New Kindle Fires are locked - 7" Kindle Fire HD General

I've exchanged several PMs with pokey9000 today. He has taken a look at the software update packages for both the 2nd generation KF and the 7" HD. The MLO (xloader, 1st stage bootloader) is signed and the boot header is the type used for HS (high security) OMAP devices with the M-Shield turned on. If the setup is comparable to the Nook Tablet, this is not good news for those hoping to modify these devices in one way or another. The Nook Tablet's exploit was to utilize the external sdcard as an alternate boot device and that doesn't really help with these 2nd generation KFs.
It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.
So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.

Some clarification... and much left unanswered...
kinfauns said:
The Nook Tablet's exploit was to utilize the external sdcard as an alternate boot device and that doesn't really help with these 2nd generation KFs.
Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence). If you're curious, you can look at the CyanoBoot 2nd bootloader for NT description or source to see what's going on.
I've taken a VERY quick look at the bootloader source for the HD7 as well, pushed here for anyone who wants it. There is in fact signature verification code in the uboot source (~line 140).
Also, looks like there are three configs-- bowser, jem, and tate. I have to look at it closer but it looks like tate is a subtype of bowser, and the HD7 I assume is tate. Hashcode also found a "radley" in the kernel code, but I haven't looked at that.
Anyway.. it is possible that bauwks' flaw or some other flaw exists in this signature verification code, but the code isn't identical to NT so who knows.
Incidentally, the new revision of the Kindle Fire (otter2) also has the same code, and there's a thread about the signature issue here as well.
kinfauns said:
It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.
So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.
Yeah.. it all depends on whether there's a flaw as there was with the Nook Tablet... someone get bauwks on the line
Meanwhile, I'm enjoying my free (as in speech) Nexus 7...

fattire said:
Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence).
Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on emmc without any other boot options is serious brown trousers time. Now if they left in fastboot, then it's not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.
Meanwhile, I'm enjoying my free (as in speech) Nexus 7...
Yes.
Sent from my Nexus 7 using xda premium

fattire said:
Not quite right. NT's exploit was far more complicated than that and has nothing to do with using the external SD card (or depending on one). It could have been done simply with root (or any other method for overwriting a partition, which was required to insert a 2nd unsigned bootloader into the boot sequence). If you're curious, you can look at the CyanoBoot 2nd bootloader for NT description or source to see what's going on.
...
Thanks for the clarification and your input as well. I just wanted to get the discussions going on the possibilities of opening up this device to development, but also temper some expectations. There are many people waiting and some undoubtedly have ordered with the assumption that these 2nd generation devices will be getting the full range of development enjoyed by the original. I was mostly paraphrasing and summarizing, so I'll leave the details to those with the know-how.
I'm sure many people will be scouring the code and tinkering with their new devices in the coming days to figure something out.

Boring stuff...
pokey9000 said:
Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on emmc without any other boot options is serious brown trousers time
It's not THAT risky, I don't think. Even w/o SD card on NT, the safe(st) way to do it would be to replace the recovery partition with a 2ndboot/cyanoboot-enhanced recovery.img from a normal rooted boot. If recovery fails, you're still okay-- you can always just boot normally, gain root, and replace recovery again. If you're verified good, then use recovery to replace boot.img.
On NT, the normal secure boot sequence is unaffected when you replace recovery. That's because on the NT, you are never removing or touching the original uboot (ub1), so there's not much danger of a brick as long as you always have two means for booting (normal + recovery).
This is all academic as far as KFire HD goes, as I'm guessing from existence of the "crypto" partition that bauwks' bugfix won't work. I need to give a look at the signature verification stuff, as I haven't looked at it yet, but I'm not particularly optimistic.
pokey9000 said:
Now if they left in fastboot, then its not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.
True, although w/NT, BN can only patch it by modifying the hardware, which would create massive support headaches for two versions of the boot. This is because w/unchanged hardware, the current, signed xloader->ub1->ub2 chain can always be used to load whatever. Again, I have more clarification on this-- if you're not already familiar with the details, find me on IRC.
Speaking of fastboot, apparently if CONFIG_MACH_BOWSER_SUBTYPE_TATE is set, fastboot_idme is defined and fastboot and other debugging stuff seems to be turned on. I'm pretty sure "idme" is a uboot command. It's commented-out of drivers/fastboot.c as a shortcut to be enabled for TATE only.
FWIW, here are some various versions of the bowser board:
Bowser-Jem-PreEVT2-
Bowser-Jem-PreEVT2-
Bowser-Tate-PreEVT2.1-
Bowser-Tate-PostEVT2.1-
Bowser-Tate-PostEVT3HS2-
Bowser-Tate-DVT-
Bowser-Tate-PVT-
Bowser-Radley-
tate = product id 7
jem = product id 8
radley = product id 9
HS is High Security, I'm pretty sure.
Someone apparently is a fan of To Kill a Mockingbird (Boo Radley, Atticus "Jem" Finch, Heck Tate, etc.). I don't know what the Bowser connection is... this guy? Or maybe just one of these.
Gotta go.

A software R&D person at Amazon said it was impossible to crack the new KF system unless you know the key in the machine.

This was probably done in response to all the bricked Kindle Fires that were returned with the original Fire. That and the fact that if they didn't, it probably would have meant a price increase due to increased warranty expense. However, it seems it would make sense to simply allow an owner to pay a small fee to unlock the boot loader and register a modified Fire as "no warranty" for software issues.

kinfauns said:
I've exchanged several PMs with pokey9000 today. He has taken a look at the software update packages for both the 2nd generation KF and the 7" HD. The MLO (xloader, 1st stage bootloader) is signed and the boot header is the type used for HS (high security) OMAP devices with the M-Shield turned on. If the setup is comparable to the Nook Tablet, this is not good news for those hoping to modify these devices in one way or another. The Nook Tablet's exploit was to utilize the external sdcard as an alternate boot device and that doesn't really help with these 2nd generation KFs.
It's all subject to verification by someone who has a device in hand, but it doesn't look good. This is not to say that it's impossible, but it will be considerably more difficult to manipulate these devices than their 1st generation cousin.
So, let's all hope for the best, but be prepared for the worst. If you plan to buy one of these devices, buy them as an Amazon tablet to be used in the Kindle Fire ecosystem. Don't buy them expecting to run Jelly Bean the day after tomorrow.
I got my 7" Fire HD in the mail yesterday and am in this 100% to see custom roms running on it.
While I have just under a year of Android tinkering under my belt and many more years of experience playing with pc's and various flavors of embedded systems, I dunno where it all begins for this new device, but I want to help the dev community in any way I can.
If anybody has specific requests about the device or needs to test out something on one, I don't mind being a guinea pig, as long as there isn't too much risk of bricking my cool new toy...

I will take a look at the u-boot sources of the new fires too and see how/what they have changed. Very possible that they fixed the funny flaw in the loading process for this iteration of their devices.
It would certainly be sad since a full HD android tab is tempting. At least for the 7inch category we have the nexus7 as an extremely good alternative.

Ifixit has a teardown of the device, and there is a big test point labeled "USB BOOT" on the main board, and two smaller ones labeled "RX" and "TX"....
http://guide-images.ifixit.net/igi/UapMeZFPXthjTrEn.huge

Returned
I have already hit the Return Item button on this. I could care less about the speakers and the screen! Gonna pick up the Nexus 7 instead.

pokey9000 said:
Technically true, but altering the boot chain with a removable microSD makes it a reversible process. Overwriting the boot image on emmc without any other boot options is serious brown trousers time. Now if they left in fastboot, then its not so scary if a similar hack to the NT can be done. Still, with no possibility of USB boot there's no recourse if any exploits get patched.
Yes.
Sent from my Nexus 7 using xda premium
Just wait for pokey9000 to answer; wait until you have an idea how to USB boot it.

psomero said:
I got my 7" Fire HD in the mail yesterday and am in this 100% to see custom roms running on it.
While I have just under a year of Android tinkering under my belt and many more years of experience playing with pc's and various flavors of embedded systems, I dunno where it all begins for this new device, but I want to help the dev community in any way I can.
If anybody has specific requests about the device or needs to test out something on one, I don't mind being a guinea pig, as long as there isn't too much risk of bricking my cool new toy...
Well I for one will be quite happy if someone can get an alternate launcher to work without rooting. Didn't have to on the original KF for them to work.
JaxDomino said:
I have already hit the Return Item button on this. I could care less about the speakers and the screen! Gonna pick up the Nexus 7 instead.
I hope not cause the Nexus 7 for those two things ain't as good as this Fire HD.

Worst case scenario, there's always the kexec option. As a last resort, it works even on devices where the bootloader was never cracked.

robertc88 said:
Well I for one will be quite happy if someone can get an alternate launcher to work without rooting.
Yes, that would do it for me too (along with some ability to sideload apps). I preordered the 8.9 HD so I'll keep close watch on the development. If no solution is found before end of November, I just might cancel, and look around for what's hot (and rootable) at that point.

bournezhang said:
just wait for pokey9000 to answer , wait for u have idea how to USB boot it
USB boot needs a special boot loader (aboot in omap4boot, used in Firekit), and at least on the Nook Tablet it needs to be signed too. I doubt that TI's customers can or would opt for locking just flash boot, so I'm going to assume that it won't work on the new Fires without a signed USB loader.

glad to see everyone brainstorming over here. sorry for the bad news. i'm gonna follow these closely as i want to get a kfire hd for the gf eventually, but only when this bootloader gets unlocked. til then, back over to my n7 (which i find boring at times, because everything just works... bummer) lol

fattire said:
It's not THAT risky, I don't think. Even w/o SD card on NT, the safe(st) way to do it would be to replace the recovery partition with a 2ndboot/cyanoboot-enhanced recovery.img from a normal rooted boot. If recovery fails, you're still okay-- you can always just boot normally, gain root, and replace recovery again. If you're verified good, then use recovery to replace boot.img.
On NT, the normal secure boot sequence is unaffected when you replace recovery. That's because on the NT, you are never removing or touching the original uboot (ub1), so there's not much danger of a brick as long as you always have two means for booting (normal + recovery).
This is all academic as far as KFire HD goes, as I'm guessing from existence of the "crypto" partition that bauwks' bugfix won't work. I need to give a look at the signature verification stuff, as I haven't looked at it yet, but I'm not particularly optimistic.
True, although w/NT, BN can only patch it by modifying the hardware, which would create massive support headaches for two versions of the boot. This is because w/unchanged hardware, the current, signed xloader->ub1->ub2 chain can always be used to load whatever. Again, I have more clarification on this-- if you're not already familiar with the details, find me on IRC.
speaking of fastboot, apparently if CONFIG_MACH_BOWSER_SUBTYPE_TATE is set, fastboot_idme is defined and fastboot and other debugging stuff seems to be turned on. I'm pretty sure "idme" is a uboot command. It's commented-out of drivers/fastboot.c as a shortcut to be enabled for TATE only.
FWIW, here are some various versions of the bowser board:
Bowser-Jem-PreEVT2-
Bowser-Jem-PreEVT2-
Bowser-Tate-PreEVT2.1-
Bowser-Tate-PostEVT2.1-
Bowser-Tate-PostEVT3HS2-
Bowser-Tate-DVT-
Bowser-Tate-PVT-
Bowser-Radley-
tate = product id 7
jem = product id 8
radley = product id 9
HS is High Security, I'm pretty sure.
Someone apparently is a fan of To Kill a Mockingbird (Boo Radley, Atticuls "Jem" Finch, Heck Tate, etc.). I don't know what the Bowser connection is... this guy? Or maybe just one of these.
Gotta go.
fattire is a beast for doing work on the Nook Tablet with me, chm and all the other guys.... From what I'm reading, it's actually kinda like booti from the Nook Tablet. Very very interesting file at ./common/cmd_idme.c. It seems as though there's a way to load a debugging kernel. Kinda curious if we can use that to smash a new boot into it. The following lines interest me:
./common/cmd_idme.c
```c
#ifdef ENABLE_DIAG_KEY
if (!val_vol_up && val_vol_down) {
    /* button up is pressed only */
    printf("Tablet: Enter dkernel mode: ....\n");
    *ptn = pdkernel;   /* select the diagnostic kernel partition */
}
```
```c
case '2':
    printf("Select Diagnostic image\n");
    *ptn = pdkernel;   /* same diagnostic partition, chosen by menu key '2' */
    break;
```
and also this line in ./include/config/tate.h
```c
#define CONFIG_DIAGNOSTIC_BOOTCOMMAND "mmcinit 1;mmc 1 read 0x580 0x81000000 0x600000; bootm 0x81000000"
```
As for the boot hole that bauwks discovered on the Nook Tablet, it is not on this device, though it is highly possible that if this Diagnostic mode can be activated we can use the same exploit as we used with the fatload and the booti. This CONFIG_DIAGNOSTIC_BOOTCOMMAND can maybe do the same thing with something in the SAR memory, so it's worth someone doing some more research.

thebrave said:
Ifixit has a teardown of the device, and there is a big test point labeled "USB BOOT" on the main board, and two smaller ones labeled "RX" and "TX"....
http://guide-images.ifixit.net/igi/UapMeZFPXthjTrEn.huge
One way to make the device harder to alter is by making these test points the physical connections for a bootloader USB port. Perhaps the USB port accessible to the user is solely intended as a data transfer port for multimedia where the driver is initialised only after the anti-hacking measures are loaded?

pokey9000 said:
USB boot needs a special boot loader (aboot in omap4boot used in Firekit) , and at least on the Nook Tablet it needs to be signed too. I doubt that TI's customers can or would opt for locking just flash boot so I'm going to assume that it won't work on the new Fires without a signed USB loader.
This is standard operating practice. You can be assured that if flash boot is locked, USB boot will also be locked.
Interesting tidbit: While no Samsung Android device other than the Verizon GS3 (and rumor has it, the upcoming Verizon Note 2) has a locked bootloader in terms of ability to boot a kernel, nearly ALL of them have the initial first stage of boot locked. It's just that Samsung usually drops the chain of trust early on. This is, for example, why Unbrickable Mod doesn't exist for any GS2 or GS3-family device - no one has access to a signed USB-bootable IBL/PBL/SBL setup. (Technically, one could likely USB-boot the existing IBL, but that IBL is hardcoded to go to flash for PBL/SBL.)
So far, no one I am aware of has ever compromised the low-level hardware enforcement of OMAP4 HS or Exynos4. In all cases of OMAP4, any compromise took advantage of holes in the chain of trust farther down the line - however nearly all attack vectors are known, so probably every compromise technique that is standard (kexec, second init, etc.) has a countermeasure in play with the KFHD if they're THAT confident in its unbreakability. In the case of Exynos4, in all current cases the chain of trust goes "insecure" so early that only people with clobbered bootloaders care.
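To make the "chain of trust" that fattire (signed xloader -> ub1 -> ub2, normal + recovery as two boot paths) and Entropy512 (a chain that stays enforced, versus one that goes "insecure" early) are talking about concrete, here is an added model of a signed boot chain. It is not code from the thread, U-Boot, TI or Amazon. Everything in it is constructed: the key pair is a toy (textbook RSA over a SHA-256 digest, generated deterministically so the script runs offline; a production verifier uses a padded scheme such as RSA-PSS), the stage names and payloads are invented, and the device-side logic is just the property the thread relies on: the first stage that fails verification halts the boot before it runs, and an intact second path can still boot.

```python
"""Model of a signed boot chain (xloader -> ub1 -> ub2). Added illustration, not
vendor or U-Boot code. The key pair, stage payloads and boot paths are all constructed;
the signature scheme is unpadded textbook RSA kept only for self-containment."""
import hashlib
import math
import random

SIG_LEN = 64          # bytes: signature size for the 512-bit toy modulus below
PUBLIC_EXPONENT = 65537


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (adequate for a toy key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 2), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(seed: int = 7, bits: int = 512):
    """Deterministic toy RSA key pair: returns ((d, n), (e, n))."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            n = p * q
            return (pow(PUBLIC_EXPONENT, -1, phi), n), (PUBLIC_EXPONENT, n)


def key_fingerprint(pub) -> bytes:
    """What a boot ROM holds in one-time-programmable storage: a hash of the vendor key."""
    e, n = pub
    return hashlib.sha256(e.to_bytes(4, "big") + n.to_bytes(SIG_LEN, "big")).digest()


def sign_image(priv, payload: bytes) -> bytes:
    """Vendor side: image = signature over SHA-256(payload) || payload."""
    d, n = priv
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(h, d, n).to_bytes(SIG_LEN, "big") + payload


def verify_image(pub, image: bytes) -> bool:
    """Device side: reject short images, out-of-range signatures and digest mismatches."""
    e, n = pub
    if len(image) <= SIG_LEN:
        return False
    sig = int.from_bytes(image[:SIG_LEN], "big")
    if sig >= n:
        return False
    h = int.from_bytes(hashlib.sha256(image[SIG_LEN:]).digest(), "big")
    return pow(sig, e, n) == h


def verify_chain(root_fp: bytes, pub, images: list) -> tuple:
    """Walk the stages in load order; the first stage that fails stops the boot there."""
    if key_fingerprint(pub) != root_fp:
        return False, "vendor key does not match the fused fingerprint"
    if not images:
        return False, "no stages to load"
    for index, image in enumerate(images):
        if not verify_image(pub, image):
            return False, f"stage {index} rejected; boot halted before it ran"
    return True, f"all {len(images)} stages verified"


def try_boot(root_fp: bytes, pub, paths: dict) -> tuple:
    """Try boot paths in order (e.g. normal, then recovery); report the first that verifies."""
    log = []
    for name, images in paths.items():
        ok, why = verify_chain(root_fp, pub, images)
        log.append(f"{name}: {why}")
        if ok:
            return name, log
    return None, log


# Constructed sample data (not real images): shared first stages, two final stages.
PRIV, PUB = generate_keypair()
ROOT_FP = key_fingerprint(PUB)
SHARED = [b"xloader: first-stage loader", b"ub1: signed u-boot"]
NORMAL = [sign_image(PRIV, p) for p in SHARED + [b"ub2 -> boot.img"]]
RECOVERY = [sign_image(PRIV, p) for p in SHARED + [b"ub2 -> recovery.img"]]
# Flip one payload byte of the last stage of the normal path to model a modified image.
TAMPERED = NORMAL[:-1] + [NORMAL[-1][:-1] + bytes([NORMAL[-1][-1] ^ 0x01])]
```

Calling `try_boot(ROOT_FP, PUB, {"normal": TAMPERED, "recovery": RECOVERY})` returns `"recovery"` with a log showing stage 2 of the normal path rejected: that is the "two means of booting" safety net fattire describes, and it only holds while the untouched path still verifies. Swapping in a key pair generated with a different seed makes `verify_chain` fail at the fingerprint check before any stage is read, which is the hardware-rooted part of the chain that Entropy512 notes has not been broken on OMAP4 HS.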

Related

Locking off bootloaders

Can you really blame them? I wonder sometimes how many Android returns are due to user screw ups, just look at the kindle fire forums, every other thread is, "help I bricked my fire"
I know this is a dev forum, but it doesn't surprise me at all that manufacturers are making it tougher.
Discuss
Sent from my Rezound using Tapatalk
Shouldn't matter, we know the risks of modding our phones, we pay for our phones and a lot more than we should over the life of a contract and even with upgrade price, we own our phone and should be able to have the bootloaders unlocked.
-Sent from my Droid 2-
It will be great to get our devices with S-OFF and eng S-OFF in advance.
We will not spend so much time with rooting then
Lol, 98% of kindle fire "brick" threads aren't actually bricked.. Being a kindle owner myself, it's actually just because the computer doesn't recognize the device when it is stuck at fastboot.. (Easy fix by uninstalling all adb drivers and letting windows find the driver when you plug the kindle fire back in) The symptoms are like a brick because it only powers on and is stuck at the kindle fire logo until you change the bootmode via computer...
I can see it now...
Hi Google?
What can I help you with?
My 5 second Google search led me to believe I could flash my street fighter rom to my phone?
::face_palm::
The main problem about unlocking bootloaders is the user itself.
A lot of people are throwing themselves into unlocking, rooting etc. etc. without reading and paying attention to the warnings. So, if my neighbour can do it, I'll do it myself... The technical background is not the same for everyone, so it's not as simple as this.
I've to admit that I blocked two or three devices (HTC Desire HD, Xperia Arc, SGS2) but all the answers were here; if we know how to search, unbricking a device only takes a few seconds/minutes to do.
Since the majority of newbies will not read and search correctly in this forum, the brands will continue to lock their bootloaders to avoid problems with the 95% of users who think they know, but they don't.
I Am Marino said:
Shouldn't matter, we know the risks of modding our phones, we pay for our phones and a lot more than we should over the life of a contract and even with upgrade price, we own our phone and should be able to have the bootloaders unlocked.
-Sent from my Droid 2-
I think that is why htc is offering an official unlocking tool, that will void your warranty. That way, you can do what you want, but htc isn't on the hook when you brick it.
e334 said:
Lol, 98% of kindle fire "brick" threads aren't actually bricked.. Being a kindle owner myself, its actually just because the computer doesn't recognize the device when it is stuck at fastboot.. (Easy fix by uninstalling all adb drivers and letting windows find the driver when you plug the kindle fire back in) The symptoms are like brick because it only powers on and it stuck at the kindle fire logo until you change the bootmode via computer...
Now look at it through the eyes of the average user. Is that really just a common sense fix?
It is in no way in the OEM's best interest to unlock the bootloader. For them, it's nothing but trouble. Those who want a back door will find one, the tougher it is to get into, the more idiots you can eliminate from the equation.
z33dev33l said:
Now look at it through the eyes of the average user. Is that really just a common sense fix?
It is in no way in the OEM's best interest to unlock the bootloader. For them, it's nothing but trouble. Those who want a back door will find one, the tougher it is to get into, the more idiots you can eliminate from the equation.
I think part of why mfgs are still apprehensive of unlocking bootloaders is because they want to protect their code: Sense, Blur, etc... Some folks are changing their tune. Curious that unlike unlocking Google experience devices, some mfgs are developing their own "unlock tool". I'll be apprehensive about using any tool from an mfg. I'm sure they'll CYA and you'll take all of the risk..
nrfitchett4 said:
Can you really blame them? I wonder sometimes how many Android returns are due to user screw ups, just look at the kindle fire forums, every other thread is, "help I bricked my fire"
I know this is a dev forum, but it doesn't surprise me at all that manufacturers are making it tougher.
Discuss
Sent from my Rezound using Tapatalk
Like many have mentioned, we know what we're doing to our phones by rooting/modding, but the manufacturer is treating us like little kids by not trusting us (looking @ you Motorola)
Sent from my MB870 using xda premium
Haha, I'm one of those "haaaaah bricked my kindle fire" and yes I was just stuck in fastboot; after some reading I built my fix:
fastboot -i 0x1949 boot CWM5-B2.img
For the manufacturer an open bootloader means trouble, people will just brick their devices.
Another interesting argument I was stumbling on goes like: "We have to lock the bootloader to keep the software's integrity so people aren't messing with the DRM of music / videos."
yea, i believe they just wanna protect their code
All arguments for a locked bootloader are invalid.
Does your PC have a locked bootloader? NO.
Can you install whatever OS you want on it, provided it is architecture-compatible? YES.
Do PCs get messed up during botched OS installations? Sure they do. Do companies suddenly lose billions and go out of business as a result? NO.
Locking the bootloader on a device is censorship. End of story.
synaesthetic said:
All arguments for a locked bootloader are invalid.
Does your PC have a locked bootloader? NO.
Can you install whatever OS you want on it, provided it is architecture-compatible? YES.
Do PCs get messed up during botched OS installations? Sure they do. Do companies suddenly lose billions and go out of business as a result? NO.
Locking the bootloader on a device is censorship. End of story.
I agree. Besides the number of people who actually mess around with their phones are a small amount. I'd say maybe less than 2% (and that's being generous).
If you don't want a locked bootloader, get a Samsung.
synaesthetic said:
All arguments for a locked bootloader are invalid.
Does your PC have a locked bootloader? NO.
Can you install whatever OS you want on it, provided it is architecture-compatible? YES.
Do PCs get messed up during botched OS installations? Sure they do. Do companies suddenly lose billions and go out of business as a result? NO.
Locking the bootloader on a device is censorship. End of story.
Also, do PC companies care if you overclock your PC? No.
Bottom line, all in all, this is one of the best posts I've ever had the privilege to quote on XDA.
I Am Marino said:
Also, do PC companies care if you overclock your PC? No.
Bottom line, all in all, this is one of the best posts I've ever had the privilege to quote on XDA.
And why the hell not? A smartphone is nothing more than a pocket-sized computer with telephony features. Any desktop from the past thirty years can also make phone calls provided it's connected to a network. So the fact that a smartphone makes calls does not make it less of a computer.
It's a computer. A very small computer that fits in your pocket, that also has phone functions. I long for the day when I can buy a barebones smartphone and install whatever OS I want on it, Android or MeeGo or Ubuntu Mobile or Symbian or Windows Phone or whatever other mobile-oriented OSes are out there at the time.
I just long for the day people get complete control of something they actually own.
synaesthetic said:
All arguments for a locked bootloader are invalid.
Does your PC have a locked bootloader? NO.
Can you install whatever OS you want on it, provided it is architecture-compatible? YES.
Do PCs get messed up during botched OS installations? Sure they do. Do companies suddenly lose billions and go out of business as a result? NO.
Locking the bootloader on a device is censorship. End of story.
I have no problem with unlocking of bootloaders. But I do agree with OEM stance that unlocking of bootloader may void your warranty. Same thing if you mod your engine on your car, you may void your warranty for the engine. I agree that you should be allowed to mod the phone, just that htc shouldn't replace it when you screw it up. I think htcdev is about as balanced as we are going to get on it.

[PSA] Don't buy one as a "cheap tablet" and expect a bootloader unlock

All Amazon devices dating back to the Kindle Fire HD 7/8.9" (2012) have a "locked bootloader", meaning that it may not ever be possible to root, get a custom recovery, or install CyanogenMod (Or any custom ROM for that matter).
This is not intended to bash Amazon (They should make "Developer friendly" tablets, though), I just wanted to let everyone know before it gets released better than after.
r3pwn said:
All Amazon devices dating back to the Kindle Fire HD 7/8.9" (2012) have a "locked bootloader", meaning that it may not ever be possible to root, get a custom recovery, or install CyanogenMod (Or any custom ROM for that matter).
This is not intended to bash Amazon (They should make "Developer friendly" tablets, though), I just wanted to let everyone know before it gets released better than after.
I don't have much idea about those tablets; I searched them yesterday but I found THIS. Isn't it the previous Amazon Kindle forum page? And they managed to unlock the bootloader so you can flash a custom ROM. And probably this will come for the "newest generation" Amazon tablets too.
Geo_Tech said:
I don't have much idea about those tablets; I searched them yesterday but I found THIS. Isn't it the previous Amazon Kindle forum page?
One generation before the last set of Kindles. The last generation of Kindles (the HDXs) have yet to get any ROMs of any kind, except for via SafeStrap.
r3pwn said:
One generation before the last set of Kindles. The last generation of Kindles (the HDXs) have yet to get any ROMs of any kind, except for via SafeStrap.
Is this not a ROM for the last generation of HDXs ? Maybe we are talking about the same, don't know just saying.
Geo_Tech said:
Is this not a ROM for the last generation of HDXs ? Maybe we are talking about the same, don't know just saying.
That's why I said "except via SafeStrap". SafeStrap allows for modified stock ROMs on bootloader-locked devices.
Geo_Tech said:
Is this not a ROM for the last generation of HDXs ? Maybe we are talking about the same, don't know just saying.
Safestrap has "roms" but they basically run the stock kernel and add stuff around that. This severely limits what a rom can do.
The last generation of Amazon Kindles (the HDX series) were locked much tighter than the second generation (the original HD versions) which are locked tighter than the original Fire. Amazon has been working hard to prevent us from messing with their "content delivery" system. I love the price of these things, and the hardware for the price looks pretty good, but I will not be getting one since I honestly do not think that the community will pry them open for open development usage.
Ok, now I have a clear view of what's going on.
If we can just get a root method, that would be a great start.
Sent from my KFARWI using XDA Free mobile app
It seems a fastboot cable does not bring up fastboot mode. Is this just me? My cable may be screwed up since I made it a year back.
Sent from my KFARWI using Tapatalk

Unlock bootloader for Fire HD 8 6th Gen

I just got couple Fire HD 8 6th Gen tablets for my kids, and thought I'd flash them right away with a custom ROM. I was quite disappointed with the absence of development for this tablet.
Anyway, as far as I understood from reading the forum (and I just started, sorry if I missed something), the first problem is the factory locked bootloader. And it sounded from a post I read like it's something that cannot be solved: http://forum.xda-developers.com/hd8-hd10/help/rooted-boot-img-t3508316 (bootloader locked discussion starts at the bottom of the 1st page).
Well, I am definitely not a pro in mobile development (I work on server side software for living), so I beg your pardon if I'm wrong. But unlocking a locked bootloader is not something unheard of.
So, I was wondering, if it could be done for other devices, then probably it can be done for this one too. And the fact that it has not been done yet could mean, for example, that this device is somehow different. Or, it could mean that there was no one yet with enough expertise AND the device at hand to do it.
So if the latter is true, and it's just a lack of attention from good developers, then I guess it could be arranged to donate a device to a reputable XDA dev. A dev that would be interested in having a challenge. And a free device.
I would definitely pitch in, and if you would too, please tell. And if you know an XDA dev who has expertise to do it, please tell too, and give an example of their work.
All the above is open for discussion of course, constructive suggestions would be much appreciated.
The 7" is locked but got a lot of love and is now rootable. If the guys at Kingroot have that interest, we might see something, but otherwise not. Until rooted, not much point porting a ROM.
So I suppose the proposition is to send a device to KingRoot guys?
...in China.....
I was wondering how the issue of locked encrypted bootloader was solved for other Fire devices. Here's how it's been done for Fire HDX 8.9: http://forum.xda-developers.com/kin...bootloader-unlock-procedure-software-t3030281 . I suppose the bug used in this method has been fixed already, this is just a demonstration that it can be done.
That was cracked using a crypto bug. Basically exploiting a weakness in the RSA encryption of the bootloader's signature. It's incredibly rare for encryption to get totally broken like this, and easily patched with system updates. Kinda got lucky on that one. Best thing to hope for first is root, then try to find a way around the bootloader's protection. These keep getting exponentially harder, and there's a lot more money on developing protections than breaking them.
I received one as a gift. I will probably never use it unless it's opened up.... I mean, I'm appreciative that someone gifted me it. But I become really upset by the fact that Samsung and Amazon... all the big players really lock up their bootloader and force me onto some ecosystem when I know the tablet or device could work just so much better. Anyways, if there is anything I can contribute let me know...
Download the Kingroot App then run it. After running it once or twice it will ask you to send a device request. Root may eventually be achieved for the 6th Gen but that may be as far as it gets. Very unlikely that the bootloader will be unlocked. Amazon actively puts a lot of effort into keeping them locked. It's been a while since any newer version of these Fire bootloaders has been unlocked. The HD 8 5th Gen is about 2 years old and the only thing that's been achieved was root and that was done by Kingroot..... But hey, nothing's impossible....

A way to hide the "Bootloader Unlocked" splash?

When one unlocks the bootloader on an Android device, the device then shows a "Bootloader Unlocked" warning splash screen. This is a general Android thing, not specific to the OP6T.
On the Moto Z2 Force (my previous phone), there was a way to hide that warning screen by flashing logo.bin. See thread:
https://forum.xda-developers.com/z2-force/development/remove-bootloader-unlocked-warning-t3702353
I have no idea if an approach like this would be relevant to our OP6T, but wondered if there could be something similar.
Thanks
dismembered3po said:
When one unlocks the bootloader on an Android device, the device then shows a "Bootloader Unlocked" warning splash screen. This is a general Android thing, not specific to the OP6T.
On the Moto Z2 Force (my previous phone), there was a way to hide that warning screen by flashing logo.bin. See thread:
https://forum.xda-developers.com/z2-force/development/remove-bootloader-unlocked-warning-t3702353
I have no idea if an approach like this would be relevant to our OP6T, but wondered if there could be something similar.
Thanks
Intriguing, but idunno.
Doubtful. Logo.bin is encrypted in most recent Android phones because the locked bootloader exists for a reason other than stabbing the customers in the back. So, I am confident that logo.bin mods will not work, since there are some machine codes embedded into the image file, meant for the phone to check if it's legit or not.
Sent from my OnePlus 6T using Tapatalk
This quest is vain.
All is hardcoded and all devs that tried to hack the files failed.
The only question in fact is: what is your problem with this screen? It lasts 5 secs and only when you reboot....
There are many more crucial things to deal with
Striatum_bdr said:
This quest is vain.
All is hardcoded and all devs that tried to hack the files failed.
The only question in fact is: what is your problem with this screen? It lasts 5 secs and only when you reboot....
There are many more crucial things to deal with
There may be more crucial things to deal with, and yes, it's only showing for a few seconds, but that doesn't mean it's not important to the OP. It annoys the crap out of me as well, but I will admit I don't have the knowledge to even attempt looking for a solution. Just because you see it as nothing more than a minor annoyance doesn't invalidate his or others' annoyance level over it. I'd love to see a solution to it but am aware one is probably not coming.
jestyr8 said:
There may be more crucial things to deal with, and yes, it's only showing for a few seconds, but that doesn't mean it's not important to the OP. It annoys the crap out of me as well, but I will admit I don't have the knowledge to even attempt looking for a solution. Just because you see it as nothing more than a minor annoyance doesn't invalidate his or others' annoyance level over it. I'd love to see a solution to it but am aware one is probably not coming.
My concerns about it are twofold:
1) If someone reboots my device without my knowing it, it's a dead giveaway that...well...the device is physically attackable.
2) When I inevitably pass this phone down to my wife, it will annoy her. Also, she has far worse opsec than I do.
Also, on some phones, possibly this one (OnePlus 6T), the logo.bin image file is deeply embedded inside the second stage UEFI bootloader (aboot), meaning if you try, you will definitely brick it, since it obviously will cause the bootloader to either be quite upset that the logo.bin no longer passes the cryptography checks, or worse, be completely corrupted.
Sent from my OnePlus 6T using Tapatalk
dismembered3po said:
My concerns about it are twofold:
1) If someone reboots my device without my knowing it, it's a dead giveaway that...well...the device is physically attackable.
2) When I inevitably pass this phone down to my wife, it will annoy her. Also, she has far worse opsec than I do.
1) that's exactly why Google is against 'root' and why many manufacturers forbid bootloader unlock.... And why phones are encrypted
And why nearly all phone that permit bootloader unlock have this type of screen
Far less annoying than the warning that never stops in your car if you don't put your belt on....
Actually, Google doesn't really care about rooting nowadays (they allow you to unlock the Google Store version of Google Pixel phones' bootloaders - if they are so against rooting, why do they give you a choice to unlock the bootloader), but they're more concerned about whether root agents are being hijacked (which is why Magisk has Superuser lockout protection, and I use it to only authorize the legit apps), and what the hackers (and cops hellbent on violating the privacy rights laws) would find once they get hold of the Linux device block handles (like /dev/sda0 for instance) leading to the SD cards and embedded SSD.
So Google has had a right reason to encrypt the whole SSD; it's for your own protection and privacy, something you should be worried about, especially after a few high-profile security breaches.
In the end, it's never about rooting, it's always about the ramifications of someone getting hold of your phone. Of course the argument against rooting is useless nowadays anyhow, because when you unlock the bootloader, the phone automatically wipes itself clean, leaving nothing for the suspects to try and steal (as the bootloader also performs a TRIM wipe to make sure there's nothing left behind).
Sent from my OnePlus 6T using Tapatalk
Striatum_bdr said:
1) that's exactly why Google is against 'root' and why many manufacturers forbid bootloader unlock.... And why phones are encrypted
And why nearly all phone that permit bootloader unlock have this type of screen
Far less annoying than the warning that never stops in your car if you don't put your belt on....
Google can't be said to be "against root," really. We continually see phones released with bootloader unlock allowed natively. I mean, all of Google's own phones - Pixels, Nexuses (Nexi?) - have permitted oem unlocking since basically ever (Ok, not sure about the Galaxy Nexus). All of the OnePlus phones have permitted it (save the new T-mobile 6t). It's mostly the CARRIERS who forbid it because they have a vested interest in making sure you can't take your phone to another network. Oh...and Samsung.
Full disk encryption is about user privacy, and I can't stress enough how important it is, but it's a separate argument.
I understand the underlying motivation for employing a warning screen like this. For someone who doesn't understand all this stuff, having a blatant warning is beneficial because they will know their device has been tampered with. On the other hand, I'm fully aware of the risks involved with unlocking, rooting, etc. I choose to do it because I'm using it to enhance the functionality and security of the phone for my very specific use-cases. That said, if I could mitigate one additional threat by not broadcasting to everyone that my bootloader is unlocked, maybe the attacker moves on to an easier target.
Whether you like it or not isn't really important to my motivation for asking these questions.
Those questions have been asked since the OnePlus 1, years ago.... The answer will always be the same. Impossible to get rid of the warning screen.
Striatum_bdr said:
Those questions have been asked since the OnePlus 1, years ago.... The answer will always be the same. Impossible to get rid of the warning screen.
People keep saying that, I don't buy it. It's been done on too many devices when someone has been determined.
Here is the Nexus 5X thread, it had some details about how it's done on that device. Perhaps it would be useful or provide some ideas?
The problem is, the Nexus 5X's bootloader uses a different disk partition compared to the OnePlus 6T's, and OnePlus made a change to how the bootloader protects itself ever since the OnePlus 5T was shown to be vulnerable to the bootloader console and UEFI payload partition attacks.
So don't be surprised if you attempted the Nexus 5X boot splash trick on the OnePlus 6T's bootloader, only to have to use the Qualcomm Snapdragon processor tool to get it back to life.
Sent from my OnePlus 6T using Tapatalk
After a little bit of research, it's kind of possible to install a modified UEFI payload bootloader (abl / aboot) on the Snapdragon 845 phones like our OnePlus 6T. It will be tricky because of the UEFI XBL bootloader agent, which is very strict about the file size / cryptography checks; even if *it* is technically already unlocked, it still acts like a locked bootloader for a good reason.
TL;DR, it is possible to replace the bootloader unlocked warning splash screen on the OnePlus 6T, but the encryption and UEFI security check will stop you short of attaining your hacking goal.
Sent from my OnePlus 6T using Tapatalk

How does Amazon load Fire OS onto new/refurbished tablets?

Every so often customers will return Fire tablets that are under warranty because they've stopped working. It could be a battery problem, or it could be an error taking an update that left the tablet unable to boot. When that happens, one would presume that Amazon would try to recoup their investment by cosmetically spiffing up the tablet and wiping and reloading Fire OS to make it ready for resale.
Whether or not that's the case, when a tablet comes off the assembly line there has to be some way Amazon loads the OS before they box it up for sale. My question is, in each case, how do they do it?
At the factory, I suspect the OS might be loaded into memory before final assembly of the motherboard onto the tablet body. In fact it might even happen before the memory is soldered onto the board. When refurbishing though, it seems like any feasible way to reload the tablet's OS would have to go through a USB cable -- which wouldn't be the case when you're prepping hundreds of thousands of tablets a month or more for sale.
That's assuming unbricking is possible, of course. They might just collect all those dead tablets and convert them into hide-a-beds for Amazon's warehouse workers for all I know.
It just seems like there ought to be a way to revive a hard bricked, as in incomplete write to the boot loader, tablet. And in case there's any doubt, yes, that's exactly what I've done with one of mine. I suspect that I'm going to have to play Baron von Frankenstein and transplant the working motherboard from a Fire HD 8 with a cracked screen into the body of a Fire with an intact screen, but that went south during a boot ROM update and is now an attractive paperweight. But my experience has me curious whether Amazon can reverse such disasters, and if so, how they do it. Whether such methods are available to us mere mortals is of course a different matter entirely.
Which generation of HD8 is it? Can it not be unbricked using the bootrom method, shorting the appropriate connection on the motherboard?
MontysEvilTwin said:
Which generation of HD8 is it? Can it not be unbricked using the bootrom method, shorting the appropriate connection on the motherboard?
Maybe. It's a Fire HD 8 2017 (karnak) and I've successfully rooted one or two of these tablets after opening them up, so I can give that a go. As long as I don't have to be able to power up the tablet, everything should be fine.
NerdFire said:
Maybe. It's a Fire HD 8 2017 (karnak) and I've successfully rooted one or two of these tablets after opening them up, so I can give that a go. As long as I don't have to be able to power up the tablet, everything should be fine.
The 2018 model is Karnak, not 2017.
semada said:
The 2018 model is Karnak, not 2017.
You are of course correct. These tablets are karnak/2018 models.
Thank you for the reminder @MontysEvilTwin -- I was able to unbrick the tablet and get it back to working. It didn't repair the cracked screen though.
I really am still interested in the process Amazon uses to load tablets at scale. I'm sure it's nothing that's available to us mere mortals; I'm just curious in a "how stuff works" sort of way.
