[ROOT] Rooting the FireTV Cube and Pendant with FireFU

Search This thread

xXhighpowerXx

Senior Member
Feb 2, 2011
61
66
Today we’re excited to be bringing you something we’ve been working on for the last few months. Today, we’re introducing you to FireFU. FireFU is an exploit chain we’ve created to allow users to unlock (and root) their FireTV Cube and FireTV Pendant.

FireFULogo.png


https://blog.exploitee.rs/2018/rooting-the-firetv-cube-and-pendant-with-firefu/

Exploit package
This download is intended for users who are only seeking the binaries to perform the exploit.
https://download.exploitee.rs/file/amazon/FireFU/FireFU.tgz

Source Code
This is for the users who are needing to recompile the exploit or are just curious about the process.
https://gitlab.com/Exploiteers/FireFU_Exploit
https://gitlab.com/Exploiteers/amlogic_usb_mmc
 

puppinoo

Senior Member
Jun 14, 2008
164
30
This is amazing. Thanks a lot.
I'm completely newbie but look forward testing this.
Can this exploit be eventually patched by Amazon so it's better to block updates if you don't use it immediately?
EDIT: I just read they can but I meant if they can patch with future updates so that the process is defeated and can't be used anymore.

Regards and congratulations.
Pino.
 
Last edited:

xXhighpowerXx

Senior Member
Feb 2, 2011
61
66
This is amazing. Thanks a lot.
I'm completely newbie but look forward testing this.
Can this exploit be eventually patched by Amazon so it's better to block updates if you don't use it immediately?
EDIT: I just read they can but I meant if they can patch with future updates so that the process is defeated and can't be used anymore.

Regards and congratulations.
Pino.

Yes the exploit is patchable. Amazon will probably patch it in the next firmware release. I'm not sure how long this exploit will last. Make sure to disable OTA update after you rooted it. This exploit also allow you to run custom roms too since it bypass the signature check in uboot :) SoC is similar to Odroid C2 board so you might able to run it image on the FireTV with little/no modifications.
 
  • Like
Reactions: puppinoo

puppinoo

Senior Member
Jun 14, 2008
164
30
Yes the exploit is patchable. Amazon will probably patch it in the next firmware release. I'm not sure how long this exploit will last. Make sure to disable OTA update after you rooted it. This exploit also allow you to run custom roms too since it bypass the signature check in uboot :) SoC is similar to Odroid C2 board so you might able to run it image on the FireTV with little/no modifications.

Thanks for precious info,
I already blocked URLs from Amazon on my LEDE router in dnsmasq.conf.
Really interesting. I have LibreElec installed on my Odroid C2 and the idea of installing a Linux distro on the pendant is also interesting.

BTW I stress my gratitude cause your work is amazing.
Pino.
 

AZImmortal

Senior Member
Dec 22, 2010
505
74

Is the HDMI breakout adapter linked in the wiki the correct one that would be needed for this project?

https://www.amazon.com/Adapter-sign...rs-20&linkId=eca52d73a58d16cf24fb94f55bfd7ebe

From what I can tell from the pictures, that breakout board has a male adapter, but you would need a female adapter to plug the Fire TV into, correct?

Also, would it be possible to provide a little more detail on the command line steps needed? I'm a Linux novice so I'm having a little difficulty trying to figure out how to execute some of these steps. The exact commands for each step would be great. Thanks for your work!
 

retyre

Senior Member
Jan 14, 2011
280
303
Central FL
Is the HDMI breakout adapter linked in the wiki the correct one that would be needed for this project?

https://www.amazon.com/Adapter-sign...rs-20&linkId=eca52d73a58d16cf24fb94f55bfd7ebe

From what I can tell from the pictures, that breakout board has a male adapter, but you would need a female adapter to plug the Fire TV into, correct?

Correct. Something like this is what you need. This looks like the one used in the wiki.

IMO, putting the device into DFU mode is the bottleneck. You will have to set up the correct udev rules to get the Amlogic side recognized through the HDMI breakout.

(The Linux rooting commands are in the video.)
 

