[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)
- Thread starter k4y0z
- Start date
tito_puente
Senior Member
But wasn't it originally said that the exploit with the short circuit was an unrecoverable hardware bug?
Thank you. It fixed our streaming issue. I discovered the DRM issue on day 1 of our vacation and it was a huge bummer kids couldn’t watch Disney+.
In case anyone needs some quick instructions.
adb reboot recovery
adb push path_to_the_tz.zip /sdcard
adb shell
# twrp install /sdcard/the_tz.zip
adb reboot
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)
NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM. These devices cannot be unlocked using kamakiri. These devices do not show up at all on USB when...
forum.xda-developers.com
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)
NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM. These devices cannot be unlocked using kamakiri. These devices do not show up at all on USB when...
This says it is for the sheldon version, will that work with mantis?
Also, for a device that is already rooted, how do you reboot the device into TWRP to flash a new ROM? DO you boot the live ISO, plug in the fire stick, and run ./fastboot-step.sh?
Hello
The first part of your question,The script does work to unlock Firetv 4k without short so you ain't need to open the stick.
The second part of your question, when you boot the Firetv 4k it gives 5 seconds to boot into recovery a mouse connected via usb dongle helps in selecting the option to recovery once lapsed it boots to OS.
The third part of your question just follow the instructions in the unlock thread.
Just read through the previous posts of this thread you'll find most of the answers.
Hope it helps.......
Last edited:
I was asking if it works on Mantis. And does it work if the eFuse is already blown?
Your second part is for my already unlocked Fire Stick. When I plug the device in, I do not get any option to select anything, so plugging a mouse won't do anything. The only way I was able to get to recovery before was performing the entire exploit. How do you get into recovery after you have already performed the exploit/unlocked the device?
Would I boot a laptop with the ISO from the unlock thread, plug in the Fire Stick, and then run adb commands from there to fastboot into recovery?
Thanks for any help. I need to re-flash the 6.6 Fire OS.
Hello
Which version of OS you're currently on and check the serial no of the stick nevertheless it's worth giving a try.
If your Firetv 4k is unlocked and the script Kamakari-mantis-v2.0.1 ended successfully it should provide you with an option ,try connecting it to the TV and check on screen whether you get the option.
You can burn the ISO to USB to make a bootable USB and boot via USB using a Desktop or a Laptop.
As said earler read through the thread you have the unanswered answered.
Hope it helps.......
Still trying to understand what you are saying ... Let me break it down
- I have a Fire Stick. It has been unlocked and rooted following the instruction for the exploit. I had flashed the 6.6 OS. It all worked great
- I now need to RE FLASH 6.6 on the same stick.
- How do I get to an ADB shell to do so? Once I can get to an adb shell I know I can fastboot recovery the device to and the run the TWRP commands needed to re flash 6.6, but I don't know how to get to the adb shell in the first place to issue those commands. Plugging the stick into the TV just boots it as a normal fire stick.
Can you clarify? You say "Once in TWRP", how do I get into TWRP? I need to issue command from an adb shell anyway, I will not be using a mouse.
You have already unlocked and rooted your stick so i think you know the basics.
If you are already rooted that means you have magisk installed on your firestick (theres no other meaning of root in this case) then boot up your firestick normally, open "Magisk Manager" click on three dots menu (on top right of the screen) and then choose reboot to recovery.
If you don't have magisk installed (means you don't have root) then you can use adb to reboot into TWRP (do not boot into Fastboot if you don't want to brick your stick) now in order to do that follow one of the Options.
Option 1 (if you dont have a pc)
Download "Remote ADB Shell" on your Firestick (watch on youtube on how to do that)
Open remote adb shell and in the IP address field enter "localhost" or "127.0.0.1" and in the port enter "5555" and connect.
Your stick will show a popup, click on allow.
Once in shell, type "reboot recovery"
It will reboot into TWRP, from there you can flash any rom of your choice.
Option TWO (if you have a pc)
Get "Minimal ADB and Fastboot" from XDA or get "platform tools" from Android developers site, then install it.
Once installed open the command prompt and type
"adb devices" this will start adb server and show list of devices.
Make sure your pc and firestick is connected to same wifi, get the ip address of your stick.
Type in the ip address along with port like
"adb connect 192.168.22.40:5555"
Change 192.168.22.40 to ip address of your stick.
Allow the debugging prompt on your firestick.
And then type
"adb reboot recovery"
You will reboot into TWRP
Option 3 (from stick itself with the help of OTG)
Connect a Y type OTG to your Firestick, boot your firestick, you will be greeted with an option to reboot into recovery for 5 seconds, you can press cancel to "reboot to recovery" you will need a mouse connected to OTG to do that.
Thanks, this is much more comprehensive.
I do have Magisk installed. So I just launch Magisk (I have never done this) and select reboot into recovery, and that will reboot me into TWRP and I can flash 6.2.6.6? I already copied the ROM file up to the stick. Do you use the fire TV remote to navigate Magisk and TWRP?
And if I do that, how to I access adb afterwords to run the commands to disable OTA updates? Or do I even need to? The ROM I am flashing is the 6.2.6.6 rooted one from https://forum.xda-developers.com/t/...is-prerooted-stock-images-6-2-8-1_r3.3983091/, does that have OTA disable already?
Or, could I just skip using MAgisk and try one of the options you listed. I think option 2 would be the best for me, so basically to reflash 6.2.6.6 I would do the following:
- Get "Minimal ADB and Fastboot" and install it.
- Once installed open the command prompt and type "adb devices" this will start adb server and show list of devices.
- Make sure your pc and firestick is connected to same wifi, get the ip address of your stick.
- Type in the ip address along with port like "adb connect [ip address of my stick]:5555"
- Allow the debugging prompt on your firestick.
- And then type the following
- adb reboot recovery
- After it reboots type
- adb devices (I should see the SN of my stick)
- adb shell
- twrp install /sdcard/mantis-6.2.6.6_r1.zip
- twrp wipe cache
- twrp wipe dalvik
- reboot -p
- adb shell
- su
- pm disable com.amazon.tv.forcedotaupdater.v2
- pm disable com.amazon.device.software.ota
- pm disable com.amazon.device.software.ota.override
And I would be back in business? It's insane, I went to watch a freaking Thursday football game, it tells me I need to update an app, and because of THAT it screws up the display on my Firestick (it is like 300% brightness now), I need to go through all this
One question, do I need to deregister my FireStick before doing all this?
Last edited:
Just flash, if ota packages are reenabled then disable them.
Just do this.
Pull out the data cable from your TV/Power brick and connect it to your computer.
Your stick will be powered by the usb ports of the computer and will start booting. Once its booted, open cmd/ps/terminal
Type "adb devices"
Accept prompt on your tv
Then type command to push with (adb push)
Reboot to recovery using (adb reboot recovery)
Get into shell by using (adb shell)
Flash the zip using (twrp install)
Reboot using (reboot)
OK, so just to try and make this as idiot proof as possible for me:
- Plug the USB cable that I currently have going to the power strip into my Windows laptop. This will boot the stick
- Once it is booted, open a cmd prompt
- Run "adb devices"
- I