This is for the 2nd gen Fire TV Stick (tank)
Current relase: amonet-tank-v1.2.2.zip
NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that where manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.
NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting
To update to the current release if you are already unlocked, just flash the zip in TWRP.
What you need:
- A Linux installation or live-system
- A micro-USB cable
- Something conductive (paperclip, tweezers etc)
- Something to open the stick.
Since version 1.2 this isn't required, because instead of flashing the 220.127.116.11 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 18.104.22.168
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
sudo apt update sudo add-apt-repository universe sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot
sudo systemctl stop ModemManager sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:
Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.
In lsusb the boot-rom shows up as:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
dmesg lists the correct device as:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
4. When the script asks you to remove the short, remove the short and press enter.
5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.
6. Your device should now reboot into unlocked fastboot state.
9. Use TWRP to flash custom ROM, Magisk etc.
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.