AZImmortal

Senior Member
Dec 22, 2010
505
74
Correct. Something like this is what you need. This looks like the one used in the wiki.

IMO, putting the device into DFU mode is the bottleneck. You will have to set up the correct udev rules to get the Amlogic side recognized through the HDMI breakout.

(The Linux rooting commands are in the video.)

Thanks for confirming about the HDMI breakout. I found this on AliExpress for the cheapest option (but longest delivery time). Can you explain what you mean by the DFU mode bottleneck? I know that the Fire TV has to be put into DFU mode, but I wasn't sure if you meant that it's trickier than it seems (like maybe some computers don't have the right chipset or something along those lines). Also, I saw the video but it seems to start at step 7, which is basically where the easy parts of the process start, haha. I need more details on the earlier steps.
 
Last edited:

retyre

Senior Member
Jan 14, 2011
280
303
Central FL
Can you explain what you mean by the DFU mode bottleneck? I know that the Fire TV has to be put into DFU mode, but I wasn't sure if you meant that it's trickier than it seems (like maybe some computers don't have the right chipset or something along those lines).

There are so many variables here: genuine Arduino vs. counterfeit, quality of the HDMI breakout board, USB 3.0 vs. 2.0, Linux box with proper udev rules, ...

Take a look at something like this if you want to automate the last part (udev).
 

AZImmortal

Senior Member
Dec 22, 2010
505
74
There are so many variables here: genuine Arduino vs. counterfeit, quality of the HDMI breakout board, USB 3.0 vs. 2.0, Linux box with proper udev rules, ...
I have an Arduino clone but I've never actually used it for real (other than flashing sketches to it to make sure that it works), but assuming that the clone is functional, then what kind of issues might prevent it from working for this project? I guess same question goes for the breakout board and USB 3.0 vs 2.0. Just trying to figure out what kind of obstacles I might encounter if I decide to try this.

Take a look at something like this if you want to automate the last part (udev).
This helps put things a little more together for me (at least I know which libusb I'd need to install). I'm still not sure that I understand how to execute step 1 or step 6 under the Rooting Process instructions though.

Thanks for the help so far.
 
  • Like
Reactions: puppinoo

retyre

Senior Member
Jan 14, 2011
280
303
Central FL
his helps put things a little more together for me (at least I know which libusb I'd need to install). I'm still not sure that I understand how to execute step 1 or step 6 under the Rooting Process instructions though.

Depending on the Linux distro, libusb may already be installed. Run dpkg -l libusb* to check.

Step 1: udev rules are set up in /etc/udev/rules.d/. You will have to create a file (e.g., 90-usb-serial.rules) with the information (usually, the subsystem, vendor-product attributes as mentioned in the wiki, name, symlink, etc.). Syntax varies by distro. You should test your rule with a less tricky device that's guaranteed to show up (e.g., a common peripheral) and see whether the name or symlink in the rule was picked up properly.

Step 6: In general, lsusb lists the USB devices connected to the Linux box. For example, if you connect just the Arduino and run lsusb, you should see the Due show up as, say, 2341:003d. If everything works as planned (i.e., the AFTV3 gets into DFU mode), you should see the correct device show up when you run lsusb (1b8e:c003). If it does not, you now have to check all the failure points: whether the sketch was flashed properly, whether the Arduino's or breakout's SCL and SDA pins are working properly, whether the USB port is the issue, whether the jumper wire or cable is the issue, and whether your udev rule was set up properly. In the event of an unsuccessful outcome (i.e., Amlogic doesn't show up in lsusb), isolating the issue can be a bear.

There's only one way to find out. Gather the paraphernalia, test it out, and post here!
 
  • Like
Reactions: puppinoo

AZImmortal

Senior Member
Dec 22, 2010
505
74
Depending on the Linux distro, libusb may already be installed. Run dpkg -l libusb* to check.

