet in the options and fill each box with the files needed to flash (files included below).
6.) Reconnect the tablet while still in USB Boot Mode and the software will flash your device on detection.
Everything goes fine for me except when I get to the flashing part at the end.
When USBBootTool detects my tablet, it attempts to flash and gives me a stream of errors and never flashes my device.
I don't know what to do at this point. I have provided direct links to all the software I'm using and also links to where I got them.
Any help would be appreciated. Thank you to the XDA community in advance.
>------------------- DOWNLOADS ------------------------<
USBBootTool.exe / Tablet Drivers (4725 / 4725B / 4740 / 4750 / 4755 / 4760 / 4770)
http://dl.dropbox.com/u/79196608/burn_tools_3.0.16.rar
obtained from - http://forum.xda-developers.com/showthread.php?t=1720621
Velocity Cruz T301 Update.zip (contains the system.img / data.img / mbr-xboot.bin files)
http://www.cruztablet.com/T301update.zip
obtained from - http://www.cruztablet.com/Article_861.php
SJHill Rom v0.3
http://www.androidfilehost.com/?fid=9390362690511176486
obtained from - http://www.slatedroid.com/topic/27583-rom-t301-sjhill-rom-17-feb-2012-download-link-updated/
ClockworkMod 5
http://files.androtab.info/ingenic/cwm/20120514/T301-recovery-signed.zip
obtained from - http://androtab.info/mips/ingenic/clockworkmod/
I have the same situation. I have gone through every menu in the USB Boot tool and to no avail am I able to recover my T100.
gmick is redoing the software because the coding is set up wrong. Once he gets that figured out there should be a fool proof unbricking method that we can follow. He is posting information over on Slate Droid if you want to take a look.
feyerbrand said:
gmick is redoing the software because the coding is set up wrong. Once he gets that figured out there should be a fool proof unbricking method that we can follow. He is posting information over on Slate Droid if you want to take a look.
OK, post the link to the thread, and I'll add it to the first post as a solution if it's found to be a working one.
JustSayTech said:
OK, post the link to the thread, and I'll add it to the first post as a solution if it's found to be a working one.
*Cross Post from SlateDroid* (but I can't post the link because XDA won't allow it)
I found out why the USB boot isn't working. Well, more appropriately I know where it fails but not exactly "why".
The USB Boot tool works like this:
1) Send x00 command (Get CPU Info)
2) Device responds with "JZ4760V1"
3) Host sends two binaries, stage1 and stage2. Stage 1 sets up memory stuff, and Stage 2 sets up USB flashing functions.
4) Host checks that the binaries executed by issuing another x00 command (Which serves as an "Are you still there?" function)
5) If the response is good, the host will flash the images, if the response is bad, it will abort.
Our devices are failing at step 4. The linux usb boot tools (xburst-tools) fail in an identical fashion.
I know that the first stage binary transfers and executes fine because if it didn't the device would be limited to 16k. The second stage is 120K and is transferred successfully. Once the second stage "execute" command is sent, the device crashes.
The second stage is also unique to the CPU type. I've used all of the binaries for JZ4760 I could find on the net and when that failed I cross compiled my own binary from source and it still crashed.
At this point I highly doubt I'll ever be able to fix it, and this completely explains why no one could get any usb recovery tool to work while others using similar devices could. I guess our board is modified just enough for ingenic's stock binaries to fail. Without knowing what's changed (getting Velocity Micro's source) we're SOL.
I can open it up again and solder on the serial header but I'm betting it's going to give me some generic "couldn't execute" message that isn't going to help me. I'll probably do this anyway though because I've come this far so what's the loss.
Wow, I learned a lot from that post. It seems like writing a USBBootTool-like application that can send the commands but also log and possibly bypass security checks etc. would definitely take some time. Thank you for your insight; it seems you've come the closest to cracking the case. Actually you found the fault; hopefully your methods can eventually bring about a fix.
JZ 4770
gmick said:
*Cross Post from SlateDroid* (but I can't post the link because XDA won't allow it)
I found out why the USB boot isn't working. Well, more appropriately I know where it fails but not exactly "why".
The USB Boot tool works like this:
1) Send x00 command (Get CPU Info)
2) Device responds with "JZ4760V1"
3) Host sends two binaries, stage1 and stage2. Stage 1 sets up memory stuff, and Stage 2 sets up USB flashing functions.
4) Host checks that the binaries executed by issuing another x00 command (Which serves as an "Are you still there?" function)
5) If the response is good, the host will flash the images, if the response is bad, it will abort.
Our devices are failing at step 4. The linux usb boot tools (xburst-tools) fail in an identical fashion.
I know that the first stage binary transfers and executes fine because if it didn't the device would be limited to 16k. The second stage is 120K and is transferred successfully. Once the second stage "execute" command is sent, the device crashes.
The second stage is also unique to the CPU type. I've used all of the binaries for JZ4760 I could find on the net and when that failed I cross compiled my own binary from source and it still crashed.
At this point I highly doubt I'll ever be able to fix it, and this completely explains why no one could get any usb recovery tool to work while others using similar devices could. I guess our board is modified just enough for ingenic's stock binaries to fail. Without knowing what's changed (getting Velocity Micro's source) we're SOL.
I can open it up again and solder on the serial header but I'm betting it's going to give me some generic "couldn't execute" message that isn't going to help me. I'll probably do this anyway though because I've come this far so what's the loss.
For my JZ4770, earlier the USB tool was flashing .img without any problem, but now it is saying "load cfg failed", "API download failed" like dialogues and doesn't flash anything. Any idea? Thanks in advance!!
First restart your computer (actually restart it) then redownload the USB boot tool and save it in a completely new directory and use a different USB port
Sent from my Pokeball
Yes, I did
JustSayTech said:
First restart your computer (actually restart it) then redownload the USB boot tool and save it in a completely new directory and use a different USB port
Sent from my Pokeball
Yes, I tried this suggestion. Rather, I reinstalled XP and then tried again, but the dialogues are the same. The history is like this: I had ICS on the JZ4770. I formatted with the USB tool and put on the JB updates. It was not sensing touch, so I reflashed another JB update. Now the tab boots, reaches the boot logo for around 12 seconds and restarts into stock recovery. While it is in the booting stage it gets detected by Windows and by adb too. In stock recovery mode it gets detected by Windows and in turn by adb. If I try to install updates through the SD card it shows they have installed and reboots after completion, but again it goes to the boot logo and then back to stock JB recovery. It also boots in Ingenic boot device mode and gets detected by the USB burn tools, but when I try to flash any of the ROMs it gives the same dialogues "check cfg failed", "api download failed", "boot. fw failed" and can't flash anything.
Is there any tool which can be flashed, or a script which can be used from the SD card, for completely formatting the flash memory so that the USB burn tool can flash the required ROM?
Can you flash the stock ROM in recovery?
Managed using USB BOOT TOOL for ingenic JZ 4770 board in English
JustSayTech said:
can you flash the stock rom in recovery?
Thanks man, but I managed to boot the device. I used the following USB BOOT TOOL for Ingenic 4770 boards. The good thing about this tool is that it is completely in English; you will know what you are doing. Even after opening the main window of the tool you can right-click and get more options (yes, again in English). My problem with this device was bad blocks at 1024. In the options there is a chance to force-erase all the NAND partitions, which I used; that erased all the partitions and thereby made all the partitions available for flashing and readable by the tool. Then from the File option I selected the stock ROM files and flashed them. While flashing I selected the JZ4770 iNanad.ini file in manual configuration. This tool has really helped me to get out of the issue and will be useful for guys using the JZ4770 board.
http://www.4shared.com/rar/m1BUV5r2/USBBurnTool_20120401_for_relea.html
Got USBBootTool.exe kind of working.
1. Download the following file from Ingenic.
ftp * ingenic * cn/3sw/01linux/tmp/jz4770-20110610.rar
2. Download Applocale from Microsoft.
www * microsoft * com/en-us/download/details.aspx?id=13209
3. Extract the jz4770-20110610.rar and find the folder. (Using 7zip should keep the UTF encoding in Chinese)
20110610\04burn\20110524_4770_Programmer
4. Copy the folder 20110524_4770_Programmer to location you want to use it in.
5. Install Microsoft Applocale (Just in case, I don't think it is required)
Now Start Applocale and create a shortcut to USBbootTool.exe inside 20110524_4770_Programmer
中文(简体) is simplified Chinese option and should let you view the GUI correctly.
6. Now with the Applocale Shortcut created for USBbootTool.exe you can start the application with correct fonts.
Now this is where it breaks down.
TABLET-8 NAND FINAL BSP(S3 TEST) will allow you to read from it and write to it, but the CFG is off.
\tool_cfg\tablet-8-nand-final.ini is the configuration for it.
DO NOT CONNECT THE DEVICE WITH ANY OPTIONS CHECKED OR LOAD ANY FILES.
See Attached Images.
Next to the Read button is some Boot Option menu. I am not fully aware of what this does.
What I need is a someone to help me fix/correct the ini/cfg files in
\20110524_4770_Programmer\tool_cfg\.ini
\20110524_4770_Programmer\4760\
to correctly match the files of the NAND.
Also if anyone has a copy (dd to img) or (cat to img) of the block devices.
That would help a ton.
# cat /proc/partitions
# cat /proc/mtd
I would also love another T10x Tablet for cheap.
I want to start building things like new bootloader, kernel, system image,
performance libraries to take full use of the Ingenic JZ4760 (www * ingenic * cn/product.aspx?CID=11)
I also bring Christmas gifts
2 APKS. You can place them in /system/app or /data/app.
Google Play will crash now and again, but it will load and work. (Vending.apk)
Secondly I bring the gift of performance increase, just by a slight bit.
edit the line of the heapsize in /system/build.prop dalvik.vm.heapsize=96m
Remember to make sure the permissions are set back to 666 or 644.
Original Vending.Apk before updates came from here (in case you are paranoid):
code * google * com/p/ics-nexus-s-4g/source/browse/trunk/system/app/Vending.apk?spec=svn20&r=18
ics-nexus-s-4g * googlecode * com/svn-history/r18/trunk/system/app/Vending.apk
To prevent spam on the XDA forums, ALL new users prevented from posting outside links in their messages. After approximately 10 posts, you will be able to post outside links. Thank you for
Stupid. How do you expect real people to help post tech docs? That is bad moderating and administrating.
Make sure to replace the asterisks (with spaces) by normal dots.
Requesting Block Images.
Does anyone have a copy of it they can send me for a T10x?
block images......
IceGryphon said:
Does anyone have a copy of it they can send me for a T10x?
Which block images do you want?
...also, is there a way to rip the stock images off the JZ4760 in the T301?
Such as:
Can I use the Ingenic uboot tool?
Anybody find the JTAG pins?
Is the 4-pin connector next to the battery for serial?
...I guess I'll try to take a look this weekend.
ICS would be really nice, but probably slower than stock... especially with the limited RAM.
I unpacked the stock ROM. I also unpacked an ICS ROM for a JZ4770, and repo sync'd the AOSP and MIPS 3.0.8 Android kernel.
I'm still trying to figure out specs for the processor though. I know that it's mips32 - el- fp- r1, but I cannot figure out the DSP version... if it has one?
Error in erasing nand
nanachitang420 said:
Thanks man, but I managed to boot the device. I used the following USB BOOT TOOL for Ingenic 4770 boards. The good thing about this tool is that it is completely in English; you will know what you are doing. Even after opening the main window of the tool you can right-click and get more options (yes, again in English). My problem with this device was bad blocks at 1024. In the options there is a chance to force-erase all the NAND partitions, which I used; that erased all the partitions and thereby made all the partitions available for flashing and readable by the tool. Then from the File option I selected the stock ROM files and flashed them. While flashing I selected the JZ4770 iNanad.ini file in manual configuration. This tool has really helped me to get out of the issue and will be useful for guys using the JZ4770 board.
http://www.4shared.com/rar/m1BUV5r2/USBBurnTool_20120401_for_relea.html
I used the English Ingenic tool to erase bad blocks, but I'm not able to erase the bad blocks; LiveSuit is giving error id=0x4848.

Linux ISO - Unbrick the Fire HD6/HD7 [Video] [Testers Wanted]

Testers wanted: Anyone who uses this method, let me know if you can access stock recovery after this method.
Summary
Thanks to the amazing work by our active member @bibikalka, a method was found to unbrick these devices Thread link here. The method he found was slightly tedious for some people, so I've decided to put together a Linux iso that you can boot into on your computer with everything you need to get your device running again. It uses the same methods proposed but makes things easier. This comes with all the necessary drivers, scripts to do everything you need, all the img files needed to flash, a hex editor for advanced users, and more. Before the scripts included in this OS, determining the option (A, B, or C) to take in order to unbrick the device required .part files to be evaluated manually. Now with the custom script, it can quickly evaluate what option to take.
Video Instructions
Brief Instructions
1. Download the Linux iso:
Linux ISO
2. Burn the iso to a USB drive or cd
3. Boot into the operating system
4. Type "root" at the login prompt
5. Right click on the desktop and choose file manager. Go to "aftv2-tools" folder
6. Right click on file manager and press "open in terminal"
7. From device turned off, enter command "./handshake.py", then plug in device. You may need to do this a couple times to get a connection. Try pressing volume keys & power etc to get it connected. See video if you have problems
8. After handshake is complete, run "./reader.sh"
9. After all addresses are read in, run "./determineOption.sh". You should get back a result of A, B, or C
10. Depending on the option returned (A, B, or C), run "./readerSpecialOptionA.sh", "./readerSpecialOptionB.sh", or "./readerSpecialOptionC.sh". This is an optional step but may be useful if you want to back up part files or there were no options available. Back up part files to a USB drive if you want to be safe.
11. Now the actual unbricking. Run "./unbrickOptionA.sh", "./unbrickOptionB.sh", or "./unbrickOptionC.sh" depending on your option. This can take about 40 minutes.
12. Hold volume up and run "./complete.sh" at the same time to get into TWRP.
13. Boot into your default operating system on your computer.
BE VERY CAREFUL FROM NOW ON
14. We will be installing Fire OS 5.3.1. If you are not installing this ROM, make sure you know what you are doing. Download the ROM:
update-kindle-20.5.5.2_user_552153420.bin
15. Download 5.4.1_1133_stock_recovery_uboot.zip: 5.4.1_1133_stock_recovery_uboot.zip. Without this you could turn your device into a paperweight. This installs stock recovery and a uboot version that MUST be installed. This file was taken from the thread here: how-to-upgrade-to-lollipop-root-gapps
16. Rename the ROM extension from .bin to .zip.
17. Transfer the two files to the Fire.
18. Do a factory reset. Flash the ROM and the uboot & recovery file.
19. Reboot! Your device should now be working. It will take about 15 minutes to boot up.
Big thanks to @bibikalka for helping work everything out and for the initial unbrick method.
Edit 10/13/21: Fixed Google Drive Link
Linux ISO Changelog
Updated 10/5/16:
*Optimized scripts
*Added "complete.sh" This reboots the device
Updated 9/27/16:
*Added script to auto-detect which unbrick option to use (determineOption.sh)
*Added scripts to write img files to correct addresses ( unbrickOptionA.sh, unbrickOptionB.sh, and unbrickOptionC.sh)
*Added scripts to read in and label part files (readerSpecialOptionA.sh, readerSpecialOptionB.sh, and readerSpecialOptionC.sh)
*Nemo open in terminal fixed
*.part files set to open with ghex by default
Updated 9/24/16:
*Nemo as default file manager
*Updated html page with instructions from forum
Well, after seriously struggling with the parent thread mentioned in the OP I've managed to get to TWRP and am just waiting for my Win10 machine to install its updates before attempting to adb push the uboot and zip files for installation back to FireOS.
Feels great to see the screen displaying something other than the looping Amazon logo after months of frustration. I do not have the words to express my gratitude to @powerpoint45 for an excellent and well thought through tool and walkthrough. Special mention also goes out to @bibikalka.
gascomm said:
Well, after seriously struggling with the parent thread mentioned in the OP I've managed to get to TWRP and am just waiting for my Win10 machine to install its updates before attempting to adb push the uboot and zip files for installation back to FireOS.
Feels great to see the screen displaying something other than the looping Amazon logo after months of frustration. I do not have the words to express my gratitude to @powerpoint45 for an excellent and well thought through tool and walkthrough. Special mention also goes out to @bibikalka.
Great to hear! I hope everything works for you! After you get everything done, can you check if you can get into recovery?
After flashing both zips and rebooting I've now got my working Fire (OS 5.3.1.0) back. Thank you Mr PowerPoint!
I tried rebooting to recovery and it now takes me to the stock Amazon recovery, not TWRP... which is unfortunate.
I did get asked if I wanted to install SuperUser, which was a no-brainer YES, although I'm staying offline until I identify a functional (fast) flavour of Android to flash. Suggestions welcome.
gascomm said:
After flashing both zips and rebooting I've now got my working Fire (OS 5.3.1.0) back. Thank you Mr PowerPoint!
I tried rebooting to recovery and it now takes me to the stock Amazon recovery, not TWRP... which is unfortunate.
I did get asked if I wanted to install SuperUser, which was a no-brainer YES, although I'm staying offline until I identify a functional (fast) flavour of Android to flash. Suggestions welcome.
Good to hear everything is working. Yeah, TWRP does not work with the 5.x bootloader. Good to hear you can get into stock recovery, because I had some incidents where I could not get into it. Thanks for responding. The only custom ROM ATM is CM13.
powerpoint45 said:
The only custom ROM ATM is CM13.
Sorry to trouble you again, but do you know where I can find a guide/walkthrough of how to root via adb and install TWRP or CWM to allow flashing of a ROM and gapps?
I can only find the KingRoot method and the CM11 ROM discussion. Where might I find the CM13 you mentioned?
I have searched fruitlessly. I guess I just need a little guidance to avoid running straight into another brick.
Cheers.
gascomm said:
Sorry to trouble you again, but do you know where I can find a guide/walkthrough of how to root via adb and install TWRP or CWM to allow flashing of a ROM and gapps?
I can only find the KingRoot method and the CM11 ROM discussion. Where might I find the CM13 you mentioned?
I have searched fruitlessly. I guess I just need a little guidance to avoid running straight into another brick.
Cheers.
I meant to say CM11. This guide is probably one of the best http://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950/page1
This is a bit older one: http://forum.xda-developers.com/fire-hd/general/how-to-downgrade-to-4-5-3-root-device-t3139351/page1
In order to have TWRP, you must have a 4.x bootloader so CM11 would work with it.
Thank you.
I have a question: can I downgrade from 5.3.1 to 4.5.3?
I'm currently on version 5.3.1.
PRInCEI7 said:
Thank you.
I have a question: can I downgrade from 5.3.1 to 4.5.3?
I'm currently on version 5.3.1.
Yes, you should be fine doing that.
Unfortunately, did not respond
I worked
MacBook-Air-2:ROOT IP$ ./handshake.py
Waiting for preloader...
Found port = /dev/cu.usbmodem1420
Handshake complete!
In the second step it does not respond to the command ./reader.sh
I also tried
/.read_mmc.py 0x0000000 0x1000 0x0000000.part
It does not respond.
By the way, I tried this on more than one device,
and tried through Mac OS X and the arch-custom-firehd67-unbrick100516.iso system; it did not work, with the same result.
My device is an Amazon Fire HD 6, version 5.3.1. All functions work, but I need to downgrade to 4.5.3.
Is there a solution to my problem?
@powerpoint45 thanks for the pointers. I am now the proud owned of an hd6 booting straight into cm11 & it's been well worth the wait. I am forever in your digital debt.
gascomm said:
@powerpoint45 thanks for the pointers. I am now the proud owned of an hd6 booting straight into cm11 & it's been well worth the wait. I am forever in your digital debt.
sweet!!!
PRInCEI7 said:
Unfortunately, it did not respond.
I ran:
MacBook-Air-2:ROOT IP$ ./handshake.py
Waiting for preloader...
Found port = /dev/cu.usbmodem1420
Handshake complete!
In the second step it does not respond to the command ./reader.sh
I also tried
/.read_mmc.py 0x0000000 0x1000 0x0000000.part
It does not respond.
By the way, I tried this on more than one device,
and tried through Mac OS X and the arch-custom-firehd67-unbrick100516.iso system; it did not work, with the same result.
My device is an Amazon Fire HD 6, version 5.3.1. All functions work, but I need to downgrade to 4.5.3.
Is there a solution to my problem?
I am also getting the same results with my HD 7 4th gen. The handshake completes just fine, but the reader just hangs. When I'm in recovery, I get errors saying the /cache folder failed to mount. I'm thinking the memory is corrupt and there is no way to fix this.
nai1ed said:
I am also getting the same results with my HD 7 4th gen. The handshake completes just fine, but the reader just hangs. When I'm in recovery, I get errors saying the /cache folder failed to mount. I'm thinking the memory is corrupt and there is no way to fix this.
Unfortunately it appears that with the latest bootloader on the latest Amazon update that they have disabled these commands (such as reading and writing). Unfortunately if you can't get into recovery with (vol+ & power) then it is currently unrecoverable. Best option for an unrecoverable device would be to buy another motherboard from eBay or some place. They are pretty cheap and easy to replace. I've had to do it a couple times now.
Confused
First you say it should be OK to downgrade:
powerpoint45 said:
PRInCEI7 said:
Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1
yes you should be fine doing that
Although, it's unclear how, since reports indicate that sideloading older
firmware bricks the device (or, does that only apply to 5.x?).
Then, we learn that the preloader trick (from aftv2-tools) doesn't work anymore:
Code:
[[email protected] aftv2-tools]# ./handshake.py
Waiting for preloader...
Found port = /dev/ttyACM0
Handshake complete!
[[email protected] aftv2-tools]# ./reader.sh
^CTraceback (most recent call last):
File "./read_mmc.py", line 355, in <module>
if msdc_dma_status():
File "./read_mmc.py", line 146, in msdc_dma_status
return False if sdr_read32(MSDC_CFG) & MSDC_CFG_PIO else True
File "./read_mmc.py", line 82, in sdr_read32
check(dev.read(2), b'\x00\x00') # arg check
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 450, in read
ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout)
KeyboardInterrupt
^CTraceback (most recent call last):
File "./read_mmc.py", line 355, in <module>
if msdc_dma_status():
File "./read_mmc.py", line 146, in msdc_dma_status
return False if sdr_read32(MSDC_CFG) & MSDC_CFG_PIO else True
File "./read_mmc.py", line 82, in sdr_read32
check(dev.read(2), b'\x00\x00') # arg check
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 450, in read
ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout)
KeyboardInterrupt
^Z
[1]+ Stopped ./reader.sh
[[email protected] aftv2-tools]# kill %1
[[email protected] aftv2-tools]#
[1]+ Terminated ./reader.sh
[[email protected] aftv2-tools]#
The above is for a 4th gen HD7 with this device showing in 'lsusb':
Code:
Bus 001 Device 006: ID 0e8d:3000 MediaTek Inc.
powerpoint45 said:
Unfortunately it appears that with the latest bootloader on the latest Amazon update that they have disabled these commands (such as reading and writing). Unfortunately if you can't get into recovery with (vol+ & power) then it is currently unrecoverable. Best option for an unrecoverable device would be to buy another motherboard from eBay or some place. They are pretty cheap and easy to replace. I've had to do it a couple times now.
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader? [Please excuse my ignorance, but would this be handled
by UBOOT, TEE1, or some other component?])
So, what's the current best option for 5.3.1?
---------- Post added at 11:23 ---------- Previous post was at 10:58 ----------
draxie said:
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader?
OK. So, I found this post by @zeroepoch,
which makes it very clear that said exercise has been performed for the AFTV2...
No reason to believe that this would be different for the Fire HD7...
draxie said:
First you say it should be OK to downgrade:
Although, it's unclear how, since reports indicate that sideloading older
firmware bricks the device (or, does that only apply to 5.x?).
Then, we learn that the preloader trick (from aftv2-tools) doesn't work anymore:
The above is for a 4th gen HD7 with this device showing in 'lsusb':
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader? [Please excuse my ignorance, but would this be handled
by UBOOT, TEE1, or some other component?])
So, what's the current best option for 5.3.1?
---------- Post added at 11:23 ---------- Previous post was at 10:58 ----------
OK. So, I found this post by @zeroepoch,
which makes it very clear that said exercise has been performed for the AFTV2...
No reason to believe that this would be different for the Fire HD7...
My understanding is that you only need to worry about bricking if you are downgrading to another Lollipop ROM. We found out that the device has a fuse that is set in later Lollipop ROMs where it will check against the current version. But this check only seems to be on Lollipop ROMs. As for the aftv2 protocol, you might be right but I don't know enough about that yet to know. Currently we have no unbrick method for latest bootloader. If you can get into recovery then you could sideload but most can't get into recovery during brick.
I've followed the steps but it doesn't go into TWRP, only the Amazon screen and then a reset. I'm not good at English.
error trying to unbrick hd6
[[email protected] aftv2-tools]# ./complete.sh
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 468, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
[[email protected] aftv2-tools]#
kingwill101 said:
[[email protected] aftv2-tools]# ./complete.sh
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 468, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
[[email protected] aftv2-tools]#
Which version are you on?
Can you access recovery now?

[Root] H901 - For Newbies!

None of the methods in this thread are my own work. I struggled with getting my phone rooted for a long time and spend 10s of hours on the process. I had never rooted before and was therefore unfamiliar with all the terms, unfamiliar with how to complete all the recommended checks to ensure one had the right model, etc. There were several helpful threads but most approach the subject with the assumption that one knows something about the process. In this post I lay out what worked for me in a step-by-step way and what you have to do to achieve my results.
#1 Ensure you have a H-901 motherboard and not the Korean F600 motherboard by checking the sticker, and checking “About Phone” -> “Hardware Info” -> “Model number” in settings. These must both be LG-H901…from what I can tell the community has only developed technique for the H-901 variant.
#2 Get a micro SD card and load it with Magisk https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445 , and if you have Marshmallow or Lollipop and want Nougat (much better experience IMHO), load the files in this thread: https://forum.xda-developers.com/tmobile-lg-v10/development/h901-t-mobile-nougat-v30b-twrp-t3639203 And maybe this thread as well (read both and then decide): https://forum.xda-developers.com/tm.../h901-t-mobile-nougat-v30c-flashable-t3744648
#3 Ensure you have unlocked your bootloader. (Apparently only for T-Mobile LG V10s, since other carriers lock the bootloader.) The FWUL virtual machine root method will not work if you have not done so. This is an entire process in itself. The following two videos show how to root Android 6.0 or earlier (the process will not work with Nougat, 7.0, since some fastboot commands are missing). https://youtu.be/OtXlokk6JkQ , https://youtu.be/PPLwFGxLQA4
Also, this thread may be helpful. https://forum.xda-developers.com/tm...t-mobile-bootloader-factory-unlocked-t3236224 , download the nexus root toolkit here for easy ADB command entry http://www.wugfresh.com/nrt/ —we will only use the “Advanced Utilities” -> ”Manual Input” -> ”Launch CMD Prompt”. When it prompts you to select a phone, select the first option and then for android version select Android *** Any. Don’t use any of the other commands because they are not configured for your device.
If you get a “waiting for device” error while attempting the fastboot oem unlock command in the above thread, see: https://forum.xda-developers.com/tmobile-g4/help/fastboot-waiting-device-t3489789 Great video which shows how to change drivers. You will need to do this, I found a number of drivers that were already on my PC from google and Samsung worked although I didn’t have the specific one mentioned in the above thread. Don’t be afraid to experiment… you can always try another driver. And don’t require it to be hardware compatible. Ignore the warning message: https://youtu.be/nQjg6ePnGAc
---------------------------------------------
NOW that you have your bootloader unlocked you can proceed to actually flash the TWRP image as per this thread: https://forum.xda-developers.com/tmobile-lg-v10/general/root-h901-nougat-t3773942
Notes before beginning:
-To enter download mode to begin: Plug a USB cable into your phone with your phone powered off, hold down on the Vol Up button and plug the USB cord into your computer. It should immediately boot into download mode. Exiting Download mode after flash: pull battery…no damage will be done.
-To enter recovery after flashing TWRP: power off the phone, then hold both the volume down and power buttons at the same time. When you see the black LG screen, briefly release the power button and then press it again without letting go of the volume down button. You will see a screen asking if you want to delete all user settings. Say YES (via the volume and power keys—no touch input). You will see a screen asking if you want to delete all user data. Say YES (the data is only deleted if TWRP loads successfully). You will briefly see the black LG bootup screen. TWRP or factory recovery will load. Or if you did not unlock your bootloader, it will say recovery is corrupted and cannot be trusted, and then boot normally without changing your settings or deleting files.
-Additional note: as of 7-23-18 some commands had changed:
From V20 forum, Brian (runningnak3d) has moved to gitlab.com. So instead of github.com, we have to use a new git repository that Brian created in gitlab.com.
cd
mv lglaf lglaf_BAK
git clone https://gitlab.com/runningnak3d/lglaf
cd lglaf
git pull
git checkout v10-miscwrte
There are additional comments in the thread. Some timeout errors may be solved by: 1 - Download the VirtualBox extension pack: https://download.virtualbox.org/vir..._VirtualBox_Extension_Pack-5.2.8.vbox-extpack
2 - Go to File / Preferences / Extensions / click the + and browse to where you downloaded it.
3 - Once installed, with the VM off, right click on the VM, and go to settings. Click on USB, and pick USB 3.0. If your machine doesn't have a USB 3 port, pick 2.0.
But frankly, simply up arrow after a timeout error to load the last command on the command line and hit enter again. Simply keep doing this until it works. You know it works because no dialog appears for several minutes before informing one of success.
**Upgrade to Nougat after Flashing TWRP and booting to Recovery steps: (I did a full wipe as suggested by this thread: https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594 before flashing the v30b upgrade, then the full Nougat zip, and then flashing Magisk.) I flashed the 3 zips sequentially. I was afraid Nougat would not boot successfully because the zip files are less than 2 GB combined, but success! You may want to also flash the 30c upgrade before flashing Magisk for a total of 4 zip flashes. I did not try this. However, doing all this means no backups are done, so if there is a problem you may have to flash a KDZ with the LG UP tool (don’t ask me how).
As a final note, I cannot answer specific questions about the various processes provided or errors you may encounter that I have not listed in this write up since I have not experienced them. A bit of research on your part may be required, but this post should provide you with a huge head start compared to where I started. Good luck!
Methods to get unlimited mobile hotspot, very useful if you're on the $50 MetroPCs (owned by T-mobile) unlimited plan. All you $70 T-mobile plan suckazzz! https://forum.xda-developers.com/tm...ited-tetherting-hotspot-t3825144#post77249285
I would actually recommend using a USB tether client and forgoing root access if tethering is your only objective and you are trying to be efficient with your time. However, with root you can install all these cool apps!: https://www.digitaltrends.com/mobile/best-android-root-apps/
The following caught my eye:
-Rec: screen record
-liveboot: boot animation (does not work with Magisk)
-Servicely: checks to see which apps are using a lot of battery and lets you suppress them
-Adblock Plus
-Titanium backup: very powerful phone backup application & bloatware remover look into for quickly switching over to a different lg v10
-Greenify: put apps into hibernation
-System tuner: get lots of info about your phone, but be careful making changes
-ES file explorer: dig into the android system
-Disk digger: recovers deleted files (photos only?)

[TUT] ROOT HD8(2018) via Magisk + [TWRP] + [Xposed]

Update - September 7th, 2019.
There is a more convenient method now by @k4y0z that can achieve the same unlocking objectives with fewer user commands. Please head over to this thread to achieve unlocking.
Thanks again to all who used the original method below, and hopefully you are enjoying your unlocked device!
The original post using lots of terminal commands in order to unlock
We are there! We have several fully successful attempts by @glate and @daymz (in addition to 3 partial successes earlier - thanks to @leakcheck, @spdqbr, @ShayBox). I have updated the instructions for further clarity. Please report back if there are issues. Still, be prepared to remove the back cover as described in this link in the rather unlikely case things go wrong.
First of all, full credit to @xyz` and @diplomatic, since the approach here 100% relies on their great work!
Motivation for this post: make obtaining root on Fire HD8 2018 simpler, without removing the back cover of your tablet. You will also preserve your current FireOS version, and all your user apps and settings (meaning, no Factory Reset).
Skill level required: moderate - since you will need to work with Linux and Python. HD8 2018 has Android version 7, and therefore will use Magisk for root management.
Legalese, or the standard disclaimer: While every effort has been made to ensure the instructions' accuracy, any and all risk you take with this procedure is entirely yours. Please pay attention, and proceed with care! Happy unlocking!!!
Notice. If you already have a working TWRP from a prior effort, you should start at Step 11 or 12 depending on what you need to do! With TWRP, the tablet is already under your full control! Unlocking is a one time thing! Post on XDA what you are trying to do, and you will be helped!
Here we go:
Get access to Linux, install Linux tools required as per the original work by @xyz` in this link (click Thanks there!!!). Specifically, on Debian/Ubuntu do this "sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot". Download attached amonet-lite.zip to Linux.
Download attached unlock_images.zip, unpack it, place the individual image files into /sdcard/00 folder on your tablet (create /sdcard/00 folder on your tablet if it does not exist - "adb shell mkdir /sdcard/00")
Download attached finalize_no_ota.zip to /sdcard/00 on your tablet
Download Magisk to /sdcard/00 from here: Magisk-v18.0.zip If you like to live on the bleeding edge, and will be itching to upgrade, also download the latest and greatest Magisk zip - link (at present -version 18.1).
Noob protection: drain tablet battery to some low number, ~3% (this is a safety measure, in case you later get a freeze while in BootRom). Use Fast Discharge app from the Google Play Store if you are impatient. If you do get a freeze in BootRom, your Fire will discharge about ~1% per hour. The battery has to discharge to 0% for the device to exit the BootRom mode. So for battery at 50% you will be waiting ~2 days.
Get an adb root shell via mtk-su (arm version, not arm64), follow this method by @diplomatic (click Thanks there while you are doing it!!!) You may not get a proper full root on the very first try. Specifically, if ls command fails, exit shell via exit command, and run mtk-su again.
In this root shell, obtained in the previous step, first, and foremost, please verify that your prompt looks something like this : [karnak:/data/local/tmp #]. Specifically, that your device is really a karnak (i.e., HD8 2018). If you have a different device, MISSION ABORT, and do refer to the original rooting thread for instructions on how to permanently root YOUR type of device. If you do have a karnak, proceed to do the following operations.
Run the following commands
Code:
dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/00/boot_orig.img
dd if=/dev/block/platform/soc/11230000.mmc/by-name/lk of=/sdcard/00/orig_lk.bin
dd if=/dev/block/platform/soc/11230000.mmc/by-name/tee1 of=/sdcard/00/orig_tz.bin
dd if=/dev/block/mmcblk0boot0 of=/sdcard/00/orig_boot0.bin
dd if=/dev/zero of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
md5sum /sdcard/00/unlock_lk.bin; md5sum /sdcard/00/unlock_tz.bin; md5sum /dev/block/platform/soc/11230000.mmc/by-name/recovery
Make sure the above commands run without any errors!!! If there are errors, check whether you perhaps did not put the image files into /sdcard/00. Below are the checksums you should see; take a moment to ensure that they match!!! If the checksums don't match, mission ABORT! Come back here and paste your output. You can disconnect your tablet for the time being.
Code:
90ee125c08abc999f78325d30e26a388 /sdcard/00/unlock_lk.bin
982513e70d6de114ed4a9058a86de848 /sdcard/00/unlock_tz.bin
faae811e229f0a7780fd130a286d3c47 /dev/block/platform/soc/11230000.mmc/by-name/recovery
If everything looks good, proceed with updating the rest, and wiping the preloader which will enable the BootRom mode:
Code:
dd if=/sdcard/00/unlock_lk.bin of=/dev/block/platform/soc/11230000.mmc/by-name/lk
dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee1
dd if=/sdcard/00/unlock_tz.bin of=/dev/block/platform/soc/11230000.mmc/by-name/tee2
dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/boot
dd if=/sdcard/00/unlock_recovery-inj.img of=/dev/block/platform/soc/11230000.mmc/by-name/recovery
echo 0 > /sys/block/mmcblk0boot0/force_ro
dd if=/dev/zero of=/dev/block/mmcblk0boot0
echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0
md5sum /dev/block/mmcblk0boot0
(Thanks to @k4y0z, @Rortiz2, @retyre, @hwmod for figuring out the last step!!!)
You are now in a properly bricked state. Disconnect the USB cable, turn off your tablet. It's a nice brick
On Linux, you will now finish all the work required to unlock your tablet.
First make sure to uninstall/disable ModemManager (very mission critical!!!) [on Ubuntu: "sudo apt-get remove modemmanager"]. Next, run these commands:
Code:
unzip amonet-lite.zip
cd amonet-lite
chmod 755 ./bootrom-step.sh
sudo su
./bootrom-step.sh
Attach your properly bricked tablet to your Linux computer with a USB cable, do try to use a pure USB2 port on your PC (if you have it). Your tablet should come up in the BootRom mode, and start interacting with the bootrom-step.sh script above (watch the output in the Linux terminal). The tablet screen will be off and you won't see anything. Follow the bootrom-step.sh script instructions. When the script prompts "Remove the short and press Enter", just press Enter (there is no short in this method!). Hopefully, everything works. If it freezes before finishing, disconnect the tablet, and let it sit for few hours (please report back if you had to wait for battery to drain here - mainly for statistics). The battery should drain, and the tablet will leave the BootRom mode. Try again in a few hours by re-running bootrom-step.sh, and connecting your bricked tablet to your Linux computer.
Here your tablet should have rebooted to TWRP. The screen might be blank, try to hit Power button twice to wake TWRP up. If you still don't see anything, try to turn the tablet off by holding the Power button. If nothing works, wait for the battery to drain, and then re-try.
Once TWRP comes up, go to "Install/Install Image", and install /sdcard/00/boot_orig.img to the boot partition (here we are returning your original boot image to its proper partition)
In TWRP, go to "Install", select Magisk zip from /sdcard/00, and install. Version 18.0 is known to be rock solid, the newer 18.1 may or may not work OK. If you do flash 18.1, please watch for TWRP installation errors.
In TWRP, go to "Install", select finalize_no_ota.zip from /sdcard/00, and install. You only need to do this once per new system image, to make sure OTA is disabled. You don't need to repeat this if you did not upgrade/sideload a fresh ROM. It will give an error message if it was already run before - in such a case ignore the error.
In TWRP, reboot
You should now be back in FireOS, but with Magisk for root. If you don't see Magisk Manager in your app list, install it via apk downloaded from this link. If you are bootlooping due to Magisk, reboot to TWRP using Pwr+Vol buttons, and start at Step 11 but using 18.0 Magisk this time.
If you would like to install Xposed, proceed to this post #2.
If your FireOS is not the latest version (6.3.0.1 at present), use instructions in post #3 to upgrade.
Notice. If you modify your tablet to the point of an unrecoverable bootloop, check if you can still boot TWRP. If you can, then you are still unlocked, and have simple ways to recover!!! Do not rush into doing a Factory Reset, reloading your OS, sideloading the stock Amazon ROM, repeating the full above procedure, etc. Come back here, ask questions, and wait for a competent answer. If TWRP is available, everything is relatively easy to fix!!!
TWRP system restore warning: Avoid backing up & restoring your system via TWRP. Unless you fully understand the current HD8 unlocking hack, unpleasant bricks may result! You are better off re-loading the fresh stock back (/system + /boot only) via TWRP, and then immediately re-applying Magisk and finalize zip. This way if you get into a bootloop, your TWRP is still there.
Q&A :
Q: How is this different from the approach by @xyz`? A: No need to remove the back cover. Also, the modified amonet script writes only ~4% of the data in the BootRom mode compared to the original method, thus reducing the chances of a freeze in case BootRom access is flaky. Finally, the battery pre-drain should enable BootRom to die reasonably quickly if it does freeze.
Want to say thanks by clicking the "Thanks" button ?
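The checksum comparison in the steps above is done by eye. As an added example (not part of this post or of the amonet tools), here is a POSIX sh function that does the comparison mechanically and returns non-zero on any mismatch or missing file, so a script can abort before the lk/tee1 writes; it goes one step further than the post and also records md5s of the dd backups so a later restore can be verified the same way. It assumes the expected list is in md5sum's own "hash  path" format and uses a constructed sample file for the demo; the by-name partition path is the one used in the post.

```shell
#!/bin/sh
# Added example, not from the thread or the amonet tools: make the
# "take a moment to ensure that they match" step mechanical.
# The expected list uses md5sum's own "<md5>  <path>" line format, so the
# three checksum lines from the post can be pasted in as-is.
# Uses only md5sum and cut, so it also runs in the tablet's adb root
# shell (toybox), where "md5sum -c" is not guaranteed to exist.

# verify_md5_list LISTFILE
# Prints one OK/MISMATCH/MISSING line per entry.
# Returns 0 only if every listed path hashes to its expected value.
verify_md5_list() {
    list="$1"
    status=0
    while read -r expected path; do
        # skip blank lines and comments in the list
        case "$expected" in ''|'#'*) continue ;; esac
        if [ ! -r "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            status=1
        fi
    done < "$list"
    return "$status"
}

# backup_partition NAME OUTFILE
# Wraps the post's dd backup and appends the backup's md5 to
# /sdcard/00/backup.md5, so a later restore can be checked with
# verify_md5_list. Only meaningful in the tablet's root shell (hypothetical
# helper; the by-name path is the one used in the post).
backup_partition() {
    dd if="/dev/block/platform/soc/11230000.mmc/by-name/$1" of="/sdcard/00/$2" || return 1
    md5sum "/sdcard/00/$2" >> /sdcard/00/backup.md5
}

# Demo with a constructed file (the unlock images are not available
# off-device). "hello\n" has a well-known md5.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/unlock_lk.bin"
printf 'b1946ac92492d2347c6235b4d2611184  %s\n' "$demo/unlock_lk.bin" > "$demo/expected.md5"
if verify_md5_list "$demo/expected.md5"; then
    echo "all checksums match, safe to continue with the lk/tee1 writes"
else
    echo "checksum mismatch: MISSION ABORT, do not write lk/tee1"
fi
rm -rf "$demo"
```

In the tablet's root shell, paste the post's three checksum lines into /sdcard/00/expected.md5 and gate the lk/tee1 dd commands on `verify_md5_list /sdcard/00/expected.md5`.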
Magisk modules, and, Xposed in particular
In this post I shall cover the installation of Magisk modules and Xposed since this operation had presented certain challenges in the past.
Once you have Magisk up and running, install a couple of useful modules first.
Busybox-1.29.2-YDS-ARM.zip. You can flash it either via Magisk, or in TWRP. It does limited modifications to the system, and is very benign, in terms of potentially causing any bootloop issues (pretty much unheard of!).
Magisk Manager for Recovery Mode (mm). Please download this zip to /sdcard/00, and flash via TWRP. Run it in TWRP, and familiarize yourself fully with its features. Specifically, try to disable the above Busybox module, reboot to OS, and observe that the Busybox module is disabled. This module is your ticket out of any bootloop when you try to install more aggressive Magisk modules!
Now that you are familiar with ways to disable bootloop-y Magisk modules via TWRP, proceed to install Xposed. Thanks to @delessio100 (link) for helping me to sort things out on my first attempt!
Download the attached Xposed_Framework_(SDK_25)-89.3_(Systemless).zip to /sdcard/00
Reboot to TWRP, and flash it
Reboot to OS, and be prepared to wait a good 10-15 minutes. The first boot is unusually long, where it looks like things are in a bootloop. Things may be fine, just slow, wait!!! Most likely, you shall boot into FireOS, just have patience.
If the bootloop is continuing for more than 20 minutes, turn the tablet off via the long Power button press, and reboot to TWRP (Vol buttons + Power together). Run the above mm module (in TWRP terminal, type either mm, or /data/media/mm). Disable Xposed, and reboot to OS. You should boot back into OS without issues. Report your failure back to XDA, and wait for advice.
Install XposedInstaller_3.1.5-Magisk.apk from this link, and verify that the Xposed framework (Systemless) is active.
Install some modules from the list below, activate them in Xposed Installer/Modules, and reboot
In case you get into bootloop while installing other Magisk modules, simply disable those via mm. Then search for solutions on XDA
My favourite Xposed modules
App Settings, version 1.15. This module helps to control misc per app settings. My main use - make Chrome tabs look like those on cell phone, without tabs on top, see this link for examples. AppSettings for Chrome on HD8 to trigger the cell phone look: DPI 240, screen(dp) - 320x480.
Gravity Box - add a network traffic indicator to the status bar, I like to see how much data is coming in/leaving. Also, change battery color.
No Play Games. This will stop bugging you about Google Play Games installation for certain games
Per App Hacking - more options to change settings for a single app
XVolume30 - improve volume control, with more steps
How to upgrade FireOS version:
At this moment 6.3.0.1 is the latest version. If you have something older, just flash the 6301 zip file from this link in TWRP. After the flash, re-apply Magisk and its modules. Clear cache & dalvik in TWRP before reboot.
#4 - reserved
Is it required to create the sdcard/00 folder? I can't seem to find the folder, at least in the internal storage, when connected over USB to it.
leakcheck said:
Is it required to create the sdcard/00 folder? I can't seem to find the folder, at least in the internal storage, when connected over USB to it.
Yes, just create it yourself!
So far so good I am at reboot to unlock fastboot!
---------- Post added 03-03-2019 at 12:01 AM ---------- Previous post was 02-03-2019 at 11:56 PM ----------
Hmm things looked good but now darkness lol
It had finished and said reboot to unlock fastboot but now nothing, power button does nothing.
leakcheck said:
So far so good I am at reboot to unlock fastboot!
---------- Post added 03-03-2019 at 12:01 AM ---------- Previous post was 02-03-2019 at 11:56 PM ----------
Hmm things looked good but now darkness lol
It had finished and said reboot to unlock fastboot but now nothing, power button does nothing.
OK. It may be still stuck in BootRom? If the cover is removed, could you disconnect the battery? Could you post the Linux log here?
bibikalka said:
OK. It may be still stuck in BootRom? If the cover is removed, could you disconnect the battery? Could you post the Linux log here?
[email protected]:~$ cd /home/admin/Downloads
[email protected]:~/Downloads$ cd /home/admin/Downloads/amonet-lite
[email protected]:~/Downloads/amonet-lite$ chmod 755 ./[email protected]:~/Downloads/amonet-lite$ sudo su
[email protected]:/home/admin/Downloads/amonet-lite# .bootrom-step.sh
.bootrom-step.sh: command not found
[email protected]:/home/admin/Downloads/amonet-lite# ./bootrom-step.sh
[2019-03-02 17:54:19.837131] Waiting for bootrom
[2019-03-02 17:54:34.187944] Found port = /dev/ttyACM0
[2019-03-02 17:54:34.188213] Handshake
[2019-03-02 17:54:34.188569] Disable watchdog
* * * Remove the short and press Enter * * *
[2019-03-02 17:55:56.007937] Init crypto engine
[2019-03-02 17:55:56.029801] Disable caches
[2019-03-02 17:55:56.030372] Disable bootrom range checks
[2019-03-02 17:55:56.044687] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-03-02 17:55:56.049490] Send payload
[2019-03-02 17:55:56.588729] Let's rock
[2019-03-02 17:55:56.589343] Wait for the payload to come online...
[2019-03-02 17:55:57.321067] all good
[2019-03-02 17:55:57.321628] Check GPT
[2019-03-02 17:55:57.660554] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-03-02 17:55:57.660890] Check boot0
[2019-03-02 17:55:57.906247] Check rpmb
[2019-03-02 17:55:58.115712] Downgrade rpmb
[2019-03-02 17:55:58.117623] Recheck rpmb
[2019-03-02 17:55:59.012188] rpmb downgrade ok
[2019-03-02 17:55:59.012691] Inject microloader
[4 / 4]
[2019-03-02 17:55:59.343207] Flash lk-payload
[4 / 4]
[2019-03-02 17:55:59.709695] Flash preloader
[288 / 288]
[2019-03-02 17:56:11.854171] Reboot to unlocked fastboot
---------- Post added at 12:24 AM ---------- Previous post was at 12:17 AM ----------
I tried pulling the battery and now I get this when I try to connect via bootrom-step
[email protected]3:/home/admin/Downloads/amonet-lite# sudo ./bootrom-step.sh
[2019-03-02 18:12:58.394533] Waiting for bootrom
[2019-03-02 18:13:06.513079] Found port = /dev/ttyACM0
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 265, in open
self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
FileNotFoundError: [Errno 2] No such file or directory: '/dev/ttyACM0'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "main.py", line 123, in <module>
main()
File "main.py", line 51, in main
dev.find_device()
File "/home/admin/Downloads/amonet-lite/modules/common.py", line 80, in find_device
self.dev = serial.Serial(port, BAUD, timeout=TIMEOUT)
File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 240, in __init__
self.open()
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 268, in open
raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 2] could not open port /dev/ttyACM0: [Errno 2] No such file or directory: '/dev/ttyACM0'
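The `gpt_parsed` line that bootrom-step.sh prints in the logs above is the tablet's partition table as `name: (start, size)` pairs. As an added example that is not part of this thread or of the amonet scripts, here is a Python checker that pulls that line out of a saved log and verifies the layout (required partitions present, no overlaps) before anything is flashed; the sample log is constructed from the Check GPT lines quoted above, and the unit of the numbers is whatever the script prints (assumed to be storage blocks).

```python
import ast
import re
from typing import Dict, List, Tuple

# Partitions the amonet-lite steps rely on (names as printed by bootrom-step.sh above).
REQUIRED = ("proinfo", "PMT", "kb", "dkb", "lk", "tee1", "tee2",
            "boot", "recovery", "system", "userdata")

GPT_RE = re.compile(r"gpt_parsed\s*=\s*(\{.*\})\s*$")

# Constructed sample: the Check GPT line copied from the log above, plus its neighbours.
SAMPLE_LOG = """\
[2019-03-02 17:55:57.321628] Check GPT
[2019-03-02 17:55:57.660554] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-03-02 17:55:57.660890] Check boot0
"""


def parse_gpt_line(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Return name -> (start, size) from the gpt_parsed line of a bootrom-step.sh log."""
    for line in log_text.splitlines():
        m = GPT_RE.search(line)
        if m:
            # The script prints a plain Python dict literal, so literal_eval is safe here.
            table = ast.literal_eval(m.group(1))
            return {str(k): (int(v[0]), int(v[1])) for k, v in table.items()}
    raise ValueError("no gpt_parsed line found in log")


def check_layout(gpt: Dict[str, Tuple[int, int]]) -> Dict[str, List[str]]:
    """Sanity-check the table: required names present, sizes positive, no overlaps.

    Gaps between partitions are only warnings (alignment padding is normal);
    an overlap or a missing partition is an error and flashing should stop.
    """
    errors: List[str] = []
    warnings: List[str] = []
    for name in REQUIRED:
        if name not in gpt:
            errors.append(f"missing partition: {name}")
    prev_name, prev_end = None, 0
    for name, (start, size) in sorted(gpt.items(), key=lambda kv: kv[1][0]):
        if size <= 0:
            errors.append(f"{name}: non-positive size {size}")
        if prev_name is not None and start < prev_end:
            errors.append(f"{name} (start {start}) overlaps {prev_name} (ends at {prev_end})")
        elif prev_name is not None and start > prev_end:
            warnings.append(f"gap of {start - prev_end} blocks between {prev_name} and {name}")
        prev_name, prev_end = name, start + size
    return {"errors": errors, "warnings": warnings}


def end_block(gpt: Dict[str, Tuple[int, int]]) -> int:
    """Last block covered by the table; differs between the two tablets logged in this thread."""
    return max(start + size for start, size in gpt.values())


if __name__ == "__main__":
    table = parse_gpt_line(SAMPLE_LOG)
    print(f"{len(table)} partitions, last block {end_block(table)}")
    for level, msgs in check_layout(table).items():
        for msg in msgs:
            print(level, msg)
```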
leakcheck said:
...
OK. Thank you for your valuable service!!! I will carefully check my procedure.
I think you are now coming up in the preloader mode, since the preloader now appears to be working fine. Disconnect the battery, and attempt to short the contacts, following the original procedure here: https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
My procedure is a one shot option, once the preloader is restored, you are back to shorting contacts.
Awesome ok now the shorting contact method worked, however I am not sure what I am supposed to do from here, the directions say I can use fastboot devices to check to see if it's good to start (allegedly should see an amazon logo) the fastboot-step.sh process. I am not seeing the logo, do you know if this is a long process ?
I think I have it! Took me several tries and many reboots! Thanks for all the help!
leakcheck said:
I think I have it! Took me several tries and many reboots! Thanks for all the help!
Great! I've updated the instructions to have some quality control along the way so as to avoid some critical user errors. I have also kept the amonet script as close to the original as possible. Will be asking for more volunteers
Nice guide, @bibikalka!
Although I can't help but think this could be made easier. If you guys update the LK exploit for the latest FW, then you won't need to reboot to the bootrom. If I understand correctly, the only reason that's necessary is to downgrade. Otherwise, everything could be flashed from the OS. And even if there is no way around clearing the RPMB, I'm pretty sure the crypto stuff could be done from the OS as root too.
diplomatic said:
Nice guide, @bibikalka!
Although I can't help but think this could be made easier. If you guys update the LK exploit for the latest FW, then you won't need to reboot to the bootrom. If I understand correctly, the only reason that's necessary is to downgrade. Otherwise, everything could be flashed from the OS. And even if there is no way around clearing the RPMB, I'm pretty sure the crypto stuff could be done from the OS as root too.
Excellent points! I raised them before. And, there are a few practical challenges to consider
Updating LK exploits is very time consuming. It's easier to have people install Linux, and clear RPMB, than to hack every new LK version.
For example, I could not convince @xyz` yet to even fix his current exploit. As is, it writes at 2Mb offset into boot0 which is only 1Mb in size. So no easy dd access to the exploit address for now ...
Also, the approach presented here is quite generic: if HD10 gained an unlock, one could again clear RPMB, and use whatever LK was hacked.
A few people could get by without clearing rpmb, but these would always be in minority ... So the current foolproof method is more complex, but also more general as well. It's a compromise!
I made it to bootrom-step.sh, and that appears to have run successfully. However now when I try
Code:
fastboot reboot recovery
I get the usage message for fastboot:
Code:
# ./bootrom-step.sh
[2019-03-04 00:27:18.798732] Waiting for bootrom
[2019-03-04 00:27:26.336656] Found port = /dev/ttyACM0
[2019-03-04 00:27:26.336890] Handshake
[2019-03-04 00:27:26.337276] Disable watchdog
* * * Remove the short and press Enter * * *
[2019-03-04 00:27:56.377687] Init crypto engine
[2019-03-04 00:27:56.395798] Disable caches
[2019-03-04 00:27:56.399726] Disable bootrom range checks
[2019-03-04 00:27:56.410763] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-03-04 00:27:56.412639] Send payload
[2019-03-04 00:27:57.074721] Let's rock
[2019-03-04 00:27:57.075569] Wait for the payload to come online...
[2019-03-04 00:27:57.807523] all good
[2019-03-04 00:27:57.807917] Check GPT
[2019-03-04 00:27:58.164678] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22480863)}
[2019-03-04 00:27:58.164880] Check boot0
[2019-03-04 00:27:58.410125] Check rpmb
[2019-03-04 00:27:58.619520] Downgrade rpmb
[2019-03-04 00:27:58.621743] Recheck rpmb
[2019-03-04 00:27:59.515990] rpmb downgrade ok
[2019-03-04 00:27:59.516232] Flash lk-payload
[4 / 4]
[2019-03-04 00:27:59.847318] Flash preloader
[288 / 288]
[2019-03-04 00:28:06.291277] Inject microloader
[4 / 4]
[2019-03-04 00:28:06.623363] Reboot to unlocked fastboot
[email protected]/amonet-lite# fastboot reboot recovery
usage: fastboot [ <option> ] <command>
commands:
update <filename> Reflash device from update.zip.
flashall Flash boot, system, vendor, and --
if found -- recovery.
flash <partition> [ <filename> ] Write a file to a flash partition.
flashing lock Locks the device. Prevents flashing.
...
A few things I was able to try:
At this point I have the amazon logo on a black screen:
Holding down the power button shuts off the tablet.
Issuing
Code:
fastboot reboot
reboots the tablet to the Amazon logo
Issuing
Code:
fastboot reboot-bootloader
reboots the table and I get a black screen with just
Code:
=> FASTBOOT mode...
at the bottom
If I shut down the tablet, and rerun the script, I get the following:
Code:
# ./bootrom-step.sh
[2019-03-04 00:39:41.574553] Waiting for bootrom
[2019-03-04 00:39:51.413047] Found port = /dev/ttyACM0
[2019-03-04 00:39:51.413639] Handshake
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 537, in write
n = os.write(self.fd, d)
OSError: [Errno 5] Input/output error
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "main.py", line 121, in <module>
main()
File "main.py", line 54, in main
handshake(dev)
File "/home/spdqbr/Fire HD 8 2018/amonet-lite/modules/handshake.py", line 9, in handshake
dev.handshake()
File "/home/spdqbr/Fire HD 8 2018/amonet-lite/modules/common.py", line 97, in handshake
c = self._writeb(b'\xa0')
File "/home/spdqbr/Fire HD 8 2018/amonet-lite/modules/common.py", line 91, in _writeb
self.dev.write(out_str)
File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 571, in write
raise SerialException('write failed: {}'.format(e))
serial.serialutil.SerialException: write failed: [Errno 5] Input/output error
I appear to be stuck from this point. Do you have any suggestions?
@spdqbr - Sounds like your fastboot is out of date. Several of the mainstream repos have this problem. The reboot recovery option didn't come along until more recently. Try updating manually from sdk or Google for one of the updates you can wget and copy over the existing.
spdqbr said:
I made it to bootrom-step.sh, and that appears to have run successfully. However now when I try
Code:
fastboot reboot recovery
I get the usage message for fastboot:
...
I appear to be stuck from this point. Do you have any suggestions?
Ok, I think you have made it! You are success case #1 !!!
Turn the tablet off, and boot recovery by holding Vol buttons when you press Power to turn it on (the usual deal). I think I shall remove the unlocked fastboot flashing from amonet, since it only creates issues.
ktdt00 said:
@spdqbr - Sounds like your fastboot is out of date. Several of the mainstream repos have this problem. The reboot recovery option didn't come along until more recently. Try updating manually from sdk or Google for one of the updates you can wget and copy over the existing.
Interesting. Indeed then, it's another option - updating fastboot on Linux/Windows.
I've got a 2018 HD8 that's just sitting here with its battery dead waiting for this exact moment; however, my machine runs Windows (I know, I know).
Is there a LiveCD that you'd recommend to complete this task? Just straight up Ubuntu I assume? Haven't run Linux as my daily driver in a few years so thought I'd double check before downloading anything. For ModemManager I'd assume it would just be `sudo apt-get remove modemmanager` correct?
Thanks!
I've gotten through all the steps, but I'm stuck at fastboot reboot recovery. I am running on Arch and have the latest android-tools, so it shouldn't be an out of date problem unless it's a feature that hasn't hit actual release yet; holding volume when turning on doesn't do anything.
EDIT: Turns out the package is out of date, because Google split adb and fastboot into separate packages. I got the command working, but it doesn't reboot into TWRP, it just goes to the amazon logo again, and I never downloaded a TWRP image as far as I know.
Also unless this changes this, the HD 8 can not boot to recovery with vol buttons, so removing the fastboot part may not be a great idea, at least if I understand it right.
EDIT2: I figured it out, I had to download the non-lite amonet because it contained an extra fastboot shell script that actually flashed the recovery; amonet-lite didn't.
EDIT3: TWRP can't find the boot_orig.bin file, it finds unlock_recovery-inj.img but not bin files, in both image and zip mode.
Also flashing magisk worked, but flashing finalize_no_ota.zip errored with code 1, then any following attempts with code 255.
EDIT4: I just ended up doing the rest of the instructions on the original guide, I had to factory reset but that's alright. Thanks, this worked and I never had to open my device! Tester #2 (or 3)
I can't wait to see roms for this, get rid of this amazon garbage

[GUIDE][ROOT] QLink Scepter 8 Tablet (Gen 1 & Gen 2) | Bootloader Unlocking & Rooting Guide

QLink Scepter 8 Tablet, by Hot Pepper Mobile
Bootloader Unlocking & Rooting Guide for Gen 1 & Gen 2 Models
TABLET MODELS & VARIANTS:
For those members familiar with the firmware restoration thread, there are a total of four model variants of the QLink Scepter 8 tablet: two variants of the Gen 1 model, and two variants of the latest Gen 2 model. Determining which Scepter 8 you have is a very simple two-part check. First, if you don't already know your Android OS version, go to device Settings> About tablet, and locate your Android version. If you are running Android 11 (Go Edition), you have the original Gen 1 model. If you are running Android 12 (Go Edition), your tablet is the latest Gen 2 model. Secondly, you will need to locate the device S/N in order to determine your tablet variant. Your S/N is printed on the manufacturer's label affixed to the exterior of the tablet's rear housing. From the Android OS, you can also locate your S/N by opening device Settings>About tablet>Model. Regardless of whether you have the Gen 1 or the Gen 2, the first two letters of your S/N will be either CF or MD. This is the codification of your tablet variant.
To alleviate some of the legwork of rooting, and to keep this thread simple to follow, I have provided boot images pre-patched for Magisk v25.2 systemless root support. I have categorized the download links for each of the boot images in accordance with the respective model and S/N variant. To avoid potential bugs, instabilities, boot loops and the like, it is crucial that you download the boot image that corresponds with your model & variant.
OVERVIEW:
This guide outlines step-by-step instructions for unlocking the bootloader and rooting all variants of the Gen 1 & Gen 2 QLink Scepter 8 tablet. This guide also includes a detailed section on properly installing the ADB, fastboot, & USB device drivers on your Windows PC or laptop, as well as steps to troubleshoot & manually update these drivers in the event the tablet is not being recognized while in fastboot mode.
DISCLAIMER:
Unlocking your bootloader and rooting your device are both procedures that carry inherent risks. Because these procedures involve modifying the device from its stock factory configuration, it is possible to corrupt, damage, or even render your tablet completely inoperable. By proceeding further, you are assuming sole responsibility for the integrity and operability of your device, therefore absolving me of any liability in the event something goes south. I have, however, tested these guides and feel confident that things will go smoothly as long as you follow the instructions carefully. Moreover, I encourage all members to read the instructions fully before starting the steps, in order to first gain a fundamental understanding of the concepts and methods involved.
PLEASE PLAY NICE & FOLLOW XDA RULES:
This thread was created with the intent of being a noob-friendly forum. This simply means that new and inexperienced members are fully welcome here, and will be provided with extra guidance and assistance if needed. Please keep in mind that XDA is a global community of developers, enthusiasts and device users. As such, and although English is the only permitted language in the forums & threads, not all members speak English as their first language, and often rely on text translation tools when asking questions & posting. Accordingly, it is very common for words to be misconstrued, meanings to be misinterpreted, and the context as a whole lost in translation. I ask members to be patient, compassionate and respectful to others on this thread. Those members with the knowledge to do so are urged and asked to help newer members, and recall back when you were new here and others helped you.
Please help me with keeping this thread on point by ensuring that all subject matter herein be kept relevant to the topics of rooting and OEM unlocking the QLink Scepter 8. Any posts about other devices or subject matter run afoul of XDA rules and are subject to removal by moderators -- and potential sanctions imposed upon the offending member. Moreover, an on-topic thread keeps things organized and easier to follow. Thank you for your consideration.
PREREQUISITES:
To unlock the bootloader and root the QLink Scepter 8 tablet, you will need a laptop or PC running on Windows 7/8.1/10/11. (A Mac or Linux machine can also be used. For purposes of this guide, however, I am focusing on a Windows setup.) You will also need the OEM-supplied or a quality equivalent micro USB to USB-A data sync cable. Last but not least, you will need to install compatible USB device drivers for ADB & Fastboot on your PC/laptop. I have included the 15-Second ADB Driver Installer below, under the DOWNLOADS section. This Installer will configure ADB & Fastboot system-wide, and installs the universal Google USB device drivers. I would encourage members to first read the instructions in their entirety prior to actually starting the guide.
•INSTALLING USB DEVICE DRIVERS•
This section is included to install and configure ADB, Fastboot and the proper USB device drivers on your Windows computer. This section can also be used to troubleshoot and fix issues involving your tablet not being recognized by Windows while connected in fastboot mode. If you have already installed the ADB & Fastboot tools (& the proper USB device drivers), and you are not experiencing fastboot recognition issues, you may skip this section and proceed to the bootloader unlocking section.
Many members have reported issues with device recognition while in fastboot mode. I have also noticed a persistence problem with Windows drivers on this tablet. I can manually update the driver using Windows Device Manager, enabling fastboot recognition; yet, once the tablet is disconnected from my PC the updated driver does not always persist, requiring a manual driver update each time fastboot mode is needed. Follow these steps to enable fastboot recognition of your device.
• 1. If you have not yet done so, install the 15-Second ADB Installer from the link below on your Windows PC or laptop. Open the utility and follow the prompts to install the ADB & Fastboot drivers. Next, opt to install ADB system-wide. Lastly, you will be prompted to install the Google USB device drivers. Select Y and install them. You should see an interface informing you that the drivers were successfully installed. NOTE: If you get a warning notification that the drivers are unsigned, select the option to install anyway;
• 2. With your tablet powered off, hold the Power and Volume Down buttons simultaneously until the QLink logo appears, at which time you release the Power button but continue holding Volume Down. When a green Android graphic appears on your display, you are in fastboot mode;
• 3. Connect your tablet to your Windows machine using the OEM-supplied or a quality equivalent micro USB to USB-A data sync cable;
• 4. Open a command window in the path of your ADB/Fastboot directory. Execute this command:
Code:
fastboot devices
If properly connected, the command window will return an alphanumeric string which is synonymous with your tablet serial number. If this occurs, you are finished with this section and may proceed to the instructions for unlocking the bootloader/rooting. If the command window displays Waiting on Any Device, or if your serial number is not displayed, continue with the following steps;
• 5. Keeping your device connected to your Windows PC/laptop, right click your Windows Start icon and select Device Manager. Locate your tablet in the menu. It will likely be located under either the Portable Devices or Android Device heading;
• 6. Right click your device and select Update Driver. Next, select Browse My Computer for Drivers. On the next screen choose the option for Let Me Pick From a List... Now you will see a list of drivers to select from. Depending on the manner in which Windows recognized your tablet in the Device Manager menu, the driver selection menu can vary. If you see an option for Android Device, select that option and then select Android Composite ADB Interface. Or, you may be directly presented with options for Android Bootloader Interface, Android ADB Interface and Android Composite ADB Interface. In any event, choose Android Composite ADB Interface and then click Next. Click Yes in the Update Driver Warning dialogue screen, at which time the drivers will be installed.
• 7. Return to your command window and again execute the fastboot devices command. If your serial number is displayed, your drivers are now properly installed. If you are still experiencing fastboot recognition issues, try using another data sync cable, change USB ports on your computer, and/or reinstall the drivers using the 15-Second ADB Installer.
I. UNLOCKING THE BOOTLOADER:
If you plan on rooting your tablet, this step is mandatory. If your bootloader is already unlocked and you only wish to root your device, skip down to the rooting instructions in the next section below.
WARNING: Unlocking your bootloader forces the device into a factory data reset, which will effectively wipe all saved user data from the device. Make a backup at this point if there are files and media on your tablet that you wish to keep.
INSTRUCTIONS:
1. Enable Developer Options on your tablet by going to device Settings>About tablet and tap Build number approximately seven times. Android will notify you that Developer Options are enabled; this menu will appear under device Settings>System>Advanced.
2. Enable USB Debugging and OEM Unlocking in the Developer Options menu. NOTE: Users have reported the OEM Unlocking option being greyed-out unless you are signed in to your Google account.
3. Now to boot into fastboot mode, and this particular step is extremely important. Android 10 introduced a new fastboot mode for dynamic partitions, known as FASTBOOTD, which is relocated from the bootloader to userspace. This particular fastboot mode supports resizeable partitions within the dynamic scheme, and enables the user to create, resize and delete various logical partitions. However, FASTBOOTD mode cannot be utilized to unlock the bootloader, and will not recognize the unlock command. As such, the user must rely upon legacy fastboot mode in order to unlock the bootloader. From stock recovery mode, you may simply choose the option to reboot to bootloader. DO NOT CHOOSE THE OPTION TO ENTER FASTBOOT, as this option will boot to FASTBOOTD. From the Android OS, you can boot into legacy fastboot mode by executing:
Code:
adb reboot bootloader
Once you see a green Android graphic appear in the center of your display, you are in the correct fastboot mode.
4. Connect your tablet to your PC/laptop using the OEM-supplied or a quality equivalent micro USB to USB-A data sync cable. Next, open a command window in the path of your ADB/Fastboot directory. Check your connection by executing this command:
Code:
fastboot devices
If you are properly connected, the command window will return an alphanumeric string synonymous with your device's serial number. If you do not see this, there is a problem with communications between your tablet and PC/laptop. To troubleshoot the issue, switch to another USB port, try another data sync cable, and/or reinstall the ADB/Fastboot drivers on your PC or laptop. Also, see my instructions above on installing USB device drivers on your Windows computer;
5. Once a proper connection has been verified, execute this command:
Code:
fastboot oem unlock
Once you see the Okay notification in the command window, your bootloader is now unlocked. Execute this command:
Code:
fastboot reboot
Your tablet will now initiate a factory data reset and then reboot into the initial setup for the Android OS.
II. ROOTING THE QLINK SCEPTER 8
Now that the bootloader has been unlocked, rooting this tablet is very straightforward. Again, I have provided pre-rooted boot image files in the DOWNLOADS section for all four models & variants.
INSTRUCTIONS:
A. Gen 1 QLink Scepter 8 (Android 11, Go Edition)
NOTE: If your tablet is running Android 12 Go Edition, you're in the wrong place. Skip down to the next section.
1. Download the Gen 1 patched boot image that matches your S/N variant using the links below, and save the file on your PC/laptop in the ADB/Fastboot directory. Note that the file is named patched_boot.img. The flashing command below assumes that you leave this file name unchanged;
2. Go to device Settings>About tablet and tap Build number 7 times or until Developer Options are enabled. (This step is necessary if you unlocked your bootloader using the previous section, due to the factory data reset.) Enable USB Debugging in the Developer Options menu;
3. Power your tablet off. Hold the Power and Volume Down keys simultaneously until the QLink logo appears, at which time you release Power but continue holding Volume Down. The green Android will appear on the display to indicate fastboot mode;
4. Connect your tablet to your PC or laptop using a quality data sync cable. Verify your connection using the instructions in Step 4 of the bootloader unlocking section above;
5. Once a solid connection is verified, execute these commands:
Code:
fastboot flash boot patched_boot.img
fastboot reboot
NOTE: Your active boot slot should be boot_a. Regardless, the above command flashes your active slot by default, without having to specify slot _a or _b.
Upon reboot, your tablet will be rooted with the latest Magisk systemless root strategy. If you do not see the Magisk app or the placeholder stub in your app drawer, go ahead and download the latest version from the link below and install the APK on your tablet. Open the Magisk app, grant the prompted permissions, and follow any prompts to complete setting up the root environment.
B. Gen 2 QLink Scepter 8 (Android 12, Go Edition)
NOTE: If your tablet is running Android 11 Go Edition, you're in the wrong place. Go back to the previous section.
1. Download the Gen 2 patched boot image that matches your S/N variant and the empty vbmeta.img using the links below, and save the files on your PC/laptop in the ADB/Fastboot directory. Note that the boot image file is named patched_boot.img, and the vbmeta image is named vbmeta.img. The flashing commands below assume that you leave these file names unchanged;
2. Go to device Settings>About tablet and tap Build number 7 times or until Developer Options are enabled. (This step is necessary if you unlocked your bootloader using the previous section, due to the factory data reset.) Enable USB Debugging in the Developer Options menu;
3. Power your tablet off. Hold the Power and Volume Down keys simultaneously until the QLink logo appears, at which time you release Power but continue holding Volume Down. The green Android will appear on the display to indicate fastboot mode;
4. Connect your tablet to your PC or laptop using a quality data sync cable. Verify your connection using the instructions in Step 4 of the bootloader unlocking section above;
5. Once a solid connection is verified, execute this command:
Code:
fastboot flash boot patched_boot.img
Now, continuing in fastboot mode, you will need to disable dm-verity/Android Verified Boot (AVB) by flashing an empty vbmeta.img via executing the following command:
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
Next, execute this command to reboot your device:
Code:
fastboot reboot
Upon reboot, your tablet should now be rooted with the Magisk systemless root strategy. If you do not see the Magisk app or the stub placeholder in your app drawer, go ahead and download the latest version from the link below and install it on your tablet. Open the Magisk app, grant the prompted permissions, and follow any prompts to update Magisk and/or complete setting up the root environment.
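As an added example, not part of this guide or of the tools it links, here is a Python helper that applies the guide's two identification checks (Android 11 Go = Gen 1, Android 12 Go = Gen 2; S/N prefix CF or MD) and produces the exact fastboot sequence for that generation, refusing to flash if the chosen image is labelled for a different model/variant or if `fastboot devices` does not list the tablet. The `genN-XX` image label and the sample serial numbers are hypothetical, and the real fastboot commands are only executed when `dry_run=False`.

```python
import re
import subprocess
from typing import List, Tuple

Command = List[str]


def classify(android_version: str, serial: str) -> Tuple[int, str]:
    """Apply the guide's two checks: Android 11 Go = Gen 1, Android 12 Go = Gen 2,
    and the first two letters of the S/N (CF or MD) give the variant."""
    m = re.match(r"\s*(\d+)", android_version)
    gen = {"11": 1, "12": 2}.get(m.group(1) if m else "")
    if gen is None:
        raise ValueError(f"unsupported Android version {android_version!r}; expected 11 or 12")
    variant = serial.strip().upper()[:2]
    if variant not in ("CF", "MD"):
        raise ValueError(f"unexpected S/N prefix {variant!r}; expected CF or MD")
    return gen, variant


def device_connected(devices_output: str, serial: str) -> bool:
    """Parse `fastboot devices` output ("<serial>\\t<mode>" per line).

    True only when our serial is listed; empty output or the
    '< waiting for any device >' message means the driver/cable problem
    described in the guide has not been fixed yet.
    """
    for line in devices_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == serial:
            return True
    return False


def fastboot_plan(gen: int, boot_img: str = "patched_boot.img",
                  vbmeta_img: str = "vbmeta.img") -> List[Command]:
    """The command sequence from the guide for each generation."""
    plan: List[Command] = [["fastboot", "flash", "boot", boot_img]]
    if gen == 2:
        # Gen 2 (Android 12) additionally needs AVB switched off with an empty vbmeta;
        # after this the boot chain is no longer verified, which is what lets the
        # Magisk-patched boot image load.
        plan.append(["fastboot", "--disable-verity", "--disable-verification",
                     "flash", "vbmeta", vbmeta_img])
    plan.append(["fastboot", "reboot"])
    return plan


def root_tablet(android_version: str, serial: str, image_label: str,
                devices_output: str, dry_run: bool = True) -> List[Command]:
    """Refuse to flash unless the image label (hypothetical 'genN-XX' naming) matches the
    detected model/variant and the tablet is listed by fastboot; returns the plan."""
    gen, variant = classify(android_version, serial)
    expected = f"gen{gen}-{variant}"
    if image_label != expected:
        raise ValueError(f"image is labelled {image_label!r} but this tablet is {expected!r}")
    if not device_connected(devices_output, serial):
        raise RuntimeError("tablet not listed by `fastboot devices`; fix drivers/cable first")
    plan = fastboot_plan(gen)
    if not dry_run:
        for cmd in plan:
            subprocess.run(cmd, check=True)
    return plan


if __name__ == "__main__":
    # Constructed sample: a Gen 2 MD-variant tablet visible in fastboot mode.
    sample_devices = "MD0123456\tfastboot\n"
    for cmd in root_tablet("12", "MD0123456", "gen2-MD", sample_devices):
        print(" ".join(cmd))
```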
IMPORTANT NOTE:
In the unfortunate event you have a mishap with rooting your tablet and get stuck in a boot loop, or if your tablet will not otherwise boot into the Android OS, have no worries. My tutorial on firmware restoration for the QLink Scepter 8 will revert your device back to its original stock factory state. You can then return here and give it another try.
QLink Scepter 8 Firmware Restoration Guide
DOWNLOADS:
• 15-Second ADB Installer
• Gen 1 (CF) Patched Boot Image
• Gen 1 (MD) Patched Boot Image
• Gen 2 (CF) Patched Boot Image
• Gen 2 (MD) Patched Boot Image
• Empty vbmeta.img
• Official Magisk Releases / GitHub Repo
THANKS & MENTIONS:
Thanks goes out to Hot Pepper Mobile CEO Shawn Sun and Support Specialist Joshua G for providing stock firmware images for this device.
Also, I wish to recognize and thank @13lack13ox for being a huge help to thread members at times when I was not able.
For some reason, I'm stuck on the part where you have to use the fastboot option. So basically, I got my tablet in fastboot mode (the secondary one with the green android graphic), but when I tried to use the adb function, it doesn't detect my tablet. And also, the command "fastboot devices" doesn't do anything, and when I try to use "fastboot device" it just says waiting for any device and just... stays there, not detecting my tablet. I tried multiple computers, tried both PowerShell and the command prompt with admin privileges, to no avail. For information, it worked when my tablet was on the V9 firmware, but it's slightly newer since I just updated to V9_20220224... so maybe that might have something to do with it...
64Star said:
For some reason, I'm stuck on the part where you have to use the fastboot option. So basically, I got my tablet in fastboot mode (the secondary one with the green android graphic), but when I tried to use the adb function, it doesn't detect my tablet. And also, the command "fastboot devices" doesn't do anything, and when I try to use "fastboot device" it just says waiting for any device and just... stays there, not detecting my tablet. I tried multiple computers, tried both PowerShell and the command prompt with admin privileges, to no avail. For information, it worked when my tablet was on the V9 firmware, but it's slightly newer since I just updated to V9_20220224... so maybe that might have something to do with it...
Sounds like you have a common driver issue. Do this: with your device connected to your PC in fastboot mode, right click your Windows start button and open Device Manager. What is your tablet showing up as? We will need to update your driver. I can walk you through it. Did you install the Google driver from the 15-Second ADB Installer? I am nearly finished writing a guide on properly installing the device drivers. I will link it here when posted. It will give you a detailed step-by-step outline. I don't think it's an issue with the firmware builds. Fastboot detection issues are common with this tablet due to some type of instability with driver persistence. For example, I often need to update my driver every time I use fastboot mode because, for some odd reason, the updated driver doesn't persist once the tablet is disconnected from the PC and then reconnected.
I don't have this tablet but another Hot Pepper device called the Poblano. With that I was able to boot into FFBM from the bootloader and have root adb access. Then I ran dd on my boot partition and patched it with Magisk and flashed it back.
Wondering if Hot Pepper still makes their devices like that or they patched it. Either way, props to you for getting the FW straight from the OEM.
luridphantom said:
I don't have this tablet but another Hot Pepper device called the Poblano. With that I was able to boot into FFBM from the bootloader and have root adb access. Then I ran dd on my boot partition and patched it with Magisk and flashed it back.
Wondering if Hot Pepper still makes their devices like that or they patched it. Either way, props to you for getting the FW straight from the OEM.
The Scepter 8 does not ship with adb root shell (adbd) enabled. In fact, the bootloader was not even intended to be unlocked. The unlock command is disabled in standard fastboot mode. Luckily, the Scepter 8 is integrated with a second fallback fastboot mode, which we were able to use to do the oem unlock.
Many AllWinner tablets and other Chinese devices do, as you pointed out on your Hot Pepper device. When the Scepter 8 was first released I was able to pull a boot image using a Phoenix Suite tool that had been reverse engineered and modded. As luck would have it, I got rid of the tablet and lost my files along with access to the Phoenix Suite tool. So I've spent weeks quarreling with Hot Pepper Mobile to provide firmware and the kernel source code. To their credit, the Hot Pepper CEO and support team were very helpful once they understood what I needed. Hot Pepper's software developers are in China, so a language translation issue hindered my request for some time.
Anyway thank you for your kind words and it is a pleasure making your acquaintance.
@64Star I have updated the thread above with some detailed instructions on updating your device drivers. Hope this helps.
Viva La Android said:
@64Star I have updated the thread above with some detailed instructions on updating your device drivers. Hope this helps.
It does, I've unlocked the bootloader and now i'm gonna go root it. Thanks for your help!
I have an unfortunate update: When I went to turn on my tablet, I've noticed there was a noticeable crack on the top left corner of the screen... and then when I tried to use it... the touchscreen no longer functions. I have no clue where that crack came from, cause that wasn't there yesterday, and I've kept it safe in a drawer until now, so I have no clue how it's possible. Guess the software isn't the only thing that's cheap, cause my 2020 Moto G Power survived way worse without even a single crack.
TL;DR: Touch screen somehow broke overnight, meaning I can't get past the setup screen, so GG no re, this $10 qlink tablet ****ing sucks.
64Star said:
I have an unfortunate update: When I went to turn on my tablet, I've noticed there was a noticeable crack on the top left corner of the screen... and then when I tried to use it... the touchscreen no longer functions. I have no clue where that crack came from, cause that wasn't there yesterday, and I've kept it safe in a drawer until now, so I have no clue how it's possible. Guess the software isn't the only thing that's cheap, cause my 2020 Moto G Power survived way worse without even a single crack.
TL;DR: Touch screen somehow broke overnight, meaning I can't get past the setup screen, so GG no re, this $10 qlink tablet ****ing sucks.
@64Star I hate to hear that but I know exactly how it goes. I've cracked many a screen in my day. But, on a positive note, if you have the extra funds, there are a ton of these tablets available on eBay within the $35 to $40 price range.
Viva La Android said:
@64Star I hate to hear that but I know exactly how it goes. I've cracked many a screen in my day. But, on a positive note, if you have the extra funds, there are a ton of these tablets available on eBay within the $35 to $40 price range.
LOL really turning a profit!
13lack13ox said:
LOL really turning a profit!
Haha. No doubt
Sorry about the delay on TWRP guys. My mounting issues are actually encryption issues. TWRP isn't decrypting the /userdata or /vendor partitions with the default key. I'm going to chat with one of my friends over at TeamWin and see if I can get a little guidance.
Viva La Android said:
@64Star I hate to hear that but I know exactly how it goes. I've cracked many a screen in my day. But, on a positive note, if you have the extra funds, there are a ton of these tablets available on eBay within the $35 to $40 price range.
You really expect me to shell out around $35 to $40 on a slow, laggy $10 tablet just to experiment on? Hahahahahaha....
Spoiler
Perhaps
64Star said:
You really expect me to shell out around $35 to $40 on a slow, laggy $10 tablet just to experiment on? Hahahahahaha....
Spoiler
Perhaps
Not really. I was only providing you info as to where they were available. I found one for $19 which is more than I really wanted to give.
As it stands now, all the lag is gone in mine. I debloated everything that wasn't essential for normal operations. Then I edited the system/build.prop to increase responsiveness and I limited background apps & processes. Finally, I installed a kernel tuner and set the LMK to very aggressive, tweaked the I/O scheduler parameters, and increased entropy from the available pool. And set SELinux to permissive mode. I'm using Nova Launcher Premium with the launcher locked into memory. Believe it or not, the tablet is now very responsive considering the specs. I'm looking into overclocking the CPU a bit, but 1.46 GHz seems to suffice once RAM is optimized. It's a night-and-day difference. It's good for a project tablet but that's about it.
There's another government tablet floating around called the Maxwest Nitro 7Q. 4G/LTE supported with a lot better specs. I think I have one located to buy for cheap.
Lots of tweaks. It doesn't run too bad just removing bloatware. Would be cool to get your params on your tweaks etc. If you ever got time could you post it up? Maybe the ROM you were talking about in another post has all that included? Anyways, if not, no biggie, this thing is just for playing around on.
13lack13ox said:
Lots of tweaks. It doesn't run too bad just removing bloatware. Would be cool to get your params on your tweaks etc. If you ever got time could you post it up? Maybe the ROM you were talking about in another post has all that included? Anyways, if not, no biggie, this thing is just for playing around on.
Absolutely. I'll list those for you here in just a little bit. I have a pure stock ROM built with a TWRP installer, but my TWRP has run into a snag. I've reached out to TeamWin for guidance on that.
All in good time, man. Just glad someone with knowledge is doing all this. Wish I could help more. My ability to program and compile is equivalent to stick poking. I've done it once with AOSP 6; that was a while ago.
13lack13ox said:
All in good time, man. Just glad someone with knowledge is doing all this. Wish I could help more. My ability to program and compile is equivalent to stick poking. I've done it once with AOSP 6; that was a while ago.
You seem to know your way around the Android OS pretty well. I'm a developer in training myself. Learning every day. Yeah AOSP 6, I still love working with the Marshmallow builds.
Ok first things first. I notice a huge performance boost from some kernel level mods. Here is a link to Kernel Toolkit. Install both APKs. https://mega.nz/folder/QYwA0QTA#O_Zg3h_iVkHOdeyU_yOmLw
First go to the CPU heading and change the scaling governor to Ondemand. Under CPU Governor Params, tap on Performance Profile and select Maximum Performance (you may personally want to scale back to Aggressive or Balanced, depending on your need for battery life). Now, close Kernel Toolkit and restart the app. Next go to the I/O heading. Choose kyber as the I/O scheduler and set the read ahead buffer to 512 KB. Go down to ZRAM and increase to the maximum of 1000 MB. Set Swappiness to 100. Go over to the Profiles heading, create a profile with all settings and give it a name recommended from the list. When complete, tap on the profile, select save settings and then apply settings.
Now go to the menu button in the upper left of the app. Go down and enable Apply Settings on Boot. Select All and set a 5 second delay.
Next, download a build.prop editor from Play Store. There are tons of free ones and any will suffice. Make a backup of your system/build.prop before you tweak anything. Open the editor and grant root permission.
For build.prop edits, locking your launcher into memory helps a lot with responsiveness. Add this line to system/build.prop
ro.HOME_APP_ADJ=1
This basically prevents the launcher from being killed by Android's native LMK.
To increase touch responsiveness, add these lines as well.
debug.performance.tuning=1
video.accelerate.hw=1
Disable the boot animation for faster boot time.
debug.sf.nobootanimation=1
Reboot to enable the tweaks.
Give these a try and let me know your feedback. I'm working on a few more mods to optimize this tablet and I'll keep you posted on those as well.
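The post above says to back up system/build.prop before adding the four properties. The script below is an added example (not the poster's code or any tool from the thread) that does exactly that on a copy of the file: it takes a backup once, then sets each key in place if it already exists or appends it if it does not, so running it twice never duplicates a line. The build.prop path, the `.bak` suffix and the constructed sample file are assumptions; on a rooted tablet you would `adb pull /system/build.prop`, run this on the PC, and `adb push` the result back after `adb remount`.

```shell
#!/bin/sh
# Added example: idempotent build.prop tweaks with a mandatory backup.
# Keys and values are the four lines listed in the post above.
TWEAKS='ro.HOME_APP_ADJ=1
debug.performance.tuning=1
video.accelerate.hw=1
debug.sf.nobootanimation=1'

# backup_prop FILE -> copies FILE to FILE.bak once; never overwrites an existing backup
backup_prop() {
    f="$1"
    if [ ! -e "$f.bak" ]; then
        cp -p "$f" "$f.bak" || return 1
    fi
}

# has_prop FILE KEY -> exit 0 if a "KEY=" line exists (exact key match, no regex)
has_prop() {
    awk -v k="$2" -F= '$1 == k { found = 1 } END { exit !found }' "$1"
}

# set_prop FILE KEY VALUE -> rewrite the existing KEY line in place, or append one
set_prop() {
    f="$1"; key="$2"; val="$3"
    if has_prop "$f" "$key"; then
        tmp="$f.tmp.$$"     # portable in-place edit (no sed -i)
        awk -v k="$key" -v v="$val" 'BEGIN { FS = OFS = "=" } $1 == k { $0 = k "=" v } { print }' \
            "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf '%s=%s\n' "$key" "$val" >> "$f"
    fi
}

# get_prop FILE KEY -> print the value of KEY (empty if absent), for verification
get_prop() {
    awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# apply_tweaks FILE -> backup first, then apply every tweak from TWEAKS
apply_tweaks() {
    f="$1"
    backup_prop "$f" || return 1
    printf '%s\n' "$TWEAKS" | while IFS='=' read -r k v; do
        if [ -n "$k" ]; then
            set_prop "$f" "$k" "$v"
        fi
    done
}

# demo -> runs the whole flow on a constructed sample build.prop (not from a real device)
demo() {
    sample="${TMPDIR:-/tmp}/build.prop.example.$$"
    printf 'ro.build.id=EXAMPLE\nro.HOME_APP_ADJ=2\n' > "$sample"
    apply_tweaks "$sample"
    echo "--- tweaked build.prop ---"; cat "$sample"
    echo "--- backup ---";            cat "$sample.bak"
    rm -f "$sample" "$sample.bak"
}

demo
```

The key check uses `awk` field equality rather than `grep "^key="`, because property names contain dots and a regex would also match `roXHOME_APP_ADJ`; `has_prop` is the piece to reuse if you want to audit a pulled build.prop for a property before changing anything.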
Thx, great changes so far. Yeah, more "snappiness" for sure. I'll have to play around and open up as much as I can swap around.
I can't change I/O scheduler though, I get a contact developer message.
13lack13ox said:
Thx great changes so far.
Yw. Do you notice a decent improvement?