[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)

Search This thread

Sus_i

Senior Member
Apr 9, 2013
1,576
681
I'm touching the exact locations indicated by the picture not sure whats else it can be.
Maybe try it this way:
1. Don't run any script from OP.
2. Then add/keep the short and connect the USB.
3. Now take a look into lsusb:
- If you get MediaTek Inc. MT6227 phone message, run the bootrom-script with sudo...
- If you get something with preloader, unplug the stick and try again.
- If you get no message at all in lsusb while keeping the short, the BR-Mode is disabled, OP wont work for your stick.
 
  • Like
Reactions: brentonv

brentonv

Senior Member
Aug 7, 2018
102
21
Last time I looked into an OTA there was no efuse burner, so it shouldn't matter for the tank stick. There are also no image-updates (like TZ) required. I would just flash the 5.2.6.0... factory reset only if you get some issues..(y)
@Sus_i thanks mate,
I'm not sure what you mean by TZ "There are also no image-updates (like TZ) required."

And you think it's fine to run the exploit on an original 5.2.6.0 device. When I do this do you know if it's possible to retrieve the system image/bin file from the device. This is my preferred tank FireOS and it would be great if I could retrieve it
 
  • Like
Reactions: Sus_i

Sus_i

Senior Member
Apr 9, 2013
1,576
681
@Sus_i thanks mate,
I'm not sure what you mean by TZ "There are also no image-updates (like TZ) required."
The 4k stick needs sometimes an update of the TZ image, which is located inside the OTA... but there are no updates like that for the tank stick...
And you think it's fine to run the exploit on an original 5.2.6.0 device. When I do this do you know if it's possible to retrieve the system image/bin file from the device. This is my preferred tank FireOS and it would be great if I could retrieve it
Yes, it's fine, but I don't have an URL for the stock 5.2.6.0 rom.
You can take a TWRP backup if you like, in order to backup that OS.
If you want to be 100% safe, take also a dd image from system partition.
 
  • Like
Reactions: brentonv

brentonv

Senior Member
Aug 7, 2018
102
21
Yes, it's fine, but I don't have an URL for the stock 5.2.6.0 rom.
You can take a TWRP backup if you like, in order to backup that OS.
If you want to be 100% safe, take also a dd image from system partition.
I meant is the stock rom/bin file retrievable at all from a recovery folder or partition. From your response I assume not, but taking a TWRP/DD backup is a good idea
 
  • Like
Reactions: Sus_i

yass

Senior Member
Aug 14, 2005
85
14
Hello,

Im trying to root a Fire TV Stick 2, but Ive hit a snag. The initial steps are successfull, no problems until I reach the fasboot-step.sh. The process just hangs, no errors. I can only see the amazon bootlogo, and at the bottom left:

=> HACKED FASTBOOT mode: (0) - xyz, k4y0z, NW

Ive tried with and without sudo, tried doing the steps manually, but nothing seems to work. I can see the device with fastboot devices.

Anyone got any ideas with this issue?


Thanks in advance and best regards,
yass


EDIT: Nevermind solved the issue. The Debian system I was using had a 'faulty' fastboot iguess. Downloaded the platform tools from google and worked fine.
 
Last edited:
  • Like
Reactions: brentonv

Sus_i

Senior Member
Apr 9, 2013
1,576
681
@Sus_i can you please suggest the DD command for backing up system partition.
I'm not familiar with the recommended block size and options.
Thanks
Something like this should work to do a backup of system and boot (you need about 850mb free space on data):
Code:
adb shell
su
dd if=/dev/block/platform/mtk-msdc.0/by-name/system of=/sdcard/system.img
dd if=/dev/block/platform/mtk-msdc.0/by-name/boot of=/sdcard/boot.img
exit

Then adb pull both from the stick. In case you ever need it, if your TWRP backup doesn't work somehow, you can flash it back with dd in adb shell (push it back to sdcard) or via hacked fastboot, 'fastboot flash system system.img' from your PC, do the same for the corresponding boot.img.
 
