[Root] Kindle Fire HDX 8.9 14.3.1

Search This thread
By:
Advanced…
jcase

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
Please do not donate to me for this, it is not my original work. If you want to donate, I suggest finding a way to donate to fi01 (not aware of a way or if he accepts them) or donating to a charity. It is the holiday times, maybe a toys for tots or something similar. I know a lot of ppl dislike the salvation army, and I can't stand up with some of the things they do, but their toy donation program is good and they do get the toys to kids who really have no other option, maybe drop off some new toys? May be food to a food bank?

Source: https://github.com/hiikezoe/android_run_root_shell

Vuln:
https://www.codeaurora.org/projects...hecks-putusergetuser-kernel-api-cve-2013-6282

Exploit Source:
https://github.com/fi01/libput_user_exploit

Beaups compiled it at my request for you guys.

adb push su /data/local/tmp/
adb push rootme.sh /data/local/tmp/
adb push exploit /data/local/tmp/
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
adb shell /data/local/tmp/exploit -c "/data/local/tmp/rootme.sh"
 

Attachments

  • kindlehdx_root.zip
    259.6 KB · Views: 23,023
Last edited:
  • Like
Reactions: devdav2167, veritasaequita, pierro78 and 41 others
GSLEON3

GSLEON3

Retired Senior Moderator
Dec 1, 2006
2,510
1,394
NSA Black Site Whiskey Tango Foxtrot One Niner
Bomb! You are the man!

Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $150 for root in your names to whatever charity you think is appropriate. If this leads to an unlocked BL, I will double my donation, to the $300 I originally stated in the General/Kernel thread.

If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.

PROOF OF ROOT:
IMG_20131125_102749.jpg

IMG_20131125_102829.jpg
 
Last edited:
  • Like
Reactions: pierro78, love is me, xdaysleeper and 6 others
M

Maverick777

Senior Member
May 16, 2008
754
100
GSLEON3 said:
Bomb! You are the man!

Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $300 in your names to whatever charity you think is appropriate.

If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.

PROOF OF ROOT:
IMG_20131125_102749.jpg

IMG_20131125_102829.jpg
Click to expand...
Click to collapse

Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this. Did you have the Fire OS update installed when you rooted it?
 
Last edited:
E

Epedemic

Senior Member
Apr 4, 2007
390
32
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

Device detected: KFTHWI (JDQ39)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.

Have hopes it will be possible soon enough though :)
 
GSLEON3

GSLEON3

Retired Senior Moderator
Dec 1, 2006
2,510
1,394
NSA Black Site Whiskey Tango Foxtrot One Niner
Maverick777 said:
Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this.
Click to expand...
Click to collapse

I am going to tak as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straight forward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.

At this point, there are no custome roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.

Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.

---------- Post added at 11:21 AM ---------- Previous post was at 11:17 AM ----------
Epedemic said:
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

Device detected: KFTHWI (JDQ39)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.

Have hopes it will be possible soon enough though :)
Click to expand...
Click to collapse

Most likely, it is going to take a little address rework of the exploit. I am about 100% certain the exploit is there though.
 
Last edited:
  • Like
Reactions: amandadam, Moronig, bspisak and 5 others
M

Maverick777

Senior Member
May 16, 2008
754
100
GSLEON3 said:
I am going to tak as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straight forward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.

At this point, there are no custome roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.

Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.
Click to expand...
Click to collapse

Awesome. Thanks for the explanation. I will wait for a one click method or recovery to be made unless I get impatient. :D
 
jcase

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
Epedemic said:
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

Device detected: KFTHWI (JDQ39)

Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem

Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.

