[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 3 and Fire TV Stick Lite (sheldon/p)

Search This thread

Xsavi

Senior Member
Mar 29, 2014
71
117
Georgia, USA
For anyone wondering, I purchased 2 FireTV sticks in the month of June. The unlock still works. Just make sure to not connect it to the network upon the first start. I immediately started the unlock process for this device once I recieved them.

They are currently running LineageOS and am gonna see about building my own custom ROM for this device. Some TV apps aren't supported, but that's nothing that root can't fix.
 

Criston

Senior Member
Nov 19, 2014
945
161
Guys I think i have corrupted the software by mistakenly unplugging my device while it was on finishing update screen and now its just stuck at fire tv animated logo i have even waited for more then 2 hours.

Is there any solution for this like flashing my firestick by using pc or by opening the stick have tried this method and got 0000 to 2001 something like that error.

By any chance will this guide be updated in near future for guys who are on updated firmware?😐

Edit - It started working again after I let it boot for 10-12 hours😅
 
Last edited:

paranormal11

Member
Aug 29, 2015
18
2
Hi, if i understand correctly is it possible to run the exploit in firmware higher than 7.2.7.3?
"Open up the main.py in kamakiri's modules folder and comment out (disable) line 73 to 76, i.e. set a # infont of each line. Then the script will skip reading the rpmb and proceed..."
is that correct?
i can execute the exploit and install android or i have to install twrp, make a downgrade and install android?
Thanks to all
 

Sus_i

Senior Member
Apr 9, 2013
1,657
706
Hi, if i understand correctly is it possible to run the exploit in firmware higher than 7.2.7.3?
No, it's not possible
"Open up the main.py in kamakiri's modules folder and comment out (disable) line 73 to 76, i.e. set a # infont of each line. Then the script will skip reading the rpmb and proceed..."
is that correct?
That is a quick fix if you get an error message about a failing rpmb downgrade on a vulnerable device.
i can execute the exploit and install android or i have to install twrp, make a downgrade and install android?
Thanks to all
No, you see if the stick gets 7.2.7.3 or later via stock recovery, then the exploit gets blocked.
But there is an easy workarround, just sell the stick and get another one, grab some old stock from a local shop.
 

paranormal11

Member
Aug 29, 2015
18
2
No, it's not possible

That is a quick fix if you get an error message about a failing rpmb downgrade on a vulnerable device.

No, you see if the stick gets 7.2.7.3 or later via stock recovery, then the exploit gets blocked.
But there is an easy workarround, just sell the stick and get another one, grab some old stock from a local shop.
Also the 7.2.7.3 firmware block the exploit? i must need to have a previous firmware version?
Right?
 

CoffeeSkwerl

Member
Mar 28, 2022
22
3
Errors Made,

After a personal loss, my installation was shelved, and as I re-attempted w/ fireOS, but soon realized I did not get ROM & GAPPS in the /sdcard/ folder in the firestick. TWRP loads, but sdcard folder is empty.
Using fireOS is it possible send or sideload zip files to the sdcard folder?
 

Rortiz2

Senior Member
Errors Made,

After a personal loss, my installation was shelved, and as I re-attempted w/ fireOS, but soon realized I did not get ROM & GAPPS in the /sdcard/ folder in the firestick. TWRP loads, but sdcard folder is empty.
Using fireOS is it possible send or sideload zip files to the sdcard folder?
Just use ADB sideload. adb shell twrp sideload to enter sideload mode and then adb sideload rom.zip.
 