  • Like
Reactions: brentonv

c1u3

New member
Jan 1, 2022
1
0
[2022-01-01 21:40:03.635151] Waiting for bootrom
[2022-01-01 21:40:27.458209] Found port = /dev/ttyACM0
[2022-01-01 21:40:27.460104] Handshake
[2022-01-01 21:40:27.465907] Disable watchdog

* * * Remove the short and press Enter * * *


[2022-01-01 21:40:32.979327] Init crypto engine
[2022-01-01 21:40:33.215700] Disable caches
[2022-01-01 21:40:33.218705] Disable bootrom range checks
[2022-01-01 21:40:33.348316] Load payload from ../brom-payload/build/payload.bin = 0x4550 bytes
[2022-01-01 21:40:33.376958] Send payload
[2022-01-01 21:40:39.483068] Let's rock
[2022-01-01 21:40:39.489928] Wait for the payload to come online...
[2022-01-01 21:40:40.556514] all good
[2022-01-01 21:40:40.558422] Check GPT
Traceback (most recent call last):
File "main.py", line 158, in <module>
main()
File "main.py", line 83, in main
switch_user(dev)
File "main.py", line 57, in switch_user
raise RuntimeError("what's wrong with your GPT?")
RuntimeError: what's wrong with your GPT?





Ran correct the first time. But since the device was not discoverable by my machine via a USB host adapter, I tried it direct and it worked. Didnt work the second time and it fails in the Check GPT method.
 

L8KERS24LIFE

New member
Jan 22, 2022
2
1
New here and tried my best for the last week to read as many posts as possible before reaching out.

My story is.. i followed all instruction and was able to root 2nd gen firestick. Of course, I updated Magisk in the stick instead of flashing in TWRP. (I knew i read it too, but forgot due to the excitement).

Now stuck at amazon logo.. tried flashboot, boot recovery... get to TWRP but Magisk already says installed...

so what step am i missing? any help would be greatly appreciated. Thank you.

oh and can't get boot recovery to recognize preload with otg cable. so when it boots to TWRP in recovery I can't seem to run commands
 
Last edited:

Sus_i

Senior Member
Apr 9, 2013
1,576
681
New here and tried my best for the last week to read as many posts as possible before reaching out.

My story is.. i followed all instruction and was able to root 2nd gen firestick. Of course, I updated Magisk in the stick instead of flashing in TWRP. (I knew i read it too, but forgot due to the excitement).

Now stuck at amazon logo.. tried flashboot, boot recovery... get to TWRP but Magisk already says installed...

so what step am i missing? any help would be greatly appreciated. Thank you.
Get into TWRP, flash a clean fireOS via update.bin file and then the magisk.zip.
oh and can't get boot recovery to recognize preload with otg cable. so when it boots to TWRP in recovery I can't seem to run commands
ADB and TWRP Commandline wont work via OTG...
 

bkasyap

Member
Sep 28, 2014
8
1
Read this whole guide before starting.

This is for the 2nd gen Fire TV Stick (tank)

Current relase: amonet-tank-v1.2.2.zip

NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that where manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.

NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting



To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:
  • A Linux installation or live-system
  • A micro-USB cable
  • Something conductive (paperclip, tweezers etc)
  • Something to open the stick.


NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9


Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

Make sure ModemManager is disabled or uninstalled:
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager


NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)


1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:
Code:
./bootrom-step.sh

It should now say Waiting for bootrom.

Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.


NOTE:

In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

If it shows up as:
Code:
Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00


4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Use TWRP to flash custom ROM, Magisk etc.


NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.

NOTE:
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.



Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.
I am able to flash the bootrom but the reboot to fast boot is not working please suggest what should I do. step 6 is not working as it is rebooting but not into fast boot.
 

