[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis) - Fire TV Original Android Development

NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
These devices cannot be unlocked using kamakiri.
These devices do not show up at all on USB when shorted.
After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
Together we proudly present kamakiri for the FireTV Stick 4K.
Before proceeding make sure to read and understand this entire post.
Running this exploit requires a patched linux-kernel on the PC you are using.
We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
You can find the current version of the ISO at:
https://github.com/amonet-kamakiri/fireiso/releases
It can be burned to a CD or to a USB-flashdrive.
Current Version: kamakiri-mantis-v2.0.1.zip
You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)
You will need something for shorting (wire, aluminum foil etc.)
Boot the ISO
Download and extract the exploit package.
Open a terminal in the kamakiri directory
Run
Code:
./bootrom-step.sh
Short one of the points in the attached photo to ground (the cage of the shielding).
Ideally you want to use DAT0, but since that is tiny it might be easier to short the point marked CLK instead.
It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers, as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
Connect the stick to your computer (while keeping it shorted)
The script should tell you to release the short and hit enter
Once finished run
Code:
./fastboot-step.sh
Your device will now reboot into TWRP
Important information
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
thanks to @hwmod for the picture
thanks to @Sus_i for providing an update.bin
thanks to @zeroepoch for developing aftv2-tools
Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/

There are three options for interacting with TWRP:
A mouse via USB-OTG
TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
Via /cache/recovery/command
Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery
Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.
NOTE: This will only work if the boot-exploit is still there.

Changelog:
Version 2.0.1 (04.03.2022)
Fix Boot Menu on TWRP-Install
Version 2.0 (02.03.2022)
Update PL and TZ
Update TWRP to 3.6.1_9-0
Add support for boot-recovery and boot-fastboot
Add support for fused devices with FireOS < 6.2.8.7
Version 1.2 (20.10.2019)
Update TZ from 6.2.6.6
Add support for updating via TWRP
Version 1.1 (17.10.2019)
Add delay to properly flush data to EMMC

Yesss!!! Thanks.

Mother of GOD.
Can't believe.
And can't wait for a clean Android TV Rom.
It will be amazing since I need to use an American account to use this fire stick 4k in my country.

Complete, no issues... Great job! Thanks for the live USB, could not have made this easier!

@k4y0z I wonder why this cannot be done in Ubuntu?
I'm able to install pyusb with:
Code:
sudo apt-get install python-usb python3-usb
And then the scripts start. Is it due to the kernel patch?
BTW: good work. I'm still looking at the exploit on GitHub and it looks awesome lol.

Rortiz2 said:
@k4y0z I wonder why this cannot be done in Ubuntu?
k4y0z said:
Running this exploit requires a patched linux-kernel on the PC you are using.
If you patch your kernel, there is no reason it wouldn't work on ubuntu.

I love the option to go into TWRP on boot with an OTG.... Fantastic!

Thanks to everyone involved. So happy to get some control over the 4k!

Can someone explain how to get the shield off?

rbox said:
Can someone explain how to get the shield off?
The heatsink and shield come off together, they are clipped on.
Start levering it up from the narrow side.

@k4y0z
Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:
Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?
Keep the good stuff coming!!!

Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

rootuser11 said:
Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..
No, the only way they can fix it is with a new hardware revision.

Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.

Getting off the heatsink was a bit daunting especially because I didn't know there was also a sticky pad holding it on. Also spent ages trying to short the DAT0 point, got fed up and got it first time with CLK. Now I just need a rom to install!

iLLNiSS said:
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.
Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.
Try
adb reboot recovery

bibikalka said:
@k4y0z
Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:
Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?
Keep the good stuff coming!!!
Unfortunately the fastboot bug cannot be used like that on the 4K or we probably would have done so from the start
I will look into the FireStick 2 when I get the time, but given the fastboot-bug is LK-Version specific and can be easily patched, I am unsure if it's worth the effort.

Michajin said:
Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.
Try
adb reboot recovery
I’m guessing I have to actually install TWRP once inside TWRP the first time? I don’t have an OTG cable so never did anything once inside the first time.

Related

[REF] Installing Kindle Fire HD 8.9" 2nd-Bootloader + TWRP Complete Tutorial

Disclaimer: By following this guide, you understand and accept that I, and any developers mentioned in this guide, will NOT be held responsible in the event that your device stops functioning or dies. While I try my best to make everything as clear and concise as it can be, accidents will happen should you not follow everything like a hawk.
Installing Kindle Fire HD 8.9" 2nd-Bootloader + TWRP Complete Tutorial
I'm going to lead you through installing Hashcode's 2nd-Bootloader and TWRP in order to start flashing custom ROMs and make backups. First, let's go over the basics and why I'm doing this in the first place. I wrote this guide to be used on a Windows computer, but as long as you can do the same things on Mac/Linux, the whole guide applies. If there are any issues, please first refer to the troubleshooting portion at the end of the guide. The 8.9 version of the device does not need the factory cable to enter fastboot mode.
+Note: As of Amazon OS update 8.3.1+, there have been a lot of issues with rooting and flashing the 2nd-bootloader. Many users reported bootloops during the completion of the guide. Those with tablets running 8.3.1 or higher, please proceed with caution. I strongly recommend you make backups in Step 2.
===== 1. Why do we need a 2nd bootloader? =====
The stock Amazon bootloader doesn't play nice with Android even though it has Android at its core. We can still use fastboot commands with it, but other than that, it's quite locked-down. In other words, normal exploits used to unlock the bootloader on other Android devices, for example, like the Nexus series by Google or the handsets by HTC don't apply here. In order to use the same features, like a custom ROM, custom kernel, custom recovery, we must bypass Amazon's software by installing a 2nd bootloader.
===== 2. Why are you posting a tutorial? =====
I'm doing this because the lack of a guide means that people like myself, who are not proficient developers, keep running into issues and some ended up bricking their devices. This means that they end up with a heavy paperweight, with no chance of fixing, other than hoping that they're lucky with a fastboot cable (not the one that came with the device) and find their way back to the beginning. I'm sick of seeing so many questions about the exact same issues so I thought, why not just make a guide everyone can follow and thus make the world a better place.
===== 3. Do I need any special equipment/knowledge? =====
You don't need any special equipment, provided that you follow this guide word-for-word and be careful. I successfully installed the 2nd-Bootloader + TWRP and flashed CM10.1, within minutes. The key is make sure you don't miss anything, and if you're not sure, don't make any random guesses. As far as knowledge, yes, and no. Know what you're dealing with. Anything underneath the ROM has the chance to brick the device, so know what you're getting into.
===== 4. Can't I just use FireFireFire or another automatic tool to install the bootloader + TWRP? =====
Definitely not. This is the exact reason why there are so many threads in the Q&A section about bricked devices in the first place. Never use a tool that wasn't made for the version of your tablet. The Kindle Fire (1st gen), the Kindle Fire 2 (2nd gen), and the Kindle Fire HD 7" & 8.9" (3rd gen) are not the same devices, at all. Due to the way the bootloader behaves, flashing the files that are only compatible for the Kindle Fire 2 on a Kindle Fire HD 7" will definitely brick it. This is because the bootloader is so-named for a program that checks the booting process before the device actually boots, and if there are any bad sectors that don't match, the device won't boot.
How do you avoid this? By following guides like mine, and first knowing exactly what model you have. Yes, the Kindle Fire 2 and the Kindle Fire HD 7" look similar, and Amazon seriously have problems with their naming method, but a bit of research tells you that the Kindle Fire HD actually contains an HD resolution screen, 1280x800 for the 7" and 1920x1200 for the 8.9". Also, ONLY the Kindle Fire HD 7" and 8.9" models have a front-facing camera while the other models don't have one at all. If you want to be sophisticated about it, you can use working fastboot to identify the tablet.
+Note: if you know 100% that you have the right model, skip to Step 1 and begin the guide. This part is only for those with knowledge of fastboot and would like to confirm scientifically that they have the right model. You don't need to know how to use ADB or fastboot in order to successfully complete the guide and install custom ROMs:
In CMD, type:
Code:
fastboot -i 0x1949 getvar product
Hitting enter will return with <waiting for device>. If you connect your powered-off Kindle Fire HD 7" or 8.9" at this point, it will reboot into fastboot mode, and on CMD, it will return with "tate-xxx-xxx" for the 7" and "jem-xxx-xxx" for the 8.9". I cannot stress this enough, please know your stuff before you end up crying about how you made a simple mistake that cost you $200, or however many in other currencies, but I do know that universally, it's quite a lot of money.
===== 5. What is Android SDK, ADB, and Fastboot? =====
Android SDK is a package with the tools for an Android developer to modify devices and collect data to help them create builds and maintain a device. Included in the package is what we commonly use around here in the development world, called ADB (Android Debug Bridge) and Fastboot. ADB allows a computer to communicate with a device by means of a USB cable, allowing a developer to push and pull data between the two devices, and this is the way some root methods are discovered.
Fastboot is the term we use to refer to a diagnostic tool built into Android. This is because fastboot is the first thing a developer turns to when their device is bricked. Factory cables are designed to power the devices into fastboot, and that's all they're really good for. While ADB is for communication between two devices, pushing and pulling data, fastboot is all about writing data into the partitions on a device. We call this process "flashing". This is only for the 7 version of the device, the 8.9 version does not require the factory cable.
Generally, ADB commands in command prompts start with "adb" (i.e. "adb reboot bootloader" which commands a typical Android device to boot into bootloader mode, another name for fastboot mode). ADB commands can only be used when both devices are fully booted up, and ADB debugging is selected on the Android device. After the device boots into fastboot, the device no longer recognizes ADB commands, only fastboot commands. Likewise, in fastboot mode, commands begin with "fastboot" (i.e. "fastboot oem unlock" which unlocks the bootloader on many Android devices). While in fastboot mode, the only safe way to exit is by typing "fastboot reboot" although the usual power button will be fine for most cases.
On the Kindle Fire HD 7" and 8.9", you will notice that the fastboot commands look something like this: "fastboot -i 0x1949 flash boot boot.img" ("flash" is the command to flash a file, "boot" is the partition to flash the file into, and "boot.img" is the image file containing the booting information). The reason why there's a "-i 0x1949" is simply because of the locked-down bootloader. After we install the 2nd-bootloader, this part commands the device to flash the files into the stock bootloader, because the 2nd-bootloader doesn't accept fastboot commands.
To install the Android SDK and be able to use ADB + fastboot, go to this link: Android SDK. After you hit download, just be patient, and you will need a video reference to help set up the package properly, so click here: Video on Installation of Android SDK. To check if it installed properly, once you're done with the video, open up a command prompt (for Windows, hold the Windows key + R, and type cmd, then hit Enter), and type either "adb" or "fastboot" and hit Enter. For both cases, you should get a block of text that tells you what each command does.
To check if your device can work with ADB, enable ADB on the device (may be called USB debugging), and connect it to the computer. If there are any drivers installing, let them finish. Then, on the command prompt, type "adb devices" and hit Enter. If your ADB drivers work, you should see a line of letters and characters. Same thing with fastboot. Always do this check before you start messing around to make sure your devices are receiving the commands.
===== 6. How do I boot into fastboot mode? =====
This relies on you having a working device (as long as it can boot at all, you're good). If you wish to enter fastboot mode to flash system images like new versions of TWRP or restore Amazon OS 8.1.4 if you've got freezing or bootloops, then you need a regular USB cable that came with the device, or any other mini-USB cable that fits the device and the computer. Again, you need to have Android SDK installed before you can use fastboot. Turn the device off, and leave it unplugged. Go to your computer, open command prompt, and type this:
Code:
fastboot -i 0x1949 getvar product
Hit enter, and it should return with <waiting for device>. If it doesn't, your fastboot drivers aren't working. Install Android SDK and go from there. If it does, connect your turned-off Kindle to the computer. Two things will happen: one, the command prompt will show "jem-xxx-xxx" (something there), and two, your Kindle should reboot into fastboot mode. From here, you can begin using fastboot commands to flash to the device's partitions. To exit fastboot mode, after you finished flashing what you needed, type this:
Code:
fastboot -i 0x1949 reboot
And that's all for the basics! Let's move on to the actual process.
Step 1: Rooting
+Note: Some users reported not being able to root on later software versions, so check for 8.1.4 in your Settings, if it's higher than that, you may have some trouble, which is why I provided 3 methods.
Before you can do anything else, you need to root the device first. Rooting is the process of acquiring superuser (administrator) access on a Linux system, allowing you to modify just about anything with regards to software. It is generally very safe to do, provided you follow the correct guides and you use the correct tools, and if there are no tools, the knowledge to manually root the device. On many other Android devices, rooting also installs a custom recovery, but the Kindle Fire HD 8.9" is different. You must root first before you do any modifications.
Go to this thread: QEMU Root by sparkym3, and download the necessary attachments. Use any decompressing software to unzip the files, and install the Kindle Fire HD 8.9" ADB drivers (this may fail, no need to worry). Then jump to your device, go to Settings and turn on ADB, then plug it into your computer. At this time, your computer should report that the ADB Composite Interface has been installed. What this means is that your ADB drivers work. Go ahead and use that thread's instructions to root the device.
Alternatively, you can use this if the first method failed: Root_with_Restore_by_Bin4ry, same idea. Make sure your ADB drivers are working, and that ADB is turned on in Settings. Open the RunMe.bat file, choose option 1. Now it will ask for your Amazon account password to restore, go ahead and type in your password and proceed. After the device reboots, it will be sluggish, now run the first method again, and you'll be back to normal with root.
You can also try this: Root Kindle Fire HD with Windows
To check if you're rooted, when the device is on, go to the Amazon Appstore, install "ES File Manager" or any other root application, you want to see the window asking for superuser permissions. Once it installs, open it, go to settings, and turn on root browsing. If it asks for superuser permissions, you have root access, and you can move on to the next step. If the root programs say you have root, but you don't see the window asking for the permission, remember to go to the app listing, and tap on superuser to initialize the daemon, then try to check for root again.
Recap:
1. Download the root tools from the threads
2. Proceed to root by using the provided tools
3. Check if you successfully have root access using any root application
Step 2: Grabbing Files and Backing Up
Once you're rooted successfully, you need to grab the files we'll need for the installation. Go to Hashcode's thread: Kindle Fire 2nd-bootloader + TWRP for the Kindle Fire HD 8.9. Download ONLY two files: the TWRP recovery image, and the freedom-boot image. That's all, and transfer both of those to the root of the sdcard, now you can move on to Step 3: Installation if you wish to skip backing up.
I will go through the steps to backup. Remember that it is not mandatory that you do this; should you follow the guide very closely, you do not require backing up whatsoever. This just serves as an extraneous step for those who feel comfortable working with ADB and would like to participate in modding the device, in which case these files would come in handy in case the device is bricked. Again, it is NOT mandatory.
Connect the device to the computer through a normal USB cable, turn on ADB through settings. Open up the command prompt (CMD) on your computer: hold down the Windows key, and press R. This will open up Run, type "cmd" and hit Enter. Now, enter the following lines of code one-by-one, wait for a line to finish before going to the next one.
Code:
adb shell su -c "dd if=/dev/block/mmcblk0boot0 of=/sdcard/boot0block.img"
adb shell su -c "dd if=/dev/block/platform/omap/omap_hsmmc.1/by-name/boot of=/sdcard/stock-boot.img"
adb shell su -c "dd if=/dev/block/platform/omap/omap_hsmmc.1/by-name/recovery of=/sdcard/stock-recovery.img"
adb shell su -c "dd if=/dev/block/platform/omap/omap_hsmmc.1/by-name/system of=/sdcard/stock-system.img"
mkdir C:\KFHD8Backup
adb pull /sdcard/stock-boot.img C:\KFHD8Backup
adb pull /sdcard/stock-recovery.img C:\KFHD8Backup
adb pull /sdcard/stock-system.img C:\KFHD8Backup
Now open up the Computer folder, and in the C: drive you will find a folder called "KFHD8Backup" with all of those files that you just pulled in there. Once you're at this stage, you have finished backing up. Take that folder and put it somewhere safe, on a USB drive, or an external flash drive.
If you need to flash these to restore the device in case you have bricked it, boot into fastboot mode. Place the folder and the files in it back to the C: drive before attempting to restore (if you know how to use the cd command, feel free to change the location of the files). Once you're in fastboot, start with the first line of code to command CMD to locate the backups folder, then proceed with the second, one-at-a-time:
Code:
cd /d C:\KFHD8Backup
fastboot -i 0x1949 flash boot stock-boot.img
fastboot -i 0x1949 flash recovery stock-recovery.img
fastboot -i 0x1949 flash system stock-system.img
fastboot -i 0x1949 reboot
+Note: Be patient, as some of the codes take a while due to the amount of data being transferred between the device and your computer. If nothing happens after you hit Enter on a line of code or it just hangs at nothing, close the command prompt, open it up again, and retry. It might seem scary, but if there are no codes being executed in the command prompt (you'll see data transfers with kB/s and such if there's communication), it's safe to unplug the cable or close the command prompt. Feel free to reboot your computer, then plug the cable in and try again.
Also, know that these files, when flashed through fastboot, will revert your device back to the state of when these backups were made, so once you have TWRP, these files are no longer important. The backups you make in TWRP will be just as useful, and can save you both time and patience. If, however, you want to revert to a completely stock Amazon OS software for warranty purposes, or to redo this process for any reason, they will come into play because these backups retain your apps and your settings. Otherwise, use the KFHD System Restore Tool to go completely stock.
After you have backed-up (optional), and you have the two needed files on the sdcard (TWRP image and freedom-boot image, ignore the Amazon OS and the stack override files), you can move on to step three.
Recap:
1. Go to Hashcode's 2nd-bootloader thread
2. Download both the required files and move them to sdcard
3. Use ADB to make backups (optional)
4. Use fastboot to restore the images you backed up if there are issues
Step 3: Installation
You might have noticed that Hashcode made a pretty extensive thread to help you flash the bootloader, but another coder has since developed an automatic app to do all the work for you: FireFlash. Go ahead and download the .apk file. Move that file to the sdcard, and on the device, install it using "ES File Manager" (tap on that file) or "Easy Installer" (after it finishes scanning, select it and install), both found on the Amazon Appstore. You will then find it in the applications listing, go ahead and open it.
The first thing you notice is that there are spots to plug in files for different partitions. This is where those files from Hashcode come into play. Plug the freedom-boot.img into the boot partition space, plug the TWRP recovery.img into the recovery partition, and make sure to hit "apply stack". If you are NOT on the 8.1.4 bootloader (you'll see red letters warning you), then hit the check box next to that to flash the 8.1.4 bootloader, otherwise you'll see a red screen after you reboot. If you don't see that warning, you're fine, move on.
Check that "disable recovery auto update" box, leave everything else alone, unplug the cable, and hit flash (the first option). You will see a progress window, and just hit OK. Then, turn off the device. Now, when you turn it on, this is the way to enter recovery every time: the moment you turn it on, you'll see the yellow Kindle title. Immediately hold down the Volume Up button (leftmost from the power button) before it turns blue, and once it does, count to three in your head and let go and you'll see the TWRP splash logo. Once you're in TWRP, you're done. Just hit reboot, and everything's finished. Now you can browse the 8.9" Development forum for custom ROMs.
If you want to save space, you can now go ahead and delete all the files we just used; you no longer have a need for any of them. Keep FireFlash, though, because in the future you might want to update TWRP, then leave everything blank, plug the update image into the recovery partition and hit flash. Only use Hashcode's TWRP builds as of now, because he specifically altered those builds to work on the Kindle Fire HD 7" and 8.9" so the official ones on the TWRP site won't work. If you flash those (especially the "blaze" codename), you will brick the device, so don't do it!
Recap:
1. Download FireFlash and install on device using file manager or installer
2. Plug in the required files in the correct areas, and check the necessary checkboxes
3. Flash, and boot into TWRP to confirm successful installation of both 2nd-Bootloader and TWRP recovery
Step 4: Flashing Custom ROMs
This is what you've been waiting for, the ability to load custom ROMs. You have a few choices at this point in time. This list contains (somewhat, if not) stable releases only:
1. CyanogenMod 11 by Hashcode (AOSP, Android 4.4 KitKat)
2. ParanoidAndroid Port by jb2kred (AOKP, Android 4.2.2 Jelly Bean)
3. PAC-man by goldflame09 (AOKP, hybrid of CM + PA, Android 4.3 Jelly Bean)
4. CM11/SGT7 by twa-priv (CM + Samsung Galaxy Tab 7 mods, Android 4.4 KitKat)
Once you have the .zip files for the ROMs with GApps (Google apps, like Play Store), place them on the sdcard, and turn off the device. Turn it on, hold Volume-Up before the logo turns blue, and enter TWRP. Once there, immediately do two things: make a backup, and after that, wipes: system, factory reset, cache, and Dalvik cache. After these two things are done, go ahead and flash the .zip file, and wait for it to finish. After it finishes, go ahead and again, wipe cache and Dalvik cache, then reboot. After you rebooted, wait 5 minutes, then reboot again, and you're all done!
Now, in case your custom ROM doesn't automatically include GApps, and you would know if you boot up and you don't see Play Store or Google Maps in the app drawer, follow this. Go to this link. You will notice a table, and on the left side, you see the CM version that corresponds to the Android version number. All the custom ROMs should use the row that corresponds to the Android version. For example, CM10.1 runs 4.2.2, CM10.2 runs 4.3, so click on the one that corresponds. If your ROM runs 4.2.2, use the 4.2.2 row, etc. After you finish downloading that .zip file, move it to the sdcard, and boot into TWRP. From there, if you want to be fancy, wipe cache and Dalvik cache before flashing, but you don't have to unless there are problems after you restart. If there are problems, like freezing on boot, or crashing, then boot back into TWRP and wipe the two cache partitions.
Generally, you only need to flash the file and you're done, but you can never be too safe. This also applies to ROMs: if you're moving from ROM to ROM, say Ubuntu Touch to CM10.1, you MUST wipe EVERYTHING except the sdcard itself, and this includes the "Factory Reset" option. However, if you're moving from one update of a ROM to another, say a nightly of CM10.1 to a newer nightly of CM10.1, you can just simply flash the update over the old one, no wiping needed (this is called dirty-flashing). However, again, if you notice problems afterward, simply boot back in TWRP and wipe the two cache partitions. Remember to always make backups before you make changes to an otherwise stable build. If there are issues that you can't seem to resolve, you can always restore back to the previous build.
Recap:
1. Download .zip for ROM + GApps and move to sdcard
2. Boot into TWRP, make backups, and wipe the necessary partitions
3. Flash ROM, and wipe cache + Dalvik cache, then reboot
4. Wait for 5 minutes after successful reboot, then reboot again
5. If there's no GApps for your ROM, use the link to download the proper version.
6. Move the file to sdcard, then boot into TWRP and flash.
7. Reboot, and if there are problems, reboot back into TWRP and wipe cache partitions.
Credits: Hashcode, fattire, and verygreen for the work on the bootloader, stanga72 for the app FireFlash, sparkym3 & prokennexusa & Bin4ry for their rooting methods, and myself for the creation of this guide.
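A pre-flight check for the model identification and backup/restore steps in the guide above, as an added example that is not part of the original guide or of any tool it links to: it confirms the `getvar product` reply matches the expected model and that the pulled images still match a SHA-256 manifest recorded at backup time. The manifest file name, the function names and the sample fastboot output are assumptions made for this example.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Codename prefixes the guide gives for `fastboot -i 0x1949 getvar product`.
KNOWN_MODELS = {"jem": 'Kindle Fire HD 8.9"', "tate": 'Kindle Fire HD 7"'}

# Constructed sample output; "jem-xxx-xxx" is the guide's own placeholder.
SAMPLE_GETVAR = "< waiting for device >\nproduct: jem-xxx-xxx\nfinished. total time: 0.001s\n"


def parse_product(getvar_output):
    """Return the value of the `product:` line, or None if there is none."""
    for line in getvar_output.splitlines():
        m = re.match(r"\s*(?:\(bootloader\)\s*)?product:\s*(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def model_prefix(product):
    """Map 'jem-xxx-xxx' to 'jem'; return None for unknown or missing products."""
    if not product:
        return None
    prefix = product.split("-", 1)[0].lower()
    return prefix if prefix in KNOWN_MODELS else None


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large system image does not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(backup_dir, manifest_name="manifest.json"):
    """Record size and SHA-256 of every .img file; run right after `adb pull`."""
    backup_dir = Path(backup_dir)
    entries = {
        image.name: {"size": image.stat().st_size, "sha256": sha256_file(image)}
        for image in sorted(backup_dir.glob("*.img"))
    }
    (backup_dir / manifest_name).write_text(json.dumps(entries, indent=2))
    return entries


def preflight(getvar_output, backup_dir, expected_model, images,
              manifest_name="manifest.json"):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    product = parse_product(getvar_output)
    if model_prefix(product) != expected_model:
        problems.append(f"device reports product {product!r}, expected {expected_model}-*")

    backup_dir = Path(backup_dir)
    manifest_path = backup_dir / manifest_name
    if not manifest_path.is_file():
        problems.append(f"{manifest_name}: missing, backups cannot be verified")
        return problems
    manifest = json.loads(manifest_path.read_text())

    for name in images:
        image = backup_dir / name
        recorded = manifest.get(name)
        if recorded is None:
            problems.append(f"{name}: not listed in manifest")
        elif not image.is_file():
            problems.append(f"{name}: file missing")
        elif image.stat().st_size == 0:
            problems.append(f"{name}: empty file (dd or adb pull failed)")
        elif image.stat().st_size != recorded["size"]:
            problems.append(f"{name}: size changed since backup")
        elif sha256_file(image) != recorded["sha256"]:
            problems.append(f"{name}: SHA-256 mismatch, do not flash")
    return problems


if __name__ == "__main__":
    # Constructed stand-ins for the pulled images, so the demo runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "stock-boot.img").write_bytes(b"BOOT" * 1024)
        (folder / "stock-recovery.img").write_bytes(b"RECO" * 1024)
        write_manifest(folder)
        wanted = ["stock-boot.img", "stock-recovery.img"]
        print("clean backup:", preflight(SAMPLE_GETVAR, folder, "jem", wanted))
        (folder / "stock-boot.img").write_bytes(b"BOOT" * 1023 + b"XXXX")
        print("after corruption:", preflight(SAMPLE_GETVAR, folder, "jem", wanted))
        print("wrong model:", preflight(SAMPLE_GETVAR.replace("jem", "tate"),
                                        folder, "jem", wanted))
```

When feeding real output to `preflight`, capture it with `2>&1`, because fastboot prints `getvar` results on stderr.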
This guide/tutorial was extremely helpful to me as a novice, just starting how to learn to modify my Fire HD 8.9". I'd like to suggest a few changes/enhancements to the guide:
1. In the NOTE paragraph just below the first paragraph you mention issues with 8.4.1. Specifically, you mention issues with this release, but there is no indication if these issues will prohibit successful update if the guide is strictly followed. Also, a cable is mentioned. In other posts I have seen references that indicate that no cable is necessary with the Fire HD 8.9". In fact, one post mentions that using a cable may, in fact, possibly damage the Fire HD 8.9".
2. Because I'm so new at this I'm very paranoid about making a mistake. I've read the horror stories in many of the posts and I'd like to avoid these mistakes. And because I'm so new, my only experience is with the 8.4.1 release and unfortunately it is so new, I suspect, that the developers have not had time to verify that their applications are compatible. I am not complaining since I know that 99.9% of these good people do this out of the goodness of their heart, and not for monetary gain. However, I do wish this issue of software release version could be more fully addressed.
3. Just an example - The heading clearly states that this guide applies to the Fire HD 8.9". Very clear and difficult to misunderstand! In Step 3 Installation, FireFlash is mentioned with no reference to a Fire HD operating system release number. Can I safely assume then that this utility is compatible with 8.4.1? It may be that the answer would be obvious to a more experienced person, but to someone like me (and from reading many, many posts there must be a bunch of folks out there just like me), with little experience in flashing, rooting, etc., I'm at an impasse regarding should I proceed or not proceed. Thank you.
There will have to be some changes to the method to install boot and recovery on both 8.4.1 and now people are receiving 8.4.3 all the present methods will break the system, unless you have a Rom waiting on your sdcard to flash afterwards.
rebelduke said:
This guide/tutorial was extremely helpful to me as a novice, just starting to learn how to modify my Fire HD 8.9". I'd like to suggest a few changes/enhancements to the guide:
1. In the NOTE paragraph just below the first paragraph you mention issues with 8.4.1. Specifically, you mention issues with this release, but there is no indication if these issues will prohibit successful update if the guide is strictly followed. Also, a cable is mentioned. In other posts I have seen references that indicate that no cable is necessary with the Fire HD 8.9". In fact, one post mentions that using a cable may, in fact, possibly damage the Fire HD 8.9".
2. Because I'm so new at this I'm very paranoid about making a mistake. I've read the horror stories in many of the posts and I'd like to avoid these mistakes. And because I'm so new, my only experience is with the 8.4.1 release and unfortunately it is so new, I suspect, that the developers have not had time to verify that their applications are compatible. I am not complaining since I know that 99.9% of these good people do this out of the goodness of their heart, and not for monetary gain. However, I do wish this issue of software release version could be more fully addressed.
3. Just an example - The heading clearly states that this guide applies to the Fire HD 8.9". Very clear and difficult to misunderstand! In Step 3 Installation, FireFlash is mentioned with no reference to a Fire HD operating system release number. Can I safely assume then that this utility is compatible with 8.4.1? It may be that the answer would be obvious to a more experienced person, but to someone like me (and from reading many, many posts there must be a bunch of folks out there just like me), with little experience in flashing, rooting, etc., I'm at an impasse regarding should I proceed or not proceed. Thank you.
Thepooch said:
There will have to be some changes to the method to install boot and recovery on both 8.4.1 and now people are receiving 8.4.3 all the present methods will break the system, unless you have a Rom waiting on your sdcard to flash afterwards.
I am aware of the changes, but I have not been caught up with the status of the methods and their effects on the tablets. I have placed warnings at the beginning of the guide.
I have two questions about Step 2 for backing up files.
1. Is boot0block.img ever needed? It looks like it is backed up, but it isn't referred to in the restore step (fastboot commands).
2. The "adb pull" commands don't work for me. For example, this error message displays: "remote object /sdcard/stock-boot.img' does not exist". But the files are definitely there.
Sorry about asking about 2! I was actually putting the brackets around the local folder, but I realize now that you only had them to indicate that parameter was optional. However, the error that was occurring before wasn't about the local file...it was about the .img file which did exist. I'm baffled because now if I put the brackets back, it only fails with an error about that, not about the .img file. I realize I'm not making much sense, but I can't reproduce it so that it says the same error that I first mentioned above in 2.
I'd still like to know about 1 though. Thanks.
EDIT: I did Step 3 - Installation. I booted into TWRP and did a backup. I assumed that I did not have to do any wipes or install of any other rom yet, i.e. I just wanted to boot the existing 8.1.4 rom that was already there. However, when I "reboot system" from TWRP, it goes into TWRP again instead of booting up the rom.
I tried doing a restore of what I just backed up, but the result is the same. So does this mean I was required to do the wipes and install of another rom, rather than just booting up my existing one? Or is there some other step I'm missing to make it get out of TWRP?
sga999 said:
I have two questions about Step 2 for backing up files.
1. Is boot0block.img ever needed? It looks like it is backed up, but it isn't referred to in the restore step (fastboot commands).
2. The "adb pull" commands don't work for me. For example, this error message displays: "remote object /sdcard/stock-boot.img' does not exist". But the files are definitely there.
Boot0block is backed up in the event something happens to that particular partition somewhere along the way; you will know if it does: no wifi, etc. Shift plus right click inside the folder that adb is located, select open command window here. Run all your commands from that cmd prompt. It will pull all those files to that folder location. Since you will know what folder it is to be pulled to, this portion of the command can be omitted [C:\KFHD8Backup].
Thepooch said:
Boot0block is backed up in the event something happens to that particular partition somewhere along the way; you will know if it does: no wifi, etc. Shift plus right click inside the folder that adb is located, select open command window here. Run all your commands from that cmd prompt. It will pull all those files to that folder location. Since you will know what folder it is to be pulled to, this portion of the command can be omitted [C:\KFHD8Backup].
I realized more about the format of the 'adb pull' command and posted late last night. It's in my post above your response. Thank you for answering. Also, it's good to know about what boot0block is in case something fails later.
I also added another question there, wondering about why I can only boot into TWRP, not the stock rom I already had installed. I'm pointing that out again now, just because you (and others?) may not have seen it in my EDIT above.
Do a full wipe and flash a Rom.zip. Now you will need to
Code:
adb push Rom.zip /sdcard/
For obvious reasons just don't wipe your sdcard.
Thepooch said:
Do a full wipe and flash a Rom.zip. Now you will need to
Code:
adb push Rom.zip /sdcard/
For obvious reasons just don't wipe your sdcard.
I can do that. But I'm curious to know why you're recommending this. Is it because I had problems booting up the old 8.1.4 rom and you just want me to try some other rom? Or is it that you know that what I did will never work, i.e. using FireFlash with the boot and recovery images and two checkmarks will never allow me to boot into the original rom?
Just "for fun", here's what I see when I try to boot. Times are approximate:
orange 2 seconds, blue 8 seconds, orange 30 seconds, totally black screen 2 seconds, orange 1 second (kind of flickers), blue 3 seconds, TWRP comes up.
My reason for wanting to do this is to "prepare" for going to CM10 (or other) "soon" but not quite yet. I'd like to keep the original rom for now and not wipe any data. Maybe this goal is impossible?
Thanks for your help.
sga999 said:
I can do that. But I'm curious to know why you're recommending this. Is it because I had problems booting up the old 8.1.4 rom and you just want me to try some other rom? Or is it that you know that what I did will never work, i.e. using FireFlash with the boot and recovery images and two checkmarks will never allow me to boot into the original rom?
Just "for fun", here's what I see when I try to boot. Times are approximate:
orange 2 seconds, blue 8 seconds, orange 30 seconds, totally black screen 2 seconds, orange 1 second (kind of flickers), blue 3 seconds, TWRP comes up.
My reason for wanting to do this is to "prepare" for going to CM10 (or other) "soon" but not quite yet. I'd like to keep the original rom for now and not wipe any data. Maybe this goal is impossible?
Thanks for your help.
Your system is broken; for some reason the present method just does that. Flash Hashcode's 8.4.1 zip. Disable OTA's with kindlefire FirstAide or Free your kindle http://forum.xda-developers.com/showthread.php?t=2072198 or even Soupkit http://forum.xda-developers.com/showthread.php?t=2162973. YOU MUST WIPE. Wipe factory reset, wipe cache, wipe dalvik, wipe system, flash Rom.zip, disable OTA's before enabling wifi or you will go in circles.
Thepooch said:
Your system is broken; for some reason the present method just does that. Flash Hashcode's 8.4.1 zip. Disable OTA's with kindlefire FirstAide or Free your kindle http://forum.xda-developers.com/showthread.php?t=2072198 or even Soupkit http://forum.xda-developers.com/showthread.php?t=2162973. YOU MUST WIPE. Wipe factory reset, wipe cache, wipe dalvik, wipe system, flash Rom.zip, disable OTA's before enabling wifi or you will go in circles.
Thanks, Thepooch. If I have to wipe anyway, I may as well just go to CM10 now. The main thing I wanted to know was whether I had done something wrong or whether what I tried to do (i.e. not install a new rom and just boot into the original rom) cannot be accomplished by anyone. I think you are saying the latter, right?
I appreciate all the help you've given me!
sga999 said:
Thanks, Thepooch. If I have to wipe anyway, I may as well just go to CM10 now. The main thing I wanted to know was whether I had done something wrong or whether what I tried to do (i.e. not install a new rom and just boot into the original rom) cannot be accomplished by anyone. I think you are saying the latter, right?
I appreciate all the help you've given me!
Well you got a free thanks so make sure you hit mine as well. I don't believe you did anything wrong but I really could not tell you for sure. I have been stuck just where you are a couple times and I know I did everything right. Others I have helped became stuck the same way because Amazon has been diddling around with the boot for the last three updates. I can only assume that some encrypted part of the framework is running a stack check resulting in the system appearing broken. So yes it would be best to have something to flash before starting this process.
Thepooch said:
Well you got a free thanks so make sure you hit mine as well. I don't believe you did anything wrong but I really could not tell you for sure. I have been stuck just where you are a couple times and I know I did everything right. Others I have helped became stuck the same way because Amazon has been diddling around with the boot for the last three updates. I can only assume that some encrypted part of the framework is running a stack check resulting in the system appearing broken. So yes it would be best to have something to flash before starting this process.
Thepooch, it helps to know that you and others ran into this. I did read posts that were similar, but I never was sure if anyone found an answer or knew what went wrong. This is a friend's Kindle that she got in December. I got it rooted for her back then, and I did whatever was necessary to not get OTA's. So it's way back on release 8.1.4. So I don't think Amazon's last 3 updates would have any bearing on this. But who knows! Again, thanks.
sga999 said:
Thepooch, it helps to know that you and others ran into this. I did read posts that were similar, but I never was sure if anyone found an answer or knew what went wrong. This is a friend's Kindle that she got in December. I got it rooted for her back then, and I did whatever was necessary to not get OTA's. So it's way back on release 8.1.4. So I don't think Amazon's last 3 updates would have any bearing on this. But who knows! Again, thanks.
You will have issues rolling it back that far, just saying there are changes that likely if not done properly will leave you stuck again. My suggestion is to flash 8.4.1 then create a solid backup when booted normal giving yourself a safety net in the event of a mishap.
Thepooch said:
You will have issues rolling it back that far, just saying there are changes that likely if not done properly will leave you stuck again. My suggestion is to flash 8.4.1 then create a solid backup when booted normal giving yourself a safety net in the event of a mishap.
Thepooch, I'm not sure if this is interesting to you at all, but I experimented a little and learned something. As you suggested, I flashed 8.4.1 and decided to try an unusual step.
After I used Fire Flash yesterday and booted into TWRP, I immediately created a backup. But it turned out to be no good in the sense that restoring it did not help me fix the problem of not being able to boot into the 8.1.4 (old) rom (I could only boot into TWRP). But now that I was on 8.4.1, I did a restore of ONLY the data from that old 8.1.4 backup. It seems fine so far, except for Google Play app, which just exits as soon as I execute it.....it's not a big deal to fix that. (There may be other issues, but I haven't hit anything else yet).
So....it seems like something is bad in either the boot or the system portions of the backup. It's probably system since it has framework, which you had mentioned might be causing the problem. Again, this may not be interesting, but I thought I'd let you know.
Makes sense; Google Play rarely works from my restored backups, and your system was in good shape if you flashed the 8.4.1 zip prior to restoring data.
Installing Kindle Fire HD 8.9" 2nd-Bootloader + TWRP with 8.4.3
Has anyone attempted Installing Kindle Fire HD 8.9" 2nd-Bootloader + TWRP running 8.4.3? If so, were you successful? If you were successful did you follow the procedure defined here or did you have to deviate? If you had to deviate, what were the deviations? Thanks!
How to root kindle fire any version (including 8.4.3) ONE CLICK
Hi I need some help.
KFHD 8.9, non-US user, but bought at Amazon; I am unsure of the exact version.
ADB worked ok, device showed there. BUT "fastboot devices" didn't really show anything at all. Still I went ahead with it. Rooted using bin4ry, qemu did not work at all, permission denied error.
I did everything up to the point of flashing the freedom-rom and twrp through fireflash. It did not have 8.1.4 bootloader, so I checked the box, checked the other one and left all else as is. It seemed to flash ok. Then I rebooted... and it's stuck on the orange kindlefire logo, forever. Doesn't matter what volumes I hold. Tried rebooting and everything.
Now I don't really know what to do... any ideas?
Getting errors trying to install the drivers from the QEMU zip file, so no device (sdcard) access from recovery, and the Advanced...sideload option is not working either.
I'm on Windows 8; when plugging in the KFHD89 to my laptop, I see the kindle show up, but I have the yellow exclamation sign. When I try to update driver software, I get an error that it can't update Windows ADB.
Between Windows 8 and Ubuntu, I've been able to get fastboot working enough to get all the files loaded...but for the life of me !!! my copy of CM10.1 and gapps.zip are not seen via recovery...AND...I get stuck at Blue boot logo...so I'm sort of stuck in recovery and need to get drivers sorted between Windows and/or Ubuntu so I can copy the .zip files over.
EDIT: #6 from http://forum.xda-developers.com/showthread.php?t=2277105 helped me out. I was starting ADB Sideload and connecting USB out of sequence. Followed directions and it worked.

[DUAL-BOOT][RECOVERY] Ouya Boot Menu for Support of Kernel Image Chain-loading

Hello everyone! Just like others here, I've been somewhat spooked by our inability to enter Ouya's Recovery partition at the earliest stage of booting, meaning a bad flash of the Boot partition would leave the device inoperable. When I heard that Ouya's stock firmware updates were possibly bricking a few units out there, I decided to block updates on mine and see if I could transform the Boot partition such that it would become a logical extension of the bootloader. What I ended up with is something close to the "Ouya Safe Recovery" project, where a user should only need to flash Boot one additional time, along with chain-loading support as well.
Chain-loading in this case refers to the booting of ROM kernel images that reside as regular IMG files under the /sdcard and/or /system filesystems. With this capability it is possible to choose an image to run when the Ouya turns on. As an example, one may wish to set up a 2nd/test kernel+ramdisk image to use with your installed ROM, or he may wish to run Tuomas Kulve's Debian project from time-to-time without having to set up the USB cable for Fastboot mode. When dealing with distinctly different ROMs (not just alternate kernels), only one of them may install to the Ouya's built-in storage (e.g., /system); others must have been designed/created to use external storage.
An image for the Recovery partition is available along with the Boot. The former may be helpful if you wish to try out the boot menu before performing the flash of the Boot partition, or are generally okay with bouncing to Recovery before invoking a chain-load. Either of these may be tested from Fastboot mode, but do note that a successful chain-load requires that the image actually be flashed to the Ouya. (Otherwise it just reboots.) The ClockworkMod (CWM) recovery application is available on both images and is accessible from the boot menu.
Additional Information
There are a few things to consider when deciding if this approach makes sense for you:
- Users of the "Ouya Safe Recovery" project may want to stay put unless the dual-boot aspect is of interest. If so then it would be cleanest to choose my Boot image; the Recovery partition (your ROM image) could be left alone.
- The images here are not compatible with Ouya's stock firmware, due to the auto-update nature of Ouya's ROM. Either your flashed Boot image would get overwritten, or an installed non-Ouya Recovery might cause that update to hang. Therefore, you should be prepared to switch to one of the ROMs here at XDA. If you're currently on stock and don't want to switch right away, that's fine; we'll go over how to block updates for the time being.
- The Ouya CM10 ROM is nice in that it provides the IMG file separately, allowing us to handle it as we wish. However, the other ROMs end up placing their boot.img in the main ZIP. This is standard practice for other devices, but we need to be careful ensuring our Boot partition doesn't get reflashed as part of the ROM installation. Therefore, it would be necessary to investigate repackaging the ROM with an alternate updater-script prior to installation. See my StockPlus post on page 2 for more. (This shouldn't affect those who've opted for my Recovery image.)
This feature is based on CWM's initial ramdisk, and includes a new boot menu application that comes up prior to CWM itself. Basically, CWM shows up later if the menu application exits for any reason. The Ouya stock kernel (561) has also been compiled with HDMI's copy protection turned off, and includes two patch sets:
- KExec-HardBoot is the key to chain-loading on our platform. It overcomes standard KExec's lack of hardware reset (and thus failed execution) by triggering a reboot in the middle of the preparation of the new kernel. This ingenious system has been developed by Tasssadar and others over in the Nexus forums. (Be sure to enable CONFIG_TEGRA_HARDBOOT_RECOVERY if interested in compiling a Recovery kernel.)
- HDMI visual stability has been improved with a little hack of mine: a significant relaxing of a timer in the driver. (The latest Android source has corrected the instability with a significant design change, but my hack seems fine enough for this project.) Also picked up specific Android fixes in the area of Framebuffer double-buffering, as that needs to be working for CWM usability.
Installation
If you're on Ouya's stock firmware, then you should make sure that any future updates do not get applied. There is a project here ("Mod Collection For Ouya") that should help. I personally side-loaded the Baxy custom launcher to avoid Ouya's update environment. It is also likely necessary to stay out of the Ouya/Discover store if going the custom launcher route as I believe the store app can trigger an update.
At this point you can download your chosen image (Boot or Recovery) and unzip to get the IMG file. Boot your Ouya to a working Root/BusyBox environment (ROM or Recovery), and then transfer the IMG to the Ouya. (An example using ADB would be "adb push boot102513.img /sdcard/boot102513.img".)
Bring up the Ouya command prompt (e.g., "adb shell") and run these commands to get started:
su [command not present on CWM - that's okay]
cd /dev/block/platform/sdhci-tegra.3/by-name
ls
You should see the various 3-letter partition names from that last command. Your command prompt should also contain the "#" character to denote root-level access. This next step will save off your current ROM image, both because we may end up overwriting it, and because the saved file will end up as your main bootable kernel for the chain-loader. Run:
cat LNX > /sdcard/kernel.img
(If configured for "Ouya Safe Recovery," then replace the preceding "LNX" with "SOS".)
We are near the flashing stage. Check to make sure your Ouya has a reliable source of power, preferably from an uninterruptible power supply. Recall that a bad flash of my boot image can leave the device inoperable, but I feel the risk is very low provided the following directions are heeded. Fortunately the flash process only takes a few seconds.
For the Boot image option, verify by running:
md5sum /sdcard/boot102513.img
Do not proceed unless you get "e4b1b1ad553e55ad0b2ce3fb8f5bf623".
Again for the Boot image option, flash to the Ouya by running:
dd if=/sdcard/boot102513.img of=LNX
For the Recovery image option, verify by running:
md5sum /sdcard/rcvy102513.img
Do not proceed unless you get "dda0811a7e8e82a7d4ad3fa4c3ae35e4".
Again for the Recovery image option, flash to the Ouya by running:
dd if=/sdcard/rcvy102513.img of=SOS
You may optionally verify (post-flash) by running "md5sum" on the partition name. Finish up with these commands:
sync
reboot
Usage / Configuration
The menu should come up, defaulting to "kernel.img" for the Boot image and "CWM" for Recovery. That default will then launch after ten seconds of inactivity. You may also briefly press the Ouya power button during the wait to advance through the options. The option list is 1) kernel.img, 2) kernelA1.img, 3) kernelA2.img, 4) CWM, and 5) Recovery Partition.
The defaults from above should be fine for most everyone, but it is possible to fine-tune them. An optional configuration file (/sdcard/bootmenu_b.cfg for Boot, /sdcard/bootmenu_r.cfg for Recovery) may be established to specify the default menu entry as well as the inactivity timeout. As an example, the following command would make Recovery start kernelA1.img after five seconds:
echo "2 5" > /sdcard/bootmenu_r.cfg
It is hoped that the menu would never hang. If it does, then waiting a full minute should allow CWM to start. Otherwise, it may be necessary to attach a wired/USB keyboard and type in the Alt-SysRq-X sequence, similar to Ctrl-Alt-Delete on a PC. The sequence might have to be done early on in the menu startup process, and should blink the Ouya light and place it in Fastboot mode.
The menu may unexpectedly place you in CWM, which would indicate an issue with a chain-load. The reason may be due to a missing or corrupt IMG file. Otherwise you should be able to determine why by checking /tmp/bootmenu.log against the attached source code.
---
I hope this project will be of help to others!
An additional support forum that everyone should be able to post at is available: http://forum.xda-developers.com/showthread.php?t=2450711.
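The verify-then-flash steps from the installation section above, wrapped as a checksum gate with a read-back check; this is an added example, not code from the original post. The function names are hypothetical, the two digests are the ones the post quotes, and MD5 here only catches a corrupted download or transfer.

```shell
#!/bin/sh
# Added example: checksum-gated flash with read-back verification.
# Function names are hypothetical; the digests are the ones quoted in the post.

BOOT_MD5="e4b1b1ad553e55ad0b2ce3fb8f5bf623"   # boot102513.img
RCVY_MD5="dda0811a7e8e82a7d4ad3fa4c3ae35e4"   # rcvy102513.img

# Print the MD5 hex digest of a file, or of stdin when called without arguments.
md5_of() {
    if [ $# -gt 0 ]; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5sum | cut -d' ' -f1
    fi
}

# Print the size of a file in bytes.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_image IMAGE EXPECTED_MD5
# Returns 0 only when IMAGE is readable and its digest equals EXPECTED_MD5.
verify_image() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    actual=$(md5_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "MD5 mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
    return 0
}

# readback_matches IMAGE TARGET
# Compares only the first size(IMAGE) bytes of TARGET with IMAGE, on the
# assumption that a partition can be larger than the image written into it.
readback_matches() {
    n=$(size_of "$1")
    [ "$(head -c "$n" "$2" | md5_of)" = "$(md5_of "$1")" ]
}

# safe_flash IMAGE EXPECTED_MD5 TARGET
# Writes nothing unless the digest matches, then reads the data back.
# conv=notrunc only matters when TARGET is a regular file (a test stand-in).
safe_flash() {
    img=$1; want=$2; target=$3
    verify_image "$img" "$want" || return 1
    dd if="$img" of="$target" conv=notrunc 2>/dev/null || return 3
    sync
    if ! readback_matches "$img" "$target"; then
        echo "read-back mismatch on $target, do not reboot" >&2
        return 4
    fi
    echo "flashed and verified: $target"
}

# Usage on the device, from /dev/block/platform/sdhci-tegra.3/by-name as in the post:
#   safe_flash /sdcard/boot102513.img "$BOOT_MD5" LNX
#   safe_flash /sdcard/rcvy102513.img "$RCVY_MD5" SOS
```

A non-zero return from `safe_flash` before the `dd` step means the partition was never touched; return code 4 means the write happened but the read-back differs, so the partition should be rewritten before any reboot.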
Wow, really great. Thanks a lot for your effort
Sent from my One X+ using Tapatalk
nchantmnt said:
Wow, really great. Thanks a lot for your effort
My pleasure, nchantmnt. Hope your new Ouya is helping you feel at home!
Yes, I'm happy it already arrived, but after a second miscarriage and lots of stress because of a lawsuit with our neighbour I didn't have time nor nerves to play or code. Seriously this year sucks
Sent from my One X+ using Tapatalk
nchantmnt said:
Yes, I'm happy it already arrived, but after a second miscarriage and lots of stress because of a lawsuit with our neighbour I didn't have time nor nerves to play or code. Seriously this year sucks
Gosh, I'm very sorry to hear that. Do think ahead to the upcoming holiday season, and may it be a time to reflect and anticipate a fruitful 2014.
@Hal9k+1 - THANK YOU!
I was so nervous flashing CWM and StockPlus as there is no real way to fix things if something goes wrong. This should give people more confidence when flashing their Ouya.
I understand the process using ADB...my question is: can this be used from CWM somehow?
PS. I assume new kernel will always be flashable from CWM, the hack does not require 561 specifically.
Ipse_Tase said:
I understand the process using ADB...my question is: can this be used from CWM somehow?
Hi Ipse_Tase - I do hope the feature will be helpful to you and others.
As I think about your question, I suppose I could have created a ZIP that would have been installed by CWM. Similarly I could have worked through some form of installation shell script. But for an important operation such as flashing, I prefer the one-at-a-time approach of the interactive shell.
Note that CWM does have an ADB service running with it. Your Ouya would show up as a different device while in CWM, so you'd need to enter Device Manager (Windows) and point the unknown device to the same ADB driver as used for the main ROM.
Alternatively you could skip ADB for this Ouya Boot Menu installation and set up an SSH server on your main ROM. I personally have installed "SSH Server" (Ice Cold Apps). I recall two screens to set up (does require the trackpad in cases), where I enabled automatic start on both, and also set the port number to 2222. After an Ouya reboot I had SSH/SCP capability and could use PuTTY/pscp from Windows.
Hal9k+1...fast reply, thank you.
Just to put my ever-so-senile brain at ease: so I run StockPlus 519r1, and WHILE in the ROM, I start ADB and follow your instructions.
OR...I enter CWM, make sure I get the right ADB drivers installed for THAT instance and go from there.
For a developer, I'm sure it's easier and more familiar to run ADB commands - for people like me (5%-over-the average-user) a CWM option to flash a zip and do all this would be more in-line with the abilities to hack.
I have rooted 4-5 devices so far and the only time I type any ADB commands is at root/unlock time - sometimes not even then (Nexus 4 and the Root Toolkit).
So if you ever consider creating a recovery flashable file, it would help many. Probably not me, as by then I would have done the ADB trick
Sounds like great work! I was hoping to implement something like this myself, but I haven't made any more time for OUYA-related development in a while (due to positive life events/busyness)
I will definitely take a look at your work when I have time!
~Troop
Ipse_Tase said:
Hal9k+1...fast reply, thank you.
Just to put my ever-so-senile brain at ease: so I run StockPlus 519r1, and WHILE in the ROM, I start ADB and follow your instructions.
OR...I enter CWM, make sure I get the right ADB drivers installed for THAT instance and go from there.
You got it! You don't need to worry about booting to the other partition prior to flashing. That is, a given partition (LNX/SOS) is no longer being accessed once the image is booted. For CWM's ADB, you'd simply point Windows to the same INF file that you originally used. Hope this helps.
StockPlus Installation
Well, I finally retired this old stock 393 ROM I was on, and moved to StockPlus 519r2. I was not able to install it the normal way given my Boot image is in place here. So I ended up modifying "updater-script" under META-INF/com/google/android, and then repackaged prior to running the install procedure. I'm attaching my changed version in case it helps anyone, and please note that it makes StockPlus the main image (kernel.img).
(You'll need to right-click to save the attachment. Once done it will need to be renamed such that it does not include the ".txt" suffix.)
The Windows "7-Zip" utility is helpful for packaging. You may start by right-clicking the downloaded ZIP, then 7-Zip --> Extract to "OUYA_[...]". Enter the newly created directory, get to the updater-script, and replace it with mine. Now back up to the area with META-INF, system, and boot.img, still in the new directory. Select all three under Windows (Ctrl+Click), right click that area, and then 7-Zip --> Add to "OUYA_[...].zip". Be sure this new ZIP is the one that makes it to the Ouya.
Still haven't tried this out yet, but I hope to soon.
I missed out on news over the holidays though and just noticed this:
Announcing Ubuntu and Android dual boot developer preview
http://developer.ubuntu.com/2013/12/announcing-ubuntu-and-android-dual-boot-developer-preview/
I'm curious about their dual boot implementation and how it compares and if we can synergize with their approach, but haven't looked into the details of how theirs works yet (it sounds like it uses a custom recovery image, and they have the ability to trigger it to reboot into Ubuntu from an Android app and vice versa, which is cool)
It'd be awesome to be able to multi-boot an Ouya ROM, an Android ROM (CyanogenMod), and Ubuntu with that kind of ease.
EDIT: This may be more our speed though: (MultiROM)
http://forum.xda-developers.com/showthread.php?t=2011403
(did you pull anything from there? Sounds like they have a modified TWRP that can flash zips to the other ROM slots, which is something I was also hoping to implement)
~Troop
Thanks, Trooper. Good to see Ubuntu moving further along in the mobile world.
I briefly looked at MultiROM since it originated from the KExec-HardBoot work, but decided not to go in that direction. The main reason is that I decided not to pursue the setup/learning of an Android build environment, but also because it wasn't clear how I'd deal with our lack of a touchscreen and lack of volume up/down buttons. I ended up creating a small application that fits within Ouya's CWM framework and starts up before CWM itself; it monitors the power button for click events and writes to the framebuffer memory region using regular Linux calls.
I'm not too concerned about the dual-boot aspect of this new Ubuntu, but the lack of touchscreen could be a hindrance if mouse/keyboard were not a viable substitute. Whether this Ubuntu is designed to work from external storage is another question, since our /system and /data would be occupied by Android. But in general I think we could boot it from my framework, and if my Boot image were selected over the Recovery one, then the Ubuntu kernel could reside in Recovery and also be bootable from the Android side with the "reboot recovery" command.
Best of luck, and hope you'll have a chance to try it all!

[TOOLS] Create unlock.img, fix boot.img, repack update.bin (for aboot

The attached archive includes 3 tools for those of you with .3.2.3.2 (or earlier) bootloaders.
Since other tools (and earlier version of these very tools) are available and working well,
this is mostly meant as an entry to an imaginary beauty contest. (JOKING!!!)
cuber.py
- a generic gmpy2-free reimplementation of @vortox's signature.py
- use this to generate your unlock.img
cuboot.py (uses cuber.py)
- a Python-only reimplementation of @vortox's cuber
- includes fixes to the kernel command-line and the device-tree
- use this to convert a standard Amazon boot.img (>=.4.x.x)
upHDX (uses cuboot.py)
- bash script to repack Amazon updates for TWRP
- could be DANGEROUS, use with care
- tested on Apollo for both 14.4.5.2 and 14.4.5.3
- my unit is fully 14.4.5.3 now, except for aboot (which is 3.2.3.2)
- should work on Thor as well
Those with bootloader .3.2.6 and lower can downgrade to .3.1.0
and upgrade the bootloader to the latest vulnerable version .3.2.3.2.
Those with .3.2.7 and higher appear to be out of luck with forged signatures, but I hear there's progress on rooting .4.5.2.
The python scripts have been tested on the following OS / Python combinations:
Windows: 2.7.9 and 3.4.3
Linux: 2.7.9 and 3.3.4
OSX: 2.6.? (cannot quite remember)
In addition to the tools themselves, I also included "educational" examples
(examples.sh for Linux/OSX, examples.bat for Windows).
These make use of the split.py script, which is otherwise unnecessary.
(The Windows example also shows that simply echoing your manfid/serial
combo to cuber.py -the way one does in Linux/OSX- won't work due to
the carriage-return character introduced by the echo command.
You'll need to handcraft a file matching the '0x%02x%08x\n' format...)
Another batch file py..bat is meant as an extra aid for Windows users
to avoid trouble with setting paths and such. You should be able to simply
download and install your preferred Python version.
Open a command shell (cmd.exe), navigate to wherever you extracted the
archives, and type 'py PYTHON-SCRIPT ARGS' to run the Python scripts.
(This handholding intentionally does NOT work for the upHDX script.)
Hopefully, someone will find these simple tools useful.
EDIT: To unlock your bootloader (<=.3.2.3.2), you'll need adb and fastboot.
On Linux, most distributions package these separately. Look for android-tools-{adb,fastboot} or some such.
For Windows, you can get these from the official Android SDK (which is a **large** download,
with a lot more tools you won't need, if you don't already use them, but it's safe).
Alternatively, there's a very legit-looking project here on XDA, with a much smaller
download, fast install, and exactly the tools you need. I haven't used either... (-;
The actual unlock procedure is described here and here.
EDIT#2: I added another script 'cublock.py' to make unlock.img generation super easy both on Windows and Linux.
MD5( tools.zip) = c17fc91344bd3b4b040129a79a39741f
EDIT#3: Fixed issues with older versions of certain tools on Debian 7.
MD5( tools.zip) = 4f93ab667fd61db26c83675ce0bd6d9f
EDIT#4: Fixed a bug when 'cuber.py' is used directly from the command line.
MD5(tools.zip) = 67b4a6d65aa2b0aa3500b122c8a25290
XDA:DevDB Information
HDXtools, Tool/Utility for the Amazon Kindle Fire HDX 7" & 8.9"
Contributors
draxie
Version Information
Status: Alpha
Created 2015-03-13
Last Updated 2015-03-13
Thanks for your work.
Can I use upHDX to remove bootloader, recovery from 4.5.3 and flash via TWRP?
Thanks
tuanda82 said:
Thank for your works.
Can I use upHDX to remove bootloader, recovery from 4.5.3 and flash via TWRP?
Thanks
Let's hope so. That's what I did, in any case.
I'm an adventurer; so, I ran './upHDX fw update-kindle-14.4.5.3_user_453011120.bin',
pushed the resulting update-kindle-14.4.5.3_user_453011120-upHDXfw.zip to my HDX 8.9
and installed it with TWRP.
Worked for me, but I cannot provide any guarantees, unfortunately.
It may be wise to omit 'fw', and doublecheck that you're happy with the contents of the
updater-script in the newly generated archive.
AND, -of course- make sure your bootloader version is at most .3.2.3.2!!!
draxie said:
Let's hope so. That's what I did, in any case.
I'm an adventurer; so, I ran './upHDX fw update-kindle-14.4.5.3_user_453011120.bin',
pushed the resulting update-kindle-14.4.5.3_user_453011120-upHDXfw.zip to my HDX 8.9
and installed it with TWRP.
Worked for me, but I cannot provide any guarantees, unfortunately.
It may be wise to omit 'fw', and doublecheck that you're happy with the contents of the
updater-script in the newly generated archive.
AND, -of course- make sure your bootloader version is at most .3.2.3.2!!!
Thanks. But your upHDX script is for Linux users only. I am on Windows.
If you have time could you upload your xxxx_14.4.5.3_xxxx.zip? Thanks
draxie said:
The attached archive includes 3 tools for those of you with .3.2.3.2 (or earlier) bootloaders.
Since other tools (and earlier version of these very tools) are available and working well,
this is mostly meant as an entry to an imaginary beauty contest. (JOKING!!!)
cuber.py
a generic gmpy2-free reimplementation of @vortox's signature.py
use this to generate your unlock.img
cuboot.py (uses cuber.py)
a Python-only reimplementation of @vortox's cuber
includes fixes to the kernel command-line and the device-tree
use this to convert a standard Amazon boot.img (>=.4.x.x)
upHDX (uses cuboot.py)
bash script to repack Amazon updates for TWRP
could be DANGEROUS, use with care
tested on Apollo for both 14.4.5.2 and 14.4.5.3
my unit is fully 14.4.5.3 now, except for aboot (which is 3.2.3.2)
should work on Thor as well
Those with bootloader .3.2.6 and lower can downgrade to .3.1.0
and upgrade the bootloader to the latest vulnerable version .3.2.3.2.
Those with .3.2.7 and higher appear to be out of luck with forged signatures, but I hear there's progress on rooting .4.5.2.
The python scripts have been tested on the following OS / Python combinations:
Windows: 2.7.9 and 3.4.3
Linux: 2.7.9 and 3.3.4
OSX: 2.6.? (cannot quite remember)
In addition to the tools themselves, I also included "educational" examples
(examples.sh for Linux/OSX, examples.bat for Windows).
These make use of the split.py script, which is otherwise unnecessary.
(The Windows example also shows that simply echoing your manfid/serial
combo to cuber.py -the way one does in Linux/OSX- won't work due to
the carriage-return character introduced by the echo command.
You'll need to handcraft a file matching the '0x%02x%08x\n' format...)
Another batch file py..bat is meant as an extra aid for Windows users
to avoid trouble with setting paths and such. You should be able to simply
download and install your preferred Python version.
Open a command shell (cmd.exe), navigate to wherever you extracted the
archives, and type 'py PYTHON-SCRIPT ARGS' to run the Python scripts.
(This handholding intentionally does NOT work for the upHDX script.)
Hopefully, someone will find these simple tools useful.
EDIT: To unlock your bootloader (<=.3.2.3.2), you'll need adb and fastboot.
On Linux, most distributions package these separately. Look for android-tools-{adb,fastboot} or some such.
For Windows, you can get these from the official Android SDK (which is a **large** download,
with a lot more tools you won't need, if you don't already use them, but it's safe).
Alternatively, there's a very legit-looking project here on XDA, with a much smaller
download, fast install, and exactly the tools you need. I haven't used either... (-;
The actual unlock procedure is described here and here.
EDIT#2: I added another script 'cublock.py' to make unlock.img generation super easy both on Windows and Linux.
MD5( tools.zip) = c17fc91344bd3b4b040129a79a39741f
Thanks a lot for the good work, but I'd like to tell you that it will be great if you can explain the entire work in layman's terms because there would be many people having hundreds of questions and concerns.
Just an advice if you feel worthy... No disrespect intended...
I would like it in layman terms...
And how to do it on Windows. This seems like confusion for me. I have no idea where to start.
I did it all in windows 8.1 64 bit edition.
With help from this post:
http://forum.xda-developers.com/showpost.php?p=58897784&postcount=67
get Python 2.7 for windows and install it >>https://www.python.org/download/releases/2.7/
btw I installed the 64 bit edition for both
get GMPY2 for Python 2.7 https://code.google.com/p/gmpy/downloads/list
Follow the post for step by step. I encountered some trouble with fast boot driver, I had to remove the driver and install a generic one I selected from windows then I manually installed it. Ran the fast boot command to unlock and I was unlocked. a lot easier than it looks.
Reckerr said:
I would like it in layman terms...
And how to do it on Windows. This seems like confusion for me. I have no idea where to start.
Appreciate it. Will attempt Saturday after a read through.
Works on Windows...
tuanda82 said:
Thanks. But your upHDX scripts is for linux user only. I am on Windows .
If you have time could you upload your xxxx_14.4.5.3_xxxx.zip? Thanks
Actually, I tested upHDX in Windows using Cygwin.
I had to select zip and unzip in the Archive group and python in the Python group
in the installer to get all the dependencies in place, and the only issue I faced was a few filename collisions
in the /system/media/audio/ringtones folder (case-sensitivity problem).
Code:
> diff -ru cygwin/ linux/
Only in linux/system/media/audio/ringtones: ANDROMEDA.ogg
Only in linux/system/media/audio/ringtones: CANISMAJOR.ogg
Only in linux/system/media/audio/ringtones: Hydra.ogg
Only in linux/system/media/audio/ringtones: PERSEUS.ogg
Only in linux/system/media/audio/ringtones: URSAMINOR.ogg
These could just be copied from the original update-*.bin after installation.
Reckerr said:
I would like it in layman terms...
And how to do it on Windows. This seems like confusion for me. I have no idea where to start.
If you could spell out what you mean by 'it', I might be able to help.
yujikaido79 said:
I did it all in windows 8.1 64 bit edition.
With help from this post:
http://forum.xda-developers.com/showpost.php?p=58897784&postcount=67
get Python 2.7 for windows and install it >>https://www.python.org/download/releases/2.7/
btw I installed the 64 bit edition for both
get GMPY2 for Python 2.7 https://code.google.com/p/gmpy/downloads/list
Follow the post for step by step. I encountered some trouble with fast boot driver, I had to remove the driver and install a generic one I selected from windows then I manually installed it. Ran the fast boot command to unlock and I was unlocked. a lot easier than it looks.
Of course, if you want to make it more difficult for yourself,
you can use the older version of my tool as well.
The new one is not limited to Python 2.7, but works on both current Python versions;
and does NOT require GMPY2.
Also, if you are looking to unlock your bootloader, the 'cublock.py' script is your friend.
You just pass in the manfid and serial (separately; no need to fuse them).
Whether you choose to install Python standalone or as part of Cygwin is up to you.
The latter also includes 'bash' and lets you convert the Amazon update to a TWRP-friendly ZIP.
draxie said:
Of course, if you want to make it more difficult for yourself, you can use the older version of my tool as well.
The new one is not limited to Python 2.7, but works on both current Python versions; and does NOT require GMPY2.
Also, if you are looking to unlock your bootloader, the 'unlock.py' script is your friend.
You just pass in the manfid and serial (separately; no need to fuse them).
Whether you choose to install Python standalone or as part of Cygwin is up to you.
The latter also includes 'bash' and lets you convert the Amazon update to a TWRP-friendly ZIP.
I have Windows 7 and Nexus 2.0.5 with bootloader from http://forum.xda-developers.com/kin...p-flashable-3-2-3-bootloader-upgrade-t3025504 installed Python 2.7 and the adb and fastboot and driver package from post 1
Using
adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial
And unlock.py and then
adb reboot-bootloader
And
fastboot -i 0x1949 devices
fastboot -i 0x1949 flash unlock <unlock file>
fastboot -i 0x1949 reboot
It was very easy, I only had some driver problems in fastboot mode
upHDX doesn't work on Debian 7
Bruder Torgen said:
I have Windows 7 and Nexus 2.0.5 with bootloader from http://forum.xda-developers.com/kin...p-flashable-3-2-3-bootloader-upgrade-t3025504 installed Python 2.7 and the adb and fastboot and driver package from post 1
Using
adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial
And unlock.py and then
adb reboot-bootloader
And
fastboot -i 0x1949 devices
fastboot -i 0x1949 flash unlock <unlock file>
fastboot -i 0x1949 reboot
It was very easy, I only had some driver problems in fastboot mode
FYI - followed this process on an identical environment with identical results. Struggled a bit more with Windows drivers; if you're having trouble this might help (posts 8-10).
I'm running this version 13.3.0.2 and I'm a newbie with Kindle. What should I do?
benyo8990 said:
im running this version 13.3.0.2 and im a newbe with kindle what should I do
Welcome to the HDX forums. How to proceed depends on what you want to accomplish. Read through the various threads to see what is available and the effort required. If your goal is to root and/or install custom roms you MUST disconnect from WiFi as Amazon will attempt to upgrade your tablet to the latest Fire OS. Should that happen your options will be severely limited.
Two words of caution:
1) Kindles are not like other devices. Tough to tame and easy to brick. If you approach modding with a casual attitude you'll probably end up with a non-recoverable brick. READ, READ, READ before doing anything. Ask questions when you are ready.
2) There are no tidy fail-safe tutorials for the HDX. There is work and risk involved. You have to do your homework first. No one is going to hold your hand (sorry for the lecture - just trying to set expectations early).
More info please!
dpeddi said:
Uphdx don't work on debian 7
Given that it worked for me even in Cygwin on Windows 7, this sounds odd.
Nevertheless, I'd appreciate more info on how it fails (and which flavor of Debian 7
you are using; so, that I have a chance to reproduce your issue).
UPDATE: Nevermind. I fired up a VM with Debian 7.8.0-amd64-standard,
and found out for myself. Apparently, 'df' in 'coreutils 8.13' used here
doesn't support the '--output' option; AND, python 2.7.3 is more strict
about the input types to 'unpack'. I fixed these and the script worked.
I'll post the new version in a second.
DF --optional not supported, $m seems to not be set
Thank you for posting this awesome tool. I am running 13.4.5.2 with a twrp recovery and the most recent available (without breaking twrp) kernel.
My question is, if worst case scenario happens and I try to use cygwin to upHDX, it does not work, but I think it did, and I install a partially working update, am I bricked? Or, will it just write over my kernel and recovery with no hope of going back. As I type this, I am thinking the answer is, both are possible, but thought I would ask before breaking things.
Sent from my KFTHWI using Tapatalk
[Edit] If you know what you are doing, this script is very helpful. I especially enjoy how it explains everything it does as it does it. So, you can see the files it changes. I used cygwin and it worked perfectly. If you understand the Unix command tools, it is a piece of cake. I do not mean to belittle the risk involved, it is significant, however, if you read what is happening, and know this worked, and can be assured there is no issue with your recovery, you can still roll back if something goes wrong. Do not take this comment as minimal risk, the risk is substantial, and you need to wipe to go back. One of my devices did not take the update well (My fault), and, I had to go back. These devices do not handle wipes well. So, the moral of the story.
-This is an excellent and versatile tool,
-There is significant risk
-If you do your research, follow directions, and meet the requirements, you can get success. Have your cake and eat it too on your terms!!
-With this tool, I have the most recent update, root, and twrp (Amazon apps work too).
Thanks again for the tools.
[/Edit]
lekofraggle said:
My question is, if worst case scenario happens and I try to use cygwin to upHDX, it does not work, but I think it did, and I install a partially working update, am I bricked? Or, will it just write over my kernel and recovery with no hope of going back. As I type this, I am thinking the answer is, both are possible, but thought I would ask before breaking things.
I saw you managed fine, but just in case anybody else wonders,
the script will bail at the first sign of error and you'll know it.
Of course, this won't guarantee that things cannot go wrong,
but minimizes the chances that they go unnoticed.
NOTE, HOWEVER that:
This has only been tested on 4.5.2 and 4.5.3; and, I would strongly recommend against blindly running it on newer releases (as the pattern matching that's being relied upon for what to throw away --including the anti-rollback fuse stuff-- might easily get broken with relatively minor changes).
A good sanity check is to unzip both the original update and the newly created "sanitized" version, and compare them (e.g. via a recursive diff) to doublecheck if the changes are sensible.
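The sanity check suggested above, as an added example that is not part of the original post or of the HDXtools archive: it compares the original and repacked archives member by member without extracting them, so it also works on case-insensitive filesystems, and it flags names that differ only in case (the cause of the missing ringtones in the Cygwin run). All member names and contents below are constructed placeholders.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def digest_members(zf):
    """Map every regular member name to the SHA-256 of its contents."""
    digests = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        h = hashlib.sha256()
        with zf.open(info) as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[info.filename] = h.hexdigest()
    return digests


def case_collisions(names):
    """Group names that would overwrite each other on a case-insensitive FS."""
    groups = defaultdict(list)
    for name in names:
        groups[name.lower()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def compare_archives(original, repacked):
    """Return what the repack removed, added and changed, plus case collisions."""
    with zipfile.ZipFile(original) as a, zipfile.ZipFile(repacked) as b:
        da, db = digest_members(a), digest_members(b)
    return {
        "removed": sorted(set(da) - set(db)),
        "added": sorted(set(db) - set(da)),
        "changed": sorted(n for n in set(da) & set(db) if da[n] != db[n]),
        "collisions": case_collisions(set(da) | set(db)),
    }


def make_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample data standing in for the vendor update and the repack.
RINGTONES = "system/media/audio/ringtones/"
ORIGINAL = {
    "boot.img": b"stock boot image",
    "placeholder-firmware.bin": b"firmware blob",
    "META-INF/com/google/android/updater-script": b"flash firmware\nflash boot\n",
    RINGTONES + "Sample.ogg": b"a",
    RINGTONES + "SAMPLE.ogg": b"b",
}
REPACKED = {
    "boot.img": b"converted boot image",
    "META-INF/com/google/android/updater-script": b"flash boot\n",
    RINGTONES + "Sample.ogg": b"a",
    RINGTONES + "SAMPLE.ogg": b"b",
}


def demo():
    return compare_archives(make_zip(ORIGINAL), make_zip(REPACKED))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Anything listed under "removed" or "changed" that you did not expect, especially in the updater-script, is a reason not to flash the repacked archive.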

[TOOL] crosshAtchDB: Pixel 3 XL Flash Tool

I'm trying to create an application to make flashing files on our pixel devices easier.
Features:
Install ADB
Unlock bootloader
Reboot to bootloader
Download and install factory images
Download and install TWRP
Download Magisk
Easy to use GUI
Enjoy! :good:
Credit to Dees_Troy and bigbiff for TWRP image.
Feel free to modify and hack away at the source.
WARNING: I am not responsible for anything that goes wrong using this tool, it works fine on my windows 10 machine, and tested on windows 7. However, make sure you know what these tools are doing beforehand.
New update!
Beta Release
What's New?:
All new base being built.
Better .exe support (requires installing the app)
Console interface for now.
Removed some features that were broken in the old app, will add them back one-by-one, but this time, not until they work 100%.
Usage:
Just follow the prompts on screen.
Allows picking the files for booting TWRP or pushing files via ADB.
Install:
Easy method (requires install): https://github.com/boostedd2/crosshatchdb/blob/boostedd2-patch-1/crosshAtchDB-2.3-win32.msi
Install the app with the provided .msi, choose where you want to install it. Open the folder where you installed it and run the crosshatchdbbeta.exe.
Build/Run from source:
Requires:
source .py file: https://github.com/boostedd2/crosshatchdb/blob/boostedd2-patch-1/crosshatchbeta.py
cxfreeze config: https://github.com/boostedd2/crosshatchdb/blob/boostedd2-patch-1/setup.py
To run from source, just install Python on your PC, then from cmd window run : "pip install requests".
Then just double click on the crosshatchdbbeta.py file.
To build the .exe:
You need both files from above.
Install Python
python -m pip install cx_Freeze --upgrade
With setup.py and crosshatchdbbeta.py in the same directory, run "python setup.py build"
This is a very minimal release, I will continue to fix any bugs and add features once they are working better.
Thank you so much for this! I was actually going to unlock my bootloader and root today after work. Now it will only take 2 minutes instead of 20!
I appreciate it and will report back later after testing!
**Didn't want to waste thread space so I'm editing this to reply** - Thank you so much for the response below! Very helpful! I'm up and running and really appreciate the tool and the help!
NippleSauce said:
Thank you so much for this! I was actually going to unlock my bootloader and root today after work. Now it will only take 2 minutes instead of 20!
I appreciate it and will report back later after testing!
No problem, quick usage guide to make sure it goes smooth.
Enable OEM unlock in developer options, also enable ADB debugging.
Plug in your phone, run crosshatchdb.
Select option 9, this will auto download and extract adb to your c: drive.
Select option 1 to check for ADB devices, check the box on the dialog that pops up on your phone.
All set. You can download magisk directly to your phone or push it from your PC.
Reboot bootloader option 2, from here you can unlock the bootloader(formats your phone btw).
Set up your phone, enable ADB debugging again and you're free to reboot bootloader and download/boot TWRP to flash magisk. (use TWRP img not zip)
Hopefully these instructions are not too confusing, it is pretty easy once you do it once, and the tool really does make the next time you do it faster.
Tested on a windows 7 virtual machine and my own personal windows 10 machine.
NippleSauce said:
Thank you so much for this! I was actually going to unlock my bootloader and root today after work. Now it will only take 2 minutes instead of 20!
I appreciate it and will report back later after testing!
The time to unlock a Google purchased Pixel isn't the issue. The factory reset just sucks if you run stock for any time before doing it.
Two things I think you should add.
1) adb sideload for when adb works in twrp.
2) adb logcat for our great developers, so there isn't an excuse for getting them a logcat in event that they need one.
Sent from my Pixel 3 XL using Tapatalk
superchilpil said:
Two things I think you should add.
1) adb sideload for when adb works in twrp.
2) adb logcat for our great developers, so there isn't an excuse for getting them a logcat in event that they need one.
Good idea, should be easy to pipe logcat output to a text file.
ADB sideload can be added as well, next update will probably be when TWRP ADB is fixed, or sooner depending how long that takes.
Already thinking of ways to make the current version of this script more automated, but I like to err on the side of explicit is better than implicit.
Thanks for the ideas.
Can this install TWRP ?
Zorachus said:
Can this install TWRP ?
No. Everything you need to know is in the OP and everything else you need to know is in the twrp thread.
Sent from my Pixel 3 XL using Tapatalk
superchilpil said:
No. Everything you need to know is in the OP and everything else you need to know is in the twrp thread.
This.
It is a good option if you want an easy way to just boot TWRP in 1 button, if you don't want to install a custom recovery like TWRP.
New update coming soon, decided that command line didn't work very well for this purpose...
Also working on making all of the actions smoother.
New update released, let me know if you have any issues or feature requests, still waiting for TWRP to be fully functional before adding ADB sideload options.
CMD window still wants to hang out for now, you can minimize it though if needed.
can you add a (check for update)
Maty360414 said:
can you add a (check for update)
Yes, that is on the list for next update.
When TWRP is more reliable I will probably add options for copying TWRP backups to your PC as well.
Still need to get rid of the cmd window and cut down on having to open browser windows or file selection dialogs, just to get it feeling less clunky.
I'd like to send out a big thank you to boostedduece I've used platform tools and google flash all for years with no hitch whatsoever but I tried to glies an update to my kernel and ran into the red corrupt device thing and used my platform tools to flash all and halfway through it stopped and said error. I then tried this tool and it worked perfect!! Thank you so much!
quinejh said:
I'd like to send out a big thank you to boostedduece I've used platform tools and google flash all for years with no hitch whatsoever but I tried to glies an update to my kernel and ran into the red corrupt device thing and used my platform tools to flash all and halfway through it stopped and said error. I then tried this tool and it worked perfect!! Thank you so much!
Glad to hear it helped out, working on some new updates to make the UI even better.
Trying to make all of the download links update automatically too, just working on some web scraping again ?
It's a nice little tool if something gets messed up, also for new users to get up and running.
New update released, Download factory image has been overhauled, it will now download the image automatically, check the SHA-256 hash, then unzip it to the correct folder, just run the factory image flash option after and you're set. Be patient, the image.zip can take a while to download, takes several minutes for me, but I'm only at 50mbps down...and who knows if google throttled my connection after all the web scraper testing lol.
Pull TitaniumBackup folder via ADB to your PC, pull TWRP backup might not work it failed for me, but will not cause any damage to your PC or phone, ADB is copying the files read only from your device, and ADB just seemed to crash on me.
CMD window is still here for now until I pipe the output to the built in box on the GUI and bind keyboard keys to interact with it. For now it will help with any debugging.
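The verify-then-unzip flow described in the post above, as an added example that is not crosshAtchDB's own code: the archive is hashed in chunks, compared against the published SHA-256 before anything is unpacked, and rejected if any member would land outside the target folder. The archive contents, file names and folder names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def escaping_members(zf, dest):
    """Return member names that would resolve to a path outside dest."""
    root = os.path.realpath(dest)
    bad = []
    for name in zf.namelist():
        target = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def verify_and_extract(zip_path, expected_sha256, dest):
    """Extract only if the hash matches and no member escapes dest."""
    actual = sha256_file(zip_path)
    if actual != expected_sha256.strip().lower():
        raise ValueError("SHA-256 mismatch: got %s" % actual)
    with zipfile.ZipFile(zip_path) as zf:
        # zipfile.extractall() already strips ".." and absolute prefixes;
        # refusing such an archive outright is the stricter choice.
        bad = escaping_members(zf, dest)
        if bad:
            raise ValueError("members escape %s: %r" % (dest, bad))
        zf.extractall(dest)
        return sorted(zf.namelist())


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a downloaded factory image.
        good = os.path.join(tmp, "image.zip")
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("payload/boot.img", b"\x00" * 64)
            zf.writestr("payload/readme.txt", "constructed sample\n")
        published = sha256_file(good)  # stands in for the published hash

        out = os.path.join(tmp, "out")
        os.mkdir(out)
        results["extracted"] = verify_and_extract(good, published, out)

        # One extra byte (truncated or altered download) must be refused.
        with open(good, "ab") as fh:
            fh.write(b"\x00")
        try:
            verify_and_extract(good, published, out)
            results["tampered"] = "accepted"
        except ValueError:
            results["tampered"] = "rejected"

        # A matching hash does not make the archive layout trustworthy.
        evil = os.path.join(tmp, "evil.zip")
        with zipfile.ZipFile(evil, "w") as zf:
            zf.writestr("../escape.txt", "constructed sample\n")
        try:
            verify_and_extract(evil, sha256_file(evil), os.path.join(tmp, "out2"))
            results["traversal"] = "accepted"
        except ValueError:
            results["traversal"] = "rejected"
        results["escaped_file_written"] = os.path.exists(
            os.path.join(tmp, "escape.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```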
boostedduece said:
New update released, Download factory image has been overhauled, it will now download the image automatically, check the SHA-256 hash, then unzip it to the correct folder, just run the factory image flash option after and you're set. Be patient, the image.zip can take a while to download, takes several minutes for me, but I'm only at 50mbps down...and who knows if google throttled my connection after all the web scraper testing lol.
Pull TitaniumBackup folder via ADB to your PC, pull TWRP backup might not work it failed for me, but will not cause any damage to your PC or phone, ADB is copying the files read only from your device, and ADB just seemed to crash on me.
CMD window is still here for now until I pipe the output to the built in box on the GUI and bind keyboard keys to interact with it. For now it will help with any debugging.
Can't believe I still haven't gotten the Ota Nov update
Will this work on p3?
frewys said:
Can't believe I still haven't gotten the Ota Nov update
Will this work on p3?
It will work for pixel 3, but you will need to download the factory image for your blueline device and extract it into c:\crosshatch_stuff\platform-tools. This program is basically a gui wrapper for ADB commands.
Just stick with the ADB tools section and find the downloads you need separately.
boostedduece said:
It will work for pixel 3, but you will need to download the factory image for your blueline device and extract it into c:\crosshatch_stuff\platform-tools. This program is basically a gui wrapper for ADB commands.
Just stick with the ADB tools section and find the downloads you need separately.
Right
So it doesn't automate the process the same as for xl?
frewys said:
Right
So it doesn't automate the process the same as for xl?
It will still install ADB and allow you to run reboot bootloader, boot TWRP, factory reset, ADB logcat, unlock bootloader.
But the only extra part that is manual would be extracting the factory image into the c:\crosshatch_stuff\platform-tools folder.

[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)

Read this whole guide before starting.
This is for the 2nd gen Fire TV Stick (tank)
Current release: amonet-tank-v1.2.2.zip
NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that were manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.
NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting
To update to the current release if you are already unlocked, just flash the zip in TWRP.
What you need:
A Linux installation or live-system
A micro-USB cable
Something conductive (paperclip, tweezers etc)
Something to open the stick.
NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:
Code:
./bootrom-step.sh
It should now say Waiting for bootrom.
Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.
NOTE:
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
4. When the script asks you to remove the short, remove the short and press enter.
5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.
6. Your device should now reboot into unlocked fastboot state.
7. Run
Code:
./fastboot-step.sh
8. Wait for the device to reboot into TWRP.
9. Use TWRP to flash custom ROM, Magisk etc.
NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.
NOTE:
This process does not disable OTA or make any other modifications to your system.
You will have to do that according to the other guides in this forum.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.
Changelog
Version 1.2 (25.03.2019)
Update TWRP to twrp-9.0 sources
Implement downgrade-protection for LK/PL/TZ
Add scripts to enter fastboot/recovery in case of bootloop
Automatically restore boot-patch when you boot into recovery
Features.
Hacked fastboot mode lets you use all fastboot commands (flash etc).
Boots custom/unsigned kernel-images (need to be patched)
For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
TWRP protects from accidental lk/preloader/tz downgrades
Set bootmode via preloader
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.
There are three options for interacting with TWRP:
A mouse via USB-OTG
TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
Via /cache/recovery/command
Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery
Should you somehow end up in a bootloop, you can boot into hacked fastboot or recovery using:
Code:
sudo ./boot-fastboot.sh
Code:
sudo ./boot-recovery.sh
NOTE: This will only work if the boot-exploit is still there.
Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery
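Added example (not part of the original post or the kamakiri package): a small shell check for step 3 that reads lsusb or dmesg lines and reports whether the stick enumerated in bootrom mode (0e8d:0003) or preloader mode (0e8d:2000). The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the MediaTek USB mode from lsusb/dmesg text,
# using only the vendor:product IDs quoted in the post.

# mtk_mode_from_ids VID PID -> prints bootrom | preloader | other
mtk_mode_from_ids() {
    case "$1:$2" in
        0e8d:0003) echo bootrom ;;    # what the guide expects after shorting
        0e8d:2000) echo preloader ;;  # short did not take effect, try again
        *)         echo other ;;
    esac
}

# classify_usb_log: reads lsusb and/or dmesg lines on stdin and prints the
# mode of the last MediaTek enumeration seen, or "none" if there was none.
classify_usb_log() {
    mode=none
    while IFS= read -r line; do
        ids=
        case "$line" in
            *idVendor=*idProduct=*)   # dmesg "New USB device found" line
                ids=$(printf '%s\n' "$line" | sed -n \
                    's/.*idVendor=\([0-9a-fA-F]\{4\}\), *idProduct=\([0-9a-fA-F]\{4\}\).*/\1 \2/p') ;;
            *" ID "*)                 # lsusb "Bus ... Device ...: ID vvvv:pppp" line
                ids=$(printf '%s\n' "$line" | sed -n \
                    's/.* ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\).*/\1 \2/p') ;;
        esac
        [ -n "$ids" ] || continue
        # Normalise hex case, then split "vid pid" into $1 and $2.
        set -- $(printf '%s' "$ids" | tr 'A-F' 'a-f')
        m=$(mtk_mode_from_ids "$1" "$2")
        [ "$m" = other ] || mode=$m
    done
    echo "$mode"
}

# Constructed sample: a failed attempt (preloader) followed by a good one.
SAMPLE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00'

printf '%s\n' "$SAMPLE" | classify_usb_log
```

On a live system the same function can be fed with `lsusb | classify_usb_log` or `dmesg | classify_usb_log`.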
how would you get to twrp after rebooting to system?
krsmit0 said:
how would you get to twrp after rebooting to system?
Code:
adb reboot recovery
k4y0z said:
Code:
adb reboot recovery
ok, made it to recovery. not sure how to navigate recovery.
krsmit0 said:
ok, made it to recovery. not sure how to navigate recovery.
Either via adb shell, or a mouse via USB-OTG
k4y0z said:
Either via adb shell, or a mouse via USB-OTG
found this, thanks, didn't know about this
https://twrp.me/faq/openrecoveryscript.html
Oh nice! I'll try it later today!
first one worked fine. second seemed to go ok but i can't get back in with adb. device unauthorized. i went through the process again to get back to recovery and i copied the adb_keys from the one that worked to the other one. permissions and ownership are the same, but it still says unauthorized. i also don't get the prompt to allow connection on the stick itself. i have connected with this stick through adb before this.
UPDATE: Factory reset didn't bring back the adb debug prompt, but an update did. I was on an older version.
krsmit0 said:
first one worked fine. second seemed to go ok but i can't get back in with adb. device unauthorized. i went through the process again to get back to recovery and i copied the adb_keys from the one that worked to the other one. permissions and ownership are the same, but it still says unauthorized. i also don't get the prompt to allow connection on the stick itself. i have connected with this stick through adb before this.
Mhh, what Firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure, adb is enabled in developer settings?
If that doesn't help could you try factory reset?
k4y0z said:
Either via adb shell, or a mouse via USB-OTG
k4y0z said:
Mhh, what Firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure, adb is enabled in developer settings?
If that doesn't help could you try factory reset?
it took an update to resolve it. factory reset didn't work. i was not getting the adb authorization prompt so i couldn't boot to recovery. i have it back up and running.
krsmit0 said:
it took an update to resolve it. factory reset didn't work. i was not getting the adb authorization prompt so i couldn't boot to recovery. i have it back up and running.
fastboot-step flashes the 5.2.6.8 boot.img, maybe that was causing an issue with older firmware.
Glad you got it solved. Now we also know updates are working fine (although disabling OTA might not be the worst idea).
The photo has the points labeled but doesn't specify what gets shorted. Are you supposed to short CLK to GND?
AFTVnews.com said:
The photo has the points labeled but doesn't specify what gets shorted. Are you supposed to short CLK to GND?
Yes, exactly.
I have updated the OP.
Wow, nice one @k4y0z. I'm so happy this little device can now have an unlocked bootloader; it's going to open up many possibilities on a device that is so inexpensive.
My Firestick 4k bootloops
Sir, I have a serious problem with my Firestick 4k. I experimented with sideloading Google Play services on my FS 4k and it installed successfully. But when I restart my device it bootloops on and on at the Firestick logo. Any solution, sir? Damn, I should not have done that. Please, sir, help me. I think I must hard reset the Firestick 4k, but how?
Will the Playing with Fire pack work without any changes?
Any chance a similar exploit can be done on the 1st gen stick (montoya)?
k4y0z said:
Yes, exactly.
I have updated the OP.
It looks like there is a test point attached to the trace that looks like it's going to what's labeled as CLK. Is that what you can use to short, or do you have to short the thing you are pointing to?
Have you modified anything, or is this the stock stuff that the original exploit used? Are these .bin files what I would get if I were to compile everything from the github?
