• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)

Search This thread

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
Read this whole guide before starting.

This is for the 2nd gen Fire TV Stick (tank)

Current relase: amonet-tank-v1.2.2.zip

NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that where manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.

NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting



To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:
  • A Linux installation or live-system
  • A micro-USB cable
  • Something conductive (paperclip, tweezers etc)
  • Something to open the stick.


NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9


Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager


NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)


1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:
Code:
./bootrom-step.sh

It should now say Waiting for bootrom.

Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.


NOTE:

In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

If it shows up as:
Code:
Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00


4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk etc.


NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.


NOTE:
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.


Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.
 

Attachments

  • amonet-tank-v1.1.zip
    11.2 MB · Views: 2,150
  • amonet-tank-v1.2.1.zip
    8.7 MB · Views: 1,153
  • Fire-TV-Stick-2-(tank).jpg
    Fire-TV-Stick-2-(tank).jpg
    242 KB · Views: 25,596
  • amonet-tank-v1.2.2.zip
    8.7 MB · Views: 16,982
Last edited:

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
Changelog

Version 1.2 (25.03.2019)
  • Update TWRP to twrp-9.0 sources
  • Implement downgrade-protection for LK/PL/TZ
  • Add scripts to enter fastboot/recovery in case of bootloop
  • Automatically restore boot-patch when you boot into recovery

Features.

  • Hacked fastboot mode lets you use all fastboot commands (flash etc).
  • Boots custom/unsigned kernel-images (need to be patched)
  • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
  • TWRP protects from accidental lk/preloader/tz downgrades
  • Set bootmode via preloader

NOTE: Hacked fastboot can be reached via TWRP.

NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.
 
Last edited:

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
There are three options for interacting with TWRP:
  1. A mouse via USB-OTG
  2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  3. Via /cache/recovery/command

Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery

Should you somehow end in a bootloop you can boot into hacked fastboot or recovery using.
Code:
sudo ./boot-fastboot.sh

Code:
sudo ./boot-recovery.sh

NOTE:This will only work if the boot-exploit is still there.

Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery
 
Last edited:

krsmit0

Senior Member
Apr 26, 2012
242
68
first one worked fine. second seemed to go ok but i cant get back in with adb. device unauthorized. i went through the process again to get back to recovery and i copied the adb_keys from the one that worked to the other one. permissions and ownership are the same, but it still says unauthorized. i also dont get the prompt to allow connection on the stick itself. i have connected with this stick through adb before this.

UPDATE: Factory reset didnt bring back the adb debug prompt. but an update did. I was on an older version.
 
Last edited:

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
first one worked fine. second seemed to go ok but i cant get back in with adb. device unauthorized. i went through the process again to get back to recovery and i copied the adb_keys from the one that worked to the other one. permissions and ownership are the same, but it still says unauthorized. i also dont get the prompt to allow connection on the stick itself. i have connected with this stick through adb before this.
Mhh, what Firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure, adb is enabled in developer settings?
If that doesn't help could you try factory reset?
 

krsmit0

Senior Member
Apr 26, 2012
242
68
Either via adb shell, or a mouse via USB-OTG

Mhh, what Firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure, adb is enabled in developer settings?
If that doesn't help could you try factory reset?

it took an update to resolve it. factory reset didnt work. i was not getting the adb authorization prompt so i couldnt boot to recovery. i have it back up and running.
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,863
it took an update to resolve it. factory reset didnt work. i was not getting the adb authorization prompt so i couldnt boot to recovery. i have it back up and running.

fastboot-step flashes the 5.2.6.8 boot.img, maybe that was causing an issue with older firmware.
Glad you got it solved. Now we also know updates are working fine (Allthough disabling OTA might not be the worst idea)
 

xenyz

Senior Member
Oct 30, 2010
1,368
1,446
Wow, nice one @k4y0z. I'm so happy this little device can now have an unlocked bootloader; it's going to open up many possibilities on a device that is so inexpensive.
 
