Read this whole guide before starting.
This is for the 2nd gen Fire TV Stick (tank)
Current relase: amonet-tank-v1.2.2.zip
NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that where manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.
NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting
To update to the current release if you are already unlocked, just flash the zip in TWRP.
What you need:
- A Linux installation or live-system
- A micro-USB cable
- Something conductive (paperclip, tweezers etc)
- Something to open the stick.
NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot
Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
1. Extract the attached zip-file
"amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:
It should now say
Waiting for bootrom.
Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.
NOTE:
In
lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.
dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00
4. When the script asks you to remove the short, remove the short and press enter.
5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step
2.
6. Your device should now reboot into unlocked fastboot state.
7. Run
8. Wait for the device to reboot into TWRP.
9. Use TWRP to flash custom ROM, Magisk etc.
NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.
NOTE:
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.
Very special thanks to
@xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to
@hwmod for doing initial investigations and providing the attached image.