Database Users

Droid RAZR M: Qflash Utility Help

QFLASH Problem
What the hell .. squint emoticon
"No data read from USB. This may not be an error. Trying again..."
if anyone knw about it so Guide me .i am very close :|
D:\Downloads\Compressed\Moto.X.Unbrick\Python27>python 8960_blankflash.py
Emergency download enumeration detected on port - com3
Starting qflash!
Executing command qflash.exe -com3 -ramload MPRG8960.hex -mbn 33 MSM8960_bootloa
der_singleimage.bin -v -o
Motorola qflash Utility version 1.3
COMPORT :COM3
RAMLOADER :MPRG8960.hex
type is 0x21
7 mbn file name MSM8960_bootloader_singleimage.bin type 33
verbose mode on
Motorola qflash dll version 1.6
RAMLOADER VERSION: PBL_DloadVER2.0
------------------------------------------------------
DEVICE INFORMATION:
------------------------------------------------------
Version : 0x8
Min Version : 0x1
Max Write Size: 0x600
Model : 0x90
Device Size : 0
Description : Intel 28F400BX-TL or Intel 28F400BV-TL
------------------------------------------------------
Using passed in packet size, changing from 0x600 -> 0x600
EXTENDED_LINEAR_ADDRESS_REC @ 0x2a000000
Write 65536 bytes @ 0x2a000000
100EXTENDED_LINEAR_ADDRESS_REC @ 0x2a010000
Write 11840 bytes @ 0x2a010000
100START_LINEAR_ADDRESS_REC @ 0x2a000000
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
Still no data, giving up!
dmss_go : failed to receive ACK
Error loading MPRG8960.hex into device
Blank flashing successful
Device will now enumerate in fastboot mode
D:\Downloads\Compressed\Moto.X.Unbrick\Python27>pause
Press any key to continue . .

[BOOTLOADER] Analysis

Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img refering to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There must be a is a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstall Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely reference to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.

Can you run binwalk with -e and post the 5.1.1 certs here

benwaffle said:
Can you run binwalk with -e and post the 5.1.1 certs here
Click to expand...
Click to collapse
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the top of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.

Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?

bibikalka said:
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
Click to expand...
Click to collapse
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.

Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael

stargo said:
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
Click to expand...
Click to collapse
How interesting. Thanks @stargo! I've updated the OP accordingly to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.

Hi there! As se en within I read mtk is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most Roms are ports of a similar decide. I'll have a search for a device with this same soc to ser if i can come back with related info. That's why I'm surprised we have cm here!

error while repo init

Hellow guys, i have an hP laptop with 16 gigs of ram and enough hdd space. also i am running xubuntu 16.04 where i was previously able to compile custom roms. however recently my hard drive had crashed and i had to recover using easeUS. then i formatted it to exFat. Xubuntu as such is giving me write operations on exFat devices. my problem is now whenever am using repo sync a custom rom source it gives error like
Code:
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$ repo init -u https://github.com/PixelExperience/manifest -b oreo-mr1
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
remote: Finding sources: 100% (5/5)
remote: Total 5 (delta 0), reused 5 (delta 0)
Unpacking objects: 100% (5/5), done.
From https://gerrit.googlesource.com/git-repo
cf7c083..0f2e45a master -> origin/master
Get https://github.com/PixelExperience/manifest
Traceback (most recent call last):
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 399, in Execute
self._SyncManifest(opt)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 171, in _SyncManifest
m._InitGitDir(mirror_git=mirrored_manifest_git)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2292, in _InitGitDir
self._UpdateHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2312, in _UpdateHooks
self._InitHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2341, in _InitHooks
os.symlink(os.path.relpath(stock_hook, os.path.dirname(dst)), dst)
OSError: [Errno 38] Function not implemented
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$
any help would be recommended and appreciated

Ayan Uchiha Choudhury said:
Code:
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$ repo init -u https://github.com/PixelExperience/manifest -b oreo-mr1
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
remote: Finding sources: 100% (5/5)
remote: Total 5 (delta 0), reused 5 (delta 0)
Unpacking objects: 100% (5/5), done.
From https://gerrit.googlesource.com/git-repo
cf7c083..0f2e45a master -> origin/master
Get https://github.com/PixelExperience/manifest
Traceback (most recent call last):
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 399, in Execute
self._SyncManifest(opt)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/subcmds/init.py", line 171, in _SyncManifest
m._InitGitDir(mirror_git=mirrored_manifest_git)
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2292, in _InitGitDir
self._UpdateHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2312, in _UpdateHooks
self._InitHooks()
File "/media/ayan/Ayan/Mobile/mo/pixel/.repo/repo/project.py", line 2341, in _InitHooks
os.symlink(os.path.relpath(stock_hook, os.path.dirname(dst)), dst)
OSError: [Errno 38] Function not implemented
[email protected]:/media/ayan/Ayan/Mobile/mo/pixel$
any help would be recommended and appreciated
Click to expand...
Click to collapse
Wrong place to ask but yeah, have you installed the latest version of repo and python2 ?
Or before that try `rm -rf .repo` and then init again.
Android Building queries can be discussed here:
https://forum.xda-developers.com/chef-central/android/guide-android-rom-development-t2814763

