What shows your TV or Display if you connect it to the sticks HDMI?
Do you see the logo screen with the ' hacked fastboot by... ' message down in the edge/corner of the display?
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 2nd gen (tank)
- Thread starter k4y0z
- Start date
Do you see the logo screen with the ' hacked fastboot by... ' message down in the edge/corner of the display?
After the reboot to unlocked fastboot (when bootrom-step.sh finishes) i just see the normal amazon logo and the update loop starts again.
Same happens when i simply plug it in
Maybe try/run the boot-fastboot script, then connect the stick...
Check
fastboot devices
and if there is a device, run
fastboot erase userdata
fastboot erase cache
That may wipe the update loop.
If that won't work you may need to edit the main.py of amonet in order to clear the partitions or just to write the TWRP image.
Trying to run this command gives a blank result, apparently it's not detected but i can see the stick's internal storage through a file manager
Problem is, i don't really know what to edit in the script, it looks confusing for me
Thats odd. Seems something is messed up seriously.
If fastboot isn't aviable because the failed update let the stick always bootloop into the stock recovery, then flashing TWRP via bootrom-step is the only thing which may help to unbrick, idk.
@Rortiz2 may know how to edit the main.py in order to flash twrp to the recovery partition...
Considering how big the recovery partition is and how slow the bootrom I/O speeds can be, it will surely take up to hours. The following code snippet should be more than enough to flash TWRP. Make sure the file exists in the bin folder.
Code:
log("Flash recovery")
switch_user(dev)
flash_binary(dev, "../bin/twrp.img", gpt["recovery"][0], gpt["recovery"][1] * 0x200)Copy/Paste Rogers code between part #7 and #8 in the main.py (amonet/modules folder) and let it run until the end. If you get an error, take a screenshot and try again.
I ran the updated script, and after completion it still rebooted to the update loop
Is this normal or do i need to do something else?
What screens do you see on your display at boot?
Can you post the amonet.log here into code tags, it's somewhere in your amonet folder...
Code:
[2022-10-26 21:03:41.847693] Waiting for bootrom
[2022-10-26 21:03:48.135418] Found port = /dev/ttyACM0
[2022-10-26 21:03:48.137423] Handshake
[2022-10-26 21:03:48.141410] Disable watchdog
[2022-10-26 21:03:51.487357] Init crypto engine
[2022-10-26 21:03:51.730334] Disable caches
[2022-10-26 21:03:51.734332] Disable bootrom range checks
[2022-10-26 21:03:51.858995] Load payload from ../brom-payload/build/payload.bin = 0x4550 bytes
[2022-10-26 21:03:51.862244] Send payload
[2022-10-26 21:03:56.304274] Let's rock
[2022-10-26 21:03:56.309290] Wait for the payload to come online...
[2022-10-26 21:03:57.375304] all good
[2022-10-26 21:03:57.375540] Check GPT
[2022-10-26 21:03:57.699202] gpt_parsed = {'KB': (2048, 2048), 'DKB': (4096, 2048), 'EXPDB': (6144, 35584), 'UBOOT': (41728, 2048), 'boot': (43776, 32768), 'recovery': (76544, 32768), 'MISC': (109312, 1024), 'LOGO': (110336, 7168), 'TEE1': (117504, 10240), 'TEE2': (127744, 10240), 'system': (137984, 1761280), 'cache': (1899264, 512000), 'userdata': (2411264, 12858591), '': (0, 1)}
[2022-10-26 21:03:57.699331] Check boot0
[2022-10-26 21:03:57.927255] Check rpmb
[2022-10-26 21:03:58.137252] Clear preloader header
[2022-10-26 21:03:58.549300] Downgrade rpmb
[2022-10-26 21:03:58.552225] Recheck rpmb
[2022-10-26 21:03:59.447284] rpmb downgrade ok
[2022-10-26 21:03:59.447468] Flash lk-payload
[2022-10-26 21:03:59.790253] Flash tz
[2022-10-26 21:04:57.918712] Flash recovery
[2022-10-26 21:10:34.708266] Flash lk
[2022-10-26 21:10:53.054287] Inject microloader
[2022-10-26 21:10:53.470272] Force fastboot
[2022-10-26 21:10:53.769256] Flash preloader
[2022-10-26 21:10:59.006170] Reboot to unlocked fastbootAt boot, i see the normal amazon logo, and then the installing for latest software update screen, which will get stuck and show that it was not succesful, then cycle repeats
Cursed firestick I guess, lol
Before you trash that stick into the bin, you can use rogers code to flash stuff to other partitions.