Step 1: udev rules are set up in /etc/udev/rules.d/. You will have to create a file (e.g., 90-usb-serial.rules) with the information (usually, the subsystem, vendor-product attributes as mentioned in the wiki, name, symlink, etc.). Syntax varies by distro. You should test your rule with a less tricky device that's guaranteed to show up (e.g., a common peripheral) and see whether the name or symlink in the rule was picked up properly.

Step 6: In general, lsusb lists the USB devices connected to the Linux box. For example, if you connect just the Arduino and run lsusb, you should see the Due show up as, say, 2341:003d. If everything works as planned (i.e., the AFTV3 gets into DFU mode), you should see the correct device show up when you run lsusb (1b8e:c003). If it does not, you now have to check all the failure points: whether the sketch was flashed properly, whether the Arduino's or breakout's SCL and SDA pins are working properly, whether the USB port is the issue, whether the jumper wire or cable is the issue, and whether your udev rule was set up properly. In the event of an unsuccessful outcome (i.e., Amlogic doesn't show up in lsusb), isolating the issue can be a bear.

There's only one way to find out. Gather the paraphernalia, test it out, and post here!

Thanks, this helps a lot. I'll have to take a little time to experiment with my setup to see if I can figure out the syntax, but I'm definitely planning to buy the breakout board and finally put my Arduino clone to work. I'll probably have more questions when that time comes. :confused: :)
 

retyre

Senior Member
Jan 14, 2011
280
303
Central FL
Finally got around to trying this. Works as described in the OP.

TBH, this is not nearly as complicated as the usual hardware root method for FTV devices. If you know your way around Linux and can connect jumper wires, you should have no trouble with this. Please post here if you have issues.
 
  • Like
Reactions: puppinoo

puppinoo

Senior Member
Jun 14, 2008
164
30
Finally got around to trying this. Works as described in the OP.

TBH, this is not nearly as complicated as the usual hardware root method for FTV devices. If you know your way around Linux and can connect jumper wires, you should have no trouble with this. Please post here if you have issues.

Great job. Waiting for my hdmi breakout to arrive so I can try. Can I ask you if you tried to downgrade or upgrade fw version? If not will it be easy to accomplish? I ask cause I blocked updates on my router since initial FW version and I don't want to risk now. But I'd like once rooted to upgrade to a version (possibly already rooted) with a feature added later to automatically switch framerate which my version actually lacks.

Regards.
Pino.
 

retyre

Senior Member
Jan 14, 2011
280
303
Central FL
Can I ask you if you tried to downgrade or upgrade fw version? If not will it be easy to accomplish? I ask cause I blocked updates on my router since initial FW version and I don't want to risk now. But I'd like once rooted to upgrade to a version (possibly already rooted) with a feature added later to automatically switch framerate which my version actually lacks.

I updated to the latest version (6.2.5.5) before trying this. The wiki indicated it was tested on that version, so I saw no harm. If 6.2.5.5 has a feature not found in earlier versions, you should unblock the DNS on your router and let the device update to 6.2.5.5 before you try this. Without a public link to any of the update files for AFTV3, how are you planning to downgrade/upgrade or flash a prerooted image?
 
  • Like
Reactions: puppinoo

BRICK0044

Senior Member
Jun 3, 2011
232
21
I updated to the latest version (6.2.5.5) before trying this. The wiki indicated it was tested on that version, so I saw no harm. If 6.2.5.5 has a feature not found in earlier versions, you should unblock the DNS on your router and let the device update to 6.2.5.5 before you try this. Without a public link to any of the update files for AFTV3, how are you planning to downgrade/upgrade or flash a prerooted image?

Glad it worked for you. Any chance you could show links to the board and Hdmi breakout? Thank you.

---------- Post added at 06:00 AM ---------- Previous post was at 05:56 AM ----------

Nevermind I found them in the Wiki.
 

ldeveraux

Senior Member
  • Nov 20, 2008
    2,414
    875
    Finally got around to trying this. Works as described in the OP.

    TBH, this is not nearly as complicated as the usual hardware root method for FTV devices. If you know your way around Linux and can connect jumper wires, you should have no trouble with this. Please post here if you have issues.

