• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[ROOT] Amazon Fire TV Gen 2 (4k)

Search This thread

enderffx

Senior Member
Sep 16, 2011
204
25
HW rooting aftv2

aftv2 with 5.2.4.0 os version can't be rooted via software.

Hi !
I searched for a while but was unable to find a good tutorial / writeup / video on how to HW root the aftv, i found very detailed instructions for the Gen 1 aftv but not aftv2.
I do have the required emmc board but i never used it. I bought it for my first FireTV but then it was able to root it via Software so i left it in the drawer :)

If you know a good place that guides a emmc newbie a link would be very nice !

Greetings,

Ender

P.S: a friend has a BRICKED attv2, could i flash a new image via emmc or is emmc only "good" to copy over su binaries ?
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
Hi !
I searched for a while but was unable to find a good tutorial / writeup / video on how to HW root the aftv, i found very detailed instructions for the Gen 1 aftv but not aftv2.
I do have the required emmc board but i never used it. I bought it for my first FireTV but then it was able to root it via Software so i left it in the drawer :)

If you know a good place that guides a emmc newbie a link would be very nice !

Greetings,

Ender

P.S: a friend has a BRICKED attv2, could i flash a new image via emmc or is emmc only "good" to copy over su binaries ?

I was never able to figure out where the flash pins were. Although I didn't care too much once I found the uart and a way to use SW to access the flash. It's not really the same as using a flash reader though and much slower than a reader.
 

enderffx

Senior Member
Sep 16, 2011
204
25
I was never able to figure out where the flash pins were. Although I didn't care too much once I found the uart and a way to use SW to access the flash. It's not really the same as using a flash reader though and much slower than a reader.

Hello zerotech, thanks for answering.
Ok, then i guess it will stay bricked :)

About the UART pins: could you point out where thise are for the ATV2 or do you have a link showing it ?
Or even better a link to a tutorial (or is it just the same as ATV2 apart from the pin location) ?

Thanks & Greetings:

Ender
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
Hello zerotech, thanks for answering.
Ok, then i guess it will stay bricked :)

About the UART pins: could you point out where thise are for the ATV2 or do you have a link showing it ?
Or even better a link to a tutorial (or is it just the same as ATV2 apart from the pin location) ?

Thanks & Greetings:

Ender

You can find some info about the UART here: https://forum.xda-developers.com/showpost.php?p=63294247&postcount=505

That's the specific post about the UART, but there is a little more info later in that thread. The same link is also on the first post if you need to find it again, under the background info section.
 
  • Like
Reactions: Kramar111

hunter_bruhh

Senior Member
May 1, 2015
111
136
Murfreesboro
I was never able to figure out where the flash pins were. Although I didn't care too much once I found the uart and a way to use SW to access the flash. It's not really the same as using a flash reader though and much slower than a reader.

Is it possible for someone to use your method of accessing the flash on an unrootable fireTV 2 and hardware root it, similar to what was done on the fireTV 1 by GTVhacker guys?
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
Is it possible for someone to use your method of accessing the flash on an unrootable fireTV 2 and hardware root it, similar to what was done on the fireTV 1 by GTVhacker guys?

I would think so. If you can access the flash as raw bits you could use rbox tools to modify the ext4 filesystem. I'm not sure what that would take and may even require unsoldering stuff to get to those pins. No idea though.
 

hunter_bruhh

Senior Member
May 1, 2015
111
136
Murfreesboro
I would think so. If you can access the flash as raw bits you could use rbox tools to modify the ext4 filesystem. I'm not sure what that would take and may even require unsoldering stuff to get to those pins. No idea though.

Can you tell me how you accessed the flash? Were you able to access the /system partition? If I could just mount it, I could push su to /system and then install TWRP and all that good jazz.
 

zeroepoch

Senior Member
Dec 30, 2010
313
214
San Jose, CA
www.zeroepoch.com
Can you tell me how you accessed the flash? Were you able to access the /system partition? If I could just mount it, I could push su to /system and then install TWRP and all that good jazz.