Feb 1, 2016
5
0
My Firestick 4k bootloops

Sir i have a serious problem with my Firestick 4k. I experimented to sideload google play services on my FS 4k and it installed successfully. But when i restart my device it bootloops on and on to Firestick logo. Any solution sir? Damn i must have not do that. Please sir help me. I think i must hard reset the Firestick 4k but how?
 

rbox

Recognized Developer
Apr 22, 2011
1,775
2,595
Yes, exactly.
I have updated the OP.

It looks like there is a test point attached to the trace that looks like it's going to what's labeled as CLK. Is that what you can use to short, or do you have to short the thing you are pointing to?

Have you modified anything, or is this the stock stuff that the original exploit used? Are these .bin files what I would get if I were to compile everything from the github?
 
Last edited:
  • Like
Reactions: puppinoo

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Hi,
    I am testing the waters for firestick modding ... I have a 2nd generation(i am guessing this based on the remote control it pairs to, It pairs to the remote without the power button and volume button) which fails at this point(enclosed attachent).

    I would like to know if my device is salvageable or its beyond the point of no return ?

    I would like to get it boot with some ROM.

    Let me know If this is the right thread ... if not please direct me to the right thread that will help my revive my device back to life.

    appreciate your help ...

    --- Update ---

    FYI ... I connected this firestick to my linux machine and the 'lsusb' gives the following ID's

    Bus 003 Device 014: ID 1949:0221 Lab126, Inc.
    This is the right thread to unbrick your stick.
    Go to post #1, it has all the step mentioned.

    Download these two files.

    Then start following steps from

    1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.

    In the first post

    Now because you have booted your stick it is showing Lab126
    You will have to open your device and short it in order to revive it
    1
    Clarifications Sought :
    Steps 1-5
    ... are to be carried out from a laptop to which the device is connected ?

    Step 6 ... How do i make out if the device has booted into unlocked fastboot state ? ... for there is no Screen(like its there in Smartphone)

    Step 7 ...
    hope this is to be run on the laptop just like the first script we ran in Step 2 ...

    Step 8 ...
    is the TWRP permanently installed on to the device ?

    Step 8-9 ... Again how do i know its reboot into TWRP ? ... again for the lack of a screen interface.
    You do step #1 to #9 with your PC running linux (fireISO)...
    i.e. you don't need a TV screen, you're able to run all commands in the terminal, including adb push/pull, adb shell / twrp install commands (aka. twrp commandline). ;)
    1
    @Sus_i ...
    Can't the Steps 1-9 be done from any standard Linux OS ?
    Yes, but then you have to follow the OP carefully, in order to install all necessary packages and disable modemmanger just infront of the bootrom-step. You also need to use sudo for the bootrom-step, or it won't work.

    I was of the understanding shorting was required only until Step 4 ... !
    Shorting is only required for the bootrom-step...
  • 65
    Read this whole guide before starting.

    This is for the 2nd gen Fire TV Stick (tank)

    Current relase: amonet-tank-v1.2.2.zip

    NOTE: Recent reports indicate a change that disables brom DL-mode
    The change seems to have been introduced with devices that where manufactured in December 2019 or later.
    The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
    Unfortunately these devices cannot currently be unlocked.

    NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
    NOTE: This issue has been fixed in version 1.2.2
    NOTE: When updating from version 1.0, don't install anything else before rebooting



    To update to the current release if you are already unlocked, just flash the zip in TWRP.

    What you need:
    • A Linux installation or live-system
    • A micro-USB cable
    • Something conductive (paperclip, tweezers etc)
    • Something to open the stick.


    NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
    Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
    It is still recommended to first update to 5.2.6.9


    Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager


    NOTE: If you have issues running the scripts, you might have to run them using sudo.
    Also try using different USB-ports (preferably USB-2.0-ports)


    1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
    2. start the script:
    Code:
    ./bootrom-step.sh

    It should now say Waiting for bootrom.

    Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.


    NOTE:

    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00


    4. When the script asks you to remove the short, remove the short and press enter.

    5. Wait for the script to finish.
    If it stalls at some point, stop it and restart the process from step 2.

    6. Your device should now reboot into unlocked fastboot state.

    7. Run
    Code:
    ./fastboot-step.sh

    8. Wait for the device to reboot into TWRP.

    9. Use TWRP to flash custom ROM, Magisk etc.


    NOTE:
    Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
    your device will likely not boot anymore (unless you flashed a signed image).
    TWRP will patch recovery/boot-images on the fly.


