[ROOT] Amazon Fire TV Gen 2 (4k)

Search This thread

zeroepoch

Senior Member
There is an updated thread now for rooting the AFTV2 that supports both 5.0.3.1 and 5.0.4 and maybe others in the future, see http://xdaforums.com/fire-tv/general/root-amazon-fire-tv-2-updated-t3277556. The new method is simpler than this method and requires less to download and less steps to run.

To be safe run checkver.py every time you handshake since 5.0.4 is starting to roll out! Checkout the 5.0.3.1 tag in order to use this older method.

If you were able to root your AFTV2 we'd appropriate if you report your success on the poll located here.

NOTE: Root was obtained a few weeks ago so... this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. There are ideas and some work in progress to make it easier. It depends also on serial port stability, which is somewhat random luck. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven't been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.

Root the Device

It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as backup the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 5.0.3.1. You should also have a unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times. If it keeps hanging try a different computer.

To get started you will need a system that meets the following requirements:

  • Linux (Mac OS X or Windows w/ changes)
  • Python 3.x
  • PySerial
    • sudo yum install python3-pyserial # Fedora or RedHat
    • sudo apt-get install python3-serial # Ubuntu or Debian
  • USB Male A to Male A cable
  • R/W access to /dev/ttyACM0 (or use sudo)
  • ADB USB access (optional, but helpful)
  • Stop ModemManager (if you have it setup, which blocks handshaking)

Now run the following sequence of commands:

Code:
git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
cd aftv2-tools
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
gunzip system.root.img.gz
gunzip system.diff.gz
adb reboot ; ./handshake.py  # or restart but run ./handshake.py first
./checkver.py  # STOP if it reports NO!
./patch_mmc.hs 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
# last address is 0x50dce600

For Macs (see post #115, thanks @ians325) to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".

Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo but the README is constantly evolving. @ImCoKeMaN (big thanks) and myself are working to improve the process and make it easier for Windows users.

Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns, https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB found here (by @BagiMT).

To test that root is working you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.

If you would like to disable updates after rooting you can use the following commands:

Code:
adb shell
su
pm disable com.amazon.device.software.ota

To go back to stock in case you want to update or for whatever other reason:

Code:
wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
gunzip system.orig.img.gz
adb push system.orig.img /data/local/tmp
adb shell
su
pm enable com.amazon.device.software.ota
dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
sync
reboot

I don't always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and changing the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.

Background Info

This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.

The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module but no ETA yet. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have add SuperSU binaries to the system partition.

Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.

Tips

If you want to disable the pop-up message when becoming root you can change notify=1 to notify=0 in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)

Special Thanks

 
Last edited:

reiteravi

Senior Member
Feb 14, 2007
373
36
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...
 

CiDhed

Senior Member
May 14, 2009
505
114
St. Louis
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...

Yeah, mine pre-ordered one is still in a box so I'd need to update it too. I guess I can do that tonight before a new version comes out.
 

zeroepoch

Senior Member
great news
i never powered on my unit - awaiting root
can we have a 5.0.3.1 image to safely flash before root
otherwise the system might update to different version
now that rooting is out
amazon might be quick ...

Unfortunately you will need to do a normal update first before patching the system partition. It just takes too long to flash a full system image, original or modified, using the methods we have available to us now. Also the boot partition and other partitions are updated with each OTA. I hope we can continue to provide rooted versions of updated system images, but as you know there is no guarantee of that. I'd update now before there is any new updates and then root it. We could in theory root the older versions as well and even before first boot, but without the OTA updates and applying them in reverse I can't go back and patch the older releases. I strongly think the method used to write the system partition can not be fixed since I believe the preloader code is in a ROM.
 
