[ROOT] Amazon Fire TV Gen 2 (4k)

There is an updated thread now for rooting the AFTV2 that supports both 5.0.3.1 and 5.0.4 and maybe others in the future, see http://forum.xda-developers.com/fire...dated-t3277556. The new method is simpler than this method and requires less to download and fewer steps to run.

To be safe run checkver.py every time you handshake since 5.0.4 is starting to roll out! Check out the 5.0.3.1 tag in order to use this older method.

If you were able to root your AFTV2 we'd appreciate it if you report your success on the poll located here.

NOTE: Root was obtained a few weeks ago so... this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. There are ideas and some work in progress to make it easier. It depends also on serial port stability, which is somewhat random luck. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven't been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.

Root the Device

It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as back up the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 5.0.3.1. You should also have an unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times. If it keeps hanging try a different computer.

To get started you will need a system that meets the following requirements:
  • Linux (Mac OS X or Windows w/ changes)
  • Python 3.x
  • PySerial
    • sudo yum install python3-pyserial # Fedora or RedHat
    • sudo apt-get install python3-serial # Ubuntu or Debian
  • USB Male A to Male A cable
  • R/W access to /dev/ttyACM0 (or use sudo)
  • ADB USB access (optional, but helpful)
  • Stop ModemManager (if you have it setup, which blocks handshaking)

Now run the following sequence of commands:

Code:
git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
cd aftv2-tools
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
gunzip system.root.img.gz
gunzip system.diff.gz
adb reboot ; ./handshake.py  # or restart but run ./handshake.py first
./checkver.py  # STOP if it reports NO!
./patch_mmc.sh 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
# last address is 0x50dce600

For Macs (see post #115, thanks @ians325) to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".

Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo but the README is constantly evolving. @ImCoKeMaN (big thanks) and myself are working to improve the process and make it easier for Windows users.

Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns, https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB found here (by @BagiMT).

To test that root is working you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.

If you would like to disable updates after rooting you can use the following commands:

Code:
adb shell
su
pm disable com.amazon.device.software.ota

To go back to stock in case you want to update or for whatever other reason:

Code:
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
gunzip system.orig.img.gz
adb push system.orig.img /data/local/tmp
adb shell
su
pm enable com.amazon.device.software.ota
dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
sync
reboot

I don't always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and change the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.

Background Info

This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.

The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module but no ETA yet. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have added SuperSU binaries to the system partition.

Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.

Tips

If you want to disable the pop-up message when becoming root you can change notify=1 to notify=0 in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)

Special Thanks
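The block-difference idea from the Background Info section above, as an added example (not code from aftv2-tools, and not the format of the real system.diff file): it compares two images in 512-byte blocks and merges the changed blocks into contiguous runs, which shows why only a small part of a large image has to be written. The function names, the base address and the sample images are assumptions constructed for illustration.

```python
import io

BLOCK = 512  # block size the post gives for preloader MMC reads and writes


def changed_blocks(orig, mod, block=BLOCK):
    """Yield the index of every block that differs between two image streams."""
    index = 0
    while True:
        a = orig.read(block)
        b = mod.read(block)
        if not a and not b:
            return  # both streams exhausted
        if a != b:  # also true when one image is shorter than the other
            yield index
        index += 1


def coalesce(indices):
    """Merge ascending block indices into (first_block, block_count) runs."""
    runs = []
    for i in indices:
        if runs and runs[-1][0] + runs[-1][1] == i:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((i, 1))
    return runs


def diff_summary(orig, mod, base_addr=0, block=BLOCK):
    """Return ([(byte_address, byte_length), ...], total_bytes_to_write)."""
    runs = coalesce(changed_blocks(orig, mod, block))
    extents = [(base_addr + first * block, count * block) for first, count in runs]
    return extents, sum(length for _, length in extents)


def demo():
    """Constructed 8-block image with changes in blocks 2, 3 and 6."""
    original = bytearray(8 * BLOCK)
    modified = bytearray(original)
    modified[2 * BLOCK + 10] = 0xFF
    modified[3 * BLOCK] = 0x01
    modified[6 * BLOCK + 511] = 0x7F
    # 0x10000 is a constructed partition offset, not a value from the device
    return diff_summary(io.BytesIO(original), io.BytesIO(modified), base_addr=0x10000)


if __name__ == "__main__":
    extents, total = demo()
    for addr, length in extents:
        print(f"write {length:5d} bytes at 0x{addr:08x}")
    print(f"{total} of {8 * BLOCK} bytes differ")
```
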
 
 
10th November 2015, 01:15 PM |#2  
Senior Member
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
10th November 2015, 04:27 PM |#3  
Senior Member
Flag St. Louis
Quote:
Originally Posted by reiteravi

great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...

Yeah, my pre-ordered one is still in a box so I'd need to update it too. I guess I can do that tonight before a new version comes out.
10th November 2015, 05:45 PM |#4  
OP Senior Member
Flag San Francisco, CA
Quote:
Originally Posted by reiteravi

great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...

Unfortunately you will need to do a normal update first before patching the system partition. It just takes too long to flash a full system image, original or modified, using the methods we have available to us now. Also the boot partition and other partitions are updated with each OTA. I hope we can continue to provide rooted versions of updated system images, but as you know there is no guarantee of that. I'd update now before there are any new updates and then root it. We could in theory root the older versions as well and even before first boot, but without the OTA updates and applying them in reverse I can't go back and patch the older releases. I strongly think the method used to write the system partition cannot be fixed since I believe the preloader code is in a ROM.
11th November 2015, 12:05 AM |#5  
OP Senior Member
Flag San Francisco, CA
Mac Update
A few notes for Mac users willing to experiment a little:

I installed python 3.5.0 for Mac OS X from python.org and then ran "sudo pip3 install pyserial" to install pyserial for python 3.x. The final change I needed to make was to change PORT in handshake.py and read_mmc.py/write_mmc.py (only tested reading the boot partition, but everything else should work). In my case the PORT was /dev/cu.usbmodem1430. The device filename seems to be based on the USB port it's connected to. I'm not sure if there is an easier way to find the device filename besides scanning /dev and looking for new devices matching a given pattern. Maybe others on this forum have some better ideas. The final caveat was I need to unplug and replug the USB cable after the handshake completed otherwise the read_mmc.py script would hang on the first read.
11th November 2015, 06:24 AM |#6  
Junior Member
Flag Bay Area, CA
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:

Code:
0e450c032ddce170667ba3ddc26cb960  DKB
a3ad800f012a153953b403ef1fa36e14  EXPDB
d693da95eb68b40e4315333bcf74918b  KB
50f24ce4c7ac388b33310bff6f79636a  LOGO
59071590099d21dd439896592338bf95  MISC
f9b5ef697fde92c42bbbec35e5a6cad4  PRO_INFO
8a9d058f87711c2e8ccc698647f5026b  TEE1
eda2733e1d0214873d9cb9d78c68425f  TEE2
97a2ccdb7a02838b26b9a57e4f31d51d  boot
fbd20aa58cd63c07392080cad7627e18  lk
74f0bac463bae8141acf20594987a559  recovery
a06c3d6a8c73923ed5c38b479c4410d3  system
So my DKB, KB, and system partitions are different from yours.
11th November 2015, 07:29 AM |#7  
OP Senior Member
Flag San Francisco, CA
Quote:
Originally Posted by NaturalBornHaxor

I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:

Code:
0e450c032ddce170667ba3ddc26cb960  DKB
a3ad800f012a153953b403ef1fa36e14  EXPDB
d693da95eb68b40e4315333bcf74918b  KB
50f24ce4c7ac388b33310bff6f79636a  LOGO
59071590099d21dd439896592338bf95  MISC
f9b5ef697fde92c42bbbec35e5a6cad4  PRO_INFO
8a9d058f87711c2e8ccc698647f5026b  TEE1
eda2733e1d0214873d9cb9d78c68425f  TEE2
97a2ccdb7a02838b26b9a57e4f31d51d  boot
fbd20aa58cd63c07392080cad7627e18  lk
74f0bac463bae8141acf20594987a559  recovery
a06c3d6a8c73923ed5c38b479c4410d3  system
So my DKB, KB, and system partitions are different from yours.

That is awesome news! The first confirmed case I've heard of someone else repeating my success

About the DKB and KB partitions being different it makes me wonder what those partitions are for? I didn't include cache and userdata in the MD5SUM of course, which you noticed, because those change all the time. NVRAM when I looked inside appeared to have a few things that looked to be device specific. The system partition being different is actually expected because I found every time I rebooted my system partition changed checksums. Also that is the MD5SUM of the unmodified system partition. I noticed this weird MD5SUM behavior when I was first gaining root and doing some sanity checks. It happens right after daemonsu is started. My best guess is that the SuperSU tools mount the system r/w quickly and that causes the last mounted timestamp to change. Don't know for sure what causes it, but don't worry that's not unexpected. The main reason I kept those hashes in the repo was so when the next version comes out I know which partitions were changed and need to be updated by users who wish to maintain root.
11th November 2015, 10:09 AM |#8  
Member
------------------SOLVED-----------------
Please read on if you have problems with handshake script looping forever...
-----------------------------------------------

Hi zeroepoch,

meanwhile I received my Fire TV 2 and tried your scripts but unfortunately without success.

As far as I can see, there are 2 problems:

- The /dev/ttyACM0 device appears on rebooting the Fire TV, but only for some 100th of a second, then it disconnects again.
- If I give it another try, the device will appear as /dev/ttyACM1, next time /dev/ttyACM2, and so on. So I either have to update the handshake script for every try or reboot my computer (then it starts with /dev/ttyACM0 again).

When I first tried it, the handshake-script ran forever, it just missed the short time of availability of /dev/ttyACM0. So I reduced the sleep-timeout in the script from 0.25 to 0.001. Now the handshake script detects the serial device but runs into an I/O Error during one of the next steps (each time different, seems to be a "race condition").

Can you offer any advice? Could my Laptop be too slow somehow or is there some trick to make the Fire TV keep the port open for a longer time?

Greetings, Christian

Code:
shell:

root@DeepThought:~/aftv2-tools#  adb reboot ; ./handshake.py
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Traceback (most recent call last):
  File "./handshake.py", line 17, in <module>
    dev = serial.Serial(PORT, BAUD)
  File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 261, in __init__
    self.open()
  File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 282, in open
    self._reconfigurePort()
  File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 413, in _reconfigurePort
    termios.tcsetattr(self.fd, TERMIOS.TCSANOW, [iflag, oflag, cflag, lflag, ispeed, ospeed, cc])
termios.error: (5, 'Input/output error')
Code:
/var/log/syslog;

Nov 11 11:25:41 DeepThought systemd[1111]: Reached target Default.
Nov 11 11:25:41 DeepThought systemd[1111]: Startup finished in 15ms.
Nov 11 11:27:28 DeepThought kernel: [  217.460463] usb 8-2: USB disconnect, device number 2
Nov 11 11:27:31 DeepThought kernel: [  220.608049] usb 8-2: new high-speed USB device number 3 using ehci-pci
Nov 11 11:27:31 DeepThought kernel: [  220.741857] usb 8-2: New USB device found, idVendor=0e8d, idProduct=2000
Nov 11 11:27:31 DeepThought kernel: [  220.741860] usb 8-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 11 11:27:31 DeepThought kernel: [  220.741862] usb 8-2: Product: MT65xx Preloader
Nov 11 11:27:31 DeepThought kernel: [  220.741864] usb 8-2: Manufacturer: MediaTek
Nov 11 11:27:31 DeepThought mtp-probe: checking bus 8, device 3: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:31 DeepThought mtp-probe: bus: 8, device: 3 was not an MTP device
Nov 11 11:27:31 DeepThought kernel: [  220.855737] cdc_acm 8-2:1.1: ttyACM0: USB ACM device
Nov 11 11:27:31 DeepThought kernel: [  220.884047] usbcore: registered new interface driver cdc_acm
Nov 11 11:27:31 DeepThought kernel: [  220.884050] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
Nov 11 11:27:31 DeepThought kernel: [  220.924931] usb 8-2: USB disconnect, device number 3
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (ttyACM0): tcgetattr() error: 5
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (ttyACM0): port attributes not fully set
Nov 11 11:27:31 DeepThought kernel: [  220.928861] cdc_acm 8-2:1.1: failed to set dtr/rts
Nov 11 11:27:31 DeepThought ModemManager[511]: <info>  (tty/ttyACM0): released by modem /sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Cinterion) [ttyACM0] error when checking support: '(Cinterion) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Nokia) [ttyACM0] error when checking support: '(Nokia) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Iridium) [ttyACM0] error when checking support: '(Iridium) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Generic) [ttyACM0] error when checking support: '(Generic) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:33 DeepThought ModemManager[511]: <warn>  Couldn't find support for device at '/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2': not supported by any plugin
Nov 11 11:27:35 DeepThought wpa_supplicant[837]: nl80211: send_and_recv->nl_recvmsgs failed: -33
Nov 11 11:27:36 DeepThought kernel: [  226.092142] usb 8-2: new high-speed USB device number 4 using ehci-pci
Nov 11 11:27:37 DeepThought kernel: [  226.225936] usb 8-2: New USB device found, idVendor=1949, idProduct=0241
Nov 11 11:27:37 DeepThought kernel: [  226.225945] usb 8-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
Nov 11 11:27:37 DeepThought kernel: [  226.225951] usb 8-2: Product: FireTV
Nov 11 11:27:37 DeepThought kernel: [  226.225956] usb 8-2: Manufacturer: Amazon
Nov 11 11:27:37 DeepThought kernel: [  226.225961] usb 8-2: SerialNumber: G070GV05544205DE
Nov 11 11:27:37 DeepThought mtp-probe: checking bus 8, device 4: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:37 DeepThought mtp-probe: bus: 8, device: 4 was an MTP device

After taking a closer look at my syslog and doing some research on problems with /dev/ttyACM0, I finally found the problem. It's the modemmanager. That service immediately "grabs" the device and tries to do some invalid settings, which leads to a near immediate disconnect.

After I uninstalled the modemmanager (which seemed preinstalled in Debian jessie, at least I never installed it on purpose) with
Code:
apt-get remove modemmanager
both of my problems were gone. The device stayed up for 3 seconds and after reboot of the Fire TV it had the same devicename /dev/ttyACM0 again. So I could undo my changes to the handshake script and had instant success with it.

Now I'll try rooting. WHOOT!
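The syslog diagnosis from the post above, as an added example (not part of the original post or of aftv2-tools): it scans syslog lines for each time the MediaTek preloader's serial port appears, measures how long the port stayed attached, and flags whether ModemManager touched it. The first six sample lines are copied from the syslog in that post; the last three are constructed to show an undisturbed session, and the function and field names are assumptions.

```python
import re

KERNEL = re.compile(r"kernel: \[\s*(?P<ts>\d+\.\d+)\] (?P<msg>.*)$")
NEW_DEV = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4})")
ACM = re.compile(r"cdc_acm (?P<path>[\d.-]+):[\d.]+: (?P<tty>ttyACM\d+): USB ACM device")
GONE = re.compile(r"usb (?P<path>[\d.-]+): USB disconnect")
MM = re.compile(r"ModemManager\[\d+\]: .*\((?:tty/)?(?P<tty>ttyACM\d+)\)")

PRELOADER_VID = "0e8d"  # vendor ID shown for "MT65xx Preloader" in the post's syslog

SAMPLE = """\
Nov 11 11:27:28 DeepThought kernel: [  217.460463] usb 8-2: USB disconnect, device number 2
Nov 11 11:27:31 DeepThought kernel: [  220.741857] usb 8-2: New USB device found, idVendor=0e8d, idProduct=2000
Nov 11 11:27:31 DeepThought kernel: [  220.855737] cdc_acm 8-2:1.1: ttyACM0: USB ACM device
Nov 11 11:27:31 DeepThought kernel: [  220.924931] usb 8-2: USB disconnect, device number 3
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (ttyACM0): tcgetattr() error: 5
Nov 11 11:27:31 DeepThought ModemManager[511]: <info>  (tty/ttyACM0): released by modem /sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2
Nov 11 11:40:00 DeepThought kernel: [  400.000000] usb 8-2: New USB device found, idVendor=0e8d, idProduct=2000
Nov 11 11:40:00 DeepThought kernel: [  400.100000] cdc_acm 8-2:1.1: ttyACM0: USB ACM device
Nov 11 11:40:03 DeepThought kernel: [  403.100000] usb 8-2: USB disconnect, device number 5
"""  # last three lines are constructed, not from the post


def preloader_sessions(lines):
    """Return one dict per preloader serial-port appearance found in the log."""
    sessions, vid_by_path, open_by_path = [], {}, {}
    for line in lines:
        k = KERNEL.search(line)
        if k:
            ts, msg = float(k["ts"]), k["msg"]
            if m := NEW_DEV.match(msg):
                vid_by_path[m["path"]] = m["vid"]
            elif m := ACM.match(msg):
                # only count ttys that belong to a device with the preloader vendor ID
                if vid_by_path.get(m["path"]) == PRELOADER_VID:
                    s = {"tty": m["tty"], "attached": ts,
                         "lifetime": None, "modemmanager": False}
                    sessions.append(s)
                    open_by_path[m["path"]] = s
            elif m := GONE.match(msg):
                vid_by_path.pop(m["path"], None)
                s = open_by_path.pop(m["path"], None)
                if s:
                    s["lifetime"] = round(ts - s["attached"], 3)
            continue
        if m := MM.search(line):
            # attribute the ModemManager message to the latest session on that tty
            for s in reversed(sessions):
                if s["tty"] == m["tty"]:
                    s["modemmanager"] = True
                    break
    return sessions


if __name__ == "__main__":
    for s in preloader_sessions(SAMPLE.splitlines()):
        note = "ModemManager touched the port" if s["modemmanager"] else "undisturbed"
        print(f'{s["tty"]}: attached {s["lifetime"]} s, {note}')
```
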
11th November 2015, 10:10 AM |#9  
Junior Member
Thank you very much for your efforts!

I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?

I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?

I can just follow your steps above and root the FTV2?
11th November 2015, 11:25 AM |#10  
Member
Quote:
Originally Posted by gu3stZA

Thank you very much for your efforts!

I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?

I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?

I can just follow your steps above and root the FTV2?

Yes, you're right. No need to solder anything. You just need the tools stated in the instructions.
Hardware:
- a computer running Linux (or something very close)
- an A to A USB cable
Software:
- python3 and python3-serial packages
- adb package (not necessary but recommended)
- zeroepoch's scripts and patchfiles

That said, a certain amount of base knowledge regarding Linux doesn't hurt.
11th November 2015, 12:10 PM |#11  
Junior Member
Thanks! I've played around with Linux but would definitely classify myself as a beginner. I guess we'll see how user-friendly the instructions are