
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


k4y0z

Senior Member
Nov 27, 2015
1,446
1,867
NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
These devices cannot be unlocked using kamakiri.
These devices do not show up at all on USB when shorted.


After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets was closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
Together we proudly present kamakiri for the FireTV Stick 4K.

Before proceeding make sure to read and understand this entire post.

Running this exploit requires a patched linux-kernel on the PC you are using.
We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
You can find the current version of the ISO at:
https://github.com/amonet-kamakiri/fireiso/releases

It can be burned to a CD or to a USB-flashdrive.

Current Version: kamakiri-mantis-v1.2.zip

You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

You will need something for shorting (wire, aluminum foil etc.)

  1. Boot the ISO
  2. Download and extract the exploit package.
  3. Open a terminal in the kamakiri directory
  4. Run
    Code:
    ./bootrom-step.sh
  5. Short one of the points in the attached photo to ground (the cage of the shielding).
    Ideally you want to use DAT0; since that is tiny, it might be easier to short the point marked CLK instead.
    It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
  6. Connect the stick to your computer (while keeping it shorted)
  7. The script should tell you to release the short and hit enter
  8. Once finished run
    Code:
    ./fastboot-step.sh
  9. Your device will now reboot into TWRP

Important information

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

thanks to @hwmod for the picture
thanks to @Sus_i for providing an update.bin
thanks to @zeroepoch for developing aftv2-tools

XDA:DevDB Information
kamakiri, Tool/Utility for the Amazon Fire TV

Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/


Version Information
Status:
Stable
Current Stable Version: 1.0.0
Stable Release Date: 2019-10-05

Created 2019-10-05
Last Updated 2019-10-14
 

Attachments

  • kamakiri-mantis-v1.0.zip
    14.5 MB · Views: 2,310
  • FireTVStick_4k.jpg
    192.9 KB · Views: 27,388
  • kamakiri-mantis-v1.1.zip
    14.5 MB · Views: 894
  • kamakiri-mantis-v1.2.zip
    15.1 MB · Views: 15,118

k4y0z

Senior Member
Nov 27, 2015
1,446
1,867
There are three options for interacting with TWRP:
  1. A mouse via USB-OTG
  2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  3. Via /cache/recovery/command

Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery

Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

NOTE: This will only work if the boot-exploit is still there.
 

Rortiz2

Senior Member
Mar 1, 2018
2,179
1,453
Barcelona
@k4y0z I wonder why this cannot be done in Ubuntu?
I'm able to install pyusb with:
Code:
sudo apt-get install python-usb python3-usb
And then the scripts start. Is it due to the kernel patch?
BTW: good work, I'm still looking at the exploit on GitHub and it looks awesome lol.
 

bibikalka

Senior Member
May 14, 2015
1,370
1,090
@k4y0z

Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:

Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?

Keep the good stuff coming!!! :D
 

iLLNiSS

Senior Member
Aug 5, 2016
62
18
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.
 

vanzan

Senior Member
Sep 3, 2012
149
14
Getting off the heatsink was a bit daunting especially because I didn't know there was also a sticky pad holding it on. Also spent ages trying to short the DAT0 point, got fed up and got it first time with CLK. Now I just need a rom to install!
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.

Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.

Try
Code:
adb reboot recovery
 

k4y0z

Senior Member
Nov 27, 2015
1,446
1,867
@k4y0z

Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:

Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?

Keep the good stuff coming!!! :D

Unfortunately the fastboot bug cannot be used like that on the 4K or we probably would have done so from the start ;)
I will look into the FireStick 2 when I get the time, but given the fastboot-bug is LK-Version specific and can be easily patched, I am unsure if it's worth the effort.
 

Top Liked Posts

  • 2
    Additional note:
    NEVER FLASH A STOCK ROM >= 6.2.8.0 AFTER FLASHING 6.2.8.1_r2 OR LATER! THIS WILL BLOW AN EFUSE.
    ;)
    1
    I don't know what I will do with my firestick 4k now... this is a piece of junk .. even more after the update .. probably the ****tiest android device I have ever bought
    I guess we all know what amaz. can do via OTA updates, and it was always advised to disable updates (even in the OP), valid from the first fireTV ever till now... If you want to root it sometime, disable or block updates. Amaz. simply fixes every vulnerability, it's only a matter of time.

    So you may use the stick... or put it in a drawer instead and wait for an update of the OP. You know, developing needs time... :)
    1
    man it'

    it's a shame there is no warning on the first post of this thread; guess it has not been updated for a while...
    I have read some latest comments and I now see it's not possible to root 6.2.8.1 (latest firmware)... :(
    I don't know what I will do with my firestick 4k now... this is a piece of junk .. even more after the update .. probably the ****tiest android device I have ever bought (I had Chinese tv sticks before that and they worked better than this piece of junk as they were all rooted).
    What's the problem of using it without root? Nobody cancelled sideloading yet.
    1
    yeah thank god sideloading is still possible.
    how can I block my firetv from auto update again without root?
    Go to your router and set static DNS to 127.0.0.1 for:
    d1s31zyz7dcc2d.cloudfront.net
    amzdigital-a.akamaihd.net
    amzdigitaldownloads.edgesuite.net
    softwareupdates.amazon.com
    updates.amazon.com

    Make sure your router DHCP gives out its own IP as DNS server.
    Also the Stick won't update without a USB power adapter.

    So is stock FW 6.2.7.7 rootable? I can't find answer in here.
    1
    what do you mean by that? how can you power the device without the usb power adapter?
    Stick USB into TV USB port, not wall outlet and it will not update.
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.
    10
    Can you tell us how to disable Ota update on the fire tv stick 4k after a successful root.
    And since there is no superuser installed how can this be done.
    OTA can be disabled with root using the following commands:
    Code:
    adb shell
    su
    pm disable com.amazon.tv.forcedotaupdater.v2
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
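    An added verification script (not from the thread or the kamakiri project) for the commands above: `pm disable` can fail silently or be undone by an update, so the check below compares the stick's disabled-package listing against the three OTA packages named in the post. It assumes `pm list packages -d` prints one `package:<name>` line per disabled package (standard Android `pm` output) and that a root shell is reachable with `adb shell su -c`; the two sample listings are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the three OTA packages
# named in the post are actually disabled by checking the output of
# `pm list packages -d` instead of trusting that `pm disable` succeeded.

# The packages the post disables.
OTA_PACKAGES="com.amazon.tv.forcedotaupdater.v2
com.amazon.device.software.ota
com.amazon.device.software.ota.override"

# Constructed sample listings in the `package:<name>` format `pm list packages -d`
# prints. In the first one the override package is still enabled.
SAMPLE_PARTIAL="package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota
package:com.example.unrelated"

SAMPLE_FULL="package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota
package:com.amazon.device.software.ota.override"

# missing_ota_packages LISTING
# Prints every OTA package that does NOT appear as disabled in LISTING.
# Returns 0 when all three are disabled, 1 when any is still enabled.
missing_ota_packages() {
    listing="$1"
    rc=0
    for pkg in $OTA_PACKAGES; do
        # -x: whole-line match, -F: literal string (dots are not wildcards)
        if ! printf '%s\n' "$listing" | grep -qxF "package:$pkg"; then
            printf '%s\n' "$pkg"
            rc=1
        fi
    done
    return $rc
}

# check_device
# Fetches the disabled-package listing from a rooted stick over adb (assumed
# reachable as `adb shell su -c`) and runs the check against it. Not called here.
check_device() {
    listing="$(adb shell su -c 'pm list packages -d' | tr -d '\r')"
    missing_ota_packages "$listing"
}

# Demonstration on the constructed partial listing: the override package is reported.
if missing_ota_packages "$SAMPLE_PARTIAL" >/dev/null; then
    echo "all OTA packages disabled"
else
    echo "some OTA packages are still enabled (see list above)"
fi
```

    On a device, run `check_device` after the commands from the post; an empty result with exit status 0 means all three packages are disabled, and anything printed is a package that still needs `pm disable`.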