Maybe it helps if you wipe the Cache partition, because there may be cache recovery commands for the recovery on it, causing this loop. Flashing a small (almost empty) image file to Cache may delete the commands over there...
and a new one again... 5.2.9.2 r 681822620 822620
Hi, i managed to follow the guide but lost power to stick after it had completed
I know get this error when i try to do it again
[2022-11-20 16:33:16.336204] Waiting for bootrom
[2022-11-20 16:33:21.871919] Found port = /dev/ttyACM0
[2022-11-20 16:33:21.872326] Handshake
[2022-11-20 16:33:21.873015] Disable watchdog
* * * Remove the short and press Enter * * *
[2022-11-20 16:33:27.323418] Init crypto engine
[2022-11-20 16:33:27.352025] Disable caches
[2022-11-20 16:33:27.352387] Disable bootrom range checks
[2022-11-20 16:33:27.363951] Load payload from ../brom-payload/build/payload.bin = 0x4550 bytes
[2022-11-20 16:33:27.365828] Send payload
[2022-11-20 16:33:27.894944] Let's rock
[2022-11-20 16:33:27.895496] Wait for the payload to come online...
[2022-11-20 16:33:28.397916] all good
[2022-11-20 16:33:28.398319] Check GPT
Traceback (most recent call last):
File "main.py", line 158, in <module>
main()
File "main.py", line 83, in main
switch_user(dev)
File "main.py", line 54, in switch_user
block = dev.emmc_read(0)
File "/root/Desktop/amonet-tank-v1.2.2/amonet/modules/common.py", line 193, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail
Strangely enough when i plug stick in usb without shorting its goes through the steps to remove short. have i damaged the resistor or am i missing something,
I know get this error when i try to do it again
[2022-11-20 16:33:16.336204] Waiting for bootrom
[2022-11-20 16:33:21.871919] Found port = /dev/ttyACM0
[2022-11-20 16:33:21.872326] Handshake
[2022-11-20 16:33:21.873015] Disable watchdog
* * * Remove the short and press Enter * * *
[2022-11-20 16:33:27.323418] Init crypto engine
[2022-11-20 16:33:27.352025] Disable caches
[2022-11-20 16:33:27.352387] Disable bootrom range checks
[2022-11-20 16:33:27.363951] Load payload from ../brom-payload/build/payload.bin = 0x4550 bytes
[2022-11-20 16:33:27.365828] Send payload
[2022-11-20 16:33:27.894944] Let's rock
[2022-11-20 16:33:27.895496] Wait for the payload to come online...
[2022-11-20 16:33:28.397916] all good
[2022-11-20 16:33:28.398319] Check GPT
Traceback (most recent call last):
File "main.py", line 158, in <module>
main()
File "main.py", line 83, in main
switch_user(dev)
File "main.py", line 54, in switch_user
block = dev.emmc_read(0)
File "/root/Desktop/amonet-tank-v1.2.2/amonet/modules/common.py", line 193, in emmc_read
raise RuntimeError("read fail")
RuntimeError: read fail
Strangely enough when i plug stick in usb without shorting its goes through the steps to remove short. have i damaged the resistor or am i missing something,
Yes, broken resistor is probably the issue. Can you take a detailed picture?
