Potential Fire Stick 2 Root?


k4y0z

Senior Member
Nov 27, 2015
1,468
2,051
It seems that the LK preset cmdline arguments have precedence over those in the boot image and that makes
it impossible to change them during the boot phase while we want to be able to override them in some specific cases.
As an example, how can I change the "root" argument to boot from an external device "root=/dev/block/mmcblk1p1" ?
Or, how can I change the predefined consoles or the other predefined arguments of the LK ?
That's the basic reason why I believe it should be done in the LK itself if it is possible.
I know there are alternatives like kexec but I would prefer they remain alternatives.

I would rather not do any more modifications to misc for that, but I'll think about it.
Why don't you just modify the initramfs to do what you need it to do (i.e. mount external device as system)?
 

el7145

Senior Member
Mar 21, 2012
474
128
NY
Samsung Galaxy Tab A7 Lite
First post, but yeah it would be great if we had someone develop a method for the fire tv 2 as well.

A temp root exploit was just released for the fire TV 2 (among other devices). I have tested it on the most current fire tv2 ver 5.2.6.9 and it works. The problem that fire TV 2 owners are having is turning that temp root into perm root, as current versions of super user apk won't open and the older version that I'm using opens, but fails to install the su binaries.

Maybe one of the gurus in this thread can take a look?

https://xdaforums.com/hd8-hd10/orig-development/experimental-software-root-hd-8-hd-10-t3904595
 

rbox

Recognized Developer
Apr 22, 2011
1,776
2,612
A temp root exploit was just released for the fire TV 2 (among other devices). I have tested it on the most current fire tv2 ver 5.2.6.9 and it works. The problem that fire TV 2 owners are having is turning that temp root into perm root, as current versions of super user apk won't open and the older version that I'm using opens, but fails to install the su binaries.

Maybe one of the gurus in this thread can take a look?

https://xdaforums.com/hd8-hd10/orig-development/experimental-software-root-hd-8-hd-10-t3904595

If you have a root shell, then running firetv2_recovery_v6.zip should work. https://xdaforums.com/fire-tv/development/firetv-2-recovery-t3309780
 

el7145

Senior Member
Mar 21, 2012
474
128
NY
Samsung Galaxy Tab A7 Lite
I noticed that v6 won't work with this root method. I have uploaded a v7. I have not tested it. It probably won't brick it.

https://www.mediafire.com/file/1y0m80ac167jgtr/firetv2_recovery_v7.zip/file


Worked absolutely perfectly, thank you so much for your work! This worked on the most recent fire tv update which I received a couple days ago, 5.2.6.9.

I was wondering, am I free to flash your 5.2.6.8 pre rooted image now? Or do I have to wait for a 5.2.6.9 pre rooted image?

Thanks again

EDIT: I went ahead and downgraded to 5.2.6.8 pre rooted and it flashed successfully without issue
 

el_turilo

New member
Aug 7, 2013
4
0
No problem pal, the important thing is that we now have it available also on the Fire TV Stick 2.
Awesome !!! Thank you so much from all owners of a Fire TV Stick 2. (codename tank).

I am trying different things ... up to now everything works as expected ... great !!!
If I may ask, with no rush, I would like to have more space for the kernel parameters in the LK payload.
It will become very useful as soon as new ROMs are built from developers, something like 256/512 bytes would be enough.
If necessary you could use the MISC partition so we will write the parameters there and LK will pick them up from MISC at boot.
Also the same functionality would be appreciated on the other device you already did the porting Fire 5th, Fire 7th and so on.

I am still looking to find a method to boot in "download mode" without having to open the device.
I will let you know in case I find quirks on this device or the remaining test points or pads..
Thank you again ! Have the best.

.:HWMOD:.

How do you boot the device in recovery mode?
 

Michajin

Senior Member
Oct 23, 2012
1,390
559
Here are the points marked on the PCB photo you sent.
UART RX / TX should be sure 100% (labelled in red).
DAT0 pad is also almost sure to be that (labelled in red).
CLK and CMD lines have a great chance to be those (labelled in yellow).
Since I do not own one of these devices I cannot be sure 100% so take this info as uncertain.

.:HWMOD:.

Yes this is the one. I am using the @k4y0z script for the fire 7. It gets the handshake and disables the watchdog. But I can confirm this is access to the bootrom and unlocking.

There was a cover slightly hiding that clk under it, I just slide a pin and it grounds really easy.
 

hwmod

Senior Member
Dec 12, 2011
309
279
Verona
How do you boot the device in recovery mode?

