[GUIDE] Hardware root via emmc chip (requires soldering!)


superkoal

Senior Member
Sep 24, 2011
1,026
717
Vienna
So there is a guide from gtvhacker how to hook up an sdcard reader to the FireTV's emmc chip and mount it on a linux machine to put the superuser binary and SuperSU.apk to the system partition.
Link to the guide

xXhighpowerXx managed to do it and put together a tutorial on youtube, big thanks to him!
Link to his post

Also there is this detailed blog post of derPeter, I recommend reading it to everyone interested in this hardware hack. Link to the post

This requires disassembling the fireTV, soldering electronic parts and also basic linux skills (and a linux machine)!
Try at your own risk!

Also he updated the information in the GTVHacker wiki linked above, so everything you need to know is there.

MAKE SURE TO ALSO READ THIS POST, AS THERE IS A SOLID RISK OF BRICKING YOUR DEVICE IF YOU ARE NOT CAREFUL! Thanks to ingrimsch for talking to the gtv guys on IRC and providing the log.
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
VCC is shown on the first picture with the tx/rx pinout.
GND should be usable from the (usb) shield(s).
Will try it the next few days when i have time

Sammy98
 

simondo22

Senior Member
Apr 30, 2011
71
16
So i have to solder the 5 data lines the cmd, clk, vcc, vss points to a sdcard sniffer and unplug the fire tv?

The sniffer goes in the pc. Rest is software.


Sent from my Nexus 4 using XDA Free mobile app
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
> So i have to solder the 5 data lines the cmd, clk, vcc, vss points to a sdcard sniffer and unplug the fire tv?
>
> The sniffer goes in the pc. Rest is software.
>
> Sent from my Nexus 4 using XDA Free mobile app

Alright - just soldered as provided - the connections are fine on the pcb - connected with the sd-card sniffer pinouts, but no luck.
I used gnd from the power supply shield. No emmc visible in dmesg.
FireTV is not powered and only the emmc is connected to the reader. Same reader works fine with another emmc chip ...

Sammy98
 

simondo22

Senior Member
Apr 30, 2011
71
16
Could it be that the electrical current which comes from the reader (pc) is too low?
Because it has to supply the whole fire tv

Sent from my Nexus 4 using XDA Free mobile app
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
> Could it be that the electrical current which comes from the reader (pc) is too low?
> Because it has to supply the whole fire tv
>
> Sent from my Nexus 4 using XDA Free mobile app

No, the reader should only power the emmc chip. That's why we asked where to connect vcc and vss. Ground should not be the problem.
I will stop playing now as we want to watch a movie. When the pinout is clear, i will open up the ftv again

Sammy98
 

simondo22

Senior Member
Apr 30, 2011
71
16
But vss and vcc are parallel connected to other chips on the board so the "I" (ampere) divides maybe

Sent from my Nexus 4 using XDA Free mobile app
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
> But vss and vcc are parallel connected to other chips on the board so the "I" (ampere) divides maybe
>
> Sent from my Nexus 4 using XDA Free mobile app

Yep, but how much current and ampere should be used on what pins? A perhaps 1.7V on the pin like in the pinout is not enough for me to try that and probably fry the atv

Sammy98
 

simondo22

Senior Member
Apr 30, 2011
71
16
Have you tried without vcc, vss from the cardreader and powered ftv?

Sent from my Nexus 4 using XDA Free mobile app
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
I guess the voltage or pins are the culprit. I did not power the atv and will not while connected to the reader. I don't write the emmc while the system is using it

Sent from my Nexus 7 using Tapatalk
 
Sep 25, 2013
43
7
Hi,

I can find via google these 'SD Card Sniffer Sparkfun' (different versions: TOL-11468 and TOL-09419) and also e.g. 'MicroSD Breakout' and maybe I have an idea how to soldering/connecting the TOL's to pcb (CMD, CLK, DAT0 do I find (not really difficult) but not VCC, VSS), BUT I have no idea what and how I have to do after that (or maybe I'm also wrong at the starting)...
Can someone link me into the right direction?

THX

EDIT:
Maybe I understand it:
1. soldering / connecting the pins at the pcb with wire to the pins at the TOL
2. place the TOL into a card-reader at e.g. PC or another BOX
3. mount the SD card... (but there I don't know how to identify the system-MTD)
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
> Hi,
>
> I can find via google these 'SD Card Sniffer Sparkfun' (different versions: TOL-11468 and TOL-09419) and also e.g. 'MicroSD Breakout' and maybe I have an idea how to soldering/connecting the TOL's to pcb (CMD, CLK, DAT0 do I find (not really difficult) but not VCC, VSS), BUT I have no idea what and how I have to do after that (or maybe I'm also wrong at the starting)...
> Can someone link me into the right direction?
>
> THX

Did you even read the last posts in the current thread concerning vss and vcc? We don't know either

> EDIT:
> Maybe I understand it:
> 1. soldering / connecting the pins at the pcb with wire to the pins at the TOL
> 2. place the TOL into a card-reader at e.g. PC or another BOX
> 3. mount the SD card... (but there I don't know how to identify the system-MTD)

The steps 1-3 are correct. The emmc only has a read/writable ext4 according to the gtv hacker.
If you don't know how to mount the ext4 of the sd-card, you probably should not begin to solder.
 
Sep 25, 2013
43
7
> Did you even read the last posts in the current thread concerning vss and vcc? We dont know either

Yes, I read it, but I ALSO have no idea (that's what I want to say)...

> The steps 1-3 are correct. The emmc only has a read/writable ext4 according to the gtv hacker.
> If you dont know how to mount the ext4 of the sd-card, you probably should not begin to solder.

To mount isn't a problem, but I'm wondering in, if the eMMC only contains one "partition" because of the different MTD's (but that is something I don't understand because I have never done it before THIS way via a 'SD Card Sniffer')...
 

ingrimsch

Member
Sep 25, 2014
15
9
hey guys,

i don't have my FTV yet, so I can't try hooking up the EMMC to the SD Sniffer myself yet, but maybe I can supply you with a few infos I found in the datasheets. I live in Germany, so my only option to get root access on the FTV will be the EMMC/SD way, which is why I follow this thread with great interest. ;)

@sammy98: are you able to measure the VCC/GND when the SD Sniffer is connected to your PC? As far as I know most SD Cards run on 3.3V, but will work on slightly higher and lower voltages (usually 2.7 to 3.6V). I'll make an educated guess and say if you measure VCC/GND on the Sniffer you will see a voltage of 3.3V.

According to an article here http://www.computerbase.de/2014-04/amazon-fire-tv-in-einzelteile-zerlegt the EMMC Chip is a Toshiba THGBM5G6A2JBAIR. So I peeked into the Datasheet (http://www.magic-sun.com.cn/product/download/pdf/13) and found a pinout plus the Power Supply Voltages for VccQ accepting voltages from 1.7 V to 1.95 V and 2.7 V to 3.6 V. So if the SD Sniffer supplies nice 3.3V as expected, we should be able to use it... just maybe not on the 1.8V spot shown in the UART picture :eek:

Only thing I have not found out yet is where to connect the 3.3 V voltage to supply the EMMC yet. In the Datasheet Pinout you can find the correct Pins for Vcc/VccQ, but as the EMMC is a BGA package, they are under the package. Too bad gtvhacker did not trace the Vcc lanes, so we now have to find a spot to inject the voltage to get the EMMC/SD bridge running...


Hope this helps in any way. Until I finally get my FTV (delivery date still unknown :crying:) I can only help in theory...
 

sammy98

Senior Member
Jul 22, 2007
70
11
Plz 54xxx
> hey guys,
>
> @sammy98: are you able to measure the VCC/GND when the SD Sniffer is connected to your PC? As far as I know most SD Cards run on 3.3V, but will work on slightly higher and lower voltages (usually 2.7 to 3.6V). I'll make an educated guess and say if you measure VCC/GND on the Sniffer you will see a voltage of 3.3V.
>
> According to an article here http://www.computerbase.de/2014-04/amazon-fire-tv-in-einzelteile-zerlegt the EMMC Chip is a Toshiba THGBM5G6A2JBAIR. So I peeked into the Datasheet (http://www.magic-sun.com.cn/product/download/pdf/13) and found a pinout plus the Power Supply Voltages for VccQ accepting voltages from 1.7 V to 1.95 V and 2.7 V to 3.6 V. So if the SD Sniffer supplies nice 3.3V as expected, we should be able to use it... just maybe not on the 1.8V spot shown in the UART picture :eek:
>
> Only thing I have not found out yet is where to connect the 3.3 V voltage to supply the EMMC yet. In the Datasheet Pinout you can find the correct Pins for Vcc/VccQ, but as the EMMC is a BGA package, they are under the package. Too bad gtvhacker did not trace the Vcc lanes, so we now have to find a spot to inject the voltage to get the EMMC/SD bridge running...

Yes i measured the power of the reader and therefore i decided to put the 1,7V on the pin of the uart with an external device. Did not work as i wrote.
I read the datasheet too, but as the gtv hackers did not measure out the vcc (or did not find the pin), we need the spot to inject the voltage.

Sammy98
 

Top Liked Posts

  • 7
    So today i opened the fire tv and built an adapter similar to the SD Sniffer

    SrjigIL.jpg


    After some discussion in our local hackerspace I decided to try it without the level shifter, power the AFTV via a lab power supply on the 1,8V pin shown in the gtfv wiki (On the running AFTV i measured 1,65V there).

    I connected all pins from the AFTV to the SD-Card adapter except the VCC.

    FkOW7tT.jpg


    Sadly nothing happens. I tried 2 USB SD readers and one built-in. On one reader i saw the kernel reset the USB device a few times but nothing more.

    Next step will be connecting a logic analyzer and see if there is SPI traffic when i boot the AFTV.
    In that case i will add the level shifter.

    Here are some more pictures http://imgur.com/a/syYkh/all
    7
    I wrote a blog post about the emmc root and the steps for EU firetv owners to root/unlock/mod.
    Maybe it will help some people as finding all information to start was (at least back in 2014) not easy.
    Some information on the unlock is still missing. I hope this will help some people.
    I will also translate that to German asap as some people asked for it.
    5
    looks like i'm on the right way :D
    Code:
    [...]
    Nov 20 19:58:58  kernel: [45074.287457] mmc0: req done (CMD3): 0: 00000500 00000000 00000000 00000000
    Nov 20 19:58:58  kernel: [45074.287471] mmc0: clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 0 timing 0
    Nov 20 19:58:58  kernel: [45074.287473] OWN DEBUG: 2 (1=MMC_BUSMODE_OPENDRAIN, 2=MMC_BUSMODE_PUSHPULL)
    Nov 20 19:58:58  kernel: [45074.287473] OWN DEBUG: 0 (0=MMC_CS_DONTCARE, 1=MMC_CS_HIGH, 2=MMC_CS_LOW)
    Nov 20 19:58:58  kernel: [45074.287473] OWN DEBUG: 2 (0=MMC_POWER_OFF, 1=MMC_POWER_UP, 2=MMC_POWER_ON)
    Nov 20 19:58:58  kernel: [45074.287473] OWN DEBUG: 0 (0=MMC_BUS_WIDTH_1, 2=MMC_BUS_WIDTH_4, 3=MMC_BUS_WIDTH_8)
    Nov 20 19:58:58  kernel: [45074.287473] OWN DEBUG: 1 (0=MMC_SIGNAL_VOLTAGE_330, 1=MMC_SIGNAL_VOLTAGE_180, 2=MMC_SIGNAL_VOLTAGE_120)
    Nov 20 19:58:58  kernel: [45074.287493] mmc0: starting CMD9 arg 00010000 flags 00000007
    Nov 20 19:58:58  kernel: [45074.287502] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: sd_send_cmd_get_rsp: SD/MMC CMD 9, arg = 0x00010000
    Nov 20 19:58:58  kernel: [45074.288417] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: cmd->resp[0] = 0xd00f0032
    Nov 20 19:58:58  kernel: [45074.288419] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: cmd->resp[1] = 0x0f5903ff
    Nov 20 19:58:58  kernel: [45074.288421] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: cmd->resp[2] = 0xffffffff
    Nov 20 19:58:58  kernel: [45074.288422] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: cmd->resp[3] = 0x8a404000
    Nov 20 19:58:58  kernel: [45074.288423] mmc0: req done (CMD9): 0: d00f0032 0f5903ff ffffffff 8a404000
    Nov 20 19:58:58  kernel: [45074.288425] mmc0: starting CMD7 arg 00010000 flags 00000015
    Nov 20 19:58:58  kernel: [45074.288434] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: sd_send_cmd_get_rsp: SD/MMC CMD 7, arg = 0x00010000
    Nov 20 19:58:58  kernel: [45074.288990] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: cmd->resp[0] = 0x00000700
    Nov 20 19:58:58  kernel: [45074.288991] mmc0: req done (CMD7): 0: 00000700 00000000 00000000 00000000
    Nov 20 19:58:58  kernel: [45074.288993] mmc0: starting CMD8 arg 00000000 flags 000000b5
    Nov 20 19:58:58  kernel: [45074.288995] mmc0:     blksz 512 blocks 1 flags 00000200 tsac 100 ms nsac 0
    Nov 20 19:58:58  kernel: [45074.289005] rtsx_pci_sdmmc rtsx_pci_sdmmc.0: sd_read_data: SD/MMC CMD8
    Nov 20 19:58:58  kernel: [45074.289674] mmc0: req done (CMD8): 0: 00000000 00000000 00000000 00000000
    Nov 20 19:58:58  kernel: [45074.289676] mmc0:     512 bytes transferred: 0
    Nov 20 19:58:58  kernel: [45074.289678] mmc0: clock 25000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 0 timing 0
    Nov 20 19:58:58  kernel: [45074.289680] OWN DEBUG: 2 (1=MMC_BUSMODE_OPENDRAIN, 2=MMC_BUSMODE_PUSHPULL)
    Nov 20 19:58:58  kernel: [45074.289680] OWN DEBUG: 0 (0=MMC_CS_DONTCARE, 1=MMC_CS_HIGH, 2=MMC_CS_LOW)
    Nov 20 19:58:58  kernel: [45074.289680] OWN DEBUG: 2 (0=MMC_POWER_OFF, 1=MMC_POWER_UP, 2=MMC_POWER_ON)
    Nov 20 19:58:58  kernel: [45074.289680] OWN DEBUG: 0 (0=MMC_BUS_WIDTH_1, 2=MMC_BUS_WIDTH_4, 3=MMC_BUS_WIDTH_8)
    Nov 20 19:58:58  kernel: [45074.289680] OWN DEBUG: 1 (0=MMC_SIGNAL_VOLTAGE_330, 1=MMC_SIGNAL_VOLTAGE_180, 2=MMC_SIGNAL_VOLTAGE_120)
    Nov 20 19:58:58  kernel: [45074.289718] mmc0: new MMC card at address 0001
    Nov 20 19:58:58  kernel: [45074.289803] mmcblk0: mmc0:0001 SEM08G 0 B 
    [...]

    at this moment i saw the block device but it wasn't accessible. :crying:
    Sadly this happened only once while testing yesterday - maybe due to suboptimal vccq voltage.

    I will do further testing at weekend and post the results.

    P.S. Box is still alive :victory:
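
The CMD9 response in the log above is the chip's CSD register, and decoding it shows what the reader negotiated. This is an added example, not code from the poster or from GTVHacker; the field offsets are those of the JEDEC eMMC CSD layout, and the sample lines are copied from the posted log.

```python
import re

# Constructed sample: three lines copied from the kernel log posted above.
SAMPLE_LOG = """\
Nov 20 19:58:58  kernel: [45074.287471] mmc0: clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 0 timing 0
Nov 20 19:58:58  kernel: [45074.288423] mmc0: req done (CMD9): 0: d00f0032 0f5903ff ffffffff 8a404000
Nov 20 19:58:58  kernel: [45074.289718] mmc0: new MMC card at address 0001
"""

# "req done (CMDn): <error>: <four 32-bit response words, most significant first>"
REQ_DONE = re.compile(r"req done \(CMD(\d+)\): (-?\d+): ((?:[0-9a-f]{8} ?){4})")

# TRAN_SPEED tables for MMC: frequency unit in Hz and multiplier times ten.
TRAN_UNIT_HZ = [100_000, 1_000_000, 10_000_000, 100_000_000]
TRAN_MULT_X10 = [0, 10, 12, 13, 15, 20, 26, 30, 35, 40, 45, 52, 55, 60, 70, 80]


def bits(value, start, width):
    """Return `width` bits of `value` starting at bit `start` (bit 0 = LSB)."""
    return (value >> start) & ((1 << width) - 1)


def find_csd(log_text):
    """Return the 128-bit CSD from the first error-free CMD9, or None."""
    for m in REQ_DONE.finditer(log_text):
        if m.group(1) == "9" and m.group(2) == "0":
            return int(m.group(3).replace(" ", ""), 16)
    return None


def decode_csd(csd):
    """Decode the CSD fields that show whether card identification looked sane."""
    unit, mult = bits(csd, 96, 3), bits(csd, 99, 4)
    c_size = bits(csd, 62, 12)
    return {
        "csd_structure": bits(csd, 126, 2),
        "spec_vers": bits(csd, 122, 4),
        "tran_speed_hz": TRAN_UNIT_HZ[unit] * TRAN_MULT_X10[mult] // 10 if unit < 4 else None,
        "ccc": bits(csd, 84, 12),
        "read_bl_len": bits(csd, 80, 4),
        "write_bl_len": bits(csd, 22, 4),
        "c_size": c_size,
        # C_SIZE of 0xFFF marks a device above 2 GB: its size is in EXT_CSD SEC_COUNT.
        "capacity_in_ext_csd": c_size == 0xFFF,
    }


if __name__ == "__main__":
    for name, value in decode_csd(find_csd(SAMPLE_LOG)).items():
        print(f"{name:20} {value}")
```

For this log the CSD reports C_SIZE = 0xFFF, so the capacity has to come from the EXT_CSD read (the CMD8 transfer in the log) rather than from the CSD itself.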
    5
    Ok here is an updated image of the pinout. I have triple-checked everything, it should be 100% correct :fingers-crossed:
    K7l0Gwe.jpg