[GUIDE] Hardware root via emmc chip (requires soldering!)

superkoal

So there is a guide from gtvhacker on how to hook up an sdcard reader to the FireTV's emmc chip and mount it on a linux machine to put the superuser binary and SuperSU.apk onto the system partition.
Link to the guide

xXhighpowerXx managed to do it and put together a tutorial on youtube, big thanks to him!
Link to his post

Also there is this detailed blog post by derPeter; I recommend reading it to everyone interested in this hardware hack. Link to the post

This requires disassembling the fireTV, soldering electronic parts and also basic linux skills (and a linux machine)!
Try at your own risk!

Also he updated the information in the GTVHacker wiki linked above, so everything you need to know is there.

MAKE SURE TO ALSO READ THIS POST, AS THERE IS A SOLID RISK OF BRICKING YOUR DEVICE IF YOU ARE NOT CAREFUL! Thanks to ingrimsch for talking to the gtv guys on IRC and providing the log.
 

simondo22

So I have to solder the 5 data lines, the cmd, clk, vcc, vss points to an sdcard sniffer and unplug the fire tv?

The sniffer goes in the PC. Rest is software.


 

sammy98

> So I have to solder the 5 data lines, the cmd, clk, vcc, vss points to an sdcard sniffer and unplug the fire tv?
>
> The sniffer goes in the PC. Rest is software.

Alright - just soldered as provided - the connections are fine on the pcb - connected with the sd-card sniffer pinouts, but no luck.
I used gnd from the power supply shield. No emmc visible in dmesg.
FireTV is not powered and only the emmc is connected to the reader. Same reader works fine with another emmc chip ...

Sammy98
 

simondo22

Could it be that the electrical current which comes from the reader (PC) is too low?
Because it has to supply the whole fire tv

 

sammy98

> Could it be that the electrical current which comes from the reader (PC) is too low?
> Because it has to supply the whole fire tv

No, the reader should only power the emmc chip. That's why we asked where to connect vcc and vss. Ground should not be the problem.
I will stop playing now as we want to watch a movie. When the pinout is clear, I will open up the ftv again.

Sammy98
 

simondo22

But vss and vcc are connected in parallel to other chips on the board, so the "I" (ampere) divides maybe

 

sammy98

> But vss and vcc are connected in parallel to other chips on the board, so the "I" (ampere) divides maybe

Yep, but how much current and ampere should be used on what pins? A perhaps 1.7V on the pin like in the pinout is not enough for me to try that and probably fry the atv

Sammy98
 

sammy98

I guess the voltage or pins are the culprit. I did not power the atv and will not while connected to the reader. I don't write the emmc while the system is using it

 
Sep 25, 2013
43
7
0
Hi,

I can find via Google these 'SD Card Sniffer Sparkfun' (different versions: TOL-11468 and TOL-09419) and also e.g. 'MicroSD Breakout', and maybe I have an idea how to solder/connect the TOLs to the pcb (CMD, CLK, DAT0 I can find (not really difficult) but not VCC, VSS), BUT I have no idea what I have to do after that and how (or maybe I'm also wrong from the start)...
Can someone point me in the right direction?

THX

EDIT:
Maybe I understand it:
1. soldering / connecting the pins at the pcb with wire to the pins at the TOL
2. place the TOL into a card-reader at e.g. PC or another BOX
3. mount the SD card... (but there I don't know how to identify the system-MTD)
 

sammy98

> Hi,
>
> I can find via Google these 'SD Card Sniffer Sparkfun' (different versions: TOL-11468 and TOL-09419) and also e.g. 'MicroSD Breakout', and maybe I have an idea how to solder/connect the TOLs to the pcb (CMD, CLK, DAT0 I can find (not really difficult) but not VCC, VSS), BUT I have no idea what I have to do after that and how (or maybe I'm also wrong from the start)...
> Can someone point me in the right direction?
>
> THX

Did you even read the last posts in the current thread concerning vss and vcc? We don't know either.

> EDIT:
> Maybe I understand it:
> 1. soldering / connecting the pins at the pcb with wire to the pins at the TOL
> 2. place the TOL into a card-reader at e.g. PC or another BOX
> 3. mount the SD card... (but there I don't know how to identify the system-MTD)

The steps 1-3 are correct. The emmc only has a read/writable ext4 according to the gtv hacker.
If you don't know how to mount the ext4 of the sd-card, you probably should not begin to solder.
 
Sep 25, 2013
43
7
0
> Did you even read the last posts in the current thread concerning vss and vcc? We don't know either.

Yes, I read it, but I ALSO have no idea (that's what I want to say)...

> The steps 1-3 are correct. The emmc only has a read/writable ext4 according to the gtv hacker.
> If you don't know how to mount the ext4 of the sd-card, you probably should not begin to solder.

Mounting isn't a problem, but I'm wondering whether the eMMC only contains one "partition", because of the different MTDs (but that is something I don't understand because I have never done it before THIS way via an 'SD Card Sniffer')...
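
For the partition question above, and given the bricking risk flagged in the first post, a cautious order of operations is: list the layout, take an image whose hash is confirmed by a second full read, and only then mount read-only. This is an added example and not part of any post in the thread; `/dev/sdX` is a placeholder and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the reader exposes the eMMC
# as a block device (/dev/sdX is a placeholder); a regular file works too.

# show_layout DEV: list every partition with size, filesystem and label.
show_layout() {
    lsblk -o NAME,SIZE,FSTYPE,LABEL "$1"
}

# read_hash SRC: SHA-256 of one full read of SRC.
read_hash() {
    dd if="$1" bs=1048576 2>/dev/null | sha256sum | cut -d' ' -f1
}

# image_verified SRC DEST: copy SRC to DEST, then read SRC again and compare.
# Differing hashes mean the reads are not stable (marginal wiring or supply),
# so nothing should be written through that connection. Prints the hash.
image_verified() {
    src=$1
    dest=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 3; fi
    dd if="$src" of="$dest" bs=1048576 2>/dev/null || return 4
    first=$(sha256sum "$dest" | cut -d' ' -f1)
    # Drop cached blocks so the second pass reads the chip again
    # (needs root; ignored if it fails).
    if [ -b "$src" ]; then blockdev --flushbufs "$src" 2>/dev/null || true; fi
    second=$(read_hash "$src")
    if [ "$first" != "$second" ]; then
        echo "read mismatch: $first vs $second" >&2
        return 5
    fi
    chmod a-w "$dest"
    printf '%s\n' "$first"
}

# mount_ro PART DIR: mount one ext4 partition read-only without replaying
# the journal, so looking around changes nothing on the chip (needs root).
mount_ro() {
    mount -t ext4 -o ro,noload "$1" "$2"
}
```

Run `show_layout /dev/sdX` first, then `image_verified /dev/sdX ftv-emmc.img`; a non-zero exit from the second means the connection is not yet reliable enough to write through.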
 

ingrimsch

hey guys,

I don't have my FTV yet, so I can't try hooking up the EMMC to the SD Sniffer myself yet, but maybe I can supply you with some info I found in the datasheets. I live in Germany, so my only option to get root access on the FTV will be the EMMC/SD way, which is why I follow this thread with great interest. ;)

@sammy98: are you able to measure the VCC/GND when the SD Sniffer is connected to your PC? As far as I know most SD Cards run on 3.3V, but will work on slightly higher and lower voltages (usually 2.7 to 3.6V). I'll make an educated guess and say if you measure VCC/GND on the Sniffer you will see a voltage of 3.3V.

According to an article here http://www.computerbase.de/2014-04/amazon-fire-tv-in-einzelteile-zerlegt the EMMC Chip is a Toshiba THGBM5G6A2JBAIR. So I peeked into the Datasheet (http://www.magic-sun.com.cn/product/download/pdf/13) and found a pinout plus the Power Supply Voltages for VccQ accepting voltages from 1.7 V to 1.95 V and 2.7 V to 3.6 V. So if the SD Sniffer supplies nice 3.3V as expected, we should be able to use it... just maybe not on the 1.8V spot shown in the UART picture :eek:

The only thing I have not found out yet is where to connect the 3.3 V voltage to supply the EMMC. In the Datasheet Pinout you can find the correct Pins for Vcc/VccQ, but as the EMMC is a BGA package, they are under the package. Too bad gtvhacker did not trace the Vcc lanes, so we now have to find a spot to inject the voltage to get the EMMC/SD bridge running...


Hope this helps in any way. Until I finally get my FTV (delivery date still unknown :crying:) I can only help in theory...
 

sammy98

> hey guys,
>
> @sammy98: are you able to measure the VCC/GND when the SD Sniffer is connected to your PC? As far as I know most SD Cards run on 3.3V, but will work on slightly higher and lower voltages (usually 2.7 to 3.6V). I'll make an educated guess and say if you measure VCC/GND on the Sniffer you will see a voltage of 3.3V.
>
> According to an article here http://www.computerbase.de/2014-04/amazon-fire-tv-in-einzelteile-zerlegt the EMMC Chip is a Toshiba THGBM5G6A2JBAIR. So I peeked into the Datasheet (http://www.magic-sun.com.cn/product/download/pdf/13) and found a pinout plus the Power Supply Voltages for VccQ accepting voltages from 1.7 V to 1.95 V and 2.7 V to 3.6 V. So if the SD Sniffer supplies nice 3.3V as expected, we should be able to use it... just maybe not on the 1.8V spot shown in the UART picture :eek:
>
> The only thing I have not found out yet is where to connect the 3.3 V voltage to supply the EMMC. In the Datasheet Pinout you can find the correct Pins for Vcc/VccQ, but as the EMMC is a BGA package, they are under the package. Too bad gtvhacker did not trace the Vcc lanes, so we now have to find a spot to inject the voltage to get the EMMC/SD bridge running...

Yes, I measured the power of the reader and therefore I decided to put the 1,7V on the pin of the uart with an external device. Did not work, as I wrote.
I read the datasheet too, but as the gtv hackers did not measure out the vcc (or did not find the pin), we need the spot to inject the voltage.

Sammy98