  • Like
Reactions: 1Xfan

zeroepoch

Senior Member
Mac Update

A few notes for Mac users willing to experiment a little:

I installed python 3.5.0 for Mac OS X from python.org and then ran "sudo pip3 install pyserial" to install pyserial for python 3.x. The final change I needed to make was to change PORT in handshake.py and read_mmc.py/write_mmc.py (only tested reading the boot partition, but everything else should work). In my case the PORT was /dev/cu.usbmodem1430. The device filename seems to be based on the USB port it's connected to. I'm not sure if there is an easier way to find the device filename besides scanning /dev and looking for new devices matching a given pattern. Maybe others on this forum have some better ideas. The final caveat was I need to unplug and replug the USB cable after the handshake completed otherwise the read_mmc.py script would hang on the first read.
 
Last edited:
Mar 8, 2010
12
7
Bay Area, CA
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:

Code:
0e450c032ddce170667ba3ddc26cb960  DKB
a3ad800f012a153953b403ef1fa36e14  EXPDB
d693da95eb68b40e4315333bcf74918b  KB
50f24ce4c7ac388b33310bff6f79636a  LOGO
59071590099d21dd439896592338bf95  MISC
f9b5ef697fde92c42bbbec35e5a6cad4  PRO_INFO
8a9d058f87711c2e8ccc698647f5026b  TEE1
eda2733e1d0214873d9cb9d78c68425f  TEE2
97a2ccdb7a02838b26b9a57e4f31d51d  boot
fbd20aa58cd63c07392080cad7627e18  lk
74f0bac463bae8141acf20594987a559  recovery
a06c3d6a8c73923ed5c38b479c4410d3  system

So my DKB, KB, and system partitions are different from yours.
 
  • Like
Reactions: zeroepoch

zeroepoch

Senior Member
I succeeded in rooting mine! For comparison purposes, here's the md5sums of my partitions:

Code:
0e450c032ddce170667ba3ddc26cb960  DKB
a3ad800f012a153953b403ef1fa36e14  EXPDB
d693da95eb68b40e4315333bcf74918b  KB
50f24ce4c7ac388b33310bff6f79636a  LOGO
59071590099d21dd439896592338bf95  MISC
f9b5ef697fde92c42bbbec35e5a6cad4  PRO_INFO
8a9d058f87711c2e8ccc698647f5026b  TEE1
eda2733e1d0214873d9cb9d78c68425f  TEE2
97a2ccdb7a02838b26b9a57e4f31d51d  boot
fbd20aa58cd63c07392080cad7627e18  lk
74f0bac463bae8141acf20594987a559  recovery
a06c3d6a8c73923ed5c38b479c4410d3  system

So my DKB, KB, and system partitions are different from yours.

That is awesome news! The first confirmed case I've heard of someone else repeating my success :D

About the DKB and KB partitions being different it makes me wonder what those partitions are for? I didn't include cache and userdata in the MD5SUM of course, which you noticed, because those change all the time. NVRAM when I looked inside appeared to have a few things that looked to be device specific. The system partition being different is actually expected because I found every time I rebooted my system partition changed checksums. Also that is the MD5SUM of the unmodified system partition. I noticed this weird MD5SUM behavior when I was first gaining root and doing some sanity checks. It happens right after daemonsu is started. My best guess is that the SuperSU tools mount the system r/w quickly and that causes the last mounted timestamp to change. Don't know for sure what causes it, but don't worry that's not unexpected. The main reason I kept those hashes in the repo was so when the next version comes out I know which partitions were changed and need to be updated by users who wish to maintain root.
 

skyball2

Member
Jun 25, 2009
37
15
------------------SOLVED-----------------
Please read on if you have problems with handshake script looping forever...
-----------------------------------------------

Hi zeroepoch,

meanwhile I received my Fire TV 2 and tried your scripts but unfortunately without success.

As far as I can see, there are 2 problems:

- The /dev/ttyACM0 device appears on rebooting the Fire TV, but only for some 100th of a second, then it disconnects again.
- If I give it another try, the device will appear as /dev/ttyACM1, next time /dev/ttyACM2, aso.. So I either have to update the handshake script for every try or reboot my computer (then it starts with /dev/ttyACM0 again).

When I first tried it, the handshake-script ran forever, it just missed the short time of availability of /dev/ttyACM0. So I reduced the sleep-timeout in the script from 0.25 to 0.001. Now the handshake script detects the serial device but runs into an I/O Error during one of the next steps (each time different, seems to be a "race condition").