    NOTE:
    This process does not disable OTA or does any other modifications to your system.
    You will have to do that according to the other guides in this forum.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Thanks to @hwmod for doing initial investigations and providing the attached image.
    12
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop you can boot into hacked fastboot or recovery using.
    Code:
    sudo ./boot-fastboot.sh

    Code:
    sudo ./boot-recovery.sh

    NOTE:This will only work if the boot-exploit is still there.

    Source Code:
    https://github.com/chaosmaster/amonet
    https://github.com/chaosmaster/android_bootable_recovery
    9
    Changelog

    Version 1.2 (25.03.2019)
    • Update TWRP to twrp-9.0 sources
    • Implement downgrade-protection for LK/PL/TZ
    • Add scripts to enter fastboot/recovery in case of bootloop
    • Automatically restore boot-patch when you boot into recovery

    Features.

    • Hacked fastboot mode lets you use all fastboot commands (flash etc).
    • Boots custom/unsigned kernel-images (need to be patched)
    • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
    • TWRP protects from accidental lk/preloader/tz downgrades
    • Set bootmode via preloader

    NOTE: Hacked fastboot can be reached via TWRP.

    NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
    Use TWRP for autopatching.
    8
    Please read the instructions k4y0z wrote (1st page), then read the extra info below. It was my first time rooting a FireTV Stick via hardware and I had a lot of questions. Although, most answered via post replies throughout this thread. Here is a descriptive version of the rooting process for other beginners from what I learned.

    Any damages or issues resulting from rooting your own device falls on you!

    EDIT: I know this is long, but if you are a beginner DO NOT SKIM THROUGH.

    A Linux operating system is required. Ubuntu 19.04 is recommended and the following instructions are for Debian based systems like Ubuntu.

    The following packages were used (Check for updates):
    Amonet-tank-v1.2.2
    tank-5.2.6.9-rooted_r1
    Magisk-v19.2
    Everything was saved to the Downloads folder.

    Step 0: Open the FireTV Stick
    1. Use a plastic tool like an unused credit card. With a bit of force push the plastic tool into the edge (seam) of the FireTV Stick while slightly popping the side wall outwards until a snap. Continue on all sides until the plastic shell can be separated. Then, remove the motherboard. Disassembly video - Link
    2. On the side with the smaller metal shield, use a thin blunt knife or flathead. Start near the HDMI port above and below the black pad. There are small gaps that can be used to push the metal shield up. Continue around the metal shield until it is removed. Be careful not to scratch the board and leave the metal rim.
    3. Attach the micro USB cable to the FireTV Stick but not to a computer!
    4. Extract “amonet-tank-v1.2.2.zip” in the Downloads folder and open a Terminal on a Linux system.

    Step 1: Update Ubuntu
    Code:
    sudo apt update && sudo apt upgrade -y

    Step 2: Install Dependencies (Ignore if Android Studio is installed)
    Code:
    sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

    Step 3: Stop and Disable ModemManager
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    Step 4: Short CLK to GND (Please read k4y0z instructions as well)
    1. Navigate to script directory:
      Code:
      cd ~/Downloads/amonet-tank-v1.2.2/amonet/
    2. Start the script:
      Code:
      sudo bash bootrom-step.sh
    3. When the Terminal prompt says "waiting for bootrom" (Easiest with two people)
    4. Place the removed metal shield next to the disassembled FireTV Stick. If it doesn't short, then use k4y0z suggested GND method.
    5. Use a paperclip (etc), and lightly touch the bottom metal piece of the CLK to the metal shield (CLK location, but use metal shield as GND). The CLK is tiny so be careful.
    6. Plug the USB cable connected to the FireTV Stick into the computer while holding the short!!! When I did it, I accidentally lost the short but it still worked (uncommon).
    7. The Terminal prompt will say when to "remove the short and press enter".
    8. Wait until the script finishes. If the script stalls, unplug USB and start the script again and short.
    9. Run fastboot script:
      Code:
      sudo bash fastboot-step.sh
    10. Next step has instructions.