Is there any hope for a FireTV 2nd generation OS 5.2.9.1 ?
On power up it go into Optimization and stays there. Let it run
for a couple days with no change. I try a few other methods using a keyboard
to get into a recovery but it didn't work. I am not a heavy software guy
so if there is someway of getting this to work again I would need
a step by step guide. Video even better.
Thank you,
Ken
On power up it go into Optimization and stays there. Let it run
for a couple days with no change. I try a few other methods using a keyboard
to get into a recovery but it didn't work. I am not a heavy software guy
so if there is someway of getting this to work again I would need
a step by step guide. Video even better.
Thank you,
Ken
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
1
hehe ok.
A steady hand is needed!
I think i need to read quite a bit more before doing this.
Was hoping i could root it and install IinageOS. -
67Read this whole guide before starting.
This is for the 2nd gen Fire TV Stick (tank)
Current relase: amonet-tank-v1.2.2.zip
NOTE: Recent reports indicate a change that disables brom DL-mode
The change seems to have been introduced with devices that where manufactured in December 2019 or later.
The change is unrelated to the software-version and results in the device not showing up as a USB device when shorted.
Unfortunately these devices cannot currently be unlocked.
NOTE: If you are on version 1.0, don't update to 1.2.1 through TWRP, as there is a bug.
NOTE: This issue has been fixed in version 1.2.2
NOTE: When updating from version 1.0, don't install anything else before rebooting
To update to the current release if you are already unlocked, just flash the zip in TWRP.
What you need:
- A Linux installation or live-system
- A micro-USB cable
- Something conductive (paperclip, tweezers etc)
- Something to open the stick.
NOTE:Ideally you want to update your system to 5.2.6.9 before starting this process, since this flashes the 5.2.6.8 boot.img and people have reported issues with adb-authorization with older firmware.
Since version 1.2 this isn't required, because instead of flashing the 5.2.6.9 boot.img, your existing boot.img will be patched.
It is still recommended to first update to 5.2.6.9
Install python3, PySerial, adb and fastboot. For Debian/Ubuntu something like this should work:
Code:sudo apt update sudo add-apt-repository universe sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot
Make sure ModemManager is disabled or uninstalled:
Code:sudo systemctl stop ModemManager sudo systemctl disable ModemManager
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)
1. Extract the attached zip-file "amonet-tank-v1.2.2.zip" and open a terminal in that directory.
2. start the script:
Code:./bootrom-step.sh
It should now say Waiting for bootrom.
Short CLK to GND (The metal shielding is also GND) according to the attached photo and plug it in.
NOTE:
In lsusb the boot-rom shows up as:
Code:Bus 002 Device 013: ID [b]0e8d:0003[/b] MediaTek Inc. MT6227 phone
If it shows up as:
instead, you are in preloader-mode, try again.Code:Bus 002 Device 014: ID [b]0e8d:2000[/b] MediaTek Inc. MT65xx Preloader
dmesg lists the correct device as:
Code:[ 6383.962057] usb 2-2: New USB device found, idVendor=[b]0e8d[/b], idProduct=[b]0003[/b], bcdDevice= 1.00
4. When the script asks you to remove the short, remove the short and press enter.
5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.
6. Your device should now reboot into unlocked fastboot state.
7. Run
Code:./fastboot-step.sh
8. Wait for the device to reboot into TWRP.
9. Use TWRP to flash custom ROM, Magisk etc.
NOTE:
Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit,
your device will likely not boot anymore (unless you flashed a signed image).
TWRP will patch recovery/boot-images on the fly.
NOTE:
This process does not disable OTA or does any other modifications to your system.
You will have to do that according to the other guides in this forum.
Very special thanks to @xyz` for making all this possible and putting up with the countless questions I have asked, helping me finish this.
