[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


k4y0z (Senior Member, joined Nov 27, 2015)
NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
These devices cannot be unlocked using kamakiri.
These devices do not show up at all on USB when shorted.


After the old bootrom-exploit (amonet) that we've been using for unlocking all these Fire gadgets was closed in more recent Mediatek SoCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
Together we proudly present kamakiri for the FireTV Stick 4K.

Before proceeding make sure to read and understand this entire post.

Running this exploit requires a patched linux-kernel on the PC you are using.
We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
You can find the current version of the ISO at:
https://github.com/amonet-kamakiri/fireiso/releases

It can be burned to a CD or to a USB-flashdrive.

Current Version: kamakiri-mantis-v2.0.1.zip


You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

You will need something for shorting (wire, aluminum foil etc.)

  1. Boot the ISO
  2. Download and extract the exploit package.
  3. Open a terminal in the kamakiri directory
  4. Run
    Code:
    ./bootrom-step.sh
  5. Short one of the points in the attached photo to ground (the cage of the shielding).
    Ideally you want to use DAT0, but since that one is tiny it might be easier to short the point marked CLK instead.
    It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers, as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
  6. Connect the stick to your computer (while keeping it shorted)
  7. The script should tell you to release the short and hit enter
  8. Once finished run
    Code:
    ./fastboot-step.sh
  9. Your device will now reboot into TWRP

Important information

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

thanks to @hwmod for the picture
thanks to @Sus_i for providing an update.bin
thanks to @zeroepoch for developing aftv2-tools

Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/
 

Attachments

  • kamakiri-mantis-v1.0.zip (14.5 MB)
  • FireTVStick_4k.jpg (192.9 KB)
  • kamakiri-mantis-v1.1.zip (14.5 MB)
  • kamakiri-mantis-v1.2.zip (15.1 MB)
  • kamakiri-mantis-v2.0.zip (16.6 MB)
  • kamakiri-mantis-v2.0.1.zip (16.6 MB)
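A pre-check for the DL-Mode note at the top of the post, as an added example (not part of the post or of the kamakiri project): the note says sticks whose serial contains VM190 or higher shipped with DL-Mode disabled in BROM and never enumerate on USB when shorted, so it is worth checking the serial before opening the case. The script assumes that the three digits right after "VM" in an Amazon serial (as in G070VM0984752N1Q, a TWRP backup name that appears later in the thread) are what the "VM190 or higher" rule refers to; the post gives only the rule of thumb, not the serial format. `ro.serialno` is the standard Android property for the serial; `FROM_ADB` is a name chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post or of the kamakiri project.
# Pre-check for the DL-Mode note: serials containing VM190 or higher shipped
# with DL-Mode disabled in BROM and never show up on USB when shorted.
# ASSUMPTION: the three digits immediately after "VM" (e.g. "098" in
# G070VM0984752N1Q) are the number the "VM190 or higher" rule refers to.

DL_MODE_CUTOFF=190

# vm_batch <serial>: print the three digits following "VM", nothing if absent.
vm_batch() {
    printf '%s\n' "$1" | sed -n 's/.*VM\([0-9][0-9][0-9]\).*/\1/p'
}

# kamakiri_serial_check <serial>
#   returns 0: below the cutoff, kamakiri may work
#   returns 1: at/above the cutoff, DL-Mode likely disabled, shorting is pointless
#   returns 2: no VMnnn found, serial format not recognised
kamakiri_serial_check() {
    batch=$(vm_batch "$1")
    if [ -z "$batch" ]; then
        echo "unknown: no VMnnn batch in serial '$1'" >&2
        return 2
    fi
    # Strip leading zeros so a value like "098" is not parsed as octal.
    num=$(printf '%s' "$batch" | sed 's/^0*//')
    num=${num:-0}
    if [ "$num" -ge "$DL_MODE_CUTOFF" ]; then
        echo "VM$batch: at or above VM$DL_MODE_CUTOFF, DL-Mode likely disabled in BROM" >&2
        return 1
    fi
    echo "VM$batch: below VM$DL_MODE_CUTOFF, DL-Mode should be available" >&2
    return 0
}

# adb_serial: read the serial from a stick still booted into FireOS with ADB
# debugging enabled (ro.serialno is the standard Android property).
adb_serial() {
    command -v adb >/dev/null 2>&1 || return 1
    adb shell getprop ro.serialno | tr -d '\r'
}

# Usage: sh serial-check.sh G070VM0984752N1Q
#    or: FROM_ADB=1 sh serial-check.sh        (query the attached stick)
if [ $# -gt 0 ]; then
    kamakiri_serial_check "$1"
elif [ "${FROM_ADB:-0}" = 1 ]; then
    serial=$(adb_serial) && kamakiri_serial_check "$serial"
fi
```

The function only reports a likelihood: the post says the affected devices "do not show up at all on USB when shorted", so a serial below the cutoff that still never enumerates is the same symptom, and a serial above it is not worth opening the case for.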

k4y0z (Senior Member, joined Nov 27, 2015)
There are three options for interacting with TWRP:
  1. A mouse via USB-OTG
  2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  3. Via /cache/recovery/command

Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery

Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

NOTE: This will only work if the boot-exploit is still there.
 
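The /cache/recovery/command route from the post above, as an added example (not code from the post or from the TWRP or kamakiri projects): it writes the same arguments the post shows, but checks that the update zip is actually present first and builds the file in one atomic rename rather than appending line by line, so a typo in the path or an interrupted write cannot leave recovery with a half-written command. It assumes that, besides `--update_package=` and `--wipe_cache` from the post, the standard recovery argument `--wipe_data` is accepted; `RECOVERY_CMD` and `DO_REBOOT` are names chosen here, and pointing `RECOVERY_CMD` at a scratch file lets you inspect the result off-device.

```shell
#!/bin/sh
# Added example, not part of the original post or of the TWRP/kamakiri
# projects. Builds /cache/recovery/command for the next "reboot recovery".
# ASSUMPTION: --wipe_data (standard recovery argument) is accepted alongside
# the --update_package= and --wipe_cache lines shown in the post.

RECOVERY_CMD=${RECOVERY_CMD:-/cache/recovery/command}

# write_recovery_command <zip-path-on-device> [wipe_cache=1] [wipe_data=0]
# Returns 1 and writes nothing if the zip is not present.
write_recovery_command() {
    zip=$1
    wipe_cache=${2:-1}
    wipe_data=${3:-0}
    if [ ! -f "$zip" ]; then
        echo "update zip not found: $zip" >&2
        return 1
    fi
    dir=$(dirname "$RECOVERY_CMD")
    mkdir -p "$dir" || return 1
    # Recovery reads the file whole at boot: build it in a temp file and
    # rename it into place so a partial file is never visible.
    tmp="$RECOVERY_CMD.tmp.$$"
    {
        printf '%s\n' "--update_package=$zip"
        if [ "$wipe_cache" = 1 ]; then printf '%s\n' "--wipe_cache"; fi
        if [ "$wipe_data" = 1 ]; then printf '%s\n' "--wipe_data"; fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$RECOVERY_CMD"
}

# Usage on the stick (inside "adb shell"):
#   sh recovery-cmd.sh /sdcard/rom.zip            # wipe cache only
#   DO_REBOOT=1 sh recovery-cmd.sh /sdcard/rom.zip 1 1   # also wipe data, then reboot
if [ $# -gt 0 ]; then
    write_recovery_command "$@" && [ "${DO_REBOOT:-0}" = 1 ] && reboot recovery
fi
```

Run it from an `adb shell` on the stick, since the zip path is checked on the device and the command file lives on /cache there.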

k4y0z (Senior Member, joined Nov 27, 2015)
Changelog:

Version 2.0.1 (04.03.2022)
  • Fix Boot Menu on TWRP-Install

Version 2.0 (02.03.2022)
  • Update PL and TZ
  • Update TWRP to 3.6.1_9-0
  • Add support for boot-recovery and boot-fastboot
  • Add support for fused devices with FireOS < 6.2.8.7

Version 1.2 (20.10.2019)
  • Update TZ from 6.2.6.6
  • Add support for updating via TWRP

Version 1.1 (17.10.2019)
  • Add delay to properly flush data to EMMC
 

bibikalka (Senior Member, joined May 14, 2015)
@k4y0z

Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:

Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?

Keep the good stuff coming!!! :D
 

rootuser11 (Senior Member, joined Dec 12, 2011)
Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..
 

iLLNiSS (Senior Member, joined Aug 5, 2016)
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.
 

vanzan (Senior Member, joined Sep 3, 2012)
Getting off the heatsink was a bit daunting especially because I didn't know there was also a sticky pad holding it on. Also spent ages trying to short the DAT0 point, got fed up and got it first time with CLK. Now I just need a rom to install!
 

Michajin (Senior Member, joined Oct 23, 2012)
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.

Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.

Try
adb reboot recovery
 

k4y0z (Senior Member, joined Nov 27, 2015)
@k4y0z

Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:

Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?

Keep the good stuff coming!!! :D

Unfortunately the fastboot bug cannot be used like that on the 4K or we probably would have done so from the start ;)
I will look into the FireStick 2 when I get the time, but given the fastboot-bug is LK-Version specific and can be easily patched, I am unsure if it's worth the effort.
 

iLLNiSS (Senior Member, joined Aug 5, 2016)
Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.

Try
adb reboot recovery

I’m guessing I have to actually install TWRP once inside TWRP the first time? I don’t have an OTG cable so never did anything once inside the first time.
 

Top Liked Posts

    I just got around to setting up the stick I got on Black Friday and was also able to set it up without any need to short the pins or OTG. My box said 2021 and was UK stock from Amazon. I just followed these posts:
    I did this successfully yesterday. Here are a few solutions I found:
    1. I didn't need to short the pins; the script unlocked the bootloader just fine on its own. This Fire TV Stick 4K was purchased last week.
    2. I could not build the live USB drive with Rufus in Windows. When I booted from the drive it gave some error about "IO charset ascii not found". FAT32 and NTFS were the only filesystem options in Rufus and neither of them worked. So I made the drive in Linux and it worked perfectly and took like 2 minutes. Imaging a USB drive in Linux is ridiculously easy, you literally copy the ISO file to the USB device with one command.
    3. You don't need an OTG cable. I got this ROM on the Fire Stick by using "adb push" to copy the G070VM0984752N1Q folder to /sdcard/TWRP/BACKUPS/, and then doing "twrp restore" from that backups directory in the adb shell. Then I used this fantastic guide to control the Fire Stick through ADB in order to pair the remote.
    Just to add on point 2.) I was able to build the USB drive with Rufus in Windows. I just had to select "write in DD image mode" at the final prompt instead of accepting the default recommendation of "write in ISO image mode".

    I had the Fire Stick plugged into the computer and used ADB for everything. First copy the files with "adb push". Type "adb help" to see the exact usage - in this case it's "adb push -p <local> <remote>" where <local> and <remote> are the G070VM0984752N1Q and /sdcard/TWRP/BACKUPS directories, respectively. It should show you the progress of the files being copied. Then use "adb shell" to gain access to the Fire Stick's terminal, and then within that, "cd" to the BACKUPS directory and run "twrp restore SDB G070VM0984752N1Q". "twrp" command usage is here. Hope that helps
    Minor typo in this part where the switches should come after the backup name, e.g.: "twrp restore G070VM0984752N1Q SDB"
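The OTG-less restore flow from the posts above (adb push the backup folder, then `twrp restore`), as an added example that is not code from the posters or from TWRP or kamakiri: it assembles the restore command with the corrected argument order (backup first, partition letters second) and validates the partition letters before anything is pushed to the stick. The backup location /sdcard/TWRP/BACKUPS and the folder name G070VM0984752N1Q come from the posts; the partition letters S, D, C, R, B, A, E and M (system, data, cache, recovery, boot, android_secure, sd-ext, md5 check) come from the OpenRecoveryScript reference linked in the second post; `DRY_RUN` is a name chosen here and prints the adb commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the posts above or of the TWRP/kamakiri projects.
# Push a TWRP backup folder over adb and restore it with the twrp command,
# with the argument order corrected: twrp restore <backup-path> <partitions>.
# Partition letters per the OpenRecoveryScript reference linked in the thread.

TWRP_BACKUPS=/sdcard/TWRP/BACKUPS
VALID_PARTS=SDCRBAEM

# twrp_restore_cmd <backup-folder-name> <partition-letters>
# Prints the on-device command, or returns 1 on a bad name or bad letters.
twrp_restore_cmd() {
    name=$1
    parts=$2
    case "$name" in
        ''|*/*) echo "bad backup name: '$name'" >&2; return 1 ;;
    esac
    # Every letter must be one of the known partition codes.
    rest=$(printf '%s' "$parts" | tr -d "$VALID_PARTS")
    if [ -z "$parts" ] || [ -n "$rest" ]; then
        echo "bad partition letters '$parts' (allowed: $VALID_PARTS)" >&2
        return 1
    fi
    # Full path instead of cd'ing into BACKUPS first, as the post does.
    printf 'twrp restore %s/%s %s\n' "$TWRP_BACKUPS" "$name" "$parts"
}

# restore_from_pc <local-backup-dir> <partition-letters>
# Run from the PC while the stick sits in TWRP with adb available.
restore_from_pc() {
    local_dir=$1
    parts=$2
    if [ ! -d "$local_dir" ]; then
        echo "no such directory: $local_dir" >&2
        return 1
    fi
    name=$(basename "$local_dir")
    cmd=$(twrp_restore_cmd "$name" "$parts") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "adb push $local_dir $TWRP_BACKUPS/" "adb shell $cmd"
        return 0
    fi
    # adb push of a directory onto an existing directory creates it underneath.
    adb push "$local_dir" "$TWRP_BACKUPS/" && adb shell "$cmd"
}

# Usage: DRY_RUN=1 sh restore.sh ./G070VM0984752N1Q SDB   (print the commands)
#        sh restore.sh ./G070VM0984752N1Q SDB             (push and restore)
if [ $# -eq 2 ]; then
    restore_from_pc "$1" "$2"
fi
```

The letters restored here (SDB: system, data, boot) are the ones used in the post; leave out the ones you do not want overwritten, and note the first post's warning that LK, Preloader and TZ are deliberately not among the restorable partitions.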
    As far as I know its not possible to root if the firmware is 6.2.9.0 or higher.

    If I'm wrong please somebody tell me!

    6.2.8.0 or later patches the shorting method, and 6.2.8.7 or later also patches the new non-shorting method.
    Hi, How were you able to flash with out OTG? I dont have OTG and im stuck in TWRP.
    I had the Fire Stick plugged into the computer and used ADB for everything. First copy the files with "adb push". Type "adb help" to see the exact usage - in this case it's "adb push -p <local> <remote>" where <local> and <remote> are the G070VM0984752N1Q and /sdcard/TWRP/BACKUPS directories, respectively. It should show you the progress of the files being copied. Then use "adb shell" to gain access to the Fire Stick's terminal, and then within that, "cd" to the BACKUPS directory and run "twrp restore SDB G070VM0984752N1Q". "twrp" command usage is here. Hope that helps
    So I got the Fire Stick connected. I could not get ADB working when connected through the Ethernet adapter, so I just did direct USB Connection

    I rebooted into recovery, wiped data, wiped cache, wiped dalvik, flashed ROM. Rebooted. As promised I got the OOBE for the fire stick.

    I paired the remote, connected to my Wifi network, and then it displayed the "checking for updates screen for a moment, and then just skipped it entirely and went right to the login screen. No download progress bar, I didn't kill the connection, it just skipped right over it. Maybe the ROM has that screen disabled?

    So I get it all set up, turn on ADB debugging, and connected to ADB. I go into adb shell to delete any cached update file (in case it downloaded one in the background) and disable OTA. But when I enter su, I get permission denied. I checked the applications list, and Magisk is not installed! I thought pre-rooted ROMs would have it preinstalled. I flashed the 6.2.6.6 rooted image from https://forum.xda-developers.com/t/...is-prerooted-stock-images-6-2-8-1_r3.3983091/ which specifically says Magisk will always be installed. But it wasn't.

    I redid the entire process, and same thing. No Magisk. Some googling led me to this page (https://miguelmota.com/blog/rooting-a-fire-tv-stick-4k/#rooting-with-magisk) which had the Magisk download and instructions on how to flash it with TWRP. I followed those instructions, and was able to get su working. I then cleared the update cache and disabled the OTA updates

    One thing I noticed is the Magisk version is different from what it was before. Before I wiped I wrote down the APK versions of everything I had on the stick, previously Magisk was version 7.3.5-de969a9d, now it say version 7.5.1. Does that matter?
    So at this point I should have a totally clean 6.2.6.6 stick with nothing on it whatsoever.
    I was able to get the twrp and the OTG mouse working, but I am still unable to install Magisk…it also said something about TWRP theme version is different than stock, or something of the sort.
    Seems something is messed up with your gpt.
    Take a look into this thread and search for 'gpt fix'
    You may need to run kamakiri again with this gpt fix...
    I've just uploaded a new version of the unlock for mantis.
    It comes with an all new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
    For detailed instructions check https://forum.xda-developers.com/t/...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (Use mantis-zip from here, will update instructions here in a bit)
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.