
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)

By k4y0z, XDA Ad-Free Senior Member on 3rd March 2019, 11:20 PM
Read this whole guide before starting.

This is for the 2nd gen Fire TV Stick (tank)

Current release: amonet-tank-v1.2.2.zip

NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting



To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:
  • A Linux installation or live-system
  • A micro-USB cable
  • Something conductive (paperclip, tweezers etc)
  • Something to open the stick.


NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9


Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)


1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. Start the script:
Code:
./bootrom-step.sh

It should now say Waiting for bootrom.

3. Short CLK to GND (the metal shielding is also GND) according to the attached photo and plug it in.


NOTE:

In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader

instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk etc.


NOTE:
Only ever flash boot/recovery images using TWRP. If you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.


NOTE:
This process does not disable OTA or make any other modifications to your system.
You will have to do that according to the other guides in this forum.


Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.
Attached image: Fire-TV-Stick-2-(tank).jpg
Attached files: amonet-tank-v1.1.zip (11.19 MB), amonet-tank-v1.2.1.zip (8.66 MB), amonet-tank-v1.2.2.zip (8.66 MB)
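
A host-side pre-flight check for the guide above, added here as an example (it is not part of amonet or the original post): it verifies the tools the guide installs, checks that ModemManager is stopped, and classifies the stick's USB mode from the two IDs quoted in the NOTE. All function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not part of amonet): host-side pre-flight checks for the guide.

# Print each required command that is not on PATH, one per line.
missing_tools() {
    local t
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || echo "$t"
    done
}

# Classify the stick's USB mode from lsusb or dmesg text.
# IDs are the two quoted in the guide: 0e8d:0003 boot-rom, 0e8d:2000 preloader.
# The last matching line wins, so a re-enumerated device is reported in its
# most recent mode. Prints: bootrom | preloader | absent
mtk_mode() {
    local mode=absent line
    while IFS= read -r line; do
        case "$line" in
            *"ID 0e8d:0003"*|*"idVendor=0e8d, idProduct=0003"*) mode=bootrom ;;
            *"ID 0e8d:2000"*|*"idVendor=0e8d, idProduct=2000"*) mode=preloader ;;
        esac
    done <<EOF
$1
EOF
    echo "$mode"
}

# Succeeds when ModemManager is running (the guide wants it stopped).
modemmanager_active() {
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet ModemManager
}

# Run every check; non-zero return means fix something before ./bootrom-step.sh.
preflight() {
    local rc=0 miss
    miss=$(missing_tools python3 adb fastboot lsusb)
    [ -z "$miss" ] || { echo "missing tools:" $miss; rc=1; }
    python3 -c 'import serial' 2>/dev/null || { echo "PySerial not importable"; rc=1; }
    if modemmanager_active; then echo "ModemManager is still active"; rc=1; fi
    case "$(mtk_mode "$(lsusb 2>/dev/null)")" in
        bootrom)   echo "boot-rom mode detected (0e8d:0003)" ;;
        preloader) echo "preloader mode (0e8d:2000): try again"; rc=1 ;;
        absent)    echo "no MediaTek device on USB yet" ;;
    esac
    return $rc
}
```

Source the file and call `preflight`; `mtk_mode` also accepts a pasted dmesg line, so it can be used on logs from a failed attempt.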
 
 
3rd March 2019, 11:59 PM |#2  
OP Senior Member
Changelog

Version 1.2 (25.03.2019)
  • Update TWRP to twrp-9.0 sources
  • Implement downgrade-protection for LK/PL/TZ
  • Add scripts to enter fastboot/recovery in case of bootloop
  • Automatically restore boot-patch when you boot into recovery

Features.
  • Hacked fastboot mode lets you use all fastboot commands (flash etc).
  • Boots custom/unsigned kernel-images (need to be patched)
  • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
  • TWRP protects from accidental lk/preloader/tz downgrades
  • Set bootmode via preloader

NOTE: Hacked fastboot can be reached via TWRP.

NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.
4th March 2019, 12:00 AM |#3  
OP Senior Member
There are three options for interacting with TWRP:
  1. A mouse via USB-OTG
  2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  3. Via /cache/recovery/command

Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery

Should you somehow end up in a bootloop, you can boot into hacked fastboot or recovery using:
Code:
sudo ./boot-fastboot.sh
Code:
sudo ./boot-recovery.sh

NOTE: This will only work if the boot-exploit is still there.

Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/andro...table_recovery
4th March 2019, 12:21 AM |#4  
Senior Member
how would you get to twrp after rebooting to system?
4th March 2019, 12:33 AM |#5  
OP Senior Member
Quote:
Originally Posted by krsmit0

how would you get to twrp after rebooting to system?

Code:
adb reboot recovery
4th March 2019, 12:49 AM |#6  
Senior Member
Quote:
Originally Posted by k4y0z

Code:
adb reboot recovery

ok, made it to recovery. not sure how to navigate recovery.
4th March 2019, 01:31 AM |#7  
OP Senior Member
Quote:
Originally Posted by krsmit0

ok, made it to recovery. not sure how to navigate recovery.

Either via adb shell, or a mouse via USB-OTG
4th March 2019, 02:53 AM |#8  
Senior Member
Quote:
Originally Posted by k4y0z

Either via adb shell, or a mouse via USB-OTG

found this, thanks, didn't know about this

https://twrp.me/faq/openrecoveryscript.html
4th March 2019, 11:57 AM |#9  
Oh nice! I'll try it later today!
4th March 2019, 02:57 PM |#10  
Senior Member
First one worked fine. Second seemed to go ok but I can't get back in with adb. Device unauthorized. I went through the process again to get back to recovery and I copied the adb_keys from the one that worked to the other one. Permissions and ownership are the same, but it still says unauthorized. I also don't get the prompt to allow connection on the stick itself. I have connected with this stick through adb before this.

UPDATE: Factory reset didn't bring back the adb debug prompt, but an update did. I was on an older version.
4th March 2019, 04:12 PM |#11  
OP Senior Member
Quote:
Originally Posted by krsmit0

First one worked fine. Second seemed to go ok but I can't get back in with adb. Device unauthorized. I went through the process again to get back to recovery and I copied the adb_keys from the one that worked to the other one. Permissions and ownership are the same, but it still says unauthorized. I also don't get the prompt to allow connection on the stick itself. I have connected with this stick through adb before this.

Mhh, what firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure adb is enabled in developer settings?
If that doesn't help, could you try a factory reset?