Thanks to @hwmod for doing initial investigations and providing the attached image.12There are three options for interacting with TWRP:
- A mouse via USB-OTG
- TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
- Via /cache/recovery/command
Example for /cache/recovery/command:
Code:echo "--update_package=/path/to/zipfile" > /cache/recovery/command echo "--wipe_cache" >> /cache/recovery/command reboot recovery
Should you somehow end in a bootloop you can boot into hacked fastboot or recovery using.
Code:sudo ./boot-fastboot.sh
Code:sudo ./boot-recovery.sh
NOTE:This will only work if the boot-exploit is still there.
Source Code:
https://github.com/chaosmaster/amonet
https://github.com/chaosmaster/android_bootable_recovery9Changelog
Version 1.2 (25.03.2019)
- Update TWRP to twrp-9.0 sources
- Implement downgrade-protection for LK/PL/TZ
- Add scripts to enter fastboot/recovery in case of bootloop
- Automatically restore boot-patch when you boot into recovery
Features.
- Hacked fastboot mode lets you use all fastboot commands (flash etc).
- Boots custom/unsigned kernel-images (need to be patched)
- For the devs: sets printk.disable_uart=0 (enables debug-output over UART).
- TWRP protects from accidental lk/preloader/tz downgrades
- Set bootmode via preloader
NOTE: Hacked fastboot can be reached via TWRP.
NOTE: Hacked fastboot won't patch your boot/recovery-images, so you can easily go back to stock.
Use TWRP for autopatching.8Please read the instructions k4y0z wrote (1st page), then read the extra info below. It was my first time rooting a FireTV Stick via hardware and I had a lot of questions. Although, most answered via post replies throughout this thread. Here is a descriptive version of the rooting process for other beginners from what I learned.
Any damages or issues resulting from rooting your own device falls on you!
EDIT: I know this is long, but if you are a beginner DO NOT SKIM THROUGH.
A Linux operating system is required. Ubuntu 19.04 is recommended and the following instructions are for Debian based systems like Ubuntu.
The following packages were used (Check for updates):
Amonet-tank-v1.2.2
tank-5.2.6.9-rooted_r1
Magisk-v19.2
Everything was saved to the Downloads folder.
Step 0: Open the FireTV Stick
- Use a plastic tool like an unused credit card. With a bit of force push the plastic tool into the edge (seam) of the FireTV Stick while slightly popping the side wall outwards until a snap. Continue on all sides until the plastic shell can be separated. Then, remove the motherboard. Disassembly video - Link
- On the side with the smaller metal shield, use a thin blunt knife or flathead. Start near the HDMI port above and below the black pad. There are small gaps that can be used to push the metal shield up. Continue around the metal shield until it is removed. Be careful not to scratch the board and leave the metal rim.
- Attach the micro USB cable to the FireTV Stick but not to a computer!
- Extract “amonet-tank-v1.2.2.zip” in the Downloads folder and open a Terminal on a Linux system.
Step 1: Update Ubuntu
Code:sudo apt update && sudo apt upgrade -y
Step 2: Install Dependencies (Ignore if Android Studio is installed)
Code:sudo apt install python3 python3-serial android-tools-adb android-tools-fastboot
Step 3: Stop and Disable ModemManager
Code:sudo systemctl stop ModemManager sudo systemctl disable ModemManager
Step 4: Short CLK to GND (Please read k4y0z instructions as well)
- Navigate to script directory:
Code:
cd ~/Downloads/amonet-tank-v1.2.2/amonet/ - Start the script:
Code:
sudo bash bootrom-step.sh - When the Terminal prompt says "waiting for bootrom" (Easiest with two people)
- Place the removed metal shield next to the disassembled FireTV Stick. If it doesn't short, then use k4y0z suggested GND method.
- Use a paperclip (etc), and lightly touch the bottom metal piece of the CLK to the metal shield (CLK location, but use metal shield as GND). The CLK is tiny so be careful.
- Plug the USB cable connected to the FireTV Stick into the computer while holding the short!!! When I did it, I accidentally lost the short but it still worked (uncommon).