I was using commands in the preloader to read/write addresses in the physical memory. At that phase virtual memory equals physical memory or it does at least for the I/O space. I wrote a sort of MMC driver using this memory read/write interface. @rbox took this idea much further and allows you to mount partitions, including /system, and work with them directly like normal filesystems while it does all the magic UART commands in the background. It used the ext libraries to walk the filesystem. It's very slow though so you don't want to change more than a few MB otherwise it could take a day or more to complete. If you're interested in his tools you can find them here:

https://github.com/androidrbox/mediatek-preloader-tools

He used this method to create a mini root filesystem that boots into his TWRP as an unbrick image. So there are some interesting ways to extended it but with recent firmwares removing the preloader commands needed it's not much use anymore except on older firmware or other mediatek devices.
 
  • Like
Reactions: hunter_bruhh

ccf801

Member
Sep 9, 2021
7
1
what pisses me off about amazon is their absolute refusal to just leave peoples fire tvs alone.

i mean , they are always patching holes that allow for root access.

this makes me extremely mad. its like they are saying you are not entitled to have full control over your own device. at any time they can block certain softwares , vpn services or anything else they want to change on your device .

ive learned how to hardware unbrick and root , but that still doesnt change the fact that the average owner
of the fire tv box is mostly screwed because amazon locked down any and almost all holes to allow you
to obtain root .

thank god theres hardware unbricking and rom flashing with pre rooted roms.

amazon ,

i hate you .
 

Han-Droid

Senior Member
Jun 23, 2010
375
76
OnePlus 7T
what pisses me off about amazon is their absolute refusal to just leave peoples fire tvs alone.

i mean , they are always patching holes that allow for root access.

this makes me extremely mad. its like they are saying you are not entitled to have full control over your own device. at any time they can block certain softwares , vpn services or anything else they want to change on your device .

ive learned how to hardware unbrick and root , but that still doesnt change the fact that the average owner
of the fire tv box is mostly screwed because amazon locked down any and almost all holes to allow you
to obtain root .

thank god theres hardware unbricking and rom flashing with pre rooted roms.

amazon ,

i hate you .
that's because THEY THINK, they've sponsored YOUR device giving you a cheap device and granting them a lifetime right to control
 
  • Like
Reactions: SweenWolf and Sus_i

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    what pisses me off about amazon is their absolute refusal to just leave peoples fire tvs alone.

    i mean , they are always patching holes that allow for root access.

    this makes me extremely mad. its like they are saying you are not entitled to have full control over your own device. at any time they can block certain softwares , vpn services or anything else they want to change on your device .

    ive learned how to hardware unbrick and root , but that still doesnt change the fact that the average owner
    of the fire tv box is mostly screwed because amazon locked down any and almost all holes to allow you
    to obtain root .

    thank god theres hardware unbricking and rom flashing with pre rooted roms.

    amazon ,

    i hate you .
    that's because THEY THINK, they've sponsored YOUR device giving you a cheap device and granting them a lifetime right to control
  • 29
    There is an updated thread now for rooting the AFTV2 that supports both 5.0.3.1 and 5.0.4 and maybe others in the future, see http://forum.xda-developers.com/fire-tv/general/root-amazon-fire-tv-2-updated-t3277556. The new method is simpler than this method and requires less to download and less steps to run.

    To be safe run checkver.py every time you handshake since 5.0.4 is starting to roll out! Checkout the 5.0.3.1 tag in order to use this older method.

    If you were able to root your AFTV2 we'd appropriate if you report your success on the poll located here.

    NOTE: Root was obtained a few weeks ago so... this procedure is not the most time efficient, but it is just a few simple steps that anyone with a technical background can follow. There are ideas and some work in progress to make it easier. It depends also on serial port stability, which is somewhat random luck. Linux experience will be beneficial. The usual disclaimers apply, which means this rooting procedure comes with some risks and the scripts involved haven't been tested in all environments. Any harm that may come from rooting your device using this procedure is at your own risk and I assume no responsibility for any damage it may cause. I will do my best to help you get through it and recover if possible.

    Root the Device

    It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as backup the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below YOU MUST BE RUNNING 5.0.3.1. You should also have a unmodified/pristine system partition. You would probably know if you had any modifications and at this point that would be uncommon. If the patching fails for some reason just power off the device, reboot your computer (resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes run the patching command again. There is no harm running the patching command two or more times. If it keeps hanging try a different computer.