Can you offer any advice? Could my Laptop be too slow somehow or is there some trick to make the Fire TV keep the port open for a longer time?

Greetings, Christian

Code:
shell:

root@DeepThought:~/aftv2-tools#  adb reboot ; ./handshake.py
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Traceback (most recent call last):
  File "./handshake.py", line 17, in <module>
    dev = serial.Serial(PORT, BAUD)
  File "/usr/lib/python3/dist-packages/serial/serialutil.py", line 261, in __init__
    self.open()
  File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 282, in open
    self._reconfigurePort()
  File "/usr/lib/python3/dist-packages/serial/serialposix.py", line 413, in _reconfigurePor                                          t
    termios.tcsetattr(self.fd, TERMIOS.TCSANOW, [iflag, oflag, cflag, lflag, ispeed, ospeed                                          , cc])
termios.error: (5, 'Input/output error')

Code:
/var/log/syslog;

Nov 11 11:25:41 DeepThought systemd[1111]: Reached target Default.
Nov 11 11:25:41 DeepThought systemd[1111]: Startup finished in 15ms.
Nov 11 11:27:28 DeepThought kernel: [  217.460463] usb 8-2: USB disconnect, device number 2
Nov 11 11:27:31 DeepThought kernel: [  220.608049] usb 8-2: new high-speed USB device number 3 using ehci-pci
Nov 11 11:27:31 DeepThought kernel: [  220.741857] usb 8-2: New USB device found, idVendor=0e8d, idProduct=2000
Nov 11 11:27:31 DeepThought kernel: [  220.741860] usb 8-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 11 11:27:31 DeepThought kernel: [  220.741862] usb 8-2: Product: MT65xx Preloader
Nov 11 11:27:31 DeepThought kernel: [  220.741864] usb 8-2: Manufacturer: MediaTek
Nov 11 11:27:31 DeepThought mtp-probe: checking bus 8, device 3: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:31 DeepThought mtp-probe: bus: 8, device: 3 was not an MTP device
Nov 11 11:27:31 DeepThought kernel: [  220.855737] cdc_acm 8-2:1.1: ttyACM0: USB ACM device
Nov 11 11:27:31 DeepThought kernel: [  220.884047] usbcore: registered new interface driver cdc_acm
Nov 11 11:27:31 DeepThought kernel: [  220.884050] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
Nov 11 11:27:31 DeepThought kernel: [  220.924931] usb 8-2: USB disconnect, device number 3
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (ttyACM0): tcgetattr() error: 5
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (ttyACM0): port attributes not fully set
Nov 11 11:27:31 DeepThought kernel: [  220.928861] cdc_acm 8-2:1.1: failed to set dtr/rts
Nov 11 11:27:31 DeepThought ModemManager[511]: <info>  (tty/ttyACM0): released by modem /sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Cinterion) [ttyACM0] error when checking support: '(Cinterion) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Nokia) [ttyACM0] error when checking support: '(Nokia) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Iridium) [ttyACM0] error when checking support: '(Iridium) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:31 DeepThought ModemManager[511]: <warn>  (Plugin Manager) (Generic) [ttyACM0] error when checking support: '(Generic) Missing port probe for port (tty/ttyACM0)'
Nov 11 11:27:33 DeepThought ModemManager[511]: <warn>  Couldn't find support for device at '/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2': not supported by any plugin
Nov 11 11:27:35 DeepThought wpa_supplicant[837]: nl80211: send_and_recv->nl_recvmsgs failed: -33
Nov 11 11:27:36 DeepThought kernel: [  226.092142] usb 8-2: new high-speed USB device number 4 using ehci-pci
Nov 11 11:27:37 DeepThought kernel: [  226.225936] usb 8-2: New USB device found, idVendor=1949, idProduct=0241
Nov 11 11:27:37 DeepThought kernel: [  226.225945] usb 8-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
Nov 11 11:27:37 DeepThought kernel: [  226.225951] usb 8-2: Product: FireTV
Nov 11 11:27:37 DeepThought kernel: [  226.225956] usb 8-2: Manufacturer: Amazon
Nov 11 11:27:37 DeepThought kernel: [  226.225961] usb 8-2: SerialNumber: G070GV05544205DE
Nov 11 11:27:37 DeepThought mtp-probe: checking bus 8, device 4: "/sys/devices/pci0000:00/0000:00:1d.7/usb8/8-2"
Nov 11 11:27:37 DeepThought mtp-probe: bus: 8, device: 4 was an MTP device

