[UNBRICK] [ROOT] [TWRP] Fire TV 2 (sloane)

Search This thread

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
This guide is only for the Fire TV 2 2015 (not stick) codenamed "sloane" with mt8173.
This will flash correct partitions and TWRP into it.
This WILL NOT clean RPMB neither will unlock the device.
I am not responsable of any physical damage in your device, YOU choose to make this modifications.

NOTE: Full unlock has been released, please refer to this thread: https://forum.xda-developers.com/t/unlock-root-twrp-unbrick-firetv-2-sloane.4222331/
NOTE: You will need to open the device so be prepared ;)
NOTE: This will flash 5.6.2.8 images meaning RPMB will be updated.


MATERIAL NEEDED:
  • Linux based system.
  • USB A-A Cable.
  • Something conductive (paperclip, tweezers, etc).
  • Something to open the device.

- Install python3, PySerial, adb, fastboot:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot

- Uninstall/disable modemmanager:
Code:
sudo apt remove modemmanager

PROCEDURE:
0.
Open up the device. You can use a pick or a kinfe or any special tool to open it up.
1. Locate DAT0 in the attatched image. You will need to flip the motherboard.
2. Download amonet-mt8173-sloane from downloads and unpack it.
3. Open the unpacked folder of amonet, open a terminal inside it and type:
Code:
sudo ./bootrom-step.sh
4. Wait until you see something like:
Code:
[2019-02-07 14:35:59.478924] Waiting for bootrom
5. Once that message shows up, connect the A-A cable but not the power supply. After that, prepare the short and at same time you short DAT0 with GND, plug in the power supply to the wall.
6. The script will ask you to remove the short. When this happens, stop shorting DAT0 and then press enter.
7. Wait until it finishes.
8. The device should now reboot into TWRP. Please, consider now flashing a prerooted ROM or LineageOS 12.1 for get full TWRP.

NOTES:
In lsusb boot-rom shows up as:
Code:
Bus 001 Device 009: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If you see:
Code:
Bus 001 Device 013: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
means you're in preloader mode. Try shorting again.

If somehow you have a corrupt gpt (shouldn't happen), just run:
Code:
sudo ./gpt-fix.sh

If TWRP freezes, DON'T UNPLUG THE THE POWER SUPPLY, instead, open an adb shell session and type the following command to restart TWRP:
Code:
killall recovery

Please, your bootloader is still LOCKED. If you flash custom kernels/unsigned boots (i.e: Magisk Manager, etc) the bootloader will refuse to load the boot image and you will be not able to boot in TWRP anymore unless you re-unbrick the device.

THANKS:
- @CFKod for his patience and for test the script;)
- @retyre & @k4y0z for the initial port to mt8173:)
- @xyz` for his original exploit for the HD8 2018.
- @Sus_i for locate DAT0, DAT1 and DAT2.
- @rbox for TWRP/Boot menu.

DOWNLOAD:
 

Attachments

  • sloane.jpg
    sloane.jpg
    245.9 KB · Views: 3,497
  • amonet-sloane-v1.3.zip
    13.1 MB · Views: 912
Last edited:

CFKod

Senior Member
Brick no more!!
thank you for your patience and knowledge.

My brick was because I wiped system.

I've added another photo, I simply shorted against the metal hole circled in the picture. This is so useful, it not only unbricks, it allows for downgrade of preloader
Meaning I was then able to resolve my lack of system with @rbox unbrick image.

Also it's so much quicker than flashing via mediatek inject. Wooooo
 

Attachments

  • photostudio_1571481431179.jpg
    photostudio_1571481431179.jpg
    89.2 KB · Views: 2,071
Last edited:

Sus_i

Senior Member
Apr 9, 2013
1,572
666
8. Now your device should start booting back to FireOS. Mount it and enjoy your unbricked TV.

Looks good. :good:

I suppose if step 8 (reboot to system) fails for someone, i.e. something in /system is messed up, the old unbrick solution from @rbox comes handy, in order to flash a system?

Don't know, don't own that box, but maybe it's possible to add a 'flash TWRP to recovery partition' to your unbrick solution? As last point, instead of boot system, boot to recovery... Then users could flash the latest prerooted rom from @rbox, and skip the old unbrick solution? Just a thought... as I said, I don't know details about that box. ;)

Edit: probably flash TWRP won't work, since the bootloader isn't unlocked?
 