    I plan on trying this tonight. It's not clear in the instructions how to connect everything. Connect the arduino to a linux box via USB? Do I need to adb to enter the commands? I've got the breakout HDMI wired to the arduino, but then a standard HDMI cable from breakout to FireTV?
     

    retyre

    Senior Member
    Jan 14, 2011
    280
    303
    Central FL
    Let me clarify the first few steps in the OP (this is where I expect most of the challenge to be):
    -- This is what you will need to begin: Arduino Due (this is what I have), HDMI breakout board (this is what I used because I have the pendant; if you have the cube, you will need a male HDMI as in the wiki; if you have the pendant, you can also use the male with a coupler), M/M jumper wire (this is what I used), and a Linux box (I have Ubuntu 16.04.5 LTS installed).

    To install the Arduino IDE and upload the sketch, follow these steps in sequence:
    1. Download the Arduino IDE. (If you use v1.6.1 or earlier, you don't have to install the Due board separately.) For Linux, download v1.6.1 from here. (Note: You don't have to do this in Linux. For Windows, use this.)
    General note for Linux: It might just be easier to run everything as root (to sidestep permission issues): use sudo. As an example, sudo ./arduino to start the Arduino IDE instead of just ./arduino.
    2. Connect the Due to your PC's USB port, install the Windows driver (located inside arduino-1.6.1-windows.zip; no driver needed for Linux), and choose the correct Board (Native or Programming depending on which is connected; I usually use the Programming port) and Port.
    3. Download and extract the archive in the OP (FireFU.tgz).
    4. Upload the sketch (hdmi_arduino.ino, from the archive) to the Due. To do this, open hdmi_arduino.ino from File and choose Upload from Sketch or just click the right-arrow. Pull up the separator at the bottom to make it easier to view the progress window.
    6. Confirm that the upload and verification are successful.

    You will need Linux from this point forward.

    5. Check to see whether libusb is already installed:
    Code:
    dpkg -l libusb*
    If not, install it:
    Code:
    sudo apt-get install libusb-1.0-0
    6. Add the proper udev rules for Amlogic and fastboot as described in the OP's link. If you do not know how to manually add rules in /etc/udev/rules.d/, do the following:
    -- To automate the udev rule for Amlogic (from here):
    Code:
    sudo apt-get install git
    git clone https://github.com/khadas/utils
    cd utils
    ./INSTALL
    This will write the Amlogic rule (/etc/udev/rules.d/70-*). To add the fastboot rule, open the file (70-*) in an editor, copy-and-paste the line for Amlogic, and change the vendor and product id to match that for fastboot.

    To manually add the udev rules, create a new file (say, 70-firetv3.rules) with the following in it:
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="1b8e", ATTR{idProduct}=="c003", MODE:="0666"
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="18d1", ATTR{idProduct}=="0d02", MODE:="0666"

    -- Install fastboot and adb:
    Code:
    sudo apt-get install android-tools-adb android-tools-fastboot
    7. Reboot for the rules to take effect.
    8. Connect the following in order:
    -- jumper wire to SCL, SDA, and GND on the Due ... and to the breakout board (as described in the wiki)
    -- AFTV3's male HDMI to the breakout board's female HDMI (or the cube's female HDMI to the breakout board's male HDMI)
    -- power to the Due (I use external power, but connecting it to USB power should work just as well)
    -- micro USB to the AFTV3
    -- other end of the micro USB to the Linux box's USB port
    9. Check whether Amlogic, Inc. shows up:
    Code:
    lsusb
    10. If it does, you're more than halfway there. If it does not, disconnect everything but the jumper wire and repeat step 8.
     

    puppinoo

    Senior Member
    Jun 14, 2008
    164
    30
    I updated to the latest version (6.2.5.5) before trying this. The wiki indicated it was tested on that version, so I saw no harm. If 6.2.5.5 has a feature not found in earlier versions, you should unblock the DNS on your router and let the device update to 6.2.5.5 before you try this. Without a public link to any of the update files for AFTV3, how are you planning to downgrade/upgrade or flash a prerooted image?