CoffeeSkwerl

Member
Mar 28, 2022
22
3
Using fireOS through the root folder - via usb cable (FYI: I don't have the IP to ADB it wireless to stick)
Gets this error
# adb shell twrp sideload
adb : no devices/elmulators found
Rortiz2,
Thanks for your input; however, I am still unable to transfer any files to twrp on the stick. I have repeated the ADB sideload directions to send the ROM & GAPPS zips. Is there a way for the twrp on the firestick can recognize flash storage via the OTG cable connection?
 

dony71

Senior Member
Dec 1, 2010
290
15
I did update magisk and now my fire tv in boot loop
Trying to re-install TWRP but got this error below
Is fire tv died?

sudo ./bootrom-step.sh
[2022-06-20 11:15:08.873875] Waiting for device
[2022-06-20 11:15:31.857972] Found port = /dev/ttyACM0
[2022-06-20 11:15:31.868230] Handshake
Traceback (most recent call last):
File "/root/FireTV/kamakiri/modules/main.py", line 137, in <module>
main(dev)
File "/root/FireTV/kamakiri/modules/main.py", line 25, in main
load_pl_payload(dev)
File "/root/FireTV/kamakiri/modules/load_payload.py", line 45, in load_pl_payload
dev.handshake()
File "/root/FireTV/kamakiri/modules/common.py", line 116, in handshake
c = self._writeb(b'\xa0')
File "/root/FireTV/kamakiri/modules/common.py", line 111, in _writeb
return self.dev.read()
File "/usr/local/lib/python3.9/site-packages/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multip
le access on port?)
 

xflbret

Senior Member
Mar 15, 2013
346
36
Tucson, AZ
I am inexplicably stuck on step 2. It keeps telling me "command not found" even though I use the ls command and it's right there in my face. How can something not be found when it's right there?!?!?!?!?!?!?!?!?
 

xflbret

Senior Member
Mar 15, 2013
346
36
Tucson, AZ
proof that I'm not crazy, or even doing this wrong...
 

Attachments

  • not crazy.jpg
    not crazy.jpg
    138.7 KB · Views: 40

CoffeeSkwerl

Member
Mar 28, 2022
22
3
I did update magisk and now my fire tv in boot loop
Trying to re-install TWRP but got this error below
Is fire tv died?

sudo ./bootrom-step.sh
[2022-06-20 11:15:08.873875] Waiting for device
[2022-06-20 11:15:31.857972] Found port = /dev/ttyACM0
[2022-06-20 11:15:31.868230] Handshake
Traceback (most recent call last):
File "/root/FireTV/kamakiri/modules/main.py", line 137, in <module>
main(dev)
File "/root/FireTV/kamakiri/modules/main.py", line 25, in main
load_pl_payload(dev)
File "/root/FireTV/kamakiri/modules/load_payload.py", line 45, in load_pl_payload
dev.handshake()
File "/root/FireTV/kamakiri/modules/common.py", line 116, in handshake
c = self._writeb(b'\xa0')
File "/root/FireTV/kamakiri/modules/common.py", line 111, in _writeb
return self.dev.read()
File "/usr/local/lib/python3.9/site-packages/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multip
le access on port?)
I made that same mistake Sunday, so I had to open fireOS with a
- "fresh zip of kamakiri-Sheldon-1.0" (Yes, use a new zip)
- boot-recovery.sh
- gpt-fix.sh.
- Then followed by reinstalling LOS 18.1 zip
- Magisk apk, and it's good again.

BTW - I don't install the GAPPS (Less Goo - option)
 

xflbret

Senior Member
Mar 15, 2013
346
36
Tucson, AZ
Do a ls -l so we can see file permissions. I think the problem might be it's not an executable file, ls -l will show it.
I am happy to do that. I am getting ready for bed now. But, when I attack this again in a day or so I'll give it a shot. But, given that I booted from the Fire ISO 2.0, and I downloaded the kamakiri folder from where this thread told me to...shouldn't the permissions already be handled? If not, what do I have to do to make it so I can do what I need to do?
 

bloot

Senior Member
Feb 10, 2008
515
225
Barcelona
I am happy to do that. I am getting ready for bed now. But, when I attack this again in a day or so I'll give it a shot. But, given that I booted from the Fire ISO 2.0, and I downloaded the kamakiri folder from where this thread told me to...shouldn't the permissions already be handled? If not, what do I have to do to make it so I can do what I need to do?
Yeah it should already have executable permission, maybe that's not the problem anyway, that's why I wanted to see ls -l. In case it was the problem, you'd need to do a 'chmod +x bootrom-step.sh'

Did you install all the needed dependencies?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    For anyone who cares, I have modified the setup and fastboot scripts for use on macOS. You will need to download the installer for python.