After taking a closer look at my syslog and doing some research on problems with /dev/ttyACM0, I finally found the problem. It's the modemmanager. That service immmediately "grabs" the device and tries to do some invalid settings, which leads to an near immediate disconnect.

After I uninstalled the modemmanger (which seemed preinstalled in debian jessie, at least I never installed it on purpose) with
Code:
apt-get remove modemmanager
both of my problems were gone. The device stayed up for 3 seconds and after reboot of the Fire TV it had the same devicename /dev/ttyACM0 again. So I could undo my changes to the handshake script and had instant success with it.

Now I'll try rooting. WHOOT!
 
Last edited:
  • Like
Reactions: zeroepoch

gu3stZA

Member
Nov 4, 2015
6
1
Thank you very much for your efforts!

I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?

I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?

I can just follow your steps above and root the FTV2?
 

skyball2

Member
Jun 25, 2009
37
15
Thank you very much for your efforts!

I'd just like to check my understanding - are the instructions you posted comprehensive to obtaining root from absolute scratch?

I know soldering of eMMC and such things were used in development, but that is not needed now after you've done the hard work, correct?

I can just follow your steps above and root the FTV2?

Yes, you're right. No need to solder anything. You just need the tools stated in the instructions.
Hardware:
- a computer running Linux (or something very close)
- a A to A USB cable
Software:
- python3 and python3-serial packages
- adb package (not necessary but recommended)
- zeroepochs scripts and patchfiles

That said, a certain amount of base knowledge regarding Linux doesn't hurt ;).
 
  • Like
Reactions: zeroepoch

gu3stZA

Member
Nov 4, 2015
6
1
Thanks! I've played around with Linux but would definitely classify myself as a beginner. I guess we'll see how user-friendly the instructions are :)
 

Jay794

Senior Member
Nov 3, 2012
488
50
This is good news, definitely progress, could this be integrated into ADBFire for windows
 

Savage13

Senior Member
Jul 4, 2012
88
38
By any chance does this root work for the original fire TV ?

Sent from my SM-N910F using Tapatalk
 

Top Liked Posts

  • There are no posts matching your filters.
  • 29
    There is an updated thread now for rooting the AFTV2 that supports both 5.0.3.1 and 5.0.4 and maybe others in the future, see http://xdaforums.com/fire-tv/general/root-amazon-fire-tv-2-updated-t3277556. The new method is simpler than this method and requires less to download and less steps to run.

    To be safe run checkver.py every time you handshake since 5.0.4 is starting to roll out! Checkout the 5.0.3.1 tag in order to use this older method.

    If you were able to root your AFTV2 we'd appropriate if you report your success on the poll located here.

    NOTE: Root was obtained a few weeks ago so... this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. There are ideas and some work in progress to make it easier. It depends also on serial port stability, which is somewhat random luck. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven't been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.

    Root the Device

    It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as backup the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 5.0.3.1. You should also have a unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times. If it keeps hanging try a different computer.