    Thanks for advices. I didn't know updates URLs were still unknown. I just enabled updates and let it do its things. Now I'm on Build NS6255/1612 (hoping it's the original one and not some stealth tricky version just uploaded :D ). BTW I noticed the updates are incremental so it processed all the major ones one at a time. So maybe you could let it do until it reaches the version you like and after that you stop the updates. It's not a safe method I think (for them).
    BTW Thanks again for advice. Stuill waiting for HDMI Breakout.
     

    2WhlWzrd

    Senior Member
    Feb 20, 2016
    104
    28
    Arduino Documentation

    -- power to the Due (I use external power, but connecting it to USB power should work just as well)

    Documentation on the Arduino website states;

    "The Arduino Due can be powered via the USB connector or with an external power supply. The power source is selected automatically.
    External (non-USB) power can come either from an AC-to-DC adapter (wall-wart) or battery. The adapter can be connected by plugging a 2.1mm center-positive plug into the board's power jack.
    Leads from a battery can be inserted in the Gnd and Vin pin headers of the POWER connector.
    The board can operate on an external supply of 6 to 20 volts. If supplied with less than 7V, however, the 5V pin may supply less than five volts and the board may be unstable.
    If using more than 12V, the voltage regulator may overheat and damage the board. The recommended range is 7 to 12 volts"
     
    • Like
    Reactions: puppinoo

    Top Liked Posts

    • There are no posts matching your filters.
    • 11
      Today we’re excited to be bringing you something we’ve been working on for the last few months. Today, we’re introducing you to FireFU. FireFU is an exploit chain we’ve created to allow users to unlock (and root) their FireTV Cube and FireTV Pendant.

      FireFULogo.png


      https://blog.exploitee.rs/2018/rooting-the-firetv-cube-and-pendant-with-firefu/

      Exploit package
      This download is intended for users who are only seeking the binaries to perform the exploit.
      https://download.exploitee.rs/file/amazon/FireFU/FireFU.tgz

      Source Code
      This is for the users who are needing to recompile the exploit or are just curious about the process.
      https://gitlab.com/Exploiteers/FireFU_Exploit
      https://gitlab.com/Exploiteers/amlogic_usb_mmc
      3
      So I got it back to fastboot made where the lsusb said "Google, Inc". I manually flashed the recovery, but completely forgot to flash the boot.img. Now I can't get the device back to fastboot mode to flash the boot. If I hook up to a TV, it's stuck on the FireTV screen. Can I get back to fastboot mode to flash the boot img or did I brick it?

      I'm going to try installing the exploit again from the sh without backing up this time, see if I can't get back to fastboot. Then manually install boot,recovery if I need to.

      EDIT: This time it worked! The exploit installed, then rebooted to fastboot and I was able to root. Checked Magisk and root access granted. Thanks all for the help, this was more complex than I first thought!

      FYI: to get back into fastboot mode, you just need to enter DFU mode with the HDMI dongle (Arduino) attached then unplug the dongle when it entered DFU mode (check with lsusb) run the reboot tool ("$ aml_reboot fastboot"). Now it should be in fastboot and you can flash your boot / recovery image.
      3
      If it's waiting for the device in fastboot, it's most likely an issue with permissions. Have you added the udev rule for fastboot? Does the fastboot device show up in lsusb (as Google Inc. Celkon A88)? When you type fastboot devices, I'm guessing it says it doesn't have permissions for your device?

      And yes, you unplug the AFTV3 from the HDMI breakout before reset into fastboot.

      So I got it back to fastboot made where the lsusb said "Google, Inc". I manually flashed the recovery, but completely forgot to flash the boot.img. Now I can't get the device back to fastboot mode to flash the boot. If I hook up to a TV, it's stuck on the FireTV screen. Can I get back to fastboot mode to flash the boot img or did I brick it?

      I'm going to try installing the exploit again from the sh without backing up this time, see if I can't get back to fastboot. Then manually install boot,recovery if I need to.