Yes yes I did both. I also created a new directory and tried repo init. But still

emmm....
Ayan Uchiha Choudhury said:
Yes yes I did both. I also created a new directory and tried repo init. But still
Click to expand...
Click to collapse
Have you found anything to solution ?

SchafferWang said:
Have you found anything to solution ?
Click to expand...
Click to collapse
Exfat was the problem. Formatted to NTFS to fix it

Fire HD 8 (7th gen) stuck at Amazon logo

Hello, everyone!
So, today I decided to install TWRP and root my device. Everything was going well until I reach this point where the tablet restarted and now is in boot-loop.
I had just finished the unbricking point and was about then I typed the following command in the shell: 'sudo ./fastboot-step.sh'.
This is where it's stopped:
[2021-03-27 16:43:29.236887] Reboot
bash-5.0# sudo ./fastboot-step.sh
Your device will be reset to factory defaults...
Press Enter to Continue...
< waiting for any device >
I don't what else to do. I've tried the power button + volume down method for 5 secs, then 10 secs, and nothing happens. The loop keeps happening. I've also removed the back lid and disconnected the battery for a while, and still haven't got any results.
Can anyeone help me with this issue? Thank you!
edit: typo

Hello again!
I still haven't found a way to unbrick my fire tablet. So I tried following this obsolete thread:
Fire hd8 2017 root, debrick​Hoping that it could be the solution for the reported issue. I tried doing it through the current method, but my machine doesn't recognize the tablet.
So trying the old method (short in the TP28), I've got this error:
Code:
bash-5.0# ./bootrom-step.sh
[2021-04-01 22:50:17.478448] Waiting for bootrom
[2021-04-01 22:50:41.354091] Found port = /dev/ttyACM0
[2021-04-01 22:50:41.354662] Handshake
[2021-04-01 22:50:41.355259] Disable watchdog
* * * Remove the short and press Enter * * *
[2021-04-01 22:50:44.662380] Init crypto engine
[2021-04-01 22:50:44.683846] Disable caches
[2021-04-01 22:50:44.684597] Disable bootrom range checks
[2021-04-01 22:50:44.703222] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2021-04-01 22:50:44.713671] Send payload
[2021-04-01 22:50:45.332866] Let's rock
[2021-04-01 22:50:45.333552] Wait for the payload to come online...
[2021-04-01 22:50:46.491024] all good
[2021-04-01 22:50:46.491635] Check GPT
[2021-04-01 22:50:46.951993] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'lk': (16384, 1024), 'lk2': (17408, 1024), 'boot_x': (18432, 32768), 'recovery_x': (51200, 34816), 'tee1': (86016, 10240), 'tee2': (96256, 10240), 'metadata': (106496, 80896), 'kb': (187392, 2048), 'dkb': (189440, 2048), 'MISC': (191488, 1024), 'reserved': (192512, 16384), 'system': (208896, 3306496), 'cache': (3515392, 868352), 'userdata': (4383744, 25942016)}
Traceback (most recent call last):
File "main.py", line 125, in <module>
main()
File "main.py", line 69, in main
raise RuntimeError("bad gpt")
RuntimeError: bad gpt
What does that mean, guys? Is it a normal error, or it means that I cannot recover it at all?
UPDATE: I have also tried the gpt-fix-16G.sh script, but I still get the same error:
Code:
bash-5.0# ./gpt-fix-16G.sh
[2021-04-02 00:04:23.563886] Waiting for bootrom
[2021-04-02 00:04:32.363785] Found port = /dev/ttyACM0
[2021-04-02 00:04:32.365383] Handshake
[2021-04-02 00:04:32.366282] Disable watchdog
* * * Remove the short and press Enter * * *
[2021-04-02 00:04:35.287663] Init crypto engine
[2021-04-02 00:04:35.311740] Disable caches
[2021-04-02 00:04:35.312526] Disable bootrom range checks
[2021-04-02 00:04:35.332376] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2021-04-02 00:04:35.341711] Send payload
[2021-04-02 00:04:35.967352] Let's rock
[2021-04-02 00:04:35.968132] Wait for the payload to come online...
[2021-04-02 00:04:37.125624] all good
[2021-04-02 00:04:37.126335] Check GPT
[2021-04-02 00:04:37.461818] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'lk': (16384, 1024), 'lk2': (17408, 1024), 'boot_x': (18432, 32768), 'recovery_x': (51200, 34816), 'tee1': (86016, 10240), 'tee2': (96256, 10240), 'metadata': (106496, 80896), 'kb': (187392, 2048), 'dkb': (189440, 2048), 'MISC': (191488, 1024), 'reserved': (192512, 16384), 'system': (208896, 3306496), 'cache': (3515392, 868352), 'userdata': (4383744, 25942016)}
Traceback (most recent call last):
File "main.py", line 123, in <module>
main()
File "main.py", line 69, in main
raise RuntimeError("bad gpt")
RuntimeError: bad gpt