Sus_i

Senior Member
Apr 9, 2013
1,576
681
I am able to flash the bootrom but the reboot to fast boot is not working please suggest what should I do. step 6 is not working as it is rebooting but not into fast boot.
Thats fine.
Take a look here:
 

jdson

New member
Dec 2, 2021
4
0
Hi,
My Fire TV Stick 2nd Gen is stuck on Fire TV logo with 3 dots.
I am trying to resolve it using this method. But, thing is I am unable to get my device detected when I Short CLK to GND also tried metal shielding. It just stays at 'Waiting for bootrom', nothing happens. In Device Manager it shows under 'Ports (COM & LPT) MediaTek USB Port (Com10)' & just repeats getting connected & disconnected.
Also, tried on another laptop it didn't work.
Can anyone guide me please.
Thanks.
 

GasLyx

New member
Nov 15, 2013
2
1
Hi,
My Fire TV Stick 2nd Gen is stuck on Fire TV logo with 3 dots.
I am trying to resolve it using this method. But, thing is I am unable to get my device detected when I Short CLK to GND also tried metal shielding. It just stays at 'Waiting for bootrom', nothing happens. In Device Manager it shows under 'Ports (COM & LPT) MediaTek USB Port (Com10)' & just repeats getting connected & disconnected.
Also, tried on another laptop it didn't work.
Can anyone guide me please.
Thanks.
Try adding 'sudo' before copying the script code.
 
  • Like
Reactions: Sus_i

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Hello everyone, does this unlock method work on 5.2.8.8?
    It isn't OS depended, but they shipped some patched devices out... and no one knows the answer without to try.
  • 66
    Read this whole guide before starting.

    This is for the 2nd gen Fire TV Stick (tank)

    Current relase: amonet-tank-v1.2.2.zip

    NOTE: Recent reports indicate a change that disables brom DL-mode
    The change seems to have been introduced with devices that where manufactured in December 2019 or later.
    The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
    Unfortunately these devices cannot currently be unlocked.

    NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
    NOTE: This issue has been fixed in version 1.2.2
    NOTE: When updating from version 1.0, don't install anything else before rebooting



    To update to the current release if you are already unlocked, just flash the zip in TWRP.

    What you need:
    • A Linux installation or live-system
    • A micro-USB cable
    • Something conductive (paperclip, tweezers etc)
    • Something to open the stick.


    NOTE: Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
    Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
    It is still recommended to first update to 5.2.6.9


    Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
    Code:
    sudo apt update
    sudo add-apt-repository universe
    sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

    Make sure ModemManager is disabled or uninstalled:
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager


    NOTE: If you have issues running the scripts, you might have to run them using sudo.
    Also try using different USB-ports (preferably USB-2.0-ports)


    1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
    2. start the script:
    Code:
    ./bootrom-step.sh

    It should now say Waiting for bootrom.

    Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.


    NOTE:

    In lsusb the boot-rom shows up as:
    Code:
    Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone

    If it shows up as:
    Code:
    Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
    instead, you are in preloader-mode, try again.

    dmesg lists the correct device as:
    Code:
    [ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00


    4. When the script asks you to remove the short, remove the short and press enter.

    5. Wait for the script to finish.
    If it stalls at some point, stop it and restart the process from step 2.

    6. Your device should now reboot into unlocked fastboot state.

    7. Run
    Code:
    ./fastboot-step.sh

    8. Wait for the device to reboot into TWRP.

    9. Use TWRP to flash custom ROM, Magisk etc.


    NOTE:
    Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
    your device will likely not boot anymore (unless you flashed a signed image).
    TWRP will patch recovery/boot-images on the fly.


    NOTE:
    This process does not disable OTA or does any other modifications to your system.
    You will have to do that according to the other guides in this forum.


    Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
    Thanks to @hwmod for doing initial investigations and providing the attached image.
    12
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop you can boot into hacked fastboot or recovery using.
    Code:
    sudo ./boot-fastboot.sh

    Code:
    sudo ./boot-recovery.sh

    NOTE:This will only work if the boot-exploit is still there.