You can do it from network using:
Code:
adb connect <ip-address>
adb reboot recovery

or by loading a terminal app to the FireTV Stick and do:
Code:
reboot recovery

I believe there should also be a short-cut by using the remote control but I am not sure 100%.

.:HWMOD:.
 

Eyedoctor2

Senior Member
Oct 21, 2007
134
35

Attachments

  • error.JPG

rbox

Recognized Developer
Apr 22, 2011
1,776
2,612
Hey Rbox,

Thanks again for all you do for us!! I did a nandroid backup on my Fire TV 2 box using your v7 and received the attached message.

Hrm. I can't remember the last time I tested backup. If you're not switching back and forth between ROM versions, you can ignore it. If you are, then I would say you need to flash the matching stock rom image prior to restoring the backup. I'll add testing this to my list of things to do.
 

Eyedoctor2

Senior Member
Oct 21, 2007
134
35
Hrm. I can't remember the last time I tested backup. If you're not switching back and forth between ROM versions, you can ignore it. If you are, then I would say you need to flash the matching stock rom image prior to restoring the backup. I'll add testing this to my list of things to do.

Just to be sure, in order to flash the stock rom image would I just delete the su folder in the attached folder image and flash the remainder?
 

Attachments

  • sloane-5.2.4.2-rooted_r2.jpg

BIOYAM

Senior Member
Dec 3, 2007
406
158
Earth!
I noticed that v6 won't work with this root method. I have uploaded a v7. I have not tested it. It probably won't brick it.

https://www.mediafire.com/file/1y0m80ac167jgtr/firetv2_recovery_v7.zip/file

Just to confirm that v7 worked perfectly on a Gen 2 Box that had v5.2.6.6 on it. I also used rbox's pre-rooted v5.2.6.6_r1 because that seems to be the last version that works with Xposed while retaining full Alexa capabilities.....
Thank you rbox!
 

Top Liked Posts

  • 5
    Fire TV Stick 2 (tank): attempt to port the Mediatek hack

    Being the owner of a Fire TV 2 Stick (basic edition / tank) I am already working on it with success.

    I believe I will need the help of @k4y0z though, but I am already reading and writing the EMMC and
    I have already found all the needed pads and the CLK (clock) test point for shunting to ground
    and keep the processor from entering the bootrom code and stay in so called "download mode".

    I have also found the UART pins which will help speed up the development having a console log.

    I have been helping in the mentioned hack but I didn't write the Python code so I will need to ask
    @k4y0z to give a hand and maybe an arm too. The same hack has already passed the POC tests
    everything is possible also on this platform being the same mt8127 SoC we have to do with.

    Just a bit of patience and I will be able to upload reference photos and hopefully first working code
    in just a couple of weeks, maybe less. No soldering required but device must be opened apart.

    Pinging the right developer @k4y0z, hope he has the time and is willing to give more of his time.
    Vote and put your likes to show your interest.

    .:HWMOD:.
    3
    Being the owner of a Fire TV 2 Stick (basic edition / tank) I am already working on it with success.

    I believe I will need the help of @k4y0z though, but I am already reading and writing the EMMC and
    I have already found all the needed pads and the CLK (clock) test point for shunting to ground
    and keep the processor from entering the bootrom code and stay in so called "download mode".

    I have also found the UART pins which will help speed up the development having a console log.

    I have been helping in the mentioned hack but I didn't write the Python code so I will need to ask
    @k4y0z to give a hand and maybe an arm too. The same hack has already passed the POC tests
    everything is possible also on this platform being the same mt8127 SoC we have to do with.

    Just a bit of patience and I will be able to upload reference photos and hopefully first working code
    in just a couple of weeks, maybe less. No soldering required but device must be opened apart.

    Pinging the right developer @k4y0z, hope he has the time and is willing to give more of his time.
    Vote and put your likes to show your interest.

    .:HWMOD:.

    I'll have to see what Fire sticks I have here. I think I have 1 1st and a 2nd gen stick here.
    If It's also mt8127, have you tried running the preloader/lk/tz and lk-exploit from either 5th gen or 7th gen?
    Maybe one of these will already give twrp just like the 5th gen files did for the 7th gen?
    3
    Here is the picture of the PCB with marked CLK (clock) line and the UART TX and RX pins.
    The CLK (clock) test point must be shunted to ground (shield is OK) before connecting the device,
    this will prevent the bootloader from initializing the board and instead enter the download mode which
    is the starting point of the hack.