Have hopes it will be possible soon enough though :)
Click to expand...
Click to collapse


No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it
 
  • Like
Reactions: EniGmA1987, mrkhigh, Moronig and 3 others
shimp208

shimp208

Inactive Recognized Contributor
Jan 25, 2011
2,613
3,089
Boston
Congratulations @jcase on the hard work you put in for us. As a freshman computer engineering student it's things like this that make me want to work harder at my studies, put in that extra time studying for that test, seeking out opportunities my professors give, and hopefully being able to give back to XDA as much as you do. I doubt I'll ever get there but it's worth trying , great job again man :highfive:.
 
  • Like
Reactions: davekaz
E

Epedemic

Senior Member
Apr 4, 2007
390
32
jcase said:
No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it
Click to expand...
Click to collapse

Update is here: http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201357190

I extracted build.prop and it can be found here: https://www.dropbox.com/sh/t9wv1aakvopwpyt/r9nQD3x0Ux

Not sure how to extract boot.img, unless the .bin file from amazon is simply an archive. (in that case it will be on the dropbox link shortly ;) )
 
  • Like
Reactions: davekaz
GSLEON3

GSLEON3

Retired Senior Moderator
Dec 1, 2006
2,510
1,394
NSA Black Site Whiskey Tango Foxtrot One Niner
E

Epedemic

Senior Member
Apr 4, 2007
390
32
BTW i will be going to sleep in a couple of hours at the latest, and then vacation until friday. But i am sure you can find someone else to test the 7" version ;)
 
E

EniGmA1987

Senior Member
Sep 21, 2010
2,064
807
Thanks for root jcase!
If you really don't want my part of the money I put up for achieving root then I will do as you suggested and donate it to charity
 
quantump8

quantump8

Senior Member
Jul 27, 2012
167
47
Dude!!! You guys are the best!! I get mine (HDX 7") in December, so I hope by then to have an easy root method and maybe even a rom or two. :good:
 
K

kholdstare

Member
Oct 30, 2007
28
5
Kansas City
Just in case Amazon fixes the exploit in an update I have blocked the update servers from getting through my router.
The IPs below are the update servers in case anyone else wants to block them.


Code: 
72.21.194.208
176.32.100.136
72.21.195.233

If you have a dd-wrt router just add this to your firewall
Code: 
iptables -I FORWARD -d 72.21.194.208 -j DROP
iptables -I FORWARD -d 176.32.100.136 -j DROP
iptables -I FORWARD -d 72.21.195.233 -j DROP

Bitcoin Address: 186NWvr3buDGmpa5ECVGub37YX94NMSsLj
 
smirciat

smirciat

Senior Member
Nov 15, 2013
156
47
Homer, Alaska
kholdstare said:
Just in case Amazon fixes the exploit in an update I have blocked the update servers from getting through my router.
The IPs below are the update servers in case anyone else wants to block them.


Code: 
72.21.194.208
176.32.100.136
72.21.195.233

If you have a dd-wrt router just add this to your firewall
Code: 
iptables -I FORWARD -d 72.21.194.208 -j DROP
iptables -I FORWARD -d 176.32.100.136 -j DROP
iptables -I FORWARD -d 72.21.195.233 -j DROP

Bitcoin Address: 186NWvr3buDGmpa5ECVGub37YX94NMSsLj
Click to expand...
Click to collapse
Can't Amazon just change the update server addresses to circumvent this? Assuming they care enough about this to patch it quickly, wouldn't they try to get updates through anyway they can? Or do Kindle updates only listen to a specific set of addresses? The HD's allowed a downgrade, do the HDX's prevent downgrade? The mind is ablur with possibilities.
 
You must log in or register to reply here.