    Source Code:
    https://github.com/chaosmaster/amonet
    https://github.com/chaosmaster/android_bootable_recovery
    9
    Changelog

    Version 1.2 (25.03.2019)
    • Update TWRP to twrp-9.0 sources
    • Implement downgrade-protection for LK/PL/TZ
    • Add scripts to enter fastboot/recovery in case of bootloop
    • Automatically restore boot-patch when you boot into recovery

    Features.

    • Hacked fastboot mode lets you use all fastboot commands (flash etc).
    • Boots custom/unsigned kernel-images (need to be patched)
    • For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
    • TWRP protects from accidental lk/preloader/tz downgrades
    • Set bootmode via preloader

    NOTE: Hacked fastboot can be reached via TWRP.

    NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
    Use TWRP for autopatching.
    8
    Please read the instructions k4y0z wrote (1st page), then read the extra info below. It was my first time rooting a FireTV Stick via hardware and I had a lot of questions. Although, most answered via post replies throughout this thread. Here is a descriptive version of the rooting process for other beginners from what I learned.

    Any damages or issues resulting from rooting your own device falls on you!

    EDIT: I know this is long, but if you are a beginner DO NOT SKIM THROUGH.

    A Linux operating system is required. Ubuntu 19.04 is recommended and the following instructions are for Debian based systems like Ubuntu.

    The following packages were used (Check for updates):
    Amonet-tank-v1.2.2
    tank-5.2.6.9-rooted_r1
    Magisk-v19.2
    Everything was saved to the Downloads folder.

    Step 0: Open the FireTV Stick
    1. Use a plastic tool like an unused credit card. With a bit of force push the plastic tool into the edge (seam) of the FireTV Stick while slightly popping the side wall outwards until a snap. Continue on all sides until the plastic shell can be separated. Then, remove the motherboard. Disassembly video - Link
    2. On the side with the smaller metal shield, use a thin blunt knife or flathead. Start near the HDMI port above and below the black pad. There are small gaps that can be used to push the metal shield up. Continue around the metal shield until it is removed. Be careful not to scratch the board and leave the metal rim.
    3. Attach the micro USB cable to the FireTV Stick but not to a computer!
    4. Extract “amonet-tank-v1.2.2.zip” in the Downloads folder and open a Terminal on a Linux system.

    Step 1: Update Ubuntu
    Code:
    sudo apt update && sudo apt upgrade -y

    Step 2: Install Dependencies (Ignore if Android Studio is installed)
    Code:
    sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot

    Step 3: Stop and Disable ModemManager
    Code:
    sudo systemctl stop ModemManager
    sudo systemctl disable ModemManager

    Step 4: Short CLK to GND (Please read k4y0z instructions as well)
    1. Navigate to script directory:
      Code:
      cd ~/Downloads/amonet-tank-v1.2.2/amonet/
    2. Start the script:
      Code:
      sudo bash bootrom-step.sh
    3. When the Terminal prompt says "waiting for bootrom" (Easiest with two people)
    4. Place the removed metal shield next to the disassembled FireTV Stick. If it doesn't short, then use k4y0z suggested GND method.
    5. Use a paperclip (etc), and lightly touch the bottom metal piece of the CLK to the metal shield (CLK location, but use metal shield as GND). The CLK is tiny so be careful.
    6. Plug the USB cable connected to the FireTV Stick into the computer while holding the short!!! When I did it, I accidentally lost the short but it still worked (uncommon).
    7. The Terminal prompt will say when to "remove the short and press enter".
    8. Wait until the script finishes. If the script stalls, unplug USB and start the script again and short.
    9. Run fastboot script:
      Code:
      sudo bash fastboot-step.sh
    10. Next step has instructions.