Last edited:
  • Like
Reactions: happyghoul

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
Looks good. :good:

I suppose if step 8 (reboot to system) fails for someone, i.e. something in /system is messed up, the old unbrick solution from @rbox comes handy, in order to flash a system?

Don't know, don't own that box, but maybe it's possible to add a 'flash TWRP to recovery partition' to your unbrick solution? As last point, instead of boot system, boot to recovery... Then users could flash the latest prerooted rom from @rbox, and skip the old unbrick solution? Just a thought... as I said, I don't know details about that box. ;)

Sure. I can use MISC flags for boot to recovery.
But the question is: Does the twrp can be loaded with newest preloader?
Also if my memory is OK, I remember it's a ramdisk;)
Cheers.
 

Sus_i

Senior Member
Apr 9, 2013
1,572
666
Sure. I can use MISC flags for boot to recovery.
But the question is: Does the twrp can be loaded with newest preloader?
Also if my memory is OK, I remember it's a ramdisk;)
Cheers.

If I remember right, @k4y0z said that the recovery is flashed out of the boot.img at first boot... and if the TWRP solution is a ramdisk like on the first fireTV, then flashing a TWRP image to the recovery partition will probably not work. Don't know. ;)
 

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
If I remember right, @k4y0z said that the recovery is flashed out of the boot.img at first boot... and if the TWRP solution is a ramdisk like on the first fireTV, then flashing a TWRP image to the recovery partition will probably not work. Don't know. ;)

Correct. TWRP is actually a ramdisk.cpio.
rbox flashes it using his 2ndinit script which needs to be runned with "su".
This script, simply put SeLinux in permissive mode and boots TWRP at every boot:
https://github.com/androidrbox/firetv-2ndinit/blob/master/jni/2ndinit.c
As you said, flashing the ramdisk directly into /recovery partition will not work since in needs to be signed.
Cheers.
 

Sus_i

Senior Member
Apr 9, 2013
1,572
666
Correct. TWRP is actually a ramdisk.cpio.
rbox flashes it using his 2ndinit script which needs to be runned with "su".
This script, simply put SeLinux in permissive mode and boots TWRP at every boot:
https://github.com/androidrbox/firetv-2ndinit/blob/master/jni/2ndinit.c
As you said, flashing the ramdisk directly into /recovery partition will not work since in needs to be signed.
Cheers.

Ok. I know that from the 1gen stick/box.

Maybe there is a way to (push and) boot that recovery ramdisk as last step with your script, in order to have the option for flashing the latest prerooted?
Don't know... If you could manage that somehow, you can add the [ROOT] tag into the thread headline ;) :p
@rbox, what do you think?
 
  • Like
Reactions: Rortiz2

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
Ok. I know that from the 1gen stick/box.

Maybe there is a way to (push and) boot that recovery ramdisk as last step with your script, in order to have the option for flashing the latest prerooted?
Don't know... If you could manage that somehow, you can add the [ROOT] tag into the thread headline ;) :p

@rbox, what do you think?

Yeah it will be pretty nice.
If we can't, we can downgrade preloader, run unbrick image via Preloader and then run a second part of the script that restores correct preloader.
Idk, just for throw ideas.
I added source code in the second post for rbox.
Cheers.
 

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
@Sus_i I think I have an idea:)

https://forum.xda-developers.com/fire-tv/orig-development/firetv-2-recovery-installer-t3309785

That installer will help us since it talks with the preloader.

Well, I've a added an argv in the main.py that allows you to downgrade the preloader in order to be able to use rbox tools.
After the downgrade, the scripts reboots the TV and immediatelly it starts with the .sh by rbox that injects the necessary files into the /system/partition.

This is what should do the (let's say step-1.sh). When it finishes, the idea is that the user can run bootrom-step.sh to restore new preloader (shorting again obv) and allow the device to boot with the injected TWRP :)

What do you think?
Best regards!
 

Sus_i

Senior Member
Apr 9, 2013
1,572
666
@Sus_i I think I have an idea:)

https://forum.xda-developers.com/fire-tv/orig-development/firetv-2-recovery-installer-t3309785

That installer will help us since it talks with the preloader.

