[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 3 and Fire TV Stick Lite (sheldon/p)

Search This thread

bluedisc

Member
Oct 19, 2013
27
2
I flashed an old firmware, and I cannot drop files on to the firestick or use developer mode. The interface is not displaying the settings correctly.

I am trying to find a way to drop the new firmware files on to the firestick, which I can't do right now.

Does anyone know where I can find a three way microusb splitter? I need to use it for USB drive (get rom files on to firestick with trwp), keyboard (use twrp), and power.
 

Dismal.

Member
May 23, 2022
27
4
To avoid any possibility of it updating I want to avoid turning the device on before it is exploited. Does the script that is run check the OS version of since it is a new device I won't need to worry about compatibility
 
  • Like
Reactions: Wtfbob

Sus_i

Senior Member
Apr 9, 2013
1,854
811
Assuming it isn't already a new firmware...
You can still get vulnerable devices, even from amaz., if you have some luck ;)
I flashed an old firmware, and I cannot drop files on to the firestick or use developer mode. The interface is not displaying the settings correctly.
Maybe use the boot-recovery script from kamakiri folder and use adb to push files via usb cable.
Does the script that is run check the OS version of since it is a new device I won't need to worry about compatibility
You don't need to check/boot the OS, since the bootrom script will show a special error message if the stick is patched...
 

Sus_i

Senior Member
Apr 9, 2013
1,854
811
Which is why you shouldn't assume.
Thats BS.
I was answering to the following question, and I said yes, try it first...

Since he gets the new device anyways, why he shouldn't try the unlock first?
It doesn't hurt at all and after that we don't have to assume something, since he will see if it's patched or not...

they will give me another one, can I root it without even attach for the first time on tv? So I can avoid update?
 
  • Like
Reactions: RealPsygnosis

Dismal.

Member
May 23, 2022
27
4
You can still get vulnerable devices, even from amaz., if you have some luck ;)

Maybe use the boot-recovery script from kamakiri folder and use adb to push files via usb cable.

You don't need to check/boot the OS, since the bootrom script will show a special error message if the stick is patched...
I ordered it from Amazon will it more likely than not be vulnerable
 

Sus_i

Senior Member
Apr 9, 2013
1,854
811
I ordered it from Amazon will it more likely than not be vulnerable
Since you ordered it already, check it out. You will see it within seconds. Nobody knows if your stick is old or new warehouse stock. Depends from which box or pallet the warehouseman grabs your stick. ;)

If you want to be sure, walk into shops and compare serial numbers, try to find old stock.
 

Dismal.

Member
May 23, 2022
27
4
Since you ordered it already, check it out. You will see it within seconds. Nobody knows if your stick is old or new warehouse stock. Depends from which box or pallet the warehouseman grabs your stick. ;)

If you want to be sure, walk into shops and compare serial numbers, try to find old stock.
If I don't get one how do I know if it's old by serial number. What will a older serial look like
 

Sus_i

Senior Member
Apr 9, 2013
1,854
811
If I don't get one how do I know if it's old by serial number. What will a older serial look like
You can ask some users here or in a new thread for the serial from vulnerable sticks, then compare it with the one you get from amazon. Take a look in this thread for serials, can't recall but I guess I saw some serials somewhere.
 

ozfunghi

Member
Jun 6, 2016
25
13
Thats BS.
I was answering to the following question, and I said yes, try it first...

Since he gets the new device anyways, why he shouldn't try the unlock first?
It doesn't hurt at all and after that we don't have to assume something, since he will see if it's patched or not...
It's not BS, it's a fact.

You answered a question about rooting. You answered yes with a thumbs up and to try to unlock first. This gives the impression that it would all work out. It might very well not. Hence my response, assuming it doesn't have the new firmware. That's all i said. You then acknowledged that it is still possible to get the old version "with some luck".

In conclusion, i was simply trying to be clear that there is a condition to be met and to temper the expectations of it working since it all depends on the version he gets. No reason to be offended.
 
  • Like
Reactions: tw39515

Sus_i

Senior Member
Apr 9, 2013
1,854
811
It's not BS, it's a fact.

You answered a question about rooting. You answered yes with a thumbs up and to try to unlock first. This gives the impression that it would all work out.
"try the unlock first" isn't the same as "the unlock will work fine"
even with a thumbs-up infront of it.
The term "try" says it all, in my opinion.

In conclusion, i was simply trying to be clear that there is a condition to be met and to temper the expectations of it working since it all depends on the version he gets. No reason to be offended.
Liked your posting yesterday, for pointing this out...

Which is why you shouldn't assume.
but forgot to like this one, really helpful and very nice. Thank you very much.
 

ChriMo

Senior Member
Oct 13, 2014
473
124
... successfully rooted/flashed it (DSN number G071CQ132062xxxx).