    To get started you will need a system that meets the following requirements:

    • Linux (Mac OS X or Windows w/ changes)
    • Python 3.x
    • PySerial
      • sudo yum install python3-pyserial # Fedora or RedHat
      • sudo apt-get install python3-serial # Ubuntu or Debian
    • USB Male A to Male A cable
    • R/W access to /dev/ttyACM0 (or use sudo)
    • ADB USB access (optional, but helpful)
    • Stop ModemManager (if you have it setup, which blocks handshaking)

    Now run the following sequence of commands:

    Code:
    git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
    cd aftv2-tools
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
    gunzip system.root.img.gz
    gunzip system.diff.gz
    adb reboot ; ./handshake.py  # or restart but run ./handshake.py first
    ./checkver.py  # STOP if it reports NO!
    ./patch_mmc.hs 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
    # last address is 0x50dce600

    For Macs (see post #115, thanks @ians325) to satisfy the requirements above you will need to install python 3.5.0 for Mac OS X from python.org then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".

    Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo but the README is constantly evolving. @ImCoKeMaN (big thanks) and myself are working to improve the process and make it easier for Windows users.

    Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns, https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB found here (by @BagiMT).

    To test that root is working you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.

    If you would like to disable updates after rooting you can use the following commands:

    Code:
    adb shell
    su
    pm disable com.amazon.device.software.ota

    To go back to stock in case you want to update or for whatever other reason:

    Code:
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
    gunzip system.orig.img.gz
    adb push system.orig.img /data/local/tmp
    adb shell
    su
    pm enable com.amazon.device.software.ota
    dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
    sync
    reboot

    I don't always have the best luck transferring large files over ADB so another option is to copy the uncompressed image file to a microSD card and changing the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.

    Background Info

    This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader we can use the preloader binary API to send a series of MMC commands to the flash chip which allows 512 byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to it would take about 2 weeks. If for some reason the system partition becomes unbootable that would be your only option to recover right now. By sending just the differences the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much much more complicated procedure. I choose to provide instead a slower but much simpler series of commands.

    The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module but no ETA yet. So in conclusion the tools here allow you to modify the flash contents and using these facilities we have add SuperSU binaries to the system partition.

    Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.

    Tips

    If you want to disable the pop-up message when becoming root you can change notify=1 to notify=0 in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)

    Special Thanks

    10
    5.0.4 Preloader Still Usable

    I finally got the 5.0.4 update. I took a chance based on other users comments and decide to revert to stock and take the update. Good news is that 5.0.4 still has all the functionality needed in the preloader to root. I was able to read out a file change a byte and write it back as kind of test of the interface. Next step is to hack it enough to dump the original image file and then prepare a rooted image file. No promises on ETA but I wanted to at least let people know it should be possible to root 5.0.4 if it has that version out of the box.
    7
    Simpler Rooting

    @ImCoKeMaN and I have been working to simplify the rooting steps, especially for Windows users. We now have a single script that does the handshaking, version check, and patching with resume. It also includes the Windows drivers and patch files in the zip file. This is the only file you need to download now. Windows users no longer need to install python. You can find it below:

    http://download.zeroepoch.com/aftv2/5.0.3.1/root-aftv2-5.0.3.1.zip

    The underlying method is still the same just streamlined so it's going to take 2 hours or more as usual.


    Windows Users:

    1. Install the included drivers following this guide, http://thebroodle.com/microsoft/win...loader-usb-vcom-drivers-in-windows/#arvlbdata
    2. Run root_aftv2.bat after unzipping the file


    Linux Users:

    1. Install pyserial for python 3 from your distro
    2. Run root_aftv2.py after unzipping the file (try with sudo)


    Mac OS X Users:

    1. Install Python 3.5 from python.org
    2. Install pyserial from the terminal (pip install pyserial)
    3. Run root_aftv2.py after unzipping the file


    If these instructions don't make sense then you should follow the original steps instead for now. Providing any feedback would be appreciated if you believe you know what the problem is. It's been tested on Linux and Windows 10, not yet on OS X, but it's mostly just a combination of the previous steps and safe to run many times or switch back to the older method if something happens.

