[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 10 2017 (suez)

• Thread starterk4y0z
• Start dateMar 21, 2019

• Tags

  roottwrpunbrickunlock

• There are no posts matching your filters.
• 88

  K

  k4y0z

  Read this whole guide before starting.
  
  This is for the 7th gen Fire HD10 (suez).
  
  Current version:amonet-suez-v1.1.2.zip
  
  
  NOTE: This process does not require you to open your device, but should something go horribly wrong, be prepared to do so.
  
  
  NOTE: This process will modify the partition-table (GPT) of your device.
  
  
  NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
  
  
  What you need:
  

  • A Linux installation or live-system
  • A micro-USB cable

  
  Install python3, PySerial, adb, fastboot dos2unix. For Debian/Ubuntu something like this should work:
  

  Code:

  sudo apt updatesudo add-apt-repository universesudo apt install python3 python3-serial adb fastboot dos2unix

  
  1. Extract the attached zip-file"amonet-suez-v1.1.2.zip" and open a terminal in that directory.
  
  
  NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by@diplomatic fromhere and place (the unpacked binary) intoamonet/bin folder
  
  
  2. Enable ADB in Developer Settings
  
  3. Start the script:
  

  Code:

  sudo ./step-1.sh

  
  Your device will now reboot into recovery and perform a factory reset.
  
  NOTE: If you are on firmware 5.6.4.0 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
  If you chose the brick option, you don't need to run step-2.sh below:
  
  

  
  Make sure ModemManager is disabled or uninstalled:
  

  Code:

  sudo systemctl stop ModemManagersudo systemctl disable ModemManager

  
  After you have confirmed the bricking by typing "YES", you will need disconnect the device and run
  

  Code:

  sudo ./bootrom-step-minimal.sh

  Then plug the device back in.
  
  It will then boot into "hacked fastboot" mode.
  Then run
  

  Code:

  sudo ./fastboot-step.sh

  
  
  
  NOTE: When you are back at initial setup, you can skip registration by selecting a WiFi-Network, then pressing "Cancel" and then "Not Now"
  NOTE: Make sure you re-enable ADB after Factory Reset.
  
  
  4. Start the script:
  

  Code:

  sudo ./step-2.sh

  
  The exploit will now be flashed and your device will reboot into TWRP.
  
  You can now install Magisk from there.
  
  
  Going back to stock
  Extract the attached zip-file"amonet-suez-v1.1-return-to-stock.zip" into the same folder where you extracted"amonet-suez-v1.1.2.zip" and open a terminal in that directory.
  You can go back to stock without restoring the original partition-table, so you can go back to unlocked without wiping data.
  Just use hacked fastboot to
  

  Code:

  fastboot flash recovery bin/recovery.img

  
  If you want to go back completely (including restoring your GPT):
  

  Code:

  sudo ./return-to-stock.sh

  
  Your device should reboot into Amazon Recovery. Use adb sideload to install stock image from there. (Make sure to use FireOS 5.6.3.0 or newer, otherwise you may brick your device)
  
  Important information
  
  In the new partitioning scheme your boot/recovery-images will be inboot_x/recovery_x respectively, whileboot/recovery will hold the exploit.
  TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
  
  Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them toboot_x/recovery_x)
  
  Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
  
  TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
  
  For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
  
  It is still advised to disable OTA.
  
  
  Very special thanks to@xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
  Special thanks also to@retyre for porting the bootrom-exploit and for testing.
  Special thanks also to@diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
  Thanks also to@bibikalka and everyone who donated
  Thanks to@TheRealIntence and@b1u3m3th for confirming it also works on the 64GB model.

  Mar 21, 2019View
  15

  K

  k4y0z

  Unbricking
  
  If RecoveryOR FireOS are still accessible there are other means of recovery, don't continue.
  
  If your device shows one of the following symptoms:
  

  1. It doesn't show any life (screen stays dark)
  2. You see the whiteamazon logo, but cannot access Recovery or FireOS.

  
  If you have aType 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (SeeChecking USB connection below).
  

  1. Make sure the device is powered off, by holding the power-button for 20+ seconds
  2. Start bootrom-step.sh
  3. Plug in USB

  
  In all other cases you will have to open the device and partially take it apart.
  Followthis guide by@retyre until(including) step 8..
  AtStep 6. you willreplace
  

  Code:

  sudo ./bootrom.sh

  with
  

  Code:

  sudo ./bootrom-step.sh

  Should the script stall at some point, restart it and replug the USB-cable (Shorting it again should not be necessary unless the script failed at the very beginning).
  
  If the script succeeded, put the device back together.
  When you turn it on, it should start inhacked fastboot mode.
  You can now use
  

  Code:

  sudo ./fastboot-step.sh

  This will flash TWRP and reset your device to factory defaults, then reboot into TWRP.
  
  
  Checking USB connection
  Inlsusb the boot-rom shows up as:
  

  Code:

  Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

  
  If it shows up as:
  

  Code:

  Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader

  instead, you are in preloader-mode, try again.
  
  dmesg lists the correct device as:
  

  Code:

  [ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00

  Mar 21, 2019View
  11

  K

  k4y0z

  Changelog
  Version 1.1.2 (26.03.2019)
  

  • Fix regenerating GPT from temp GPT

  
  Version 1.1.1 (26.03.2019)
  

  • Fix unbricking procedure

  
  Version 1.1 (25.03.2019)
  

  • Update TWRP-sources to twrp-9.0 branch
  • TWRP uses kernel compiled from source
  • Add scripts to use handshake2.py to enter fastboot/recovery

  
  Features.
  