Well, I've a added an argv in the main.py that allows you to downgrade the preloader in order to be able to use rbox tools.
After the downgrade, the scripts reboots the TV and immediatelly it starts with the .sh by rbox that injects the necessary files into the /system/partition.

Yeah, sounds good, if the system is in good condition it should work fine.
If system is somewhat corrupt, maybe by an interrupted or failed update or so, I don't know if it will work.

Maybe we think to complex. I assume the amonet script can flash all partitions!? Why not flash a whole new system with that.
Since the prerooted rom is in sparse image format and the updater script does all the rooting stuff after flashing, we can't use that.
But maybe it's possible to write a dd image of a allready rooted /system partition with the amonet script.
Just an idea, don't know if that will work.
 

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
Yeah, sounds good, if the system is in good condition it should work fine.
If system is somewhat corrupt, maybe by an interrupted or failed update or so, I don't know if it will work.

Maybe we think to complex. I assume the amonet script can flash all partitions!? Why not flash a whole new system with that.
Since the prerooted rom is in sparse image format and the updater script does all the rooting stuff after flashing, we can't use that.
But maybe it's possible to write a dd image of a allready rooted /system partition with the amonet script.
Just an idea, don't know if that will work.

/system doesn't need to be ok. We need a working boot.img that loads the 2ndinit.
We can't flash a system with bootROM, it will take 1 day lol.
Take this commit as reference:
https://github.com/R0rt1z2/amonet/commit/339bb4ab2055507f2ed72ebea3861dbdfef67484
 

Sus_i

Senior Member
Apr 9, 2013
1,572
666

Sus_i

Senior Member
Apr 9, 2013
1,572
666
Let's see if we can try today.
Also it will require to copy the ramdisk recovery to an external usb or external sd.
Regards!

Yes, have seen it on github, but both is possible with the second gen FireTV box... only the usb port could be a problem, if usb debugging is enabled (but I don't know if debugging is aviable at this early stage?).
 

Rortiz2

Senior Member
Mar 1, 2018
2,407
1,793
Barcelona
Yes, have seen it on github, but both is possible with the second gen FireTV box... only the usb port could be a problem, if usb debugging is enabled (but I don't know if debugging is aviable at this early stage?).

I don't think usb debugging is aviable at Preloader Stage;)
Basically would be this:
Format the sdcard/usb and copy the .cpio on it, then insert sdcard/usb into the TV.
Run first step:
Code:
sudo ./step-1.sh
It will downgrade preloader & inject 2ndinit.
After that, you disconnect the tv and run bootrom-step for restore working imgs:
Code:
sudo ./bootrom-step.sh
After that will reboot and since we have 2ndinit as pppd it will boot in TWRP.
From there you flash prerooted ROM and you're done:)
That's my idea but maybe doesn't work.
Cheers.
 

DanielF50

Senior Member
Jul 22, 2010
543
332
Hampshire, England
Google Pixel 6 Pro
Hey @Rortiz2, thanks for this! My sloane has been bricked for a few months after trying to root - this script ran & uploaded the boot.img to the device, but unfortunately it still won't boot (flashing with amazon logo).

I tried using your twrp test, but that results in terminal hanging at the below:

mpvvQfP.jpg


I was hoping I could get twrp running & then flash a pre-rooted image so that it clears whatever's wrong with the unit, but as above, I don't seem to be able to get it to boot :(

Any ideas?

Edit: welp, after cancelling the terminal command she now won't boot at all, lol... no signs of life but I'll keep this updated if I get can resurrect her.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Friend. Do you have modem manager disabled per instructions.
    Did you remember to give the amonet folder with the files full root permissions with write
    access .


    I would also try the version of amonet Sloane that has gpx fix .

    Run the gpx fix .

    Then after that try the files again .


    Its extremely important though that the folder of the files are given full root , and
    write permissions. What I do is either in mint or ubuntu, in the amonet Sloane folder
    I right click and go on properties ,then I give each file in that folder write access.


    also make sure when entering commands to start the process that you begin with sudo
  • 17
    This guide is only for the Fire TV 2 2015 (not stick) codenamed "sloane" with mt8173.
    This will flash correct partitions and TWRP into it.
    This WILL NOT clean RPMB neither will unlock the device.
    I am not responsable of any physical damage in your device, YOU choose to make this modifications.