    You will then have to issue 2 commands in terminal before you can run the included scripts.

    pip3 install pyserial
    pip3 install pyusb

    Now follow the instructions on the main page.

    *NOTE: I have also included the android SDK tools in the download. You don't need to do anything with them as their use is baked into the scripts.
    1
    hello everyone. im a first time user of amazon fire stick. got the lite yesterday and upon unpacking the item i immediately followed the steps in the original post. i was able to boot into TWRP custom recovery and install custom ROM lineageOS and gapps. i can also successfuly go back to stock by flashing the amazon image.

    the only thing i cant figure out - how do i root this thing? i've installed the magisk apk but im lost on what to do next. is there a zip i can flash to root this? thank you.
    rename magisk.apk to magisk.zip and flash it using TWRP
    1
    I am inexplicably stuck on step 2. It keeps telling me "command not found" even though I use the ls command and it's right there in my face. How can something not be found when it's right there?!?!?!?!?!?!?!?!?

    I had this problem too, and got around it by just looking at the contents of the two .sh files and executing them myself one by one. Later, I found @bloot 's suggestion that the problem may have been permissions not being set to executable - and upon checking, yes that was it I think. In my case I wonder if permissions were not set properly because I downloaded and extracted the zip onto a FAT flash drive from within windows, before using it in the linux environment (I used the FireISO btw).
    1
    I have a sheldon bought on prime day for $20 in the hopes of hacking it -- so first of all, huge thanks to @xyz` @k4y0z @Rortiz2 @t0x1cSH and @Sus_i for your great work helping the rest of us make the most of this hardware!

    I read the 23-page thread before starting, then successfully ran the OP sequence. No error messages, and it booted into TWRP. But now I have a couple of questions for anyone who may be able to help shed some light on the problem I eventually ran into:

    The fire stick shows a coloured logo, then 'loading', then enters its first-time setup screen where it begins with "press >|| to start"; then it allows me to choose a language, followed by a wifi connection. But once connected, it then goes no further, and returns to the "press >|| to start" screen (ie not an actual reboot, just back to the beginning of the setup). Then it just goes in a loop from allowing be to choose a language then back to "press >|| to start".

    If I turn off the wifi connection it has learnt, it does go a step further to asking for a connection again. Once connected, it's back to the "press >|| to start" again. This makes me wonder if a bungled attempt to disable OTA (see below) has caused this loop?

    * While still in TWRP (sans mouse) I installed Magisk. This seemed to work (ie no error messages). I used what is currently the latest Magisk v25.1 -- which apparently is a substantial rewrite compared to v24.3 which I saw others used back in March (Could this new v25.1 somehow be the cause of the problem ?)

    * I thought the most thorough approach to disabling OTA might be to remove the files, so I followed these steps to remove these two files:
    adb shell rm -rf /system_root/system/priv-app/DeviceSoftwareOTA
    adb shell rm -rf /system_root/system/priv-app/com.amazon.tv.forcedotaupdater.v2
    I notice that these two removed files aren't exactly the same as those that @Sus_i recommended disabling, viz:
    - pm disable com.amazon.device.software.ota
    - pm disable com.amazon.device.software.ota.override
    - pm disable com.amazon.tv.forcedotaupdater.v2

    Could that be relevant in this case?
    1
    I want to Install twrp and lineageos but there ist no way?
    Let us know if you find a way...
  • 34
    Read this whole guide before starting.
    This is for the 3rd gen Fire TV Stick (sheldonp) and Fire TV Stick Lite (sheldon).

    NOTE: FireOS < 7.2.7.3 required

    NOTE: This process does not require you to open your device.