    Step 5: Using Fastboot to install Roms and Magisk
    1. Wait for the FireStick to reboot into TWRP
    2. Push Tank’s prerooted rom zip file onto the FireTV Stick sd card:
      Code:
      adb push ~/Downloads/tank-5.2.6.9-rooted_r1.zip /sdcard/
    3. Push Magisk zip file:
      Code:
      adb push ~/Downloads/Magisk-v19.2.zip /sdcard/
    4. Go into ADB Shell:
      Code:
      adb shell
    5. Install rom:
      Code:
      twrp install /sdcard/tank-5.2.6.9-rooted_r1.zip
    6. Install Magisk:
      Code:
      twrp install /sdcard/Magisk-v19.2.zip
    7. EDIT: STOP! DO NOT WIPE ANYTHING OTHER THEN WHAT WAS STATED OR SKIP WIPING ENTIRELY IF YOU'RE A BEGINNER! You can skip wiping and reboot (#9 & #10) or decide if you want to wipe the cache and dalvik only (advanced):
      Code:
      twrp wipe cache
    8. Code:
      twrp wipe dalvik
    9. Code:
      reboot -p
    10. Unplug USB and plug the disassembled FireTV Stick into a monitor or TV. Use the power brick and handle with care.
    11. The "Optimizing Storage" screen will display and will take 10 minutes to complete.

    Optimizing Storage Screen Hangs Issue*
    Try plugging the FireTV Stick's USB to a different power brick temporarily.

    Otherwise and unfortunately, the following instructions will erase your apps and will force you to re-register your FireTV Stick.
    1. Unplug the FireTV Stick USB from the power brick only and open a Terminal window.
    2. Navigate to script directory:
      Code:
      cd ~/Downloads/amonet-tank-v1.2.2/amonet/
    3. Run the boot recovery script to boot into twrp:
      Code:
      sudo bash boot-recovery.sh
    4. When the Terminal prompt says "Waiting for preloader", plug the USB into the computer.
    5. Go into ADB Shell:
      Code:
      adb shell
    6. Code:
      twrp wipe data
    7. Code:
      twrp wipe cache
    8. Code:
      twrp wipe dalvik
    9. Install rom:
      Code:
      twrp install /sdcard/tank-5.2.6.9-rooted_r1.zip
    10. Install Magisk:
      Code:
      twrp install /sdcard/Magisk-v19.2.zip
    11. Code:
      reboot -p
    12. Plug FireTV Stick into a TV or Monitor and wait for the "Optimizing Storage" screen to finish and re-register your device.

    TWRP Can Be Accessed Anytime via Boot Recovery Script*
    Run the boot-recovery script and plug the FireTV Stick into the computer.

    How to backup TWRP**
    I haven't made a backup yet via the command line. But I assume it would go as follow and if anyone wants to help, please do.
    1. Unplug the FireTV Stick USB from the power brick only and open a Terminal window.
    2. Navigate to script directory:
      Code:
      cd ~/Downloads/amonet-tank-v1.2.2/amonet/
    3. Run the boot recovery script to boot into twrp:
      Code:
      sudo bash boot-recovery.sh
    4. When the Terminal prompt says "Waiting for preloader", plug the USB into the computer.
    5. Go into ADB Shell:
      Code:
      adb shell
    6. Create a TWRP backup (everything):
      Code:
      twrp backup twrp
      OR here is a list of partitions that can be backed up.

    Here is a list of bloatware to disable***
    Be extremely careful. Disabling the wrong thing can break your FireTV Stick! - Link

    1. Enable ADB debugging via FireTV Stick Settings and get the ip address under About.
    2. Connect to the FireTV Stick via Wifi:
      Code:
      adb kill-server
      adb start-server
      adb connect <ip-address>:5555 # Grant access via prompt on TV or monitor.
      adb shell
      su
    3. If su command does not work in shell, then open Magisk app and grant root access to shell (in sidebar menu).
    4. Disable bloat as shown in the link above. Be careful!!
    5
    I have not ported my bootmenu recovery to this device yet. I'll try to work on getting the device added to my build system and see what I can put together. Unfortunately I don't have any time this weekend, I'll see if I can get something going next weekend.