    NOTE: Full unlock has been released, please refer to this thread: https://forum.xda-developers.com/t/unlock-root-twrp-unbrick-firetv-2-sloane.4222331/
    NOTE: You will need to open the device so be prepared ;)
    NOTE: This will flash 5.6.2.8 images meaning RPMB will be updated.


    MATERIAL NEEDED:
    • Linux based system.
    • USB A-A Cable.
    • Something conductive (paperclip, tweezers, etc).
    • Something to open the device.

    - Install python3, PySerial, adb, fastboot:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial adb fastboot

    - Uninstall/disable modemmanager:
    Code:
    sudo apt remove modemmanager

    PROCEDURE:
    0.
    Open up the device. You can use a pick or a kinfe or any special tool to open it up.
    1. Locate DAT0 in the attatched image. You will need to flip the motherboard.
    2. Download amonet-mt8173-sloane from downloads and unpack it.
    3. Open the unpacked folder of amonet, open a terminal inside it and type:
    Code:
    sudo ./bootrom-step.sh
    4. Wait until you see something like:
    Code:
    [2019-02-07 14:35:59.478924] Waiting for bootrom
    5. Once that message shows up, connect the A-A cable but not the power supply. After that, prepare the short and at same time you short DAT0 with GND, plug in the power supply to the wall.
    6. The script will ask you to remove the short. When this happens, stop shorting DAT0 and then press enter.
    7. Wait until it finishes.
    8. The device should now reboot into TWRP. Please, consider now flashing a prerooted ROM or LineageOS 12.1 for get full TWRP.

    NOTES:
    In lsusb boot-rom shows up as:
    Code:
    Bus 001 Device 009: ID 0e8d:0003 MediaTek Inc. MT6227 phone
    If you see:
    Code:
    Bus 001 Device 013: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
    means you're in preloader mode. Try shorting again.

    If somehow you have a corrupt gpt (shouldn't happen), just run:
    Code:
    sudo ./gpt-fix.sh

    If TWRP freezes, DON'T UNPLUG THE THE POWER SUPPLY, instead, open an adb shell session and type the following command to restart TWRP:
    Code:
    killall recovery

    Please, your bootloader is still LOCKED. If you flash custom kernels/unsigned boots (i.e: Magisk Manager, etc) the bootloader will refuse to load the boot image and you will be not able to boot in TWRP anymore unless you re-unbrick the device.

    THANKS:
    - @CFKod for his patience and for test the script;)
    - @retyre & @k4y0z for the initial port to mt8173:)
    - @xyz` for his original exploit for the HD8 2018.
    - @Sus_i for locate DAT0, DAT1 and DAT2.
    - @rbox for TWRP/Boot menu.

    DOWNLOAD:
    5
    Rortiz2 , k4y0z I would like to donate one of my "Sloane" boxes to either of you. I really appreciate what you guys do for everyone. The box goes through the unbrick fine and install roms fine but I can't get it to boot. It gets through the twrp screen and then the fire tv splash screen then goes black screen. I will pay shipping and you can have it. Thanks again for all you do. Pm me if you want it.

    Thanks dude, I appreciate it a lot.
    Anyway, if @k4y0z wants it will be better, I'm almost sure that he can unlock the bootloader of sloane. Obviously if he wants and has time.:)
    I will wait for his response.
    Cheers.
    4
    Brick no more!!
    thank you for your patience and knowledge.

    My brick was because I wiped system.

    I've added another photo, I simply shorted against the metal hole circled in the picture. This is so useful, it not only unbricks, it allows for downgrade of preloader
    Meaning I was then able to resolve my lack of system with @rbox unbrick image.

    Also it's so much quicker than flashing via mediatek inject. Wooooo
    4
    Rortiz2 , k4y0z I would like to donate one of my "Sloane" boxes to either of you. I really appreciate what you guys do for everyone. The box goes through the unbrick fine and install roms fine but I can't get it to boot. It gets through the twrp screen and then the fire tv splash screen then goes black screen. I will pay shipping and you can have it. Thanks again for all you do. Pm me if you want it.
    2
    @Rortiz2 What issues did you have with clearing RPMB?
    That has worked unmodified an all the other devices.