DSN G071CQ152287xxxx RuntimeError: ERROR: Serial protocol mismatch, expected 0000 got 2001
Like others said, buying new tv sticks unpatched is becoming impossible. I bought two new ones and I get the serial protocol mismatch error, expected 0000 got 2001. We will need to find a new way to unlock the bootloader.
@Miguel_hrvs : can you still check the DSN number? Would be interesting since I still found G071CQ132062xxxx sheldon in a store and wonder if my assumption those might still be unlockable is correct?
 
Last edited:
  • Like
Reactions: Sus_i

Dismal.

Member
May 23, 2022
27
4
I have 2 questions:
1. When I have used TWRP it says swipe to confirm flash how do you swipe on a remote or is it different.
2. After it is unlocked is fire os still accessable to download the zip to be able to flash it. Or must it be transferred another way?
 

Sus_i

Senior Member
Apr 9, 2013
1,854
811
1. When I have used TWRP it says swipe to confirm flash how do you swipe on a remote or is it different.
You would need an otg adapter and an usb mouse or even better a keyboard with touchpad, if you like to use the TWRP GUI.
Another option is to use TWRP commandline via ADB shell over an usb connection to your PC. In this case there is no need for any swipes...
2. After it is unlocked is fire os still accessable to download the zip to be able to flash it. Or must it be transferred another way?
If you don't disable OTA updates, the fireOS will download and install full updates via TWRP.
You will see some errors too, since the fireOS downloads partial diff updates first, which won't install via TWRP.
 

Dismal.

Member
May 23, 2022
27
4
You would need an otg adapter and an usb mouse or even better a keyboard with touchpad, if you like to use the TWRP GUI.
Another option is to use TWRP commandline via ADB shell over an usb connection to your PC. In this case there is no need for any swipes...

If you don't disable OTA updates, the fireOS will download and install full updates via TWRP.
You will see some errors too, since the fireOS downloads partial diff updates first, which won't install via TWRP.
If it updates or doesn't matter since it already unlocked correct
 
  • Like
Reactions: Sus_i

ChriMo

Senior Member
Oct 13, 2014
473
124
All who have bought in the last months please report:
1) model (sheldon/p)
2) DSN number first 4-6 numbers after G071CQ (label at the bottom of the package, maybe different for sheldonp)
3) unlocking successful or unsuccessful

So maybe we can use this number to avoid opening the package when unlocking is unlikely, so to easier exchange for an older version.
 
  • Like
Reactions: Dismal. and Sus_i

Sus_i

Senior Member
Apr 9, 2013
1,854
811
All who have bought in the last months please report:
1) model (sheldon/p)
2) DSN number first 4-6 numbers after G071CQ (label at the bottom of the package, maybe different for sheldonp)
3) unlocking successful or unsuccessful

So maybe we can use this number to avoid opening the package when unlocking is unlikely, so to easier exchange for an older version.

(y)

About #2, You're right, sheldonp is different, my lite stick got G071CQ while the sheldonp got G071EL.
Maybe it's best to know the first string too, could be that there are more variations... idk.
 
  • Like
Reactions: ChriMo

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    @Sus_i

    I'm here following the suggestion from the 4k thread. I wanted to say running ubuntu 16.04 following the steps bootrom-step.sh is waiting for device, the stick does mount in the desktop as AFTMM but there are no contents.
    Should I be using a later Ubuntu?
    Make sure that you run all steps from sheldon OP with sudo and use the latest kamakiri zip for mantis (works not for fireOS 6.2.8.7 and above).
    1
    Bash:
    aax-eu.amazon-adsystem.com
    ab9hgnqkqtwh.eu.api.amazonvideo.com
    api.amazon.com
    api.github.com
    arcus-uswest.amazon.com
    aviary.amazon.de
    beb3d20a-dnsotls-ds.metric.gstatic.com
    cad9828c-dnsotls-ds.metric.gstatic.com
    cdn-gl.imrworldwide.com
    config.ioam.de
    d3h5bk8iotgjvw.cloudfront.net
    dcape-na.amazon.com
    det-ta-g7g.amazon.com
    device-messaging-na.amazon.com
    device-metrics-us.amazon.com
    dp-discovery-na-ext.amazon.com
    dp-gw-na.amazon.com
    freetimecaptiveportal.com
    ftv-smp.ntp-fireos.com
    ktpx-eu.amazon.com
    mas-ext-eu.amazon.com
    mas-sdk.amazon.com
    mobile-data.onetrust.io
    msh.amazon.co.uk
    prod.amazoncrl.com
    prod.us-east-1.sonar.prime-video.amazon.dev
    softwareupdates.amazon.com
    suggestqueries.google.com
    unagi-eu.amazon.com
    usji9q-dnsotls-ds.metric.gstatic.com
    wl.amazon-dss.com


    I am sure they may be different based on the region.
    1
    you must have the FireOS version required in the first post.
    You need to have a linux live system or a installed linux beacause the exploit need some installed packages which is unavailable in wsl.
    post says FireOs < 7.2.7.3 but My FireOs is 7.6.x.x
    Am i Out of luck? Or still i have chance
    cause i just installed Linux and downloaded all the file but i failed to check the Fireos Earlier. Or is there any Way to downgrade I googled that Amazon has stopped Downgrading FireOs.
    1
    (root or future downgrade or install Los)
    you can't do this if you install the latest amzn firmware
  • 40
    Read this whole guide before starting.
    This is for the 3rd gen Fire TV Stick (sheldonp) and Fire TV Stick Lite (sheldon).