      EDIT: This time it worked! The exploit installed, then rebooted to fastboot and I was able to root. Checked Magisk and root access granted. Thanks all for the help, this was more complex than I first thought!
      3
      Let me clarify the first few steps in the OP (this is where I expect most of the challenge to be):
      -- This is what you will need to begin: Arduino Due (this is what I have), HDMI breakout board (this is what I used because I have the pendant; if you have the cube, you will need a male HDMI as in the wiki; if you have the pendant, you can also use the male with a coupler), M/M jumper wire (this is what I used), and a Linux box (I have Ubuntu 16.04.5 LTS installed).

      To install the Arduino IDE and upload the sketch, follow these steps in sequence:
      1. Download the Arduino IDE. (If you use v1.6.1 or earlier, you don't have to install the Due board separately.) For Linux, download v1.6.1 from here. (Note: You don't have to do this in Linux. For Windows, use this.)
      General note for Linux: It might just be easier to run everything as root (to sidestep permission issues): use sudo. As an example, sudo ./arduino to start the Arduino IDE instead of just ./arduino.
      2. Connect the Due to your PC's USB port, install the Windows driver (located inside arduino-1.6.1-windows.zip; no driver needed for Linux), and choose the correct Board (Native or Programming depending on which is connected; I usually use the Programming port) and Port.
      3. Download and extract the archive in the OP (FireFU.tgz).
      4. Upload the sketch (hdmi_arduino.ino, from the archive) to the Due. To do this, open hdmi_arduino.ino from File and choose Upload from Sketch or just click the right-arrow. Pull up the separator at the bottom to make it easier to view the progress window.
      6. Confirm that the upload and verification are successful.

      You will need Linux from this point forward.

      5. Check to see whether libusb is already installed:
      Code:
      dpkg -l libusb*
      If not, install it:
      Code:
      sudo apt-get install libusb-1.0-0
      6. Add the proper udev rules for Amlogic and fastboot as described in the OP's link. If you do not know how to manually add rules in /etc/udev/rules.d/, do the following:
      -- To automate the udev rule for Amlogic (from here):
      Code:
      sudo apt-get install git
      git clone https://github.com/khadas/utils
      cd utils
      ./INSTALL
      This will write the Amlogic rule (/etc/udev/rules.d/70-*). To add the fastboot rule, open the file (70-*) in an editor, copy-and-paste the line for Amlogic, and change the vendor and product id to match that for fastboot.

      To manually add the udev rules, create a new file (say, 70-firetv3.rules) with the following in it:
      SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="1b8e", ATTR{idProduct}=="c003", MODE:="0666"
      SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="18d1", ATTR{idProduct}=="0d02", MODE:="0666"

      -- Install fastboot and adb:
      Code:
      sudo apt-get install android-tools-adb android-tools-fastboot
      7. Reboot for the rules to take effect.
      8. Connect the following in order:
      -- jumper wire to SCL, SDA, and GND on the Due ... and to the breakout board (as described in the wiki)
      -- AFTV3's male HDMI to the breakout board's female HDMI (or the cube's female HDMI to the breakout board's male HDMI)
      -- power to the Due (I use external power, but connecting it to USB power should work just as well)
      -- micro USB to the AFTV3
      -- other end of the micro USB to the Linux box's USB port
      9. Check whether Amlogic, Inc. shows up:
      Code:
      lsusb
      10. If it does, you're more than halfway there. If it does not, disconnect everything but the jumper wire and repeat step 8.
      2
      Does your rules file look exactly like this?
      SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="1b8e", ATTR{idProduct}=="c003", MODE:="0666"
      SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="18d1", ATTR{idProduct}=="0d02", MODE:="0666"

      Are you using Ubuntu 16.04 (if not, the rules syntax may be different)? Do you have the Due? In post #34, you indicated you were able to run the exploit (at least, initially). Did lsusb list Amlogic at that point? In general, the Amlogic device should be detected if the sketch was uploaded successfully and the jumper wires are connected as described. The udev rules are for permission rather than detection.

      It will help if you indicate clearly (in one post) your hardware/software setup, connections, shell commands, and output.