    Step 5: Using Fastboot to install Roms and Magisk
    1. Wait for the FireStick to reboot into TWRP
    2. Push Tank’s prerooted rom zip file onto the FireTV Stick sd card:
      Code:
      adb push ~/Downloads/tank-5.2.6.9-rooted_r1.zip /sdcard/
    3. Push Magisk zip file:
      Code:
      adb push ~/Downloads/Magisk-v19.2.zip /sdcard/
    4. Go into ADB Shell:
      Code:
      adb shell
    5. Install rom:
      Code:
      twrp install /sdcard/tank-5.2.6.9-rooted_r1.zip
    6. Install Magisk:
      Code:
      twrp install /sdcard/Magisk-v19.2.zip
    7. EDIT: STOP! DO NOT WIPE ANYTHING OTHER THEN WHAT WAS STATED OR SKIP WIPING ENTIRELY IF YOU'RE A BEGINNER! You can skip wiping and reboot (#9 & #10) or decide if you want to wipe the cache and dalvik only (advanced):
      Code:
      twrp wipe cache
    8. Code:
      twrp wipe dalvik
    9. Code:
      reboot -p
    10. Unplug USB and plug the disassembled FireTV Stick into a monitor or TV. Use the power brick and handle with care.
    11. The "Optimizing Storage" screen will display and will take 10 minutes to complete.

    Optimizing Storage Screen Hangs Issue*
    Try plugging the FireTV Stick's USB to a different power brick temporarily.

    Otherwise and unfortunately, the following instructions will erase your apps and will force you to re-register your FireTV Stick.
    1. Unplug the FireTV Stick USB from the power brick only and open a Terminal window.
    2. Navigate to script directory:
      Code:
      cd ~/Downloads/amonet-tank-v1.2.2/amonet/
    3. Run the boot recovery script to boot into twrp:
      Code:
      sudo bash boot-recovery.sh
    4. When the Terminal prompt says "Waiting for preloader", plug the USB into the computer.
    5. Go into ADB Shell:
      Code:
      adb shell
    6. Code:
      twrp wipe data
    7. Code:
      twrp wipe cache
    8. Code:
      twrp wipe dalvik
    9. Install rom:
      Code:
      twrp install /sdcard/tank-5.2.6.9-rooted_r1.zip
    10. Install Magisk:
      Code:
      twrp install /sdcard/Magisk-v19.2.zip
    11. Code:
      reboot -p
    12. Plug FireTV Stick into a TV or Monitor and wait for the "Optimizing Storage" screen to finish and re-register your device.

    TWRP Can Be Accessed Anytime via Boot Recovery Script*
    Run the boot-recovery script and plug the FireTV Stick into the computer.

    How to backup TWRP**
    I haven't made a backup yet via the command line. But I assume it would go as follow and if anyone wants to help, please do.
    1. Unplug the FireTV Stick USB from the power brick only and open a Terminal window.
    2. Navigate to script directory:
      Code:
      cd ~/Downloads/amonet-tank-v1.2.2/amonet/
    3. Run the boot recovery script to boot into twrp:
      Code:
      sudo bash boot-recovery.sh
    4. When the Terminal prompt says "Waiting for preloader", plug the USB into the computer.
    5. Go into ADB Shell:
      Code:
      adb shell
    6. Create a TWRP backup (everything):
      Code:
      twrp backup twrp
      OR here is a list of partitions that can be backed up.

    Here is a list of bloatware to disable***
    Be extremely careful. Disabling the wrong thing can break your FireTV Stick! - Link

    1. Enable ADB debugging via FireTV Stick Settings and get the ip address under About.
    2. Connect to the FireTV Stick via Wifi:
      Code:
      adb kill-server
      adb start-server
      adb connect <ip-address>:5555 # Grant access via prompt on TV or monitor.
      adb shell
      su
    3. If su command does not work in shell, then open Magisk app and grant root access to shell (in sidebar menu).
    4. Disable bloat as shown in the link above. Be careful!!
    5
    I have not ported my bootmenu recovery to this device yet. I'll try to work on getting the device added to my build system and see what I can put together. Unfortunately I don't have any time this weekend, I'll see if I can get something going next weekend.