Similar threads

Faznx92
[TOOL:FROZEN] Faznx's HDX ToolKit v0.96b
Replies
218
Views
205K
DB126
DB126
ggow
[EOL][4.2.2] HDX Nexus v2.0.5
Replies
1K
Views
275K
DB126
DB126
ggow
  • Locked
[DISCONTINUED][ROM] [4.4.4] [STABLE] HDX Nexus v4.0.5
Replies
647
Views
146K
DB126
DB126
C
[ROM] aosp-4.2.2-thor-0 (Kindle fire hdx 7")
Replies
81
Views
62K
r3pwn
r3pwn
ggow
  • Locked
Safestrap Flashable HDX Stock Images
Replies
84
Views
54K
DB126
DB126

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 44
    jcase
    jcase
    Please do not donate to me for this, it is not my original work. If you want to donate, I suggest finding a way to donate to fi01 (not aware of a way or if he accepts them) or donating to a charity. It is the holiday times, maybe a toys for tots or something similar. I know a lot of ppl dislike the salvation army, and I can't stand up with some of the things they do, but their toy donation program is good and they do get the toys to kids who really have no other option, maybe drop off some new toys? May be food to a food bank?

    Source: https://github.com/hiikezoe/android_run_root_shell

    Vuln:
    https://www.codeaurora.org/projects...hecks-putusergetuser-kernel-api-cve-2013-6282

    Exploit Source:
    https://github.com/fi01/libput_user_exploit

    Beaups compiled it at my request for you guys.

    adb push su /data/local/tmp/
    adb push rootme.sh /data/local/tmp/
    adb push exploit /data/local/tmp/
    adb shell chmod 755 /data/local/tmp/rootme.sh
    adb shell chmod 755 /data/local/tmp/exploit
    adb shell /data/local/tmp/exploit -c "/data/local/tmp/rootme.sh"
    View
    9
    GSLEON3
    GSLEON3
    Bomb! You are the man!

    Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $150 for root in your names to whatever charity you think is appropriate. If this leads to an unlocked BL, I will double my donation, to the $300 I originally stated in the General/Kernel thread.

    If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.

    PROOF OF ROOT:
    IMG_20131125_102749.jpg

    IMG_20131125_102829.jpg
    View
    8
    GSLEON3
    GSLEON3
    Maverick777 said:
    Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this.
    Click to expand...
    Click to collapse

    I am going to tak as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straight forward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.

    At this point, there are no custome roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.

    Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.

    ---------- Post added at 11:21 AM ---------- Previous post was at 11:17 AM ----------
    Epedemic said:
    Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

    Device detected: KFTHWI (JDQ39)

    Try to find address in memory...
    Attempt msm_cameraconfig exploit...
    Detected kernel physical address at 0x00008000 form iomem

    Attempt fb_mem exploit...
    Detected kernel physical address at 0x00008000 form iomem
    You need to manage to get remap_pfn_range addresses.
    Failed to get prepare_kernel_cred addresses.
    Failed to get commit_creds addresses.
    Failed to get ptmx_fops addresses.
    KFTHWI (JDQ39) is not supported.
    Failed to setup variables.

    Have hopes it will be possible soon enough though :)
    Click to expand...
    Click to collapse

    Most likely, it is going to take a little address rework of the exploit. I am about 100% certain the exploit is there though.
    View
    8
    M
    Moronig
    Good News Everyone! I made the required changes in source, and recompiled it for the Kindle Fire HDX 7". It worked for me at least! Here it goes:

    http://goo.gl/4gBmq5

    Be sure to rename the file to 'exploit', follow the instructions on the first post, and don't forget to thank jcase and fi01.
    View
    6
    jcase
    jcase
    Epedemic said:
    Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):

    Device detected: KFTHWI (JDQ39)

    Try to find address in memory...
    Attempt msm_cameraconfig exploit...
    Detected kernel physical address at 0x00008000 form iomem

    Attempt fb_mem exploit...
    Detected kernel physical address at 0x00008000 form iomem
    You need to manage to get remap_pfn_range addresses.
    Failed to get prepare_kernel_cred addresses.
    Failed to get commit_creds addresses.
    Failed to get ptmx_fops addresses.
    KFTHWI (JDQ39) is not supported.
    Failed to setup variables.

    Have hopes it will be possible soon enough though :)
    Click to expand...
    Click to collapse


    No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it
    View

New posts