[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)

[k4y0z]

Read this whole guide before starting.

This is for the 2nd gen Fire TV Stick (tank)

Current relase: amonet-tank-v1.2.2.zip

NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that where manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.
NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting



To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:

• A Linux installation or live-system
• A micro-USB cable
• Something conductive (paperclip, tweezers etc)
• Something to open the stick.

NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9

Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:

sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

Make sure ModemManager is disabled or uninstalled:

sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)

1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:

./bootrom-step.sh

It should now say Waiting for bootrom.

Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.


NOTE:

In lsusb the boot-rom shows up as:

Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

If it shows up as:

Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader

instead, you are in preloader-mode, try again.

dmesg lists the correct device as:

[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run

./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk etc.


NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.

NOTE:
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.


Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.

 

[k4y0z]

Changelog

Version 1.2 (25.03.2019)

• Update TWRP to twrp-9.0 sources
• Implement downgrade-protection for LK/PL/TZ
• Add scripts to enter fastboot/recovery in case of bootloop
• Automatically restore boot-patch when you boot into recovery

Features.

• Hacked fastboot mode lets you use all fastboot commands (flash etc).
• Boots custom/unsigned kernel-images (need to be patched)
• For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
• TWRP protects from accidental lk/preloader/tz downgrades
• Set bootmode via preloader

NOTE: Hacked fastboot can be reached via TWRP.

NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.

 

[k4y0z]

There are three options for interacting with TWRP:

1. A mouse via USB-OTG
2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
3. Via /cache/recovery/command

Example for /cache/recovery/command:

echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery

Should you somehow end in a bootloop you can boot into hacked fastboot or recovery using.

sudo ./boot-fastboot.sh

sudo ./boot-recovery.sh

NOTE:This will only work if the boot-exploit is still there.

Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery

 

[krsmit0]

how would you get to twrp after rebooting to system?

 

[k4y0z]

how would you get to twrp after rebooting to system?

adb reboot recovery

 

[krsmit0]

adb reboot recovery

ok, made it to recovery. not sure how to navigate recovery.

 

[k4y0z]

ok, made it to recovery. not sure how to navigate recovery.

Either via adb shell, or a mouse via USB-OTG

 

[krsmit0]

Either via adb shell, or a mouse via USB-OTG

found this, thanks, didnt know about this

https://twrp.me/faq/openrecoveryscript.html

 

[Pix12]

Oh nice! I'll try it later today!

 

[krsmit0]

first one worked fine. second seemed to go ok but i cant get back in with adb. device unauthorized. i went through the process again to get back to recovery and i copied the adb_keys from the one that worked to the other one. permissions and ownership are the same, but it still says unauthorized. i also dont get the prompt to allow connection on the stick itself. i have connected with this stick through adb before this.

UPDATE: Factory reset didnt bring back the adb debug prompt. but an update did. I was on an older version.

 

[k4y0z]

first one worked fine. second seemed to go ok but i cant get back in with adb. device unauthorized. i went through the process again to get back to recovery and i copied the adb_keys from the one that worked to the other one. permissions and ownership are the same, but it still says unauthorized. i also dont get the prompt to allow connection on the stick itself. i have connected with this stick through adb before this.

Mhh, what Firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure, adb is enabled in developer settings?
If that doesn't help could you try factory reset?

 

[krsmit0]

Either via adb shell, or a mouse via USB-OTG

Mhh, what Firmware are you on?
Does it still boot normally?
Have you tried adb both over network and USB?
Can you make sure, adb is enabled in developer settings?
If that doesn't help could you try factory reset?

it took an update to resolve it. factory reset didnt work. i was not getting the adb authorization prompt so i couldnt boot to recovery. i have it back up and running.

 

[k4y0z]

it took an update to resolve it. factory reset didnt work. i was not getting the adb authorization prompt so i couldnt boot to recovery. i have it back up and running.

fastboot-step flashes the 5.2.6.8 boot.img, maybe that was causing an issue with older firmware.
Glad you got it solved. Now we also know updates are working fine (Allthough disabling OTA might not be the worst idea)

 

[AFTVnews.com]

The photo has the points labeled but doesn't specify what gets shorted. Are you supposed to short CLK to GND?

 

[k4y0z]

The photo has the points labeled but doesn't specify what gets shorted. Are you supposed to short CLK to GND?

Yes, exactly.
I have updated the OP.

 

[xenyz]

Wow, nice one @k4y0z. I'm so happy this little device can now have an unlocked bootloader; it's going to open up many possibilities on a device that is so inexpensive.

 

[narvaeztiamson]

My Firestick 4k bootloops

Sir i have a serious problem with my Firestick 4k. I experimented to sideload google play services on my FS 4k and it installed successfully. But when i restart my device it bootloops on and on to Firestick logo. Any solution sir? Damn i must have not do that. Please sir help me. I think i must hard reset the Firestick 4k but how?

 

[Chillalil]

Will the Playing with Fire pack work without any changes?

 

[LLStarks]

Any chance a similar exploit can be done on the 1st gen stick (montoya)?

 

[rbox]

Yes, exactly.
I have updated the OP.

It looks like there is a test point attached to the trace that looks like it's going to what's labeled as CLK. Is that what you can use to short, or do you have to short the thing you are pointing to?

Have you modified anything, or is this the stock stuff that the original exploit used? Are these .bin files what I would get if I were to compile everything from the github?