  

  • Uses 5.6.3 LK for full compatibility with newer kernels.
  • Hacked fastboot mode lets you use all fastboot commands (flash etc).
  • Boots custom/unsigned kernel-images (no patching needed)
  • TWRP protects from downgrading PL/TZ/LK
  • For the devs: setsprintk.disable_uart=0 (enables debug-output over UART).

  
  NOTE: Hacked fastboot can be reached via TWRP.
  
  NOTE: Hacked fastboot doesn't remap partition names, so you can easily go back to stock

  Mar 21, 2019View
  11

  S

  smartypantsuk

  k4v7uk said:

  This sounds promising. Is there any documentation on here to get SuperSu on the Fire? It would be great if i could get this method to work. I really dont want to open the thing. Thanx for your help.

  Click to expand...

  Click to collapse

  You'll need a linux distrubution to work from, a live boot cd/usb will work fine.
  Don't use WSL (Subsystem for Linux) on Windows 10 as usb support doesn't work properly, or at all, for anything other than usb storage devices.
  
  This guide was part of a larger guide on Github, adapted from Retyre's XDA Guide.
  
  Root on Fire HD10 2017 5.6.9.0 (not tried on other systems)
  
  

  1. Download theroot exploit code (alternate link SHA256 8bfc3d5c75964e5fa28c8ffa39a87249ba10ea4180f55f546b2dcc286a585ea8) andSuper_SU18+ (alternate link SHA256 b572c1a982d1e0baeb571d3bc0df7f6be11b14553c181c9e0bf737cc4a4fbbfd).
     wget -c "http://myphone-download.wondershare.cc/mgroot/20165195.zip" "http://myphone-download.wondershare.cc/mgroot/SuperSU_18+.zip"
  2. Unzip them both to a 20165195 directory.
     unzip -u 20165195.zip -d 20165195 && unzip -u SuperSU_18+.zip -d 20165195
  3. Check the 20165195 directory contains all the needed files.
     $ ls -1 20165195
     Matrix
     Superuser.apk
     ddexe
     debuggerd
     fileWork
     install-recovery.sh
     krdem
     mount
     patch_boot.sh
     pidof
     push_root.sh
     start_wssud.sh
     su
     su_arm64
     supersu.zip
     supolicy
     toolbox
     wsroot.sh
  4. Push the directory to the tablet.
     adb push 20165195 /data/local/tmp
  5. Login to the tablet.
     adb shell
  6. Make the files executable.
     chmod 755 /data/local/tmp/20165195/*
  7. Run the exploit. You should see a lot of output while it runs.
     /data/local/tmp/20165195/Matrix /data/local/tmp/20165195 2
     If the script executes successfully, the final lines of output should display the memory location that was exploited (may be different than 0x7fab64c000) and a value of 0 for <Exploit> and <Done>. If it fails, check theTroubleshooting section:
  8. exploited 0x7fab64c000=f97cff8c
     end!!!!!!!
     <WSRoot><Exploit>0</Exploit></WSRoot>
     <WSRoot><Done>0</Done></WSRoot>
     
     
  9. You can verify root with su.
     shell@suez:/ $ su
     su
     root@suez:/ #
  10. Back on your computer, downloadSuperSU 2.82 SR5 apk (alternate link SHA256 2c7be9795a408d6fc74bc7286658dfe12252824867c3a2b726c1f3c78cee918b) and install it to the tablet with adb.
      adb install "eu.chainfire.supersu_2.82-SR5-282_minAPI9(nodpi)_apkmirror.com.apk"
  11. Open up the SuperSU app on the tablet, tapGet Started, then tapContinue and selectNormal to update the app. SelectReboot after it is done installing to reboot the tablet.
  12. After the tablet reboots, open SuperSU app again, tap onSettings tab, then tapDefault access, then chooseGrant.
  13. Log in to your tablet.
      adb shell
  14. Switch to superuser and delete directories /data/data-lib/com.wondershare.DashRoot and /data/data-lib/wondershare.
      su
      rm -r /data/data-lib/com.wondershare.DashRoot /data/data-lib/wondershare

  
  Once rooted, you can start the main guide on here for TWRP installation and skip past the root part.
  Notes: At stage 7, running the exploit, you may find get an error instead of a successful output like above.
  If you get this or similar, try rebooting your Fire HD and try again:
  
  <WSRoot><Exploit>0x00000332</Exploit></WSRoot>
  check done
  sched_setaffinity: Function not implemented<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
  FAIL : load1 --> /sepolicy
  <WSRoot><Exploit>0x00000341</Exploit></WSRoot>
  <WSRoot><Exploit>0x00000881</Exploit></WSRoot>
  <WSRoot><Done>0x00000172</Done></WSRoot>
  
  I had to reboot once to get it to work. It's also worth noting that, even though it was successful the second time, i still received a function not implemented error, but it still worked. This is the part that you're looking for to be sucessful:
  
  <WSRoot><Exploit>0</Exploit></WSRoot>
  <WSRoot><Done>0</Done></WSRoot>

  Oct 24, 2021View
  9

  K

  k4y0z

  Just uploaded version 1.1.
  If you are already unlocked you can just install the zip-file from TWRP to update.
  
  Version 1.1 (25.03.2019)
  

  • Update TWRP-sources to twrp-9.0 branch
  • TWRP uses kernel compiled from source
  • Add scripts to use handshake2.py to enter fastboot/recovery

  Mar 25, 2019View