[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)

k4y0z

Senior Member
Nov 27, 2015
NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
These devices cannot be unlocked using kamakiri.
These devices do not show up at all on USB when shorted.


Now that the old bootrom exploit (amonet) we've been using for unlocking all these Fire gadgets has been closed in more recent Mediatek SoCs, like the one used in the Fire TV Stick 4K, @xyz` has done it again and found another bootrom exploit.
Together we proudly present kamakiri for the Fire TV Stick 4K.

Before proceeding make sure to read and understand this entire post.

Running this exploit requires a patched linux-kernel on the PC you are using.
We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
You can find the current version of the ISO at:
https://github.com/amonet-kamakiri/fireiso/releases

It can be burned to a CD or to a USB-flashdrive.

Current Version: kamakiri-mantis-v1.2.zip

You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

You will need something for shorting (wire, aluminum foil etc.)

  1. Boot the ISO
  2. Download and extract the exploit package.
  3. Open a terminal in the kamakiri directory
  4. Run
    Code:
    ./bootrom-step.sh
  5. Short one of the points in the attached photo to ground (the cage of the shielding).
    Ideally you want to use DAT0; since that one is tiny, it might be easier to short the point marked CLK instead.
    It is very important that you use a piece of soft wire, aluminum foil or something similar for shorting. Don't use tweezers, as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
  6. Connect the stick to your computer (while keeping it shorted)
  7. The script should tell you to release the short and hit enter
  8. Once finished run
    Code:
    ./fastboot-step.sh
  9. Your device will now reboot into TWRP

Important information

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

thanks to @hwmod for the picture
thanks to @Sus_i for providing an update.bin
thanks to @zeroepoch for developing aftv2-tools

XDA:DevDB Information
kamakiri, Tool/Utility for the Amazon Fire TV

Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/


Version Information
Status:
Stable
Current Stable Version: 1.0.0
Stable Release Date: 2019-10-05

Created 2019-10-05
Last Updated 2019-10-14

k4y0z

Senior Member
Nov 27, 2015
There are three options for interacting with TWRP:
  1. A mouse via USB-OTG
  2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  3. Via /cache/recovery/command

Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery
Should you somehow end up in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG cable connected.
It will give you 5 seconds to hit cancel and stay in TWRP, or it reboots into the OS otherwise.

NOTE: This will only work if the boot exploit is still there.
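As an added example for the /cache/recovery/command option above (this is not code from the thread or from the kamakiri project), here is a small POSIX shell function that writes the OpenRecoveryScript command file only after checking that the given path exists and carries the zip signature, so a typo in the path does not leave you rebooting into recovery with nothing to flash. The file paths are parameters; on the stick the output path would be /cache/recovery/command, and the zip path below is a hypothetical one.

```shell
#!/bin/sh
# Added example, not from the thread: write a TWRP OpenRecoveryScript command
# file for a flashable zip, refusing paths that do not exist or are not zips.
# On the stick the output path would be /cache/recovery/command; both paths
# are parameters here so the function can be exercised on a PC first.

make_recovery_command() {
    zip="$1"
    out="$2"
    [ -f "$zip" ] || { echo "not a regular file: $zip" >&2; return 1; }
    # Every zip archive begins with the 'PK' local-file-header signature
    [ "$(head -c 2 "$zip")" = "PK" ] || { echo "not a zip archive: $zip" >&2; return 2; }
    # Same two lines the post shows, written with printf so the leading
    # dashes are never mistaken for options
    printf '%s\n%s\n' "--update_package=$zip" "--wipe_cache" > "$out"
}

# Usage on the device, as root in FireOS (hypothetical zip path):
#   make_recovery_command /sdcard/update.zip /cache/recovery/command && reboot recovery
```

The zip path must be one TWRP can see once it is in recovery, so pick a location TWRP mounts rather than an app-private directory.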

Rortiz2

Senior Member
Mar 1, 2018
Barcelona
@k4y0z I wonder why this cannot be done in Ubuntu?
I'm able to install pyusb with:
Code:
sudo apt-get install python-usb python3-usb
And then the scripts start. Is it due to the kernel patch?
BTW: good work. I'm still looking at the exploit on GitHub and it looks awesome lol.

bibikalka

Senior Member
May 14, 2015
@k4y0z

Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:

Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?

Keep the good stuff coming!!! :D

iLLNiSS

Senior Member
Aug 5, 2016
Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.

vanzan

Senior Member
Sep 3, 2012
Getting the heatsink off was a bit daunting, especially because I didn't know there was also a sticky pad holding it on. Also spent ages trying to short the DAT0 point, got fed up and got it first time with CLK. Now I just need a ROM to install!

Michajin

Senior Member
Oct 23, 2012
> Does this permanently install anything? If I reboot after getting into TWRP the first time with fastboot the hacked fastboot splashscreen doesn't come back, it just boots FireOS normally with no options to boot TWRP.
Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.

Try
ADB reboot recovery

k4y0z

Senior Member
Nov 27, 2015
> @k4y0z
>
> Excellent work as always!!! :highfive::highfive::highfive::highfive::highfive:
>
> Now, any chance that you can create a fastboot exploit such that there'd be no need to open the case? Same story with Fire TV2 (tank), fastboot exploit?
>
> Keep the good stuff coming!!! :D
Unfortunately the fastboot bug cannot be used like that on the 4K or we probably would have done so from the start ;)
I will look into the FireStick 2 when I get the time, but given that the fastboot bug is LK-version specific and can be easily patched, I am unsure if it's worth the effort.

iLLNiSS

Senior Member
Aug 5, 2016
> Every time I boot from power off with an OTG it gives the option for TWRP. It installed TWRP recovery. From there you can install root.
>
> Try
> ADB reboot recovery
I’m guessing I have to actually install TWRP once inside TWRP the first time? I don’t have an OTG cable so never did anything once inside the first time.