Trouble with bootrom-step.sh on my Kindle Fire HD 8 8th gen while attempting to unlock bootloader

Following this guide, I was able to successfully root and install lineage OS on my first Fire HD 8. I have two, so I want to do it to my other HD 8. I do everything up until bootrom-step.sh. When I short CLK, it gives me this error. Every single time I do it. Can't seem to fix it.
[email protected]:/home/aden/Downloads/amonet# ./bootrom-step.sh
[2022-08-05 12:28:22.282976] Waiting for bootrom
[2022-08-05 12:29:12.540370] Found port = /dev/ttyACM0
[2022-08-05 12:29:12.570923] Handshake
[2022-08-05 12:29:12.591566] Disable watchdog
Traceback (most recent call last):
File "/home/aden/Downloads/amonet/modules/main.py", line 121, in <module>
main()
File "/home/aden/Downloads/amonet/modules/main.py", line 54, in main
handshake(dev)
File "/home/aden/Downloads/amonet/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/home/aden/Downloads/amonet/modules/common.py", line 147, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/aden/Downloads/amonet/modules/common.py", line 84, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
Anyone know how to fix this? I uninstalled modem manager a long time ago, and double checked. It is not installed. I don't know what is causing this issue :/
It always fails on "Disable watchdog".

Najatski said:
Following this guide, I was able to successfully root and install lineage OS on my first Fire HD 8. I have two, so I want to do it to my other HD 8. I do everything up until bootrom-step.sh. When I short CLK, it gives me this error. Every single time I do it. Can't seem to fix it.
[email protected]:/home/aden/Downloads/amonet# ./bootrom-step.sh
[2022-08-05 12:28:22.282976] Waiting for bootrom
[2022-08-05 12:29:12.540370] Found port = /dev/ttyACM0
[2022-08-05 12:29:12.570923] Handshake
[2022-08-05 12:29:12.591566] Disable watchdog
Traceback (most recent call last):
File "/home/aden/Downloads/amonet/modules/main.py", line 121, in <module>
main()
File "/home/aden/Downloads/amonet/modules/main.py", line 54, in main
handshake(dev)
File "/home/aden/Downloads/amonet/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/home/aden/Downloads/amonet/modules/common.py", line 147, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/aden/Downloads/amonet/modules/common.py", line 84, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
Anyone know how to fix this? I uninstalled modem manager a long time ago, and double checked. It is not installed. I don't know what is causing this issue :/
It always fails on "Disable watchdog".
Click to expand...
Click to collapse
You forgot to disable or stop ModemManager. Try this command:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

Najatski said:
Following this guide, I was able to successfully root and install lineage OS on my first Fire HD 8. I have two, so I want to do it to my other HD 8. I do everything up until bootrom-step.sh. When I short CLK, it gives me this error. Every single time I do it. Can't seem to fix it.
[email protected]:/home/aden/Downloads/amonet# ./bootrom-step.sh
[2022-08-05 12:28:22.282976] Waiting for bootrom
[2022-08-05 12:29:12.540370] Found port = /dev/ttyACM0
[2022-08-05 12:29:12.570923] Handshake
[2022-08-05 12:29:12.591566] Disable watchdog
Traceback (most recent call last):
File "/home/aden/Downloads/amonet/modules/main.py", line 121, in <module>
main()
File "/home/aden/Downloads/amonet/modules/main.py", line 54, in main
handshake(dev)
File "/home/aden/Downloads/amonet/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/home/aden/Downloads/amonet/modules/common.py", line 147, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/home/aden/Downloads/amonet/modules/common.py", line 84, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
Anyone know how to fix this? I uninstalled modem manager a long time ago, and double checked. It is not installed. I don't know what is causing this issue :/
It always fails on "Disable watchdog".
Click to expand...
Click to collapse
If purchased after Jan 2020 the exploit was blocked.