[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 3 and Fire TV Stick Lite (sheldon/p)

ChriMo

Senior Member
Oct 13, 2014
473
124
Update fails because the fireOS only downloads a diff partial update at the first try, the second attempt might work better...
Don't know if using Mobile Hotspot (speed not very high) is influencing but so far the Update failed at least 5 times. I will not care because only the remote IR setup is important and I guess this will not change/improve with new fireOS Updates.

NTFS/ext4 USB Sticks on my microUSB to USB-C OTG Adapter seem to be not recognized in FireOS using ES File Explorer (ADB-Debugging is on). In Lineage OS this worked. FireOS wants to format them in FAT32. Also Mouse over USB does not work in FireOS (in TWRP it works). So need to see if using USB-Space will work to move a TWRP backup away from internal space. Directly saving from TWRP to USB would also be desirable. I will see to find a Stick I can format in FAT32.
A 4 GB FAT32 Stick was not recognized or I was not able to mount it in FireOS; TWRP was able to see it.

EDIT just for the record: BT-Keyboard Layout (Language) is also not recognized or changeable in FireOS (like Lineage OS). The lack of ML support is surprising to me.

EDIT2 I had a hard time going into fastboot mode to flash LineageOS: I did a factory reset in FireOS (after having done a TWRP backup to USB-Stick). Then in MX Linux systemd I started the first steps until "sudo ./bootrom-step.sh" which shows "Waiting for device". When I connect the USB cable the FireStick went into TWRP and said "reboot in 5 sec." and then it did boot FireOS. Only after a while I discovered the USB-OTG adapter should be the culprit, as when connected directly the kamakiri script returned to work.

EDIT3 so have now LineageOS on the sheldonp, but since I had difficulties to connect the remote, I removed the batteries and then BT connecting worked. However the IR settings for the TV done in FireOS seem to be lost, when batteries are removed. Huge dealbreaker, because also battery changing will cause this. Need to look how others with sheldonp succeeded using the IR remote under LineageOS.
 

menef8

Member
Nov 22, 2022
7
3
Hello, I need some help ... I have a happily rooted sheldon stick, until I changed the amz account to another.

The stick entered a bootloop, so I managed to factory reset, reflash magisk via TWRP, but then no root access, and, my bad I forgot that, I used magisk app to patch boot.

Now the stick starts with the white logo and won't boot, nor twrp, and (this is the ugly part) no fastboot.

Launching kamakiri bootrom-step.sh goes fine without errors, also gpt-fix.sh runs fine, but then no fastboot appears (also tried boot-fastboot.sh and boot-recovery.sh)
And no ADB either, the stick does not go past the white logo.

I think the only thing to do before ditching the stick is to reflash a fastboot image using kamakiri.

Can this be done? How? I would be grateful if someone could help on that
 

menef8

Member
Nov 22, 2022
7
3
That's a common issue and usually PC related. You may need to update the fastboot package...
I understand, but I've used the exact method described in post #1 with an Ubuntu 22.04 live stick and that worked flawlessly when I rooted the stick for the first time (just commented lines 73-76 in main.py).
But following your suggestion, to be sure I have tried:

1) another pc
2) using a FireISO stick instead of Ubuntu

They all work the same (fine), but no fastboot appears. The white logo remains for about 2 minutes and then the stick self-reboots (judging on what happens on the tv) in a bootloop.

But kamakiri bootrom-step.sh still works and flashes its images, so maybe a more consistent portion of the emmc could be flashed to revive the stick, at least I think ... am I wrong?
 

Sus_i

Senior Member
Apr 9, 2013
1,858
811
They all work the same (fine), but no fastboot appears. The white logo remains for about 2 minutes and then the stick self-reboots (judging on what happens on the tv) in a bootloop.

But kamakiri bootrom-step.sh still works and flashes its images, so maybe a more consistent portion of the emmc could be flashed to revive the stick, at least I think ... am I wrong?
You may get an idea of what's wrong if you take a UART bootlog via TTL to USB Serial Adapter at 921600 baud rate. The UART pads are easy to find on the board.
 

menef8

Member
Nov 22, 2022
7
3
You may get an idea of what's wrong if you take a UART bootlog via TTL to USB Serial Adapter at 921600 baud rate. The UART pads are easy to find on the board.
Ok ... I opened the stick ... but where are the UART pads?

CM221124-161341001.jpg
 

Sus_i

Senior Member
Apr 9, 2013
1,858
811
Ok ... I opened the stick ... but where are the UART pads?

On the other side ;)
Take a look at this picture here
Thread:
On the pic you see the three pads RX TX GND, almost similar to the sheldon stick... somewhere near the eMMC chip.
 

menef8

Member
Nov 22, 2022
7
3
On the other side ;)
Take a look at this picture here
Thread:
On the pic you see the three pads RX TX GND, almost similar to the sheldon stick... somewhere near the eMMC chip.
A funny job ... here are the comms at 115k and 921k ...

In my limited understanding I would say that the line of garbage at 921k is nothing more than the same lines of 115k ... and therefore the bootloader has gone :)

now I need hope ... can I flash a boot loader through kamakiri?
 

Attachments

  • SERIAL_115200.txt (157 bytes)
  • SERIAL_921600.txt (328 bytes)

Sus_i

Senior Member
Apr 9, 2013
1,858
811
In my limited understanding I would say that the line of garbage at 921k is nothing more than the same lines of 115k ... and therefore the bootloader has gone :)

now I need hope ... can I flash a boot loader through kamakiri?
The bootrom log at 115200 looks fine, but the other log failed somehow.
I don't think that the bootloader is gone, as you said kamakiri bootrom-step worked fine, same as GPT fix, so at least the bootloader (MTK preloader and LK) is 100% there and the log should work fine.
I would check the UART and USB/serial settings, cable connections and try again...
Maybe disconnect the tx cable from the stick, try only with rx pad.
 

DP FH

Senior Member
Apr 11, 2013
139
30
Apricena
Xiaomi Mi 10T / 10T Pro
Bought a sheldon... whoops it auto-updated... gave it back to amz and bought another one.
Serial protocol 2001 ... :(
I read there is a downgrade exploit mentioned, so I will block updates and wait... my kindle waited 2 years...
So no way to unlock if serial protocol 2001 ?
 

wetwaffle_cz

New member
Nov 28, 2022
1
0
Is there any known way to do this even if the OS version is higher than 7.2.7.3? I assume there are some points one can short on the PCB or maybe a way to downgrade the OS? If so, how could I do it?
 

menef8

Member
Nov 22, 2022
7
3
The bootrom log at 115200 looks fine, but the other log failed somehow.
I don't think that the bootloader is gone, as you said kamakiri bootrom-step worked fine, same as GPT fix, so at least the bootloader (MTK preloader and LK) is 100% there and the log should work fine.
I would check the UART and USB/serial settings, cable connections and try again...
Maybe disconnect the tx cable from the stick, try only with rx pad.
You are right, disconnected TX wire and the stick started talking at 921K, here is the log, the file contains two boot sequences, line 539 is the point where self-restart happens
 

Attachments

  • SERIAL_921600.txt (49.6 KB)

Sus_i

Senior Member
Apr 9, 2013
1,858
811
You are right, disconnected TX wire and the stick started talking at 921K, here is the log, the file contains two boot sequences, line 539 is the point where self-restart happens
The log looks ok, except that the LK doesn't finish, doesn't jump to the kernel. The boot.img could be messed up somehow.

Can you try to take a log 'booting fastboot' via bootrom-step?
 

menef8

Member
Nov 22, 2022
7
3
The log looks ok, except that the LK doesn't finish, doesn't jump to the kernel. The boot.img could be messed up somehow.

Can you try to take a log 'booting fastboot' via bootrom-step?
Things are getting harder: I said that bootrom-step.sh and gpt-fix.sh run fine and that's true.
But when capturing UART comms they both fail! I tried more times and they behave like that, so I decided to get serial log and screen output for all combinations, with and without serial attached.

I can't figure out if this behaviour originates from the stick itself or is a conflict somewhere in Ubuntu when using serial comm and kamakiri at the same time...
 

Attachments

  • bootrom-step.tty.log (7.3 KB)
  • bootrom-step_without_serial.out.log (1.1 KB)
  • gpt-fix.tty.log (7.6 KB)
  • gpt-fix_without_serial.out.log (955 bytes)
  • bootrom-step_with_serial.out.log (1.1 KB)
  • gpt-fix_with_serial.out.log (1.1 KB)

Sus_i

Senior Member
Apr 9, 2013
1,858
811
Things are getting harder: I said that bootrom-step.sh and gpt-fix.sh run fine and that's true.
But when capturing UART comms they both fail! I tried more times and they behave like that, so I decided to get serial log and screen output for all combinations, with and without serial attached.
Forget about that. The reason for your issue is most likely a messed up boot.img, since there is no sign from kamakiri's microloader in your logs. That's probably also the reason why the LK bootloops and fastboot won't come up.

So I would say you need to flash a new boot.img via kamakiri main.py. Add the flash between step 5 and 6. @Rortiz2 mentioned somewhere how to do this, you may ask him if you like.

Maybe just flash the TWRP image too, as one of the last steps in the main.py. Both will take some time, but then you don't need the fastboot step and after that you should see the microloader and a jump to the kernel in your log.
 

VelvetB

Member
Jan 5, 2018
24
4
Boca Raton, FL
Moto E6
  • sheldonp End. Nov. 2022 SE USA DSN G071EL1521..... unlocking successful

So looking at the 1522 that failed and my successful 1521, common sense would say the upgrade was somewhere in between, unless the locations and 3 letters make a difference? BTW, can harm be done knowing a full serial number?

Agree @Sus_i Updated request:

All who have bought in the last months please report:
1) model (sheldon/p), date bought and optionally the region or nation of the shop
2) DSN code: first 10 characters (label at the bottom of the package, sheldon usually G071CQ.... , sheldonp G071EL.... or G4N1EL....) and optionally made in/parts made in
3) unlocking successful or unsuccessful

My Report
  • sheldon mid Sept. 2022 UE Central Europe, DSN G071CQ1320 China, unlocking successful
  • sheldon begin Oct. 2022 UE Central Europe, DSN G071CQ1522 China, unlocking unsuccessful
  • sheldon mid. Oct. 2022 MW Central Europe, DSN G071CQ1320 China, not on sale / not bought
  • sheldonp mid. Oct. 2022 MW Central Europe, DSN G071EL1520 China, not on sale / not bought
  • sheldonp mid. Oct. 2022 MW Central Europe, DSN G4N1EL0614 Vietnam/China, not on sale / not bought
As you can see the last three are not on sale anymore, otherwise I would have tested the G071CQ1320 or G4N1EL0614. Not sure if the Vietnam/China variant might be vulnerable, the G071CQ1320 almost for sure.
 

menef8

Member
Nov 22, 2022
7
3
Forget about that. The reason for your issue is most likely a messed up boot.img, since there is no sign from kamakiri's microloader in your logs. That's probably also the reason why the LK bootloops and fastboot won't come up.

So I would say you need to flash a new boot.img via kamakiri main.py. Add the flash between step 5 and 6. @Rortiz2 mentioned somewhere how to do this, you may ask him if you like.

Maybe just flash the TWRP image too, as one of the last steps in the main.py. Both will take some time, but then you don't need the fastboot step and after that you should see the microloader and a jump to the kernel in your log.
Solved! I have read the post from @Rortiz2 and figured out how to.

I just copied boot.emmc.win into bin and renamed it boot.img, then added these lines in main.py between step 6 and 8, before the microloader flash:

Code:
log("Flash boot")
switch_user(dev)
flash_binary(dev, "../bin/boot.img", gpt["boot"][0], gpt["boot"][1] * 0x200)

After bootrom-step.sh finishes, proceed with fastboot-step and voilà

Thank you for your support
 

disco_y2k

Senior Member
Nov 18, 2007
149
26
I tried following the OP's instructions on several Linux laptops and even tried FireISO. I have followed the instructions to the letter and I always end up with the same result. It appears that everything loaded fine, but I get a Hacked Bootloader message on the TV screen? Any ideas what I am doing wrong? Thanks in advance!
 

Attachments

  • 001.jpg (865 KB)
  • 002.jpg (354.7 KB)

Top Liked Posts

  • 1
    I am sure they may be different based on the region.
    1
    you must have the FireOS version required in the first post.
    You need to have a Linux live system or an installed Linux because the exploit needs some installed packages which are unavailable in WSL.
    The post says FireOS < 7.2.7.3 but my FireOS is 7.6.x.x
    Am I out of luck? Or do I still have a chance?
    Because I just installed Linux and downloaded all the files, but I failed to check the FireOS earlier. Or is there any way to downgrade? I googled that Amazon has stopped downgrading FireOS.
    1
    (root or future downgrade or install Los)
    you can't do this if you install the latest amzn firmware
  • 40
    Read this whole guide before starting.
    This is for the 3rd gen Fire TV Stick (sheldonp) and Fire TV Stick Lite (sheldon).

    NOTE: FireOS < 7.2.7.3 required

    NOTE: This process does not require you to open your device.

    What you need:
    • A Linux installation or live-system
    • A micro-USB cable

    Install python3, PySerial, PyUSB, adb, fastboot. For Debian/Ubuntu something like this should work:
    • sudo apt update
    • sudo add-apt-repository universe
    • sudo apt install python3 python3-serial python3-usb adb fastboot dos2unix

    Make sure ModemManager is disabled or uninstalled:
    • sudo systemctl stop ModemManager
    • sudo systemctl disable ModemManager

    NOTE: If you have issues running the scripts, you might have to run them using sudo.
    Also try using different USB-ports (preferably USB-2.0-ports)


    1. Extract the attached zip-file "kamakiri-sheldon-1.0.zip" and open a terminal in that directory.

    2. Start the script:
    • sudo ./bootrom-step.sh
    It should now say Waiting for device.

    3. Plug in the stick (powered off) and wait for the script to finish.
    If it fails at some point, stop it and restart the process from step 2.

    4. Your device should now reboot into unlocked fastboot state.

    5. Run:
    • ./fastboot-step.sh

    6. Wait for the device to reboot into TWRP.

    7. Use TWRP to flash custom ROMs, Magisk etc.

    NOTE: Only ever flash boot/recovery images using TWRP, if you use FlashFire or other methods that are not aware of the exploit, your device will likely not boot anymore (unless you flashed a signed image). TWRP will patch recovery/boot-images on the fly.

    NOTE: NEVER erase Preloader, otherwise you’ll hard brick the device and you won’t be able to unbrick it (since bootrom isn’t accessible).

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    special thanks to @Sus_i for all the testing and support.

    Contributors
    @xyz`
    @k4y0z
    @Rortiz2
    @t0x1cSH
    7
    Yeah, probably just needs a more recent FireOS installed the TZ in kamakiri is from 7.2.4.9
    Had a look into all fw bin's, TZ is the same until the newest 7.2.7.3 got an updated one...

    @etami @yacinecino @Tech0308 and all other people with the netflix/disney error:
    Can you provide more information, i.e. what kind of stick (sheldon or sheldonp) and the installed fireOS, please!?
    Make sure (check in settings) that the stick hasn't got an update already, because the latest OS will need the updated TZ.

    FYI, disable updates with:

    Code:
    adb shell
    su
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
    pm disable com.amazon.tv.forcedotaupdater.v2
    exit
    exit

    Maybe someone of you with a sheldonp device can install 7.2.4.9 from here, without to flash magisk behind the OS update please, to see if it works?

    Users with sheldon can flash this too, but you need to change this prop first from twrp shell:
    Code:
    adb shell
    resetprop ro.product.device sheldonp
    exit
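
A check that the three `pm disable` commands above took effect, as an added example that is not part of the original post. It compares the output of `pm list packages -d` (disabled packages) with `pm list packages` and matches whole lines, because `com.amazon.device.software.ota` is a prefix of the `.override` package name; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the OTA packages named in the post are disabled.

# Package names taken from the `pm disable` commands in the post.
OTA_PKGS="com.amazon.device.software.ota
com.amazon.device.software.ota.override
com.amazon.tv.forcedotaupdater.v2"

# Constructed sample listings (not captured from a real stick): the override
# package and the forced updater are disabled, the base OTA package is not.
SAMPLE_DISABLED='package:com.amazon.device.software.ota.override
package:com.amazon.tv.forcedotaupdater.v2'
SAMPLE_INSTALLED='package:com.amazon.device.software.ota
package:com.amazon.device.software.ota.override
package:com.amazon.tv.forcedotaupdater.v2
package:com.example.launcher'

# ota_status DISABLED_LIST INSTALLED_LIST
#   DISABLED_LIST:  text of `pm list packages -d`
#   INSTALLED_LIST: text of `pm list packages`
# Prints "<package> disabled|ENABLED|absent" for each OTA package.
ota_status() {
    # adb shell output can carry CR line endings; strip them before matching.
    disabled=$(printf '%s\n' "$1" | tr -d '\r')
    installed=$(printf '%s\n' "$2" | tr -d '\r')
    for pkg in $OTA_PKGS; do
        # -F fixed string, -x whole line: ".ota" must not match ".ota.override".
        if printf '%s\n' "$disabled" | grep -Fxq "package:$pkg"; then
            echo "$pkg disabled"
        elif printf '%s\n' "$installed" | grep -Fxq "package:$pkg"; then
            echo "$pkg ENABLED"
        else
            echo "$pkg absent"
        fi
    done
}

# ota_blocked DISABLED_LIST INSTALLED_LIST
# Exit status 0 only when no OTA package is still enabled.
ota_blocked() {
    ! ota_status "$1" "$2" | grep -q ' ENABLED$'
}

if [ "${1:-}" = "--live" ]; then
    # Query the stick over adb (ADB debugging must be on).
    ota_status "$(adb shell pm list packages -d)" "$(adb shell pm list packages)"
else
    # No device needed: run against the constructed sample.
    ota_status "$SAMPLE_DISABLED" "$SAMPLE_INSTALLED"
fi
```

On the constructed sample the base OTA package is reported as ENABLED even though its name appears inside a disabled entry, which is the case a substring match would get wrong.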
    4
    @k4y0z will a similar unlocking method be used for the Max once we receive the 7.2.7.3 update?
    No, the Max isn't vulnerable to the preloader-exploit
    3
    @Sus_i and @bloot and @Tech0308 and @Rortiz2 just to say all your painstaking coaching and my reading paid off (for me anyway😊) Instead of magisk, flashed the older 7.2.4.2/2907 update (from before ota update processes became protected) and set LM to block updates. It also fixed the issues with Netflix, Disney etc. Will look to flash Lineage custom rom sometime, now that I know how, and also put Linux on one of my laptops. Thanks heaps!

    Open TWRP, then mount /system, go to file explorer, go to navigate to priv-app and delete the folder
    "com.amazon.device.software.ota"
    Usually you should be good to go now, but goto /data/app and check for same folder (it will have something as suffix) if it's present then delete it, your ota should be blocked.
    @SweenWolf thanks for your suggested fix . . . appreciate your work (and that of your good mate TDUK😊) LM and Debloat Tool are must-haves. This other way to block updates, is it somehow more permanent or safer than thru LM or Debloat Tool?
    3
    I have the same problem since I flashed only TWRP alone and didn't install anything on it, just to be sure that my sheldon doesn't update. Now any application that tries to check DRM on stock firmware causes a bug and a reboot of the system, like netflix and disney+ or live tv with DRM..
    Could be that this is TZ related...
    We saw the same on mantis 4k fireTV stick, hangs and won't play if the TZ image on tee partition is too old compared to the installed fireOS version. Anyways, your problem sounds different to @Tech0308 problem.

    @Tech0308 You don't see this without a magisk install, then everything plays fine?