Creating CFW for Amazon Echos - Amazon Echo

So people, all people in this thread know that all Echos run Android (oook, FireOS) and creating a CFW would be trivial because of what I've discovered:
If you search Amazon source code on Google, you can see a page that provides kernel, vendor etc. for Amazon Echos.
WHAT IT also provides is verity keys!!!!!
So even though the bootloader can't be unlocked, why can't we build a ROM that uses verified boot from these keys to create a CFW?
Share your thoughts.
Chill
GuruPrasadAH
EDIT: Some of you are probably wondering, wth is a verity key? Well, it is what is used to make a vbmeta image. The system partition is then checked for tampering using the hash from this image, and only then will it boot. So it will make a custom ROM seem like an official firmware update to the Echo.

GuruPrasadAH said:
So people, all people in this thread know that all Echos run Android (oook, FireOS) and creating a CFW would be trivial because of what I've discovered:
If you search Amazon source code on Google, you can see a page that provides kernel, vendor etc. for Amazon Echos.
WHAT IT also provides is verity keys!!!!!
So even though the bootloader can't be unlocked, why can't we build a ROM that uses verified boot from these keys to create a CFW?
Share your thoughts.
Chill
GuruPrasadAH
EDIT: Some of you are probably wondering, wth is a verity key? Well, it is what is used to make a vbmeta image. The system partition is then checked for tampering using the hash from this image, and only then will it boot. So it will make a custom ROM seem like an official firmware update to the Echo.
Has anyone attempted to actually build a rom with this method?

p0rtL said:
Has anyone attempted to actually build a rom with this method?
...dot

GuruPrasadAH said:
So people, all people in this thread know that all Echos run Android (oook, FireOS) and creating a CFW would be trivial because of what I've discovered:
If you search Amazon source code on Google, you can see a page that provides kernel, vendor etc. for Amazon Echos.
WHAT IT also provides is verity keys!!!!!
So even though the bootloader can't be unlocked, why can't we build a ROM that uses verified boot from these keys to create a CFW?
Share your thoughts.
Chill
GuruPrasadAH
EDIT: Some of you are probably wondering, wth is a verity key? Well, it is what is used to make a vbmeta image. The system partition is then checked for tampering using the hash from this image, and only then will it boot. So it will make a custom ROM seem like an official firmware update to the Echo.
Where did you find the verity keys? Couldn't find them anywhere.

I just checked, and those are public keys, not private ones, so it's pretty much useless.
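The "verity key" the first post describes and the public/private distinction in this reply are the whole story of verified boot, so here is an added example (my own illustration, not code from the thread, from Amazon, or from AOSP's avbtool) that emulates the vbmeta check with a toy RSA key pair built from two Mersenne primes and a JSON hash descriptor, both constructed stand-ins for the real libavb format. The device pins the OEM's public key: a stock image verifies, a modified image fails the digest check, and a vbmeta signed with any other key fails the signature check, which is why the published public keys alone do not get a custom ROM past the boot chain.

```python
import hashlib
import json

# Toy RSA parameters built from Mersenne primes (constructed for illustration only;
# production AVB keys are 2048/4096-bit and use padded RSA, not raw textbook RSA).
OEM_P = (1 << 127) - 1   # M127, prime
OEM_Q = (1 << 89) - 1    # M89, prime
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)): the public half ships in the device, the private half stays at the OEM."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest_int(data, n):
    # SHA-256 truncated so the resulting integer is guaranteed smaller than the toy modulus.
    nbytes = (n.bit_length() - 1) // 8
    return int.from_bytes(hashlib.sha256(data).digest()[:nbytes], "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify_sig(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def build_vbmeta(system_image, priv):
    """Emulate a vbmeta image: a hash descriptor for /system plus a signature over it."""
    descriptor = {
        "partition": "system",
        "hash_alg": "sha256",
        "digest": hashlib.sha256(system_image).hexdigest(),
    }
    payload = json.dumps(descriptor, sort_keys=True).encode()
    return {"payload": payload, "signature": sign(priv, payload)}


def verified_boot(system_image, vbmeta, device_pubkey):
    """Return (ok, reason), emulating the two checks the bootloader/fs_mgr perform.

    1. The vbmeta signature must verify against the public key pinned in the device.
    2. The /system contents must hash to the digest inside the signed descriptor.
    """
    if not verify_sig(device_pubkey, vbmeta["payload"], vbmeta["signature"]):
        return False, "signature: vbmeta not signed by the key pinned in the device"
    descriptor = json.loads(vbmeta["payload"])
    if hashlib.sha256(system_image).hexdigest() != descriptor["digest"]:
        return False, "digest: /system contents do not match the signed descriptor"
    return True, "verified"


if __name__ == "__main__":
    oem_pub, oem_priv = make_keypair(OEM_P, OEM_Q)      # OEM key; only oem_pub is ever published
    stock = b"stock /system image (constructed)"
    custom = b"custom ROM /system image (constructed)"
    vbmeta = build_vbmeta(stock, oem_priv)
    print("stock image:    ", verified_boot(stock, vbmeta, oem_pub))
    print("modified image: ", verified_boot(custom, vbmeta, oem_pub))
    # Re-signing with a key of one's own fails: the device trusts oem_pub, not this key.
    my_pub, my_priv = make_keypair((1 << 107) - 1, (1 << 61) - 1)
    print("custom key:     ", verified_boot(custom, build_vbmeta(custom, my_priv), oem_pub))
```

The published public key is exactly what `verified_boot` holds as `device_pubkey`; it lets anyone check a vbmeta, and lets nobody produce one, which is the property the thread runs into.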

ROM_gamer987 said:
I just checked, and those are public keys, not private ones, so it's pretty much useless.
If we can unlock the Echo, then it's possible to disable dm-verity by using fos_flag as 0x80. Also SELinux can be disabled by using dev_flags as 0x40.
I had tried this already on my Echo Dot 2nd gen and was successful with the same. The only problem I have is I had to boot via USB to boot from a patched preloader and patched lk to have the device recognize itself as unlocked.
I tried porting the amonet exploit that is used to unlock many Fire devices by @k4y0z and @xyz` to my Echo Dot but hit a dead end when it came to modifying the inject_microloader.py file. So now I am limited to booting via USB. I am planning to use a Pi Pico and an OTG splitter cable so that I can pass the patched preloader without having to rely on a computer.

j10hx40r said:
If we can unlock the Echo, then it's possible to disable dm-verity by using fos_flag as 0x80. Also SELinux can be disabled by using dev_flags as 0x40.
I had tried this already on my Echo Dot 2nd gen and was successful with the same. The only problem I have is I had to boot via USB to boot from a patched preloader and patched lk to have the device recognize itself as unlocked.
I tried porting the amonet exploit that is used to unlock many Fire devices by @k4y0z and @xyz` to my Echo Dot but hit a dead end when it came to modifying the inject_microloader.py file. So now I am limited to booting via USB. I am planning to use a Pi Pico and an OTG splitter cable so that I can pass the patched preloader without having to rely on a computer.
You unlocked the bootloader? Mine won't do that (1st gen), it just tells me it's unsupported.

ROM_gamer987 said:
You unlocked the bootloader? Mine won't do that (1st gen), it just tells me it's unsupported.
Saying that I unlocked the bootloader is not really 100% true. It's more like I patched the bootloader to always say that the device is already unlocked.
My device has an MT8163 processor, same as the Amazon Fire HD Karnak and Douglas tablets. So I took the Amonet exploit code for those tablets and modified the script so that it doesn't try to flash the lk-payload, microloader or TWRP to the device. I still kept the part that writes zeros to the preloader so that I don't have to short my eMMC every time I have to boot the device from the patched preloader. Initially I also modified the script to dump the complete eMMC. The script took 2 days to dump the whole eMMC. I used the eMMC dump to get OTA URLs and also to do some initial analysis of the stock ROM and its capabilities.
Then I used Ghidra to analyze the preloader and lk that I found in the OTAs and then patched them to bypass lk_verification and unlock code checking respectively. I then flashed the patched lk to the device and am currently using mtkclient's plstage command to boot using the patched preloader.
If you want I can try to help you do the same as well. You mentioned that your device is first gen. I don't have a first gen, but based on the teardown, it doesn't seem to be based on MediaTek. So not sure how much of it is possible for your device.

j10hx40r said:
Saying that I unlocked the bootloader is not really 100% true. It's more like I patched the bootloader to always say that the device is already unlocked.
My device has an MT8163 processor, same as the Amazon Fire HD Karnak and Douglas tablets. So I took the Amonet exploit code for those tablets and modified the script so that it doesn't try to flash the lk-payload, microloader or TWRP to the device. I still kept the part that writes zeros to the preloader so that I don't have to short my eMMC every time I have to boot the device from the patched preloader. Initially I also modified the script to dump the complete eMMC. The script took 2 days to dump the whole eMMC. I used the eMMC dump to get OTA URLs and also to do some initial analysis of the stock ROM and its capabilities.
Then I used Ghidra to analyze the preloader and lk that I found in the OTAs and then patched them to bypass lk_verification and unlock code checking respectively. I then flashed the patched lk to the device and am currently using mtkclient's plstage command to boot using the patched preloader.
If you want I can try to help you do the same as well. You mentioned that your device is first gen. I don't have a first gen, but based on the teardown, it doesn't seem to be based on MediaTek. So not sure how much of it is possible for your device.
Both 1st and 2nd gen Echo Show 5s do have the same CPU.

ROM_gamer987 said:
Both 1st and 2nd gen Echo Show 5s do have the same CPU.
So you have an Echo Show. You never mentioned that before, so I thought you had an Echo or Echo Dot like me.

j10hx40r said:
So you have an Echo Show. You never mentioned that before, so I thought you had an Echo or Echo Dot like me.
Both 1st and 2nd gen Echo Show 5s do have the same CPU.
ROM_gamer987 said:
Both 1st and 2nd gen Echo Show 5s do have the same CPU.
Hello, can you post an image of the mmc for educational purposes? I have a 2nd gen Echo and I want to work in collaboration to realize a universal ROM image.... hi

Related

[DIY] Fire HD 6/7 bootloader unlock / ultimate unbrick :

The opportunity to unlock the Fire HD 6/7 bootloader and unbrick all bricks is upon us! Sadly, it's about ~4 years too late.
Nonetheless, if you are proficient with IDA Disassembler and Python, please follow these instructions to accomplish these 2 objectives.
1) Zero out rpmb partition ( mmcblk0rpmb ) - this will set all the bricks free and enable them to boot (this is how anti-rollback is wiped)
2) Enable permanent bootloader unlock (more advanced)
Here are the relevant posts on how to do this:
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256 (full instructions)
https://forum.xda-developers.com/amazon-fire/development/downgrade-fire-7-2015-softbrick-t3894671 (rpmb partition zeroing method for Fire 7 2015)
bibikalka said:
The opportunity to unlock the Fire HD 6/7 bootloader and unbrick all bricks is upon us! Sadly, it's about ~4 years too late.
Nonetheless, if you are proficient with IDA Disassembler and Python, please follow these instructions to accomplish these 2 objectives.
1) Zero out rpmb partition ( mmcblk0rpmb ) - this will set all the bricks free and enable them to boot (this is how anti-rollback is wiped)
2) Enable permanent bootloader unlock (more advanced)
Yeah, I saw the Fire HD 8 thread and was wondering if it'd be possible for us. Unfortunately, I'm neither proficient with IDA Disassembler nor Python. And currently my Fire is on the latest FireOS, unrooted, with the wrong recovery installed. So right now I can't get into recovery to downgrade and fix it, and the preloader method doesn't work because the read/write commands don't work on the newer FireOS. I am interested in if this is possible though!
Update: I attempted using the files from the Fire 7 thread and this is what I got:
Code:
[2019-01-29 17:33:56.846249] Waiting for bootrom
[2019-01-29 17:34:07.704879] Found port = /dev/ttyACM0
[2019-01-29 17:34:07.744128] Handshake
[2019-01-29 17:34:07.766738] Disable watchdog
b''
b'\x00\x01'
Traceback (most recent call last):
File "main.py", line 128, in <module>
main()
File "main.py", line 57, in main
handshake(dev)
File "/root/fire7-2015-downgrade-unbrick/fire7-2015-downgrade-unbrick/modules/handshake.py", line 11, in handshake
dev.write32(0x10007000, 0x22000000)
File "/root/fire7-2015-downgrade-unbrick/fire7-2015-downgrade-unbrick/modules/common.py", line 152, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/root/fire7-2015-downgrade-unbrick/fire7-2015-downgrade-unbrick/modules/common.py", line 89, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: Serial protocol mismatch
I was using the linux iso for unbricking, so I'm not sure if that had something to do with it. Also, I hand-typed that error message so if there are any inconsistencies that may be why (I didn't have an internet connection to post from the iso).
spenceboy98 said:
Yeah, I saw the Fire HD 8 thread and was wondering if it'd be possible for us. Unfortunately, I'm neither proficient with IDA Disassembler nor Python. And currently my Fire is on the latest FireOS, unrooted, with the wrong recovery installed. So right now I can't get into recovery to downgrade and fix it, and the preloader method doesn't work because the read/write commands don't work on the newer FireOS. I am interested in if this is possible though!
Update: I attempted using the files from the Fire 7 thread and this is what I got:
Code:
...
RuntimeError: Serial protocol mismatch
I was using the linux iso for unbricking, so I'm not sure if that had something to do with it. Also, I hand-typed that error message so if there are any inconsistencies that may be why (I didn't have an internet connection to post from the iso).
See this post for the proper output:
https://forum.xda-developers.com/showpost.php?p=78792151&postcount=14
I think HD 2014 does not switch to the bootrom mode, and is in the pre-loader mode. That's why it says protocol mismatch. With Fire 7 I got the initial stages to work - so it did go into the right mode! But with HD 2014 I got the same messages as you, under Windows. So I think it's just not switching into the bootrom mode.
We need some old timers here if we are to get this done!!!
@powerpoint45
bibikalka said:
I think HD 2014 does not switch to the bootrom mode, and is in the pre-loader mode. That's why it says protocol mismatch. With Fire 7 I got the initial stages to work - so it did go into the right mode! But with HD 2014 I got the same messages as you, under Windows. So I think it's just not switching into the bootrom mode.
We need some old timers here if we are to get this done!!!
I'm willing to pop open the back of my Fire HD 6 to check some pins if necessary. Hopefully we're not the only ones wanting to see progress for this device.
spenceboy98 said:
I'm willing to pop open the back of my Fire HD 6 to check some pins if necessary. Hopefully we're not the only ones wanting to see progress for this device.
Oh, there are plenty of motherboard pictures floating around:
https://forum.xda-developers.com/showpost.php?p=78789821&postcount=90
Gotta find something like these pins: CMD, CLK, DAT0. I could not spot any labels on the motherboard pictures. If the pin is outside of a shield, it'd be trivial to pop the cover, and short the pin. Then one still has to get the right addresses for HD 2014 to make everything work.
bibikalka said:
Oh, there are plenty of motherboard pictures floating around:
https://forum.xda-developers.com/showpost.php?p=78789821&postcount=90
Gotta find something like these pins: CMD, CLK, DAT0. I could not spot any labels on the motherboard pictures. If the pin is outside of a shield, it'd be trivial to pop the cover, and short the pin. Then one still has to get the right addresses for HD 2014 to make everything work.
I didn't see any labels on the board, so I tried a few pins (the ones that xyz` suggested) and I didn't seem to have any luck there. It's possible that I wasn't holding the wire I was using firmly enough against the pins, but I don't know. I'm not sure what test points on this motherboard look like, and if you have any suggestions or ideas, I'm willing to give it a go.
Also, on a new installation of Ubuntu 18.10, it's not even detecting the preloader. It just boots normally. And when I try in Windows 10, the device shows up as MT65xx Preloader and won't show up as a COM device even after installing the correct drivers.
spenceboy98 said:
I didn't see any labels on the board, so I tried a few pins (the ones that xyz` suggested) and I didn't seem to have any luck there. It's possible that I wasn't holding the wire I was using firm enough against the pins, but I don't know. I'm not sure what test points on this motherboard look like and if you have any suggestions or ideas, I'm willing to give it a go.
Also, on a new installation of Ubuntu 18.10, it's not even detecting the preloader. It just boots normally. And when I try in Windows 10, the device shows up as MT65xx Preloader and won't show up as a COM device even after installing the correct drivers.
Yep - it's a tough cookie. No labels on the board, and button pushes don't work either to get the device into the BootRom mode. I could only get the pre-loader mode as well.
We will have to wait for somebody to figure out the electrical connections here. Unfortunately, I don't have time to dig around like that.
(HD7, 7th Gen)
Just chiming in, I tried a few pads on the board (on both sides), and was unable to kick it into bootrom mode. It also looks like our shielding is soldered on. :/
May try some other methods later, but likely not going to have the easiest of times messing with this thing.
r3pwn said:
(HD7, 7th Gen)
Just chiming in, I tried a few pads on the board (on both sides), and was unable to kick it into bootrom mode. It also looks like our shielding is soldered on. :/
May try some other methods later, but likely not going to have the easiest of times messing with this thing.
7th Gen, or 4th Gen? Sorry for nitpicking, but it is huge for context!
spenceboy98 said:
Yeah, I saw the Fire HD 8 thread and was wondering if it'd be possible for us. Unfortunately, I'm neither proficient with IDA Disassembler nor Python. And currently my Fire is on the latest FireOS, unrooted, with the wrong recovery installed. So right now I can't get into recovery to downgrade and fix it, and the preloader method doesn't work because the read/write commands don't work on the newer FireOS. I am interested in if this is possible though!
...
Btw, you can always sideload FireOS 4, and get root that way. Then re-load your current latest fireos via TWRP, and install SuperSu.
bibikalka said:
Btw, you can always sideload FireOS 4, and get root that way. Then re-load your current latest fireos via TWRP, and install SuperSu.
I can't because I have FireOS 5 with the TWRP img installed (I didn't realize that the latest update.bin didn't include a stock recovery image). And I can't use the unbricking iso because it doesn't work with the latest FireOS. So this method is my best bet for getting back to stock with a stock recovery.
Btw, I'm not sure what exactly happened, but I'm pretty sure that my playing with the pins messed with something. All I get now is the grey Amazon logo and it doesn't boot into the OS. :|
spenceboy98 said:
I can't because I have FireOS 5 with the TWRP img installed (I didn't realize that the latest update.bin didn't include a stock recovery image). And I can't use the unbricking iso because it doesn't work with the latest FireOS. So this method is my best bet for getting back to stock with a stock recovery.
Btw, I'm not sure what exactly happened, but I'm pretty sure that my playing with the pins messed with something. All I get now is the grey Amazon logo and it doesn't boot into the OS. :|
I see. Usually, recovery is verified each time you boot, and the OS will overwrite it if the checksum does not match. But, in your case, TWRP disabled that feature, so you are out in the cold.
I have 2 tablets that are looping on the white Amazon logo. I tried to restore them via aftv2-tools, but nothing worked. It's interesting you got the same glitch.
Look at the bright side - keep poking around now on your motherboard, you have nothing to lose!
I attempted to overwrite the beginning of EMMC - and got an absolutely dead tablet, see here:
https://forum.xda-developers.com/showpost.php?p=78871662&postcount=784
No bootrom mode as far as I can see ... One of these days I'll open the case, and try to disconnect the battery.
bibikalka said:
7th Gen, or 4th Gen? Sorry for nitpicking, but it is huge for context!
2017 Fire HD7, so 7th gen, aka austin
r3pwn said:
2017 Fire HD7, so 7th gen, aka austin
You are in the wrong forum.
The 2017 Fire 7 AKA austin doesn't use the suffix HD. It's just Fire or Fire 7.
This is what you are looking for: https://forum.xda-developers.com/amazon-fire/development/unlock-fire-t3899860
spenceboy98 said:
I can't because I have FireOS 5 with the TWRP img installed (I didn't realize that the latest update.bin didn't include a stock recovery image). And I can't use the unbricking iso because it doesn't work with the latest FireOS. So this method is my best bet for getting back to stock with a stock recovery.
Btw, I'm not sure what exactly happened, but I'm pretty sure that my playing with the pins messed with something. All I get now is the grey Amazon logo and it doesn't boot into the OS. :|
Did you put any more time into this? Was it some damaged contact?
bibikalka said:
Did you put any more time into this? Was it some damaged contact?
No I haven't. Not sure what the issue is. As far as I know it's still not booting up to anything. I just started school recently and I left my Fire HD6 at home, so I haven't had the chance to mess around with it more.
Just for test: is there any possibility that pressing the power button with any volume button makes the tablet enter BootROM? My Fire and my BQ enter BootROM when I press volume -. Just try all the bootloaders to see if one supports it, like 5.0.1.
Regards!
bibikalka said:
The opportunity to unlock the Fire HD 6/7 bootloader and unbrick all bricks is upon us! Sadly, it's about ~4 years too late.
Nonetheless, if you are proficient with IDA Disassembler and Python, please follow these instructions to accomplish these 2 objectives.
1) Zero out rpmb partition ( mmcblk0rpmb ) - this will set all the bricks free and enable them to boot (this is how anti-rollback is wiped)
2) Enable permanent bootloader unlock (more advanced)
Here are the relevant posts on how to do this:
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256 (full instructions)
https://forum.xda-developers.com/amazon-fire/development/downgrade-fire-7-2015-softbrick-t3894671 (rpmb partition zeroing method for Fire 7 2015)
I would love to get my HD 6 working again.
I recently ran the amonet script on my HD 10 and in a few minutes had an unlocked bootloader and TWRP. I read the HD 8 thread where the author posted his exploit and it really is an epic achievement. I'm also hoping the bootloader unlock comes to the 4K Firestick as well. It's a lot of work from what I read, but the Firestick is popular enough to warrant that kind of attention. I have a Fire HD 6 which only boots to a recovery that allows me to reset or reboot but has no option to apply update from adb, so I've been stuck on stock Fire OS. It would be nice to finally get TWRP after so long on the HD 6.
***

fire hd 8 bootloop after installing custom rom

Well, I made a Fire HD 8 2018 custom ROM successfully, but it went into a boot loop: all it does is show the Amazon logo. I have a dmesg log attached and it was a kernel error. I'd like to mention @k4y0z to help me figure out what's wrong with the kernel; I think that something went missing or it could not initialize. I copied the log from recovery.
Kaijones23 said:
Well, I made a Fire HD 8 2018 custom ROM successfully, but it went into a boot loop: all it does is show the Amazon logo. I have a dmesg log attached and it was a kernel error. I'd like to mention @k4y0z to help me figure out what's wrong with the kernel; I think that something went missing or it could not initialize. I copied the log from recovery.
The log you attached is from recovery, so it won't help finding issues with the ROM.
You can try to get /proc/last_kmsg to see if that shows anything.
Otherwise you may need to attach a serial console to UART.
Not sure if kernel-logging on UART is enabled in amonet-karnak though.
Alternatively you can try getting adb to work on your ROM to see if you can get a logcat and dmesg.
Make sure you build an eng-kernel so adb is enabled by default.
You may also need to add
Code:
sys.usb.ffs.aio_compat=1
to your default.prop
k4y0z said:
The log you attached is from recovery, so it won't help finding issues with the ROM.
You can try to get /proc/last_kmsg to see if that shows anything.
Otherwise you may need to attach a serial console to UART.
Not sure if kernel-logging on UART is enabled in amonet-karnak though.
Alternatively you can try getting adb to work on your ROM to see if you can get a logcat and dmesg.
Make sure you build an eng-kernel so adb is enabled by default.
You may also need to add
Code:
sys.usb.ffs.aio_compat=1
to your default.prop
Well, it doesn't boot up because it shuts down by itself. What happened is that when I started it up, it showed the Amazon logo and shut down. I am able to boot into recovery. What I can't find is /proc/last_kmsg, and how can I do the UART?
Kaijones23 said:
Well, it doesn't boot up because it shuts down by itself. What happened is that when I started it up, it showed the Amazon logo and shut down. I am able to boot into recovery. What I can't find is /proc/last_kmsg, and how can I do the UART?
Look in /sys/fs/pstore/console-ramoops if there is no /proc/last_kmsg.
If it crashes, then hold the volume-button so it will reboot directly into recovery after crashing.
You should get the last kernel log there to see what caused the crash.
I don't know where the UART is on the karnak, since I don't have the device.
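k4y0z's advice above boils down to: capture the log of the boot that crashed, not the recovery's own dmesg, and read from the panic backwards. As an added example (my own code, not from the thread), this Python locates the previous-boot kernel log on a device in the order the thread suggests and pulls the crash region out of it. The two log samples are constructed; the candidate path beyond the two named in the thread (`console-ramoops-0`) is an assumption about newer kernels' pstore naming.

```python
import os
import re

# Kernel-log sources for the previous boot, in the order the thread suggests checking them.
# The first two are the paths named in the thread; the third is an assumed variant
# that newer pstore drivers use.
LAST_KMSG_CANDIDATES = (
    "/proc/last_kmsg",
    "/sys/fs/pstore/console-ramoops",
    "/sys/fs/pstore/console-ramoops-0",
)

# Lines that mark the start of the interesting region of a kernel crash log.
CRASH_MARKERS = re.compile(
    r"Kernel panic|Oops:|BUG:|Unable to handle kernel|Internal error:|Attempted to kill init"
)


def find_last_kmsg(candidates=LAST_KMSG_CANDIDATES):
    """Return the first readable previous-boot kernel log path, or None if there is none."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def extract_crash(log_text, context=3):
    """Return (marker_line, excerpt) for the first crash marker in a kernel log.

    The excerpt holds `context` lines before the marker and everything after it,
    which is the region to read first. Returns (None, []) when the log shows no
    crash at all, e.g. because the recovery's dmesg was captured instead of the
    crashed boot's log, as happened earlier in this thread.
    """
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if CRASH_MARKERS.search(line):
            return line, lines[max(0, i - context):]
    return None, []


# Constructed sample of a console-ramoops capture: a boot that ends in a panic
# because init gave up, which produces the "logo then shutdown" symptom.
SAMPLE_RAMOOPS = """\
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.9.77 (constructed sample)
[    2.104211] init: init first stage started!
[    2.312450] init: Failed to mount /vendor: No such file or directory
[    2.312601] init: Failed to mount required partitions early ...
[    2.312988] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[    2.313201] CPU: 0 PID: 1 Comm: init Not tainted 4.9.77 #1
[    2.313455] Rebooting in 5 seconds..
"""

# Constructed sample of a recovery dmesg: no crash in it, which is what the
# thread's first attachment looked like.
SAMPLE_RECOVERY_DMESG = """\
[    0.000000] Booting Linux on physical CPU 0x0
[    1.500000] init: recovery mode
[    3.000000] init: starting service 'recovery'...
"""

if __name__ == "__main__":
    print("kernel log source on this host:", find_last_kmsg() or "none (run this on the device)")
    marker, excerpt = extract_crash(SAMPLE_RAMOOPS)
    print("marker:", marker)
    print("\n".join(excerpt))
    print("recovery dmesg:", extract_crash(SAMPLE_RECOVERY_DMESG))
```

Run it in an adb shell or from recovery after the crash-then-volume-button reboot the post describes; if `find_last_kmsg` returns None, the kernel either has no pstore/ramoops configured or the reboot did not preserve RAM, and UART is the remaining option.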
I don't see that file in the recovery either. Well, I reverted the changes from adding ambient capabilities to the kernel and removed all that by extracting a fresh kernel from Amazon; then I had to rebuild the ROM and added some overrides that you told me to add. If I had to, I can use the prebuilt kernel as a fallback, but what are the issues building with the prebuilt kernel?
Sent from my iPhone using Tapatalk
Kaijones23 said:
I don't see that file in the recovery either. Well, I reverted the changes from adding ambient capabilities to the kernel and removed all that by extracting a fresh kernel from Amazon; then I had to rebuild the ROM and added some overrides that you told me to add. If I had to, I can use the prebuilt kernel as a fallback, but what are the issues building with the prebuilt kernel?
Well, I got the file and here you go @k4y0z
Kaijones23 said:
well I got the file and here you go @k4y0z
That's still the log from your recovery.
You need to get the device to reboot into recovery right after it crashes, so you can get the log from the crash.
Ok so I tried with the prebuilt kernel and it stays on the Amazon logo; when I tried the stock boot img with symlinks to the fosinit and fossvc jars to the Lineage OS platform, it still stays on the Amazon logo for both the prebuilt and the stock boot img. On the built kernel, it crashes and I can't get logs. I'm trying to find a way to patch it with Carliv's image kitchen, but I don't know what init files I can modify from my tree.
@k4y0z I won’t be able to get last_kmsg and ram-oops logs. I don’t know why
I'm having issues booting the custom ROM with the built kernel because it panics at startup and shuts down. The methods I have tried: with the built kernel, it stops at the Amazon logo and shuts down. With the prebuilt kernel, it stays on the Amazon logo. With the stock boot img from Fire OS with symbolic links, it doesn't boot and stays on the Amazon logo. I'm stuck at this point: it doesn't boot up and I can't get last_kmsg or ramoops. It's making me struggle and I'd like @k4y0z to help me out; you can fork my tree or I can add you as an author on it to help me find what is wrong with it. I really can't figure it out, but I am able to flash stock Fire OS back and it still has root access and TWRP. I think the main cause of the problem is verified boot or something. My tree is updated: https://github.com/488315/android_device_amazon_karnak. I tried adb devices during the boot process while it is on the Amazon logo and it doesn't show up there. I tried to use default.prop overrides and it doesn't show up either. Honestly I really don't understand what is going on and I really need help to test this ROM out. The kernel source for this device is incomplete; I have experience with building ROMs and this took me more days than usual. I made a ROM using otapackage and it is block-based. I've copied kernel modules, vendor files, some bin files and libs from Fire OS. When I made this ROM, everything that is needed was included. I hope you guys have a good Easter; I start school this coming Monday and will have a little time to work on this ROM and figure out how to make it boot up. This device is not easy. Thanks
fire hd 8 2018 boots into fast-boot after installing custom ROM.
Kaijones23 said:
@k4y0z I won’t be able to get last_kmsg and ram-oops logs. I don’t know why
@k4y0z, well I see some progress after I change this line,
Code:
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/system /system ext4 ro wait,verify
to
Code:
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/system /system ext4 ro wait
It boots into fastboot after installing the custom ROM.
The files I have attached are:
ramdisk.zip - rootdir from my device tree
boot.zip - boot.img from Lineage OS before it was compiled.
There is something preventing the ROM from booting up, and I won't be able to get the logs.
If you want to see the Fire HD 8's extracted boot image, it is posted on my GitHub here.
The problem, I think, is an issue with the init files.
Thank you for your help. I know you don't have a Fire HD 8 and I want this thing to boot into Lineage.
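The fstab edit in the post above is the kind of change worth spotting during review of any ROM: the `verify` flag in the fs_mgr column is what ties /system to dm-verity, so dropping it is exactly what a tampered firmware would do. As an added example (my own code, not from the thread, Amazon or AOSP), here is a small auditor that parses the Android fstab format (source, mount point, type, mount flags, fs_mgr flags) and reports which of the expected partitions would mount without dm-verity or AVB enforcement; it goes a little beyond the post by also recognising the newer `avb` flag. The sample fstab is constructed around the mtk-msdc device path quoted in the post.

```python
from dataclasses import dataclass

# Constructed sample fstab; the /system line is the one quoted in the thread,
# the others are made up to show the remaining columns.
SAMPLE_FSTAB = """\
# <src>                                                       <mnt>     <type> <mnt_flags>            <fs_mgr_flags>
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/system   /system   ext4   ro                     wait,verify
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/vendor   /vendor   ext4   ro                     wait
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/userdata /data     ext4   noatime,nosuid,nodev   wait,check,encryptable=footer
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/boot     /boot     emmc   defaults               defaults
"""


@dataclass
class FstabEntry:
    src: str
    mount_point: str
    fs_type: str
    mount_flags: list
    fs_mgr_flags: list


def parse_fstab(text):
    """Parse Android fstab text into FstabEntry records, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed fstab line: {raw!r}")
        src, mnt, fstype, mflags, mgrflags = fields[:5]
        entries.append(FstabEntry(src, mnt, fstype, mflags.split(","), mgrflags.split(",")))
    return entries


def verity_enforced(entry):
    """True if the fs_mgr column asks for dm-verity (`verify`) or AVB (`avb`), bare or in `=` form."""
    return any(
        flag in ("verify", "avb") or flag.startswith(("verify=", "avb="))
        for flag in entry.fs_mgr_flags
    )


def audit_verity(text, expected=("/system", "/vendor")):
    """Return (mount_point, finding) pairs for expected partitions that boot unverified or are missing."""
    entries = {e.mount_point: e for e in parse_fstab(text)}
    findings = []
    for mount_point in expected:
        entry = entries.get(mount_point)
        if entry is None:
            findings.append((mount_point, "no fstab entry"))
        elif not verity_enforced(entry):
            findings.append((mount_point, "dm-verity/AVB not enforced: fs_mgr_flags=" + ",".join(entry.fs_mgr_flags)))
    return findings


if __name__ == "__main__":
    print("as quoted in the thread:", audit_verity(SAMPLE_FSTAB))
    # The edit made in the post above, applied to the sample:
    print("after dropping verify: ", audit_verity(SAMPLE_FSTAB.replace("wait,verify", "wait")))
```

On a stock Fire OS image the auditor should come back empty for /system (and for /vendor where the device has one); a finding there means the ROM you are looking at boots with integrity checking off for that partition, which is what the thread is deliberately doing and what a firmware reviewer would otherwise want flagged.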
Kaijones23 said:
@k4y0z, well I see some progress after I change this line,
Code:
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/system /system ext4 ro wait,verify
to
Code:
/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/system /system ext4 ro wait
Yes, you definitely want to disable dm-verity.
Kaijones23 said:
it boots into fastboot after installing custom ROM.
If it (re)boots into fastboot, you are probably missing some kernel-patches/features
k4y0z said:
Yes, you definitely want to disable dm-verity.
If it (re)boots into fastboot, you are probably missing some kernel-patches/features
Ok so I have been using the prebuilt kernel, and if I use the original kernel Amazon uses, I can't boot it up. It just bootloops. What patches do I need to add from the kernel tree? I can't build a ROM with Amazon's script because it has issues. I'll try once more with Amazon's build script. How can I use it properly so it can successfully compile?
Hello, I was able to compile Amazon's Fire HD kernel with the script that's included with the source. I don't know what modifications to make so it supports Android Pie.
You could start with cherry-picking commits to get it booting and then go from there.
Mostly you are gonna be building up from scratch and cherry-picking commits from other MTK devices.
It's not impossible, I know @k4y0z
has los16 booting on suez but I am pretty sure it doesn't do much else yet
Legitsu said:
You could start with cherry-picking commits to get it booting and then go from there.
Mostly you are gonna be building up from scratch and cherry-picking commits from other MTK devices.
It's not impossible, I know @k4y0z
has los16 booting on suez but I am pretty sure it doesn't do much else yet
@k4y0z well since I set SELinux to permissive, it has logcat and I provided it in this attachment. When I build the kernel with Amazon's script and added some patches to my kernel from your tree, it doesn't boot up; it shows the Amazon logo and shuts down.
How would you be able to get the built kernel to boot up?
Legitsu said:
you could start with cherry-picking commits to get it booting and then go from there
mostly you are gonna be building up from scratch and cherry picking commits from other mtk devices
its not impossible I know @k4y0z
has los16 booting on suez but I am pretty sure it doesn't do much else yet
That's not entirely accurate, I have WiFi working and audio partially
But yes, getting it to boot is something entirely different from getting it to actually be usable.
Kaijones23 said:
@k4y0z well, since I set SELinux to permissive, it has logcat, and I provided it in this attachment. When I build the kernel with Amazon's script and add some patches to my kernel from your tree, it doesn't boot up; it shows the Amazon logo and shuts down.
How would you be able to get the built kernel to boot up?
I don't know why your kernel doesn't boot, but the log shows you are missing some stuff as I have said before.
You probably need ambient capabilities and hwbinder patches.
k4y0z said:
That's not entirely accurate, I have WiFi working and audio partially
But yes, getting it to boot is something entirely different from getting it to actually be usable.
I don't know why your kernel doesn't boot, but the log shows you are missing some stuff as I have said before.
You probably need ambient capabilities and hwbinder patches.
Ahh, I was just going by what I saw in your git.
Nice nice

Walmart ONN Surf 100005208

Im attempting to get info or at least start a thread on the possibility of ROOTING the (Walmart) ONN Surf 100005208 10.1"
It's a rebranding of the ONA19TB003. Same hardware, new name.
jordianz said:
Im attempting to get info or at least start a thread on the possibility of ROOTING the (Walmart) ONN Surf 100005208 10.1"
As @razredge stated, the Onn Surf 10.1 is merely a rebranding of its predecessor tablet. The Surf 10.1 can be rooted with or without TWRP. Follow the guides on rooting the previous Onn 10.1. Everything works exactly the same. TWRP is fully compatible as well.
Can you share your stock firmware with me?
no
The thing was a brick when I attempted the mod; it's a MT8768WA chipset, not MT8163.
Viva La Android said:
As @razredge stated, the Onn Surf 10.1 is merely a rebranding of its predecessor tablet. The Surf 10.1 can be rooted with or without TWRP. Follow the guides on rooting the previous Onn 10.1. Everything works exactly the same. TWRP is fully compatible as well.
KaosKreationz said:
The thing was a brick when I attempted the mod; it's a MT8768WA chipset, not MT8163.
Regardless of chipset platforms, both Onn 10.1" tablet variants can be rooted using the same TWRP and the same root method, and without TWRP by fastboot flashing a Magisk patched boot image.
Viva La Android said:
Regardless of chipset platforms, both Onn 10.1" tablet variants can be rooted using the same TWRP and the same root method, and without TWRP by fastboot flashing a Magisk patched boot image.
I keep reading it can't, and I do not want to brick this tablet, so tell me exactly how to root it. It's the Android 10 preloaded version.
KaosKreationz said:
I keep reading it can't, and I do not want to brick this tablet, so tell me exactly how to root it. It's the Android 10 preloaded version.
Also, how does one patch the image with Magisk if the Magisk software does not work on said tablet?
As well, how does one dump the images when neither SP Flash nor the MT software recognizes the image?
KaosKreationz said:
I keep reading it can't, and I do not want to brick this tablet, so tell me exactly how to root it. It's the Android 10 preloaded version.
Also, how does one patch the image with Magisk if the Magisk software does not work on said tablet?
As well, how does one dump the images when neither SP Flash nor the MT software recognizes the image?
Well, you just taught me something I wasn't aware of. I have not yet seen the Onn 10.1" variant with preloaded Android 10. My variant (Onn Surf 10.1, Model No. 100005208) came with Android 9 Pie. And I was able to root it using the TWRP build from my tablet's predecessor, which had the same chipset and also ran on Android 9 Pie. You seem to be referring to an entirely new variant that ships with Android 10. What is your exact model number and your current firmware build number? I'll see what I can find out.
Viva La Android said:
Well, you just taught me something I wasn't aware of. I have not yet seen the Onn 10.1" variant with preloaded Android 10. My variant (Onn Surf 10.1, Model No. 100005208) came with Android 9 Pie. And I was able to root it using the TWRP build from my tablet's predecessor, which had the same chipset and also ran on Android 9 Pie. You seem to be referring to an entirely new variant that ships with Android 10. What is your exact model number and your current firmware build number? I'll see what I can find out.
It just got a silent OTA update, which I was trying to find in the saved directory, but it went right to it and installed before I had a chance to pull it. ****ing thing has been a pain since I got it. Trying to root and remove bloat because it's a decent setup and could run pretty fast if it were a clean Android OS.
To answer your question, it is the ONN 10003562 with MT8768WA chipset. I'll update with the firmware once I fix the damn thing; it bricked on me again while removing bloatware. This thing has some kind of tamper check or something. I get it starting to run really nice without root and then on reboot it's a brick.
KaosKreationz said:
It just got a silent OTA update, which I was trying to find in the saved directory, but it went right to it and installed before I had a chance to pull it. ****ing thing has been a pain since I got it. Trying to root and remove bloat because it's a decent setup and could run pretty fast if it were a clean Android OS.
To answer your question, it is the ONN 10003562 with MT8768WA chipset. I'll update with the firmware once I fix the damn thing; it bricked on me again while removing bloatware. This thing has some kind of tamper check or something. I get it starting to run really nice without root and then on reboot it's a brick.
So you have yet another variant of the Onn 10.1" tablet. That's good to know. My 100005208 was merely a rebranding of its predecessor but it appears now that Onn has released yet another variant. Yeah, hold off on trying to root right now. Anything released with Android 10 out of the box uses the system-as-root (SAR) implementation. While Magisk does support SAR, the rooting process has changed up some. I'll see what I can dig up for you.
Viva La Android said:
So you have yet another variant of the Onn 10.1" tablet. That's good to know. My 100005208 was merely a rebranding of its predecessor but it appears now that Onn has released yet another variant. Yeah, hold off on trying to root right now. Anything released with Android 10 out of the box uses the system-as-root (SAR) implementation. While Magisk does support SAR, the rooting process has changed up some. I'll see what I can dig up for you.
Ok, thanks. The only thing I am able to really do is remove some bloatware, but even then it still runs like ****. I found some OTAs in one of the threads here, and also what is supposedly a stock out-of-the-box backup, but the scatter doesn't match the chipset. I was hoping someone could inform me if there is a way to get an Android 10 backup of the older device and swap out keys or whatever the thing is checking for when it boots, and flash it.
Very limited with no real su, so stuff won't work right when I delete certain bloatware. Also, if anyone can inform me as to how I can even pull my firmware and recovery.img and boot.img etc. I have tried MTK device or whatever that software is, as well as SP Flash Tool, and nothing seems to read the device ROM. It can see the device but can't pull. It's been so long since I've used or attempted to root an Android device, I'm out of practice.
KaosKreationz said:
Ok, thanks. The only thing I am able to really do is remove some bloatware, but even then it still runs like ****. I found some OTAs in one of the threads here, and also what is supposedly a stock out-of-the-box backup, but the scatter doesn't match the chipset. I was hoping someone could inform me if there is a way to get an Android 10 backup of the older device and swap out keys or whatever the thing is checking for when it boots, and flash it.
Very limited with no real su, so stuff won't work right when I delete certain bloatware. Also, if anyone can inform me as to how I can even pull my firmware and recovery.img and boot.img etc. I have tried MTK device or whatever that software is, as well as SP Flash Tool, and nothing seems to read the device ROM. It can see the device but can't pull. It's been so long since I've used or attempted to root an Android device, I'm out of practice.
Earlier, you mentioned a "silent OTA." Could you elaborate on that? Did the OTA install seamlessly, without rebooting to recovery? I'm wondering if your variant has A/B partitions.
Viva La Android said:
Earlier, you mentioned a "silent OTA." Could you elaborate on that? Did the OTA install seamlessly, without rebooting to recovery? I'm wondering if your variant has A/B partitions.
When I said silently, I meant I was sitting at the computer with the tablet hooked up in adb mode, and I walked away for maybe 3 minutes to relieve myself, and upon returning the tablet was rebooting and installing an update. I swear I had the automatic updates in dev mode turned off.
Here is what I gather from the device.
KaosKreationz said:
When I said silently, I meant I was sitting at the computer with the tablet hooked up in adb mode, and I walked away for maybe 3 minutes to relieve myself, and upon returning the tablet was rebooting and installing an update. I swear I had the automatic updates in dev mode turned off.
Here is what I gather from the device.
Thanks for the stats. Yeah, it looks like you're fully Treble supported but non-A/B. Ok, just to make sure I'm not missing something, give me a simple outline of everything you've done from start until now. Did you mention your device was a brick when you got it, or did you brick it initially attempting to root? How did you recover from the brick? I'm assuming SP Flash Tool, and I recall you mentioned something about a mismatched scatter file. I believe I have a root solution for you, but I want to make sure I have my info correct. Thanks for helping me to help you. You seem to know your Android well.
It was a soft brick via adb removal of bloatware; it was able to be restored from factory settings.
I think I may almost have it, but I'm too afraid of flashing the boot.img because I did brick the first one I had via SP Flash. The firmware someone added in this thread a bit back says 100003562, but the chipset is MT6765, not the MT8768WA. I was able to mod that boot.img with Magisk, but as I stated, I'm too afraid to flash it. I tried the fastboot boot magiskpatched.img command; it seemed to read with no errors, but it shut down and then rebooted, so I'm afraid it may cause a loop. I'm trying now to figure out a way to remove the dm-verity check but have had no success as of yet. If I could just pull my own ROMs I'm sure I could get this to root with Magisk, maybe.
Link to larger files: https://drive.google.com/drive/folders/1-j0wj9d0FuLxvHdvW8CjYICp3-xV00cs?usp=sharing
I can't seem to get SP Flash to read the device scatter properly; I'm unable to pull ROMs with readback. I think I have to set it up manually?
I have attached the screenshots, ROM, Magisk image created, as well as the bug report from the soft brick.
It would be so much easier if I could get dm-verity off and/or pull my ROMs.
KaosKreationz said:
It would be so much easier if I could get dm-verity off and/or pull my ROMs.
Ok, as you probably know, your device has the SAR (system-as-root) implementation, because it shipped with Android 10. It appears that you will need to install Magisk to the recovery ramdisk, because your boot image contains no ramdisk. Magisk does support this, as you probably know. Go to this link and look under the heading "Magisk in Recovery":
https://topjohnwu.github.io/Magisk/install.html#magisk-in-recovery
My Moto G7 Play is SAR as well, and has no boot image ramdisk, so I have it rooted with Magisk installed to recovery. It's different indeed, but as of now, it's the only root solution for SAR devices with recovery ramdisk implementations like yours and mine. Magisk will actually "live" within the recovery partition, which becomes hijacked by Magisk. As you will read in the link I sent, it is still possible to use recovery mode. You will need to get a stock recovery image from somebody with your variant who has pulled the image, or from a stock firmware package. In sum, you will be patching your recovery image, not your boot image. Accordingly, you will be flashing your /recovery partition to achieve root, not your /boot partition. As you know, as long as you are bootloader unlocked, you can flash the patched recovery image using fastboot. You will not need a TWRP for root. In the link I sent, also look for the previous heading "Patching Images." To test and make sure I'm 100% right on this, install the latest Magisk Manager app on your device and open the app. Look in the "Ramdisk" section. If it says NO, then I'm right and you must install Magisk to recovery as I've stated. If it says YES, I'm wrong and you need to disregard this entire post.
But please let me know the status on things, and if you manage to get Magisk systemless root installed properly.
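The post above hinges on one fact about the device: whether its boot image carries a ramdisk at all (the "Ramdisk: NO" answer Magisk Manager gives on system-as-root devices). That fact is stored in the boot image header itself, so it can be checked offline from a dumped boot.img before anything is flashed. The following is an added example, not code from the thread or from the Magisk project: it parses the Android boot image header as laid out in AOSP's bootimg.h (header versions 0 through 4; the header_version field sits at byte 40 in every layout) and reports the ramdisk size, the packed OS version and security patch level, and the kernel command line. The two sample images are constructed in the script (a header only, with no kernel or ramdisk payload behind it); the "mt8768" string in the sample command line is an assumed value, not one captured from a real tablet.

```python
"""Inspect an Android boot image header and report whether it carries a ramdisk.

Added example, not from the thread. Header layouts follow AOSP's bootimg.h;
the sample images below are constructed, not dumped from any device.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

BOOT_MAGIC = b"ANDROID!"


@dataclass
class BootHeader:
    header_version: int
    kernel_size: int
    ramdisk_size: int
    os_version: str       # "A.B.C" decoded from the packed os_version field
    security_patch: str   # "YYYY-MM" decoded from the same field
    cmdline: str

    @property
    def has_ramdisk(self) -> bool:
        # A SAR image that boots with no ramdisk has ramdisk_size == 0.
        return self.ramdisk_size > 0


def decode_os_version(raw: int) -> Tuple[str, str]:
    """Unpack the 32-bit os_version: A(7 bits) B(7) C(7) year-2000(7) month(4)."""
    a, b, c = raw >> 25, (raw >> 18) & 0x7F, (raw >> 11) & 0x7F
    year, month = ((raw >> 4) & 0x7F) + 2000, raw & 0xF
    return f"{a}.{b}.{c}", f"{year:04d}-{month:02d}"


def parse_boot_header(data: bytes) -> BootHeader:
    """Parse a v0-v4 boot image header from the first page of a boot.img."""
    if len(data) < 44 or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image: bad magic")
    header_version = struct.unpack_from("<I", data, 40)[0]
    if header_version <= 2:
        # v0-v2 after the magic: kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
        # second_size, second_addr, tags_addr, page_size, header_version, os_version,
        # then name[16] and cmdline[512] starting at byte 64.
        fields = struct.unpack_from("<10I", data, 8)
        kernel_size, ramdisk_size, os_raw = fields[0], fields[2], fields[9]
        cmdline_raw = data[64:64 + 512]
    elif header_version in (3, 4):
        # v3/v4 after the magic: kernel_size, ramdisk_size, os_version, header_size,
        # reserved[4], header_version, then cmdline[1536] starting at byte 44.
        kernel_size, ramdisk_size, os_raw = struct.unpack_from("<3I", data, 8)
        cmdline_raw = data[44:44 + 1536]
    else:
        raise ValueError(f"unsupported boot header version {header_version}")
    os_version, patch = decode_os_version(os_raw)
    cmdline = cmdline_raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return BootHeader(header_version, kernel_size, ramdisk_size, os_version, patch, cmdline)


def ramdisk_status(data: bytes) -> str:
    """The same YES/NO answer Magisk Manager shows in its Ramdisk field."""
    return "YES" if parse_boot_header(data).has_ramdisk else "NO"


# --- constructed sample headers (no payload) ---------------------------------

def pack_os_version(a: int, b: int, c: int, year: int, month: int) -> int:
    return (a << 25) | (b << 18) | (c << 11) | ((year - 2000) << 4) | month


def make_legacy_header(kernel_size, ramdisk_size, header_version, os_raw, cmdline: bytes) -> bytes:
    """Constructed v0-v2 header padded to one 2048-byte page; addresses are arbitrary."""
    hdr = bytearray(2048)
    hdr[0:8] = BOOT_MAGIC
    struct.pack_into("<10I", hdr, 8, kernel_size, 0x10008000, ramdisk_size, 0x11000000,
                     0, 0x10F00000, 0x10000100, 2048, header_version, os_raw)
    hdr[64:64 + len(cmdline)] = cmdline
    return bytes(hdr)


def make_v3_header(kernel_size, ramdisk_size, os_raw, cmdline: bytes) -> bytes:
    """Constructed v3 header padded to one 4096-byte page."""
    hdr = bytearray(4096)
    hdr[0:8] = BOOT_MAGIC
    struct.pack_into("<4I", hdr, 8, kernel_size, ramdisk_size, os_raw, 1580)  # 1580 = v3 header_size
    struct.pack_into("<I", hdr, 40, 3)
    hdr[44:44 + len(cmdline)] = cmdline
    return bytes(hdr)


# An Android 10 SAR image with no ramdisk (the situation described in the thread)
# and an Android 11 v3 image that does carry one. Both are constructed samples.
SAR_NO_RAMDISK = make_legacy_header(9_000_000, 0, 2, pack_os_version(10, 0, 0, 2020, 5),
                                    b"console=ttyS0 androidboot.hardware=mt8768")
V3_WITH_RAMDISK = make_v3_header(12_000_000, 1_500_000, pack_os_version(11, 0, 0, 2021, 1),
                                 b"androidboot.hardware=example")

if __name__ == "__main__":
    for label, img in (("sar-v2", SAR_NO_RAMDISK), ("v3", V3_WITH_RAMDISK)):
        h = parse_boot_header(img)
        print(f"{label}: header v{h.header_version}, Android {h.os_version} "
              f"(patch {h.security_patch}), ramdisk={ramdisk_status(img)}, cmdline={h.cmdline!r}")
```

To use it on a real dump, read the first page of the image (`parse_boot_header(open("boot.img", "rb").read(4096))`); a "NO" result is the case the post describes, where Magisk has to be installed into the recovery image instead.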
Anyone have a 100003562 boot.img or recovery.img for the MT8678WA?
I tried the recommended and it bricked; I'm only able to use, and now when the device boots it hangs at the logo screen. Does anyone know Walmart's update software command?

Blade A3 Prime (Visible)

Doing anything listed here will void your warranty. I don't know the laws where you are so assume it makes you a criminal. These things are posted here for educational purposes only. Never follow any guide if you don't understand the commands.
Enough BS, let's jump in.
For windows users. Installing drivers:
1. Plug USB cable into PC.
2. On the A3 Prime, instead of using USB as charging, select use USB for updating firmware (I forget the actual wording).
3. A prompt will come up on Windows, install those drivers.
4. Reboot.
Install adb and fastboot on your PC, it is up to you to do this.
Enable developer options on your phone, and enable USB debugging and OEM Unlocking.
In your CMD/Shell/whatever you have:
Code:
adb reboot bootloader
fastboot flashing unlock
fastboot flashing unlock_critical
(use volume up on the phone to confirm each of the two unlock commands)
Congrats you've unlocked the bootloader.
Use 'fastboot reboot' to reboot if you haven't done so already.
-----
this is where the progress on this device comes to a halt.
The kernel source is available from opensource.ztedevices.com
The device codename is Z5157V, the Kernel they have is listed under Z5157V Q(10) Kernel(4.4.185)
What needs to happen next? Someone needs to compile the kernel from source.
Once that is done, they can extract the boot.img from it, use Magisk, and make a modified boot.img
Voilà, they will now have root. Once this person has root, they can extract recovery.img from the device, and we can begin making a custom TWRP, or who knows, maybe Team Win will pick it up (unlikely).
Once we have a custom recovery and working Magisk, it's just a matter of time before we start seeing custom ROMS.
If someone will sign up to be a guinea pig, or has an extra A3 Prime laying around I will continue development. I bricked mine because I was impulsive and honestly, kinda stupid. (browse through thread to see my idiocy)
Until such a time that I come to possess another A3 Prime OR someone steps up to provide a firmware dump, I am unable to help.
Good luck developing!
Only managed to unlock the bootloader but can't seem to find any information on rooting it.
The structure is indeed different than what you would normally expect to find. 'recovery' isn't a valid partition when trying to flash under fastboot for example.
The only reason I'm interested in trying to root this device is because The mtk engineering mode app doesn't work on this phone, at least not the visible version, so band locking doesn't seem possible without root and a different rom.
Yeah, I bricked my device by flashing a universal MTK TWRP.
Came here to say this, do not flash universal MTK.
It is a soft brick, bootloops with no access to stock or TWRP recovery.
The phone's model number is Z5157V and the stock firmware is Z5157VV1.0.0B17 for google indexing reasons. Only place that MAY have it is behind a $40 pay wall.
Managed to get the kernel from opensource.ztedevices.com, just beginning to work on it now (not sure how I'm gonna get my phone out of bootloop mode, but I'll solve it later)
I have never compiled a kernel from source, but I'm eager to learn, I have two days in the wilderness planned ahead of me. If anyone would compile the kernel, that is great. If not? I'll get it done when I get back.
Been playing around with the phone and key combinations; I think I have found a way to use SP Flash Tool in its current soft brick state.
If I am successful in compiling the kernel, I will share it.
If I am able to unbrick this phone, I will write a guide.
If those two things happen, I'll be moving forward to make an AOSP based custom ROM for this phone. Maybe a first for a $100 device, but I like root.
If anyone else knows HOW to compile the kernel, you'd put me a few steps ahead when I get back.
Either way, nearly 200 lurkers on this thread, I hope to have answers soon.
ORANGE
zaduma said:
I was able to unlock the bootloader. Confirmed with a boot message on boot.
How does that boot message read?
Does it say "ORANGE STATE" et cetera?
s4goa said:
How does that boot message read?
Does it say "ORANGE STATE" et cetera?
Yeah
Orange State
Device can't be trusted
Booting in x seconds
1st.
zaduma said:
to make an AOSP based custom ROM for this phone. Maybe a first for a $100 device, but I like root.
Why do you think you are first? There are literally tons of €100 phones in circulation!
s4goa said:
Why do you think you are first? There are literally tons of €100 phones in circulation!
Who knows, guess I don't have much experience in this area. (Cheap phones) Figured it's usually not worth it to do all this work for a throwaway phone.
That said, I've been wrong before!
zaduma said:
Yeah
Orange State
Device can't be trusted
Booting in 5 seconds
same here after
Code:
fastboot flashing unlock_critical
(bootloader) Start unlock flow
FAILED ()
Finished. Total time: 21.830s
s4goa said:
same here after
Code:
fastboot flashing unlock_critical
(bootloader) Start unlock flow
FAILED ()
Finished. Total time: 21.830s
Strange it fails, try flashing unlock first, then flashing unlock_critical, make sure to press volume up on phone when prompted.
fastboot
Dude, in order to avoid fuqqing confusion you ought not abbreviate a shell command like you do.
Anyhow, since we two guys have different phones, it makes sense only for me to generally discuss the rooting strategy on a ZTE Spreadtrum phone, as the specifics will differ too much.
I have fastboot on a Lumigon T3, as my "ZTE blade A5 2019" does not have fastboot.
rooters, come join https://forum.xda-developers.com/group.php?groupid=1925
s4goa said:
Dude, in order to avoid fuqqing confusion you ought not abbreviate a shell command like you do.
Anyhow, since we two guys have different phones, it makes sense only for me to generally discuss the rooting strategy on a ZTE Spreadtrum phone, as the specifics will differ too much.
I have fastboot on a Lumigon T3, as my "ZTE blade A5 2019" does not have fastboot.
rooters, come join https://forum.xda-developers.com/group.php?groupid=1925
Sorry, for clarity: if on Linux, type su and your root password, or use sudo to escalate your permissions if you don't have permission to use fastboot as a regular user.
If you're on Windows, consider a free upgrade, but also leave out sudo. Once in fastboot mode on the A3 Prime, type:
1. (sudo) fastboot flashing unlock
2. (sudo) fastboot flashing unlock_critical
Press volume up when prompted, and congrats, your warranty is now void and your bootloader unlocked. I'm not responsible for your choices.
__________
Also yeah, the phones even have different chipsets the Z5157V is a MTK phone
fastboot
This "orange state unlock bootloader" has, however, nothing or little to do with the "Developer Menu option UNLOCK BOOTLOADER".
Do you know more about this?
On my Lumigon these 2 unlockings are independent of each other, never mind the identical name "unlock bootloader".
s4goa said:
This "orange state unlock bootloader" has, however, nothing or little to do with the "Developer Menu option UNLOCK BOOTLOADER".
Do you know more about this?
On my Lumigon these 2 unlockings are independent of each other, never mind the identical name "unlock bootloader".
Yeah, you'll need to toggle that option to on in Developer Settings before entering the bootloader/fastboot mode and running the unlock commands or they will fail.
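The two "unlocks" being confused in the exchange above are separate things that Android exposes as separate properties: the "Orange State / Device can't be trusted" splash is the bootloader's verified boot state after `fastboot flashing unlock`, while the "OEM unlocking" toggle in Developer options only permits that unlock to happen. Both can be read from a `getprop` dump, which is a safer way to answer "is this phone already unlocked, and will the unlock command be accepted?" than running commands and watching what fails. The script below is an added example, not from the thread: it parses `getprop` output and summarises the boot-integrity state. The property names `ro.boot.verifiedbootstate`, `ro.boot.veritymode`, `ro.boot.vbmeta.device_state` and `ro.boot.flash.locked` come from AOSP's verified boot documentation; `sys.oem_unlock_allowed` and `ro.oem_unlock_supported` are assumed here to reflect the Developer options toggle, as they do on most devices but not necessarily on every OEM build. The two dumps are constructed for the example, not captured from a real phone.

```python
"""Summarise a device's verified-boot and OEM-unlock state from `getprop` output.

Added example, not from the thread. Property names from AOSP's verified boot
docs; sys.oem_unlock_allowed / ro.oem_unlock_supported are assumed to mirror
the Developer options toggle. Sample dumps are constructed.
"""
import re
from typing import Dict

# `getprop` prints one "[name]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$")

# Meaning of ro.boot.verifiedbootstate, per the AOSP verified boot docs.
BOOT_STATE_MEANING = {
    "green": "locked; booted an OEM-signed image; verity enforced",
    "yellow": "locked; booted an image signed with a user-settable root of trust",
    "orange": "bootloader unlocked; the boot chain is not verified",
    "red": "verification failed, or no valid OS was found",
}


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn raw `getprop` output into a dict; lines that do not match are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def boot_integrity_summary(props: Dict[str, str]) -> Dict[str, object]:
    """Combine the verified-boot, dm-verity and OEM-unlock properties into one view."""
    state = props.get("ro.boot.verifiedbootstate", "unknown")
    unlocked = (props.get("ro.boot.vbmeta.device_state") == "unlocked"
                or props.get("ro.boot.flash.locked") == "0")
    return {
        "verified_boot_state": state,
        "meaning": BOOT_STATE_MEANING.get(state, "unknown verified boot state"),
        "bootloader_unlocked": unlocked,
        "verity_mode": props.get("ro.boot.veritymode", "unknown"),
        "oem_unlock_supported": props.get("ro.oem_unlock_supported") == "1",
        "oem_unlock_toggle_on": props.get("sys.oem_unlock_allowed") == "1",
    }


def unlock_expectation(props: Dict[str, str]) -> str:
    """What `fastboot flashing unlock` should do given the current state."""
    s = boot_integrity_summary(props)
    if s["bootloader_unlocked"]:
        return "already unlocked: the device is running in orange state, the toggle no longer matters"
    if not s["oem_unlock_supported"]:
        return "OEM unlocking is not supported on this build; the unlock command will be refused"
    if not s["oem_unlock_toggle_on"]:
        return "toggle OEM unlocking in Developer options first, or the unlock command will fail"
    return "unlock permitted: expect a data wipe and an orange-state warning on every boot afterwards"


# Constructed sample dumps (abridged; a real `getprop` prints hundreds of lines).
LOCKED_STOCK = """\
[ro.product.model]: [EXAMPLE-TAB]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.flash.locked]: [1]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [0]
"""

UNLOCKED_ORANGE = """\
[ro.product.model]: [EXAMPLE-TAB]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.flash.locked]: [0]
[ro.oem_unlock_supported]: [1]
[sys.oem_unlock_allowed]: [1]
"""

if __name__ == "__main__":
    for label, dump in (("locked stock", LOCKED_STOCK), ("after unlock", UNLOCKED_ORANGE)):
        props = parse_getprop(dump)
        print(label, boot_integrity_summary(props))
        print("  ->", unlock_expectation(props))
```

On a real device the input is simply `adb shell getprop` piped into `parse_getprop`; a green state with the toggle off is the factory condition, and an orange state means the splash in the posts above will appear on every boot regardless of what the Developer options toggle now says.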
We're screwed!
Dude, dammit! They cryptosign bootloaders now LINK
If that is true we're done for! How to hack those cryptochips?
It's for Unisoc SC9863A Spreadtrum but also other CPUs.
zaduma said:
:crying:
Well, I am terribly sorry to hear that, but at least the A3 prime is on mediatek chipsets which I don't believe has any such protection.
Spreadtrum SC9832E, 64bit
zaduma said:
the A3 prime is on mediatek chipsets
if you are sure that boot.img can be "modded" then the A3 is a superior phone, let me tell you.
Anyway... it's kewl u posted at https://www.gizmochina.com/2020/07/01/zte-blade-a3v-key-specs-leak/
s4goa said:
if you are sure that boot.img can be "modded" then the A3 is a superior phone, let me tell you.
Anyway... it's kewl u posted at https://www.gizmochina.com/2020/07/01/zte-blade-a3v-key-specs-leak/
Keep checking for updates, once I'm back in town that's exactly what I'll be working on.
Sorry to anyone following this thread, I will continue working on building the kernel, extracting boot, and getting this phone rooted. I will need a volunteer to test the root solution once it is built, and then if possible follow a few steps and extract recovery.img on your newly rooted device and send that to me.
I just don't have the time today even though I said I would be doing it. If there are any volunteers with an A3 prime let me know!

Custom ROM for Z500KL P00I - Zenpad 3s 10 LTE

I'm trying to resume the discussion about the possibility of building a custom ROM for the ASUS Z500KL P00I (Asus Zenpad 3S 10 LTE). I'll put together all the stuff I found about this topic, in the hope of finding a way to give some more life to this nice piece of hardware.
I actually can't think of a reason it couldn't smoothly run the latest Android 10, except maybe for issues with driver versions.
Of course I own one of those and I'm willing to help the development.
Unluckily, so far I didn't find anything about a custom ROM, apart from some rumors about rooting and unlocking.
BOOTLOADER:
In another post I found someone who claims that the bootloader can be unlocked with the ASUS unlock tool APK, but on the latest firmware versions it says "the package conflicts with an existing package by the same name" and the APK won't install.
I tried with the unlock tool for the Z500M and I can confirm it won't install.
In another post I found someone who says the Z500KL bootloader can be "fooled" into flashing self-signed packages using fastboot in this way:
Code:
fastboot getvar sofia_support
fastboot flash boot boot_patched.img
I think this bootloader can be unlocked somehow, or it is possible to flash stuff in some way. I don't think the bootloader is the issue here.
Posts:
https://forum.xda-developers.com/showpost.php?p=76322038&postcount=15
https://forum.xda-developers.com/zenpad-10/how-to/root-asus-zenpad-z10-zt500kl-zenpad-3s-t4067617
https://forum.xda-developers.com/zenpad-10/help/custom-recovery-rooting-z500kl-p00i-t3796558
RECOVERY MODE:
Found some posts where someone says the Z500M TWRP can also work for the Z500KL, but found others that say they are completely different hardware.
I tried installing the official TWRP app, but it seems it doesn't have the package for any Zenpad at all. I then did some searching, but can't seem to find a link to a modified version either.
Also, looking at the bootloader, it doesn't say anything about a recovery mode. There is just a "Factory reset" entry in the fastboot menu.
CUSTOM ROM:
I found at the asus site the sources of an earlier version.
I'm used to compiling the Linux kernel and programs, but don't have any experience compiling this stuff, or using the configurations and drivers in these sources to compile a recent version of Android.
If there is someone who has news on this front, or who has experience and is willing to help, I'll put my device and time into doing tests and stuff.
Thanks
I wish there were some ROMs and I knew how to build LineageOS for this tablet.
I wouldn't try a Z500M binary on Z500KL or TKL, the Z500M is a MediaTek SOC and the Z500kl is a Qualcomm.
I think the first step is TWRP.
saq-xda said:
I wouldn't try a Z500M binary on Z500KL or TKL, the Z500M is a MediaTek SOC and the Z500kl is a Qualcomm.
I think the first step is TWRP.
Hi, thanks for the info!
Do you have any hint on how to get a working TWRP for the Z500KL?
_payne_ said:
Hi, thanks for the info!
Do you have any hint on how to get a working TWRP for the Z500KL?
Trying to get it figured out, not familiar enough with Android internals to know where to go yet. AFAIK there is a switch somewhere to set bootloader lock off, I have root but not sure where that variable is stored ("set" commands from ADB root shell are not working). After that is done it is probably a pretty standard TWRP build. Too bad as it looks like a pretty nice tablet.
Handicapped by not knowing much about Android, but think of three possible attack surfaces from a rooted device (which we have now):
(1) Hacking an Asus unlock tool to send the Z500KL information to Asus - might work, depends on how much checking they do at their end for serial validity or if the databases for serial/etc. numbers are separate for the different models or not. If they're all together and it is a simple lookup command on their end this might work. Also possibly snooping in on the connection from another Asus device and see if we could "spoof" it without the app. Note that this is based on the hypothesis that the app calls out to Asus for a unlock code, there are other ways it could work.
(2) If as has been hinted Asus merely removed the "OEM Unlock" toggle from the menus then going through a rooted tablet and setting "by hand" might work. Depends where the toggle is located and if the bootloader will still recognize it. Per https://android.stackexchange.com/q...ed-against-physical-tampering-in-google-pixel it appears to be stored in TEE (Trusty) or FRP on Pixels, and . From a rooted device if you know the calls we should (?) be able to call Trusty to set the flag, or if we know where it is in FRP set it there. A post on XDA here from Dr. Mario points at the physical efuse partition and suggests it can be adjusted if we have root (which we do now) - https://forum.xda-developers.com/t/asus-zenpad-z10-zt500kl-verizon.3494106/#post-69674114
(3) There are hints and signs that perhaps Asus' signing verification chain isn't watertight - see https://forum.xda-developers.com/t/...-z10-zt500kl-and-zenpad-3s-10-z500kl.4067617/ and https://forum.xda-developers.com/t/custom-rom-for-z500kl-p00i-zenpad-3s-10-lte.4184773/ (comment on self-signed loaders), as well as possibly looking at the "user settable root of trust" option at https://source.android.com/security/verifiedboot/device-state.
I know that I flashed the Z500KL bootloader to a ZT500kl and installed Magisk. Tablet boots but gives the Android-recommended user root of trust warning screen.
If you need a custom ROM you can dig here, and you can also download LineageOS 16 here
Looks like nothing has happened here in a while. Am hoping for an update though, if some progress has been made. I can't even unlock the bootloader so far... never mind find a ROM that works on it!
The reason I'm here is, I now find that even the ASUS apps are no longer supported on Android 7 (not that I used the ASUS apps much), but still... I looked on the firmware page and was really saddened by the fact that the JP version (which I have) had only 4 months of support (ie date from first firmware and last firmware is only 4 months apart...). For the WW version, it was 6 months. This is really a complete joke... It's a real pity because the hardware is not bad at all, and it is one of the last 4:3 screen ratio tablets. It's terrible to think that this thing has not had even security updates for the last 5 years, so unless I can get a custom ROM on there, then I think I'm going to have to look elsewhere for something.