    NOTE: FireOS < 7.2.7.3 required

    NOTE: This process does not require you to open your device.

    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, PyUSB, adb, fastboot. For Debian/Ubuntu something like this should work:
    • sudo apt update
    • sudo add-apt-repository universe
    • sudo apt install python3 python3-serial python3-usb adb fastboot dos2unix

    Make sure ModemManager is disabled or uninstalled:
    • sudo systemctl stop ModemManager
    • sudo systemctl disable ModemManager

    NOTE: If you have issues running the scripts, you might have to run them using sudo.
    Also try using different USB-ports (preferably USB-2.0-ports)


    1. Extract the attached zip-file "kamakiri-sheldon-1.0.zip" and open a terminal in that directory.

    2. Start the script:
    • sudo ./bootrom-step.sh
    It should now say Waiting for device.

    3. Plug in the stick (powered off) and wait for the script to finish.
    If it fails at some point, stop it and restart the process from step 2.

    4. Your device should now reboot into unlocked fastboot state.

    5. Run:
    • ./fastboot-step.sh

    6. Wait for the device to reboot into TWRP.

    7. Use TWRP to flash custom ROMs, Magisk etc.

    NOTE: Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit, your device will likely not boot anymore (unless you flashed a signed image). TWRP will patch recovery/boot-images on the fly.

    NOTE: NEVER erase Preloader, otherwise you’ll hard brick the device and you won’t be able to unbrick it (since bootrom isn’t accessible).

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    special thanks to @Sus_i for all the testing and support.

    Contributors
    @xyz`
    @k4y0z
    @Rortiz2
    @t0x1cSH
    7
    Yeah, probably just needs a more recent FireOS installed the TZ in kamakiri is from 7.2.4.9
    Had a look into all fw bin's, TZ is the same until the newest 7.2.7.3 got an updated one...

    @etami @yacinecino @Tech0308 and all other people with the netflix/disney error):
    Can you provide more Information, i.e. what kind of stick (sheldon or sheldonp) and the installed fireOS, please!?
    Make sure (check in stettings) that the stick hasn't got an update already, because the latest OS will need the updated TZ.

    FYI, disable updates with:

    Code:
    adb shell
    su
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
    pm disable com.amazon.tv.forcedotaupdater.v2
    exit
    exit

    Maybe someone of you with a sheldonp device can install 7.2.4.9 from here, without to flash magisk behind the OS update please, to see if it works?

    Users with sheldon can flash this too, but you need to change this prop first from twrp shell:
    Code:
    adb shell
    resetprop ro.product.device sheldonp
    exit
    4
    @k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
    No, the Max isn't vulnerable to the preloader-exploit
    3
    @Sus_i and @bloot and @Tech0308 and @Rortiz2 just to say all your painstaking coaching and my reading paid off (for me anyway😊) Instead of magisk, flashed the older 7.2.4.2/2907 update (from before ota update processes became protected) and set LM to block updates. It also fixed the issues with Netflix, Disney etc. Will look to flash Lineage custom rom sometime, now that I know how, and also put Linux on one of my laptops. Thanks heaps!

    Open TWRP, then mount /system, go to file explorer, go to navigate to priv-app and delete the folder
    "com.amazon.device.software.ota"
    Usually you should be good to go now, but goto /data/app and check for same folder (it will have something as suffix) if its present then delete it, your ota should be blocked.
    @SweenWolf thanks for your suggested fix . . . appreciate your work (and that of your good mate TDUK😊) LM and Debloat Tool are must-haves. This other way to block updates, is it somehow more permanent or safer than thru LM or Debloat Tool?
    3
    I have the same problem since I flashed only TWRP alone and didn't installed anything on it just to be sure that my sheldon don't update ,Now any application who try to check DRM on stock firmware cause a bug and a reboot of the system. like netflix and disney+ or live tv with DRM..
    Could be that this is TZ related...
    We saw the same on mantis 4k fireTV stick, hangs and wont play if the TZ image on tee partition is too old compared to the installed fireOS version. Anyways, your problem sounds different to @Tech0308 problem.

    @Tech0308 You don't see this without a magisk install, then everything plays fine?