    To get started you will need a system that meets the following requirements:

    • Linux (Mac OS X or Windows w/ changes)
    • Python 3.x
    • PySerial
      • sudo yum install python3-pyserial # Fedora or RedHat
      • sudo apt-get install python3-serial # Ubuntu or Debian
    • USB Male A to Male A cable
    • R/W access to /dev/ttyACM0 (or use sudo)
    • ADB USB access (optional, but helpful)
    • Stop ModemManager (if you have it setup, which blocks handshaking)

    Now run the following sequence of commands:

    Code:
    git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
    cd aftv2-tools
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
    gunzip system.root.img.gz
    gunzip system.diff.gz
    adb reboot ; ./handshake.py  # or restart but run ./handshake.py first
    ./checkver.py  # STOP if it reports NO!
    ./patch_mmc.hs 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
    # last address is 0x50dce600

    For Macs (see post #115, thanks @ians325) to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".

    Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo but the README is constantly evolving. @ImCoKeMaN (big thanks) and myself are working to improve the process and make it easier for Windows users.

    Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns, https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB found here (by @BagiMT).

    To test that root is working you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.

    If you would like to disable updates after rooting you can use the following commands:

    Code:
    adb shell
    su
    pm disable com.amazon.device.software.ota

    To go back to stock in case you want to update or for whatever other reason:

    Code:
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
    gunzip system.orig.img.gz
    adb push system.orig.img /data/local/tmp
    adb shell
    su
    pm enable com.amazon.device.software.ota
    dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
    sync
    reboot

    I don't always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and changing the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.

    Background Info

    This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.

    The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module but no ETA yet. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have add SuperSU binaries to the system partition.

    Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.

    Tips

    If you want to disable the pop-up message when becoming root you can change notify=1 to notify=0 in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)

    Special Thanks

    10
    5.0.4 Preloader Still Usable

    I finally got the 5.0.4 update. I took a chance based on other users comments and decide to revert to stock and take the update. Good news is that 5.0.4 still has all the functionality needed in the preloader to root. I was able to read out a file change a byte and write it back as kind of test of the interface. Next step is to hack it enough to dump the original image file and then prepare a rooted image file. No promises on ETA but I wanted to at least let people know it should be possible to root 5.0.4 if it has that version out of the box.
    7
    Simpler Rooting

    @ImCoKeMaN and I have been working to simplify the rooting steps, especially for Windows users. We now have a single script that does the handshaking, version check, and patching with resume. It also includes the Windows drivers and patch files in the zip file. This is the only file you need to download now. Windows users no longer need to install python. You can find it below:

    http://download.zeroepoch.com/aftv2/5.0.3.1/root-aftv2-5.0.3.1.zip

    The underlying method is still the same just streamlined so it's going to take 2 hours or more as usual.


    Windows Users:

    1. Install the included drivers following this guide, http://thebroodle.com/microsoft/win...loader-usb-vcom-drivers-in-windows/#arvlbdata
    2. Run root_aftv2.bat after unzipping the file


    Linux Users:

    1. Install pyserial for python 3 from your distro
    2. Run root_aftv2.py after unzipping the file (try with sudo)


    Mac OS X Users:

    1. Install Python 3.5 from python.org
    2. Install pyserial from the terminal (pip install pyserial)
    3. Run root_aftv2.py after unzipping the file


    If these instructions don't make sense then you should follow the original steps instead for now. Providing any feedback would be appreciated if you believe you know what the problem is. It's been tested on Linux and Windows 10, not yet on OS X, but it's mostly just a combination of the previous steps and safe to run many times or switch back to the older method if something happens.

    Still not sure yet if 5.0.4 will be rootable for devices already on that firmware or how easy it will be to upgrade, but we're hoping this new approach might help people get rooted before the update comes out. If feedback seems pretty positive we can starting switching the guides over to this method.
    6
    How to Install on Mac, (Do Not Use El Captain)

    Stage 1)
    Install Xcode (Get it from App Store) or get command line
    http://osxdaily.com/2014/02/12/install-command-line-tools-mac-os-x/
    Install Fastboot and Adb
    1)Download this Android.zip file to your Mac.
    2)Extract the .zip and place the Android folder on your Desktop.
    3)Open Terminal and type:
    Code:
    cd Desktop/Android
    4)Now install ADB and Fastboot: ./ADB-Install-Mac.sh
    5)Allow the script to run and you'll be all set. Now the ADB and Fastboot files will be placed in /usr/bin/ on your Mac.
    if this does not work then manuall copy files to /usr/bin/