- The Terminal prompt will say when to "remove the short and press enter".
- Wait until the script finishes. If the script stalls, unplug USB and start the script again and short.
- Run fastboot script:
Code:
sudo bash fastboot-step.sh - Next step has instructions.
Step 5: Using Fastboot to install Roms and Magisk
- Wait for the FireStick to reboot into TWRP
- Push Tank’s prerooted rom zip file onto the FireTV Stick sd card:
Code:
adb push ~/Downloads/tank-5.2.6.9-rooted_r1.zip /sdcard/ - Push Magisk zip file:
Code:
adb push ~/Downloads/Magisk-v19.2.zip /sdcard/ - Go into ADB Shell:
Code:
adb shell - Install rom:
Code:
twrp install /sdcard/tank-5.2.6.9-rooted_r1.zip - Install Magisk:
Code:
twrp install /sdcard/Magisk-v19.2.zip - EDIT: STOP! DO NOT WIPE ANYTHING OTHER THEN WHAT WAS STATED OR SKIP WIPING ENTIRELY IF YOU'RE A BEGINNER! You can skip wiping and reboot (#9 & #10) or decide if you want to wipe the cache and dalvik only (advanced):
Code:
twrp wipe cache -
Code:
twrp wipe dalvik -
Code:
reboot -p - Unplug USB and plug the disassembled FireTV Stick into a monitor or TV. Use the power brick and handle with care.
- The "Optimizing Storage" screen will display and will take 10 minutes to complete.
Optimizing Storage Screen Hangs Issue*
Try plugging the FireTV Stick's USB to a different power brick temporarily.
Otherwise and unfortunately, the following instructions will erase your apps and will force you to re-register your FireTV Stick.
- Unplug the FireTV Stick USB from the power brick only and open a Terminal window.
- Navigate to script directory:
Code:
cd ~/Downloads/amonet-tank-v1.2.2/amonet/ - Run the boot recovery script to boot into twrp:
Code:
sudo bash boot-recovery.sh - When the Terminal prompt says "Waiting for preloader", plug the USB into the computer.
- Go into ADB Shell:
Code:
adb shell -
Code:
twrp wipe data -
Code:
twrp wipe cache -
Code:
twrp wipe dalvik - Install rom:
Code:
twrp install /sdcard/tank-5.2.6.9-rooted_r1.zip - Install Magisk:
Code:
twrp install /sdcard/Magisk-v19.2.zip -
Code:
reboot -p - Plug FireTV Stick into a TV or Monitor and wait for the "Optimizing Storage" screen to finish and re-register your device.
TWRP Can Be Accessed Anytime via Boot Recovery Script*
Run the boot-recovery script and plug the FireTV Stick into the computer.
How to backup TWRP**
I haven't made a backup yet via the command line. But I assume it would go as follow and if anyone wants to help, please do.
- Unplug the FireTV Stick USB from the power brick only and open a Terminal window.
- Navigate to script directory:
Code:
cd ~/Downloads/amonet-tank-v1.2.2/amonet/ - Run the boot recovery script to boot into twrp:
Code:
sudo bash boot-recovery.sh - When the Terminal prompt says "Waiting for preloader", plug the USB into the computer.
- Go into ADB Shell:
Code:
adb shell - Create a TWRP backup (everything):
OR here is a list of partitions that can be backed up.Code:
twrp backup twrp
Here is a list of bloatware to disable***
Be extremely careful. Disabling the wrong thing can break your FireTV Stick! - Link
- Enable ADB debugging via FireTV Stick Settings and get the ip address under About.
- Connect to the FireTV Stick via Wifi:
Code:adb kill-server adb start-server adb connect <ip-address>:5555 # Grant access via prompt on TV or monitor. adb shell su - If su command does not work in shell, then open Magisk app and grant root access to shell (in sidebar menu).
- Disable bloat as shown in the link above. Be careful!!
