- May 12, 2022
This release temporarily enables access to all the system features on the Fire TV 2nd gen Cube. This includes unrestricted U-boot and fastboot commands, Amlogic burn mode, TWRP, FireOS with ADB root and SELinux permissive, Magisk support, and booting alternative OSes from USB. As this tool is non-persistent, it will need to be reloaded from a connected computer after any reboot.
NOTE: FireOS < 22.214.171.124 required
NOTE: This process does not require you to open your Fire TV 2nd gen Cube
- Linux installation or live system (Ubuntu 20+ recommended)
- micro-USB cable
- device to put Cube into device firmware upgrade (DFU) mode [read below]
libusb is needed for your Linux installation to detect the Cube over USB.
- sudo apt-get install libusb-1.0-0
- sudo apt-get install libusb-dev git
- sudo apt-get install git
- git clone https://github.com/khadas/utils
- cd utils
Entering the Cube's DFU mode
To get into DFU mode we need to pass a '[email protected]' command to the Cube's Amlogic S922X SoC through the I2C bus accessible via the HDMI port. This was first described in the FireFU exploit for the 1st gen Cube. Since then a few more options for devices that can accomplish this have appeared:
- Arduino sketch to boot into DFU, compatible with ARM-based Arduino boards (Due, Teensy, Genuino)
- I2C emulator for ATmega boards (Arduino Duemilanove, ATmega48/88/168/328)
- DIY modified dummy HDMI dongle. Fully self-contained, and powered by the HDMI port.
- Download "raven_boot.zip" and the images zip that corresponds to your Cube FireOS version.
"images_7242-2906.zip" for FireOS 7242/2906+
"images_7212-1333.zip" for any version earlier than 7242/2906
- Unzip "raven_boot.zip", and then the images zip into the "raven_boot/images" directory. Open a terminal window in the raven_boot directory.
- Power off the Cube
- Connect the HDMI dongle / board (DFU entry device) to the Cube's HDMI port, and computer to the Cube's micro-USB port.
- Power on the Cube and type 'lsusb' in the terminal. Confirm 'ID 1b8e:c003 Amlogic, Inc.' is listed, indicating the Cube is in DFU mode.
- Reconnect the Cube and TV with HDMI cable.
- Type 'bash menu' in the terminal, and choose your boot mode.
For bash menu option 3 (booting with Magisk support), install the Magisk Manager APK (v25+ recommended, from https://github.com/topjohnwu/Magisk/releases) from within FireOS, and ignore the notice about required additional steps.
IMPORTANT: This exploit is non-persistent and will require reconnecting your computer after a reboot. The exploit runs entirely in memory and will not modify your Cube. DO NOT FLASH ANY MODIFIED IMAGES OR INSTALL MAGISK through TWRP! Doing so will cause an authentication error / soft brick when rebooting without the exploit present.
About the exploit
This exploit is based on a vulnerability in the Amlogic bootrom that allows us to run unsigned code in the following boot stage (Bl2). To pause the automatic boot process before the Cube's saved Bl2 is loaded, we rely on Amlogic's device firmware upgrade (DFU) mode. In DFU mode, only the boot code from the S922X SoC (Bl1) has been loaded into memory. We now use the vulnerability to load our modified Bl2, breaking the chain of trust and disabling secure boot so that we can make modifications to the bootloader downstream. The last stage of the bootloader is U-boot (Bl33), which hands off the startup process to the boot.img. U-boot is modified to unlock any restrictions on U-boot and fastboot commands, giving us full access to system features. We can then use 'fastboot boot' to load our modified boot images (TWRP, Magisk-patched boot.img) into memory without modifying the Cube.
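To make the chain-of-trust argument above concrete, and to show why the IMPORTANT note about flashing holds, here is an added toy model of the Bl1 -> Bl2 -> Bl33 -> boot.img chain. It is illustration code written for this post, not part of raven_boot or any Amlogic code; the ROM key, image bytes and signature scheme (HMAC standing in for the SoC's real signature check) are all constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the key fused into the SoC. A real device checks
# asymmetric signatures against a key hash in OTP, but the chain logic is the same.
ROM_KEY = b"constructed-otp-key"
CHAIN = ["Bl2", "Bl33", "boot.img"]          # stages loaded after the bootrom (Bl1)

def sign(image: bytes) -> bytes:
    """Vendor-side signing of a stage image (the device only ever verifies)."""
    return hmac.new(ROM_KEY, image, hashlib.sha256).digest()

def boot(flash: dict, sigs: dict, dfu_bl2=None) -> list:
    """Walk the chain of trust: each stage authenticates the next before handing off.

    flash   -- images as stored on the device, keyed by stage name
    sigs    -- the signatures stored next to them
    dfu_bl2 -- an unsigned Bl2 pushed over USB in DFU mode, or None for a normal
               boot; when given, Bl1 runs it without a check (the bootrom flaw)
    Returns (stage, status) pairs; 'rejected' is the authentication error / soft brick.
    """
    ran, enforce = [], True
    for stage in CHAIN:
        if stage == "Bl2" and dfu_bl2 is not None:
            ran.append((stage, "unverified"))
            enforce = False               # the in-memory Bl2 stops checking later stages
            continue
        img, sig = flash[stage], sigs.get(stage, b"")
        if enforce and not hmac.compare_digest(sign(img), sig):
            ran.append((stage, "rejected"))
            return ran                    # stock chain halts on a mismatched image
        ran.append((stage, "verified" if enforce else "unverified"))
    return ran

def scenario(exploit_loaded: bool, flashed_patched_boot: bool) -> list:
    """Constructed stock images; a 'patched' image is modified without re-signing."""
    flash = {"Bl2": b"stock-bl2", "Bl33": b"stock-uboot", "boot.img": b"stock-boot"}
    sigs = {k: sign(v) for k, v in flash.items()}
    if flashed_patched_boot:
        flash["boot.img"] = b"magisk-patched-boot"   # stored signature no longer matches
    return boot(flash, sigs, dfu_bl2=b"patched-bl2" if exploit_loaded else None)
```

scenario(True, True) boots with every stage unverified, which is the in-memory state this tool creates; scenario(False, True) is the reboot without the exploit, where stock Bl33 rejects the flashed boot.img.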
Visit GitHub for a more in-depth write-up and the resources used in this project.
Additional thanks to
@tchebb - a bottomless encyclopedia of Amlogic knowledge, answering countless questions & troubleshooting
@k4y0z - helping get TWRP and Magisk working
@roligov - providing photos, additional FireOS updates, and testing