    Still not sure yet if 5.0.4 will be rootable for devices already on that firmware or how easy it will be to upgrade, but we're hoping this new approach might help people get rooted before the update comes out. If feedback seems pretty positive we can starting switching the guides over to this method.
    6
    How to Install on Mac, (Do Not Use El Captain)

    Stage 1)
    Install Xcode (Get it from App Store) or get command line
    http://osxdaily.com/2014/02/12/install-command-line-tools-mac-os-x/
    Install Fastboot and Adb
    1)Download this Android.zip file to your Mac.
    2)Extract the .zip and place the Android folder on your Desktop.
    3)Open Terminal and type:
    Code:
    cd Desktop/Android
    4)Now install ADB and Fastboot: ./ADB-Install-Mac.sh
    5)Allow the script to run and you'll be all set. Now the ADB and Fastboot files will be placed in /usr/bin/ on your Mac.
    if this does not work then manuall copy files to /usr/bin/


    Stage 2)
    1) install python 3.5.0 for Mac OS X from python.org
    2) Install pyserial.
    Open Terminal type
    Code:
    sudo pip3 install pyserial

    Stage 3)
    1)Turn on Amazon Fire TV
    2)From the main (Launcher) screen, select Settings.
    3)Select System > Developer Options.
    4)Select ADB Debugging.
    5)Select USB Debugging.
    6)Now Plug usb to firetv and mac usb

    Stage 4)
    1)Open Terminal on Mac
    2)Copy and Paste
    Code:
    cd aftv2-tools
    curl -O http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
    curl -O http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
    gunzip system.root.img.gz
    gunzip system.diff.gz

    3)Open Second Terminal,
    2)Copy and Paste
    Code:
    while true ; do ls -l /dev/cu.usbmodem* ; sleep 1 ; done
    This show appear
    "ls: /dev/cu.usbmodem*: No such file or directory"

    4)Goto first terminal and copy & paste
    Code:
    adb reboot

    5) Go Back to 2nd terminal and look for
    and look for some thing like this
    "ls: /dev/cu.usbmodem*: No such file or directory"
    "crw-rw-rw- 1 root wheel 22, 11 17 Nov 04:09 /dev/cu.usbmodem2410"
    press ctrl c stop command,

    6) Open Textedit and copy your /dev/cu.usbmodem(your number)
    7) Close terminal 2
    Stage 5

    1) In Finder Click on your home directory (House Symbol),
    2 now click on aftv2-tools directory
    3) Open with Textedit handshake.py
    Look for
    "PORT = "/dev/ttyACM0"
    BAUD = 115200"

    4) Goto Textedit where you copied your "dev/cu.usbmodem" copy that.

    5) Go back to Handshake.py and change to "PORT="(your copyied dev/cu.usbmodem "
    Example
    PORT = "/dev/cu.usbmodem2410"
    save file
    6) Now repeat process on the following files write_mmc.py, read_mmc.py.

    Stage 6
    1) In first open terminal
    2) Copy and Paste
    Code:
    adb reboot ; ./handshake.py
    3)Wait for Handshake, to state "Handshake Complete" on Screen
    4) Disconnect USB Cable and Reconnect USB Cable
    5) In terminal copy and paste
    Code:
    ./patch_mmc.sh 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
    # last address is 0x50dce600
    6) If working it shoud start look something (like this
    "Patching patch xxxxxxxxxx"
    1024+0 records in
    1024+0 records out
    1024 bytes (1.0 kB) copied, 0.00124629 s, 822 kB/s
    Addr: 0x50dce400
    Addr: 0x50dce600

    7) When done patching few files it while start patching address
    example:-
    Addr: 0x25bc2e00
    Addr: 0x25bc3000
    Addr: 0x25bc3200
    Addr: 0x25bc3400
    Addr: 0x25bc3600
    Addr: 0x25bc3800
    Addr: 0x25bc3a00
    8) Go Away for 2 hrs
    9) terminal will now display
    Patching patch_4b4ee400.img...
    1024+0 records in
    1024+0 records out
    1024 bytes transferred in 0.043781 secs (23389 bytes/sec)
    Addr: 0x50dce400
    Addr: 0x50dce600

    10) reboot Amazon Fire

    11) Go back to termial copy and paste
    Code:
    adb shell
    su
    12) Now on Amazon Fire TV Screen Super User Notice will display and you need to accept it

    13) Now go back to terminal and copy and pase
    Code:
    pm disable com.amazon.device.software.ota
    to Disable update

    ---------- Post added at 09:08 AM ---------- Previous post was at 09:05 AM ----------
    5
    I got the new zip prepared. Follow the link below for those who know what to do with it.

    http://download.zeroepoch.com/aftv2/5.0.4/root-aftv2-5.0.4.zip

    I'll get the guides updated some time in the near future. This is for going from stock. Need a bit more info before we suggest the way to update without reverting to stock.