    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, PyUSB, adb, fastboot. For Debian/Ubuntu something like this should work:
    • sudo apt update
    • sudo add-apt-repository universe
    • sudo apt install python3 python3-serial python3-usb adb fastboot dos2unix

    Make sure ModemManager is disabled or uninstalled:
    • sudo systemctl stop ModemManager
    • sudo systemctl disable ModemManager

    NOTE: If you have issues running the scripts, you might have to run them using sudo.
    Also try using different USB-ports (preferably USB-2.0-ports)


    1. Extract the attached zip-file "kamakiri-sheldon-1.0.zip" and open a terminal in that directory.

    2. Start the script:
    • sudo ./bootrom-step.sh
    It should now say Waiting for device.

    3. Plug in the stick (powered off) and wait for the script to finish.
    If it fails at some point, stop it and restart the process from step 2.

    4. Your device should now reboot into unlocked fastboot state.

    5. Run:
    • ./fastboot-step.sh

    6. Wait for the device to reboot into TWRP.

    7. Use TWRP to flash custom ROMs, Magisk etc.

    NOTE: Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit, your device will likely not boot anymore (unless you flashed a signed image). TWRP will patch recovery/boot-images on the fly.

    NOTE: NEVER erase Preloader, otherwise you’ll hard brick the device and you won’t be able to unbrick it (since bootrom isn’t accessible).

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    special thanks to @Sus_i for all the testing and support.

    Contributors
    @xyz`
    @k4y0z
    @Rortiz2
    @t0x1cSH
    6
    Yeah, probably just needs a more recent FireOS installed the TZ in kamakiri is from 7.2.4.9
    Had a look into all fw bin's, TZ is the same until the newest 7.2.7.3 got an updated one...

    @etami @yacinecino @Tech0308 and all other people with the netflix/disney error):
    Can you provide more Information, i.e. what kind of stick (sheldon or sheldonp) and the installed fireOS, please!?
    Make sure (check in stettings) that the stick hasn't got an update already, because the latest OS will need the updated TZ.

    FYI, disable updates with:

    Code:
    adb shell
    su
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
    pm disable com.amazon.tv.forcedotaupdater.v2
    exit
    exit

    Maybe someone of you with a sheldonp device can install 7.2.4.9 from here, without to flash magisk behind the OS update please, to see if it works?

    Users with sheldon can flash this too, but you need to change this prop first from twrp shell:
    Code:
    adb shell
    resetprop ro.product.device sheldonp
    exit
    4
    @k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
    No, the Max isn't vulnerable to the preloader-exploit
    3
    I have the same problem since I flashed only TWRP alone and didn't installed anything on it just to be sure that my sheldon don't update ,Now any application who try to check DRM on stock firmware cause a bug and a reboot of the system. like netflix and disney+ or live tv with DRM..
    Could be that this is TZ related...
    We saw the same on mantis 4k fireTV stick, hangs and wont play if the TZ image on tee partition is too old compared to the installed fireOS version. Anyways, your problem sounds different to @Tech0308 problem.

    @Tech0308 You don't see this without a magisk install, then everything plays fine?
    3
    @Sus_i and @bloot and @Tech0308 and @Rortiz2 just to say all your painstaking coaching and my reading paid off (for me anyway😊) Instead of magisk, flashed the older 7.2.4.2/2907 update (from before ota update processes became protected) and set LM to block updates. It also fixed the issues with Netflix, Disney etc. Will look to flash Lineage custom rom sometime, now that I know how, and also put Linux on one of my laptops. Thanks heaps!

    Open TWRP, then mount /system, go to file explorer, go to navigate to priv-app and delete the folder
    "com.amazon.device.software.ota"
    Usually you should be good to go now, but goto /data/app and check for same folder (it will have something as suffix) if its present then delete it, your ota should be blocked.
    @SweenWolf thanks for your suggested fix . . . appreciate your work (and that of your good mate TDUK😊) LM and Debloat Tool are must-haves. This other way to block updates, is it somehow more permanent or safer than thru LM or Debloat Tool?