Before starting any action, read the entire manual. You will need to open the back cover of the tablet, but no special devices or soldering are required.
These instructions apply only to the HD 8 (2018), internal name karnak, model KFKAWI. The method works for both the 16GB and 32GB versions of the tablet.
Before you begin, save all the data you need from the tablet, as it will be completely erased in the process. Make sure that device encryption is not enabled; if it is, turn it off before starting work. You also need to enable USB debugging in the developer options.
You will need:
- a Linux distribution (for example, Ubuntu; a LiveCD will also do). The instruction for Windows is not ready yet and has not been checked.
- cable to connect the tablet to the PC.
- something you can use to pry open the back cover of the tablet.
- something conductive, for example, a piece of wire or a clip.
- hd8-exploit.zip file (download), which includes:
--- amonet-v2.tar.gz
--- Magisk-v18.0.zip
--- finalize.zip
- file 6300.zip (download)
Launch Linux (Ubuntu / LiveCD) and install Python3, PySerial, adb and fastboot using the command from the console:
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot
Find where you saved amonet-v2.tar.gz, unpack it anywhere, and then change into the unpacked amonet folder.
Note: you can also unpack the archive under Windows using WinRAR and copy it over in unpacked form. If you are told that there are not enough permissions to execute the scripts, run them with sudo or switch to a root shell for a while using "sudo -s".
0) Completely turn off the tablet and disconnect all wires from it. Also, disconnect from the PC all other android devices, if they are connected.
1) Use a handy tool to open the back cover of the tablet. Start at the bottom (assuming the camera is at the top) and move up. The back cover is not attached to the tablet's internals.
2) On the left side of the board there are 4 test points labeled DAT0, RST, CMD, CLK. We are only interested in the bottom one, CLK.
3) Insert one end of the USB cable into the tablet or the PC; it does not matter which.
4) On the PC, run the command "./bootrom-step.sh" (from inside the amonet folder). The message "Waiting for the bootrom" should appear.
5) Using a clip, short CLK to ground. To do this, connect CLK to, for example, the protective shield of the board, as shown in this picture. Hold the connection so that there is good contact.
6) Insert the other end of the USB cable.
7) You should see in the console that you have a new device connected:
[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
[10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
[10894.239690] usb 3-2.4.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
You should see this particular device. If you see that the preloader has connected instead, the short in step 5 did not make good contact. In this case, remove the paper clip and turn off the tablet (disconnect the USB cable from it and wait; if it does not turn off after a while, you may need to disconnect the battery). After it is turned off, repeat all actions starting from step 4.
8) The script launched in step 4 will prompt you to remove the clip. Remove it and press Enter. [Update: you must wait about 40 seconds before pressing Enter.]
9) The script will start making the necessary changes to the tablet, which will take about 4 minutes. It will look like this:
[2019-01-26 23:30:02.157670] Waiting for bootrom
[2019-01-26 23:30:20.438333] Found port = /dev/ttyACM0
[2019-01-26 23:30:20.439362] Handshake
[2019-01-26 23:30:20.441693] Disable watchdog
* * * Remove the short and press Enter * * *
[2019-01-26 23:30:22.636037] Init crypto engine
[2019-01-26 23:30:22.661832] Disable caches
[2019-01-26 23:30:22.662505] Disable bootrom range checks
[2019-01-26 23:30:22.685773] Load payload from ../brom-payload/build/payload.bin = 0x4690 bytes
[2019-01-26 23:30:22.693170] Send payload
[2019-01-26 23:30:23.527965] Let's rock
[2019-01-26 23:30:23.528832] Wait for the payload to come online...
[2019-01-26 23:30:24.260602] all good
[2019-01-26 23:30:24.261069] Check GPT
[2019-01-26 23:30:24.596346] gpt_parsed = {'proinfo': (1024, 6144), 'PMT': (7168, 9216), 'kb': (16384, 2048), 'dkb': (18432, 2048), 'lk': (20480, 2048), 'tee1': (22528, 10240), 'tee2': (32768, 10240), 'metadata': (43008, 80896), 'MISC': (123904, 1024), 'reserved': (124928, 16384), 'boot': (141312, 32768), 'recovery': (174080, 40960), 'system': (215040, 6354944), 'vendor': (6569984, 460800), 'cache': (7030784, 1024000), 'userdata': (8054784, 22722527)}
[2019-01-26 23:30:24.596619] Check boot0
[2019-01-26 23:30:24.841858] Check rpmb
[2019-01-26 23:30:25.051079] Downgrade rpmb
[2019-01-26 23:30:25.052924] Recheck rpmb
[2019-01-26 23:30:25.949978] rpmb downgrade ok
[2019-01-26 23:30:25.950284] Flash lk-payload
[5 / 5]
[2019-01-26 23:30:26.471797] Flash preloader
[288 / 288]
[2019-01-26 23:30:44.845804] Flash tz
[6732 / 6732]
[2019-01-26 23:33:08.502134] Flash lk
[685 / 685]
[2019-01-26 23:33:23.337460] Inject microloader
[4 / 4]
[2019-01-26 23:33:23.667547] Reboot to unlocked fastboot
If the script hangs at some point (it takes more than 7-10 minutes), you will need to restart it. Interrupt the script, disconnect the USB cable from the tablet, wait for it to turn off, and repeat everything from step 4. If the tablet does not turn off after disconnecting the USB cable, disconnect the battery. You can keep it disconnected until the script completes its work; however, before the next step (booting into fastboot mode), the battery must be connected back.
Update: If errors occur while the script is running, you will need to remove the interfering package with the command "sudo apt-get remove modemmanager".
9) If you saw the message "Reboot to unlocked fastboot", everything went well. Do not continue if you do not see this message.
10) Turn the tablet over so you can see the screen. When the tablet boots into fastboot mode (Update: if you see the Amazon logo, this is normal; just check the mode with the "fastboot devices" command), run the "./fastboot-step.sh" script.
Update: If the script generates an error, reboot the tablet using the "fastboot reboot" command and hold down the Vol- button while booting to enter recovery.
11) After that, the tablet should boot into recovery mode (TWRP), but the screen may remain off. Then simply press the power button on the tablet twice and the screen will turn on.
12) Now upload the necessary files (they should be in the adb folder) to the tablet while it is in recovery mode. To do this, run the following commands on the PC:
adb push 6300.zip /sdcard
adb push Magisk-v18.0.zip /sdcard
adb push finalize.zip /sdcard
13) In recovery, go to the Install menu, find /sdcard and flash 6300.zip
14) Go to the Wipe section and do a default wipe (factory reset). Then reboot.
15) On the initial Fire Setup screen, select your language. Next, select any Wi-Fi network (if there is one), but do not connect; click cancel and then "skip" -> "skip" again.
16) Press the power button, select Restart and hold Vol- to enter recovery.
17) In recovery, go to Install and first flash Magisk-v18.0.zip, and then finalize.zip - in that order.
18) After flashing the last file, click Reboot System.
19) Done. The tablet now has firmware 6.3.0.0 installed with root pre-installed. You have Magisk as the root permissions manager, and TWRP is available; you can enter it by holding Vol- (VolDown) while turning the tablet on.
20) You can connect the tablet to the Wi-Fi network. The firmware will not update itself, since all update features are disabled in it. You can put the back cover of the tablet back on.
Now you can flash any compatible firmware from recovery, as well as any compatible boot or system image. However, if in the future you break the tablet to the point where recovery is not available, you will have to repeat everything from the very first step. Be sure to read below what you must not do!
VERY IMPORTANT! WHAT YOU MUST NOT DO WITH THE TABLET! Flash boot / system images only from TWRP. Due to the specifics of the exploit, only this TWRP sees it and interacts with it correctly. You cannot update Magisk from Magisk Manager; this can be done only from TWRP. You cannot flash other versions of TWRP or use other flashing programs, for example, FlashFire. You cannot do a factory reset from the FireOS shell; this can only be done from TWRP.
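The check in step 7 can be scripted. The following is an added example, not part of the original instructions or of the amonet scripts: it reads kernel log lines and reports whether the device that enumerated is the bootrom (0e8d:0003, as in the step 7 output) and which ttyACM port it was given. The function names, the second sample log and its "ffff" product ID are constructed for illustration.

```shell
#!/bin/sh
# Added example. On a real system: dmesg | classify_usb
classify_usb() {
    # Reads kernel log lines on stdin and prints one verdict line.
    awk '
    /New USB device found/ {
        # The bus path is the token after "usb", e.g. "3-2.4.1:"
        for (i = 1; i < NF; i++) if ($i == "usb") { path = $(i + 1); break }
        sub(/:$/, "", path)
        vid = ""; pid = ""
        if (match($0, /idVendor *= *[0-9a-fA-F]+/)) vid = substr($0, RSTART, RLENGTH)
        if (match($0, /idProduct *= *[0-9a-fA-F]+/)) pid = substr($0, RSTART, RLENGTH)
        sub(/.*= */, "", vid); sub(/.*= */, "", pid)
        last_path = path; last_id = tolower(vid ":" pid); tty = ""
    }
    /cdc_acm/ && /ttyACM[0-9]+/ {
        # Accept only the serial port bound to the device seen last.
        if (last_path != "" && index($0, "cdc_acm " last_path ":") > 0) {
            match($0, /ttyACM[0-9]+/); tty = substr($0, RSTART, RLENGTH)
        }
    }
    END {
        if (last_id == "") print "none: no USB device enumerated"
        else if (last_id == "0e8d:0003" && tty != "") print "bootrom: /dev/" tty
        else if (last_id == "0e8d:0003") print "bootrom: no serial port bound yet"
        else if (last_id ~ /^0e8d:/) print "not-bootrom: " last_id " (redo from step 4)"
        else print "unrelated: " last_id
    }'
}

# Sample 1: the step 7 lines from this page.
sample_bootrom() {
    cat <<'EOF'
[10894.058045] usb 3-2.4.1: new full-speed USB device number 9 using xhci_hcd
[10894.239684] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=0003
[10894.241330] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
EOF
}

# Sample 2 (constructed): same vendor, placeholder product ID "ffff".
sample_other() {
    cat <<'EOF'
[10950.100000] usb 3-2.4.1: New USB device found, idVendor=0e8d, idProduct=ffff
[10950.101000] cdc_acm 3-2.4.1:1.0: ttyACM0: USB ACM device
EOF
}

sample_bootrom | classify_usb
sample_other | classify_usb
```
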
-----------------------------------------------------------------------------------
For any comments on the translation, write to me in PM. Spiritovod