I just rooted my Fire TV 1 (version 220.127.116.11) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external links here.)
Dirtycow allows you to write to files even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here.) Another problem was that the modification only lasts for the current boot, so I could not just modify boot scripts. I had to find a binary that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV GUI, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script that deploys the su binary.
This is what I did:
- I compiled the dirtycow.c from timwr's GitHub repository CVE-2016-5195
- Then I put the resulting binary into /data/local/tmp on my Fire TV (via adb)
- Now I pushed Chainfire's su binary to /data/local/tmp
- I copied the /system/bin/ip binary to /data/local/tmp
- I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755):
      #!/system/bin/sh
      mount -o remount,rw /system
      cp /data/local/tmp/su /system/xbin
      chmod 4755 /system/xbin/su
      /data/local/tmp/ip "$@"
- After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
- Now I went to my network settings of my Fire TV and changed them to a static IP address.
- I reconnected to my Amazon Fire TV and typed su
      shell@android:/ $ su
      root@android:/ #
- Lastly I installed the Supersu.apk from Chainfire
Root seems to work with the adb shell and the terminal app. Somehow it does not with Amaze File Manager. If I start it, I get thrown into the Amazon Fire UI.
This rooting method should also work for other versions of Fire OS, though I have not tested them.
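
An added example, not part of the original post: a defender-side check for the two artifacts the post describes, a /system/bin/ip that is no longer an ELF binary and a setuid file under /system. The function names and the AUDIT_ROOT variable are assumptions of this example, and it needs od, find, tr and sed (for instance from busybox); since the post says the ip replacement only lasts for the current boot, that check is meaningful on the running device, while the setuid check also works on an extracted image.

```shell
#!/bin/sh
# Added example (not from the post). Paths are the ones the post names;
# AUDIT_ROOT is a hypothetical variable used only by this script.

# magic_of FILE: first four bytes of FILE as lowercase hex.
magic_of() {
    od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# is_elf FILE: true if FILE starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ "$(magic_of "$1")" = "7f454c46" ]
}

# audit ROOT: print one ALERT line per finding, return 1 if any were found.
audit() {
    root=${1%/}
    ip="$root/system/bin/ip"
    rc=0
    # Check 1: ip must still be a native binary, not a "#!" wrapper script.
    if [ -f "$ip" ] && ! is_elf "$ip"; then
        echo "ALERT $ip is not ELF (first bytes: $(magic_of "$ip"))"
        rc=1
    fi
    # Check 2: the post reports no setuid binaries on the stock system,
    # so any setuid file under /system is unexpected.
    suid=$(find "$root/system" -type f -perm -4000 2>/dev/null)
    if [ -n "$suid" ]; then
        printf '%s\n' "$suid" | sed 's/^/ALERT setuid file: /'
        rc=1
    fi
    return "$rc"
}

# Run only when a root directory is given, e.g. AUDIT_ROOT=/ sh audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit "$AUDIT_ROOT" || true
fi
```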