    Stage 2)
    1) install python 3.5.0 for Mac OS X from python.org
    2) Install pyserial.
    Open Terminal type
    Code:
    sudo pip3 install pyserial

    Stage 3)
    1)Turn on Amazon Fire TV
    2)From the main (Launcher) screen, select Settings.
    3)Select System > Developer Options.
    4)Select ADB Debugging.
    5)Select USB Debugging.
    6)Now Plug usb to firetv and mac usb

    Stage 4)
    1)Open Terminal on Mac
    2)Copy and Paste
    Code:
    cd aftv2-tools
    curl -O http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
    curl -O http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
    gunzip system.root.img.gz
    gunzip system.diff.gz

    3)Open Second Terminal,
    2)Copy and Paste
    Code:
    while true ; do ls -l /dev/cu.usbmodem* ; sleep 1 ; done
    This show appear
    "ls: /dev/cu.usbmodem*: No such file or directory"

    4)Goto first terminal and copy & paste
    Code:
    adb reboot

    5) Go Back to 2nd terminal and look for
    and look for some thing like this
    "ls: /dev/cu.usbmodem*: No such file or directory"
    "crw-rw-rw- 1 root wheel 22, 11 17 Nov 04:09 /dev/cu.usbmodem2410"
    press ctrl c stop command,

    6) Open Textedit and copy your /dev/cu.usbmodem(your number)
    7) Close terminal 2
    Stage 5

    1) In Finder Click on your home directory (House Symbol),
    2 now click on aftv2-tools directory
    3) Open with Textedit handshake.py
    Look for
    "PORT = "/dev/ttyACM0"
    BAUD = 115200"

    4) Goto Textedit where you copied your "dev/cu.usbmodem" copy that.

    5) Go back to Handshake.py and change to "PORT="(your copyied dev/cu.usbmodem "
    Example
    PORT = "/dev/cu.usbmodem2410"
    save file
    6) Now repeat process on the following files write_mmc.py, read_mmc.py.

    Stage 6
    1) In first open terminal
    2) Copy and Paste
    Code:
    adb reboot ; ./handshake.py
    3)Wait for Handshake, to state "Handshake Complete" on Screen
    4) Disconnect USB Cable and Reconnect USB Cable
    5) In terminal copy and paste
    Code:
    ./patch_mmc.sh 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
    # last address is 0x50dce600
    6) If working it shoud start look something (like this
    "Patching patch xxxxxxxxxx"
    1024+0 records in
    1024+0 records out
    1024 bytes (1.0 kB) copied, 0.00124629 s, 822 kB/s
    Addr: 0x50dce400
    Addr: 0x50dce600

    7) When done patching few files it while start patching address
    example:-
    Addr: 0x25bc2e00
    Addr: 0x25bc3000
    Addr: 0x25bc3200
    Addr: 0x25bc3400
    Addr: 0x25bc3600
    Addr: 0x25bc3800
    Addr: 0x25bc3a00
    8) Go Away for 2 hrs
    9) terminal will now display
    Patching patch_4b4ee400.img...
    1024+0 records in
    1024+0 records out
    1024 bytes transferred in 0.043781 secs (23389 bytes/sec)
    Addr: 0x50dce400
    Addr: 0x50dce600

    10) reboot Amazon Fire

    11) Go back to termial copy and paste
    Code:
    adb shell
    su
    12) Now on Amazon Fire TV Screen Super User Notice will display and you need to accept it

    13) Now go back to terminal and copy and pase
    Code:
    pm disable com.amazon.device.software.ota
    to Disable update

    ---------- Post added at 09:08 AM ---------- Previous post was at 09:05 AM ----------
    5
    I got the new zip prepared. Follow the link below for those who know what to do with it.

    http://download.zeroepoch.com/aftv2/5.0.4/root-aftv2-5.0.4.zip

    I'll get the guides updated some time in the near future. This is for going from stock. Need a bit more info before we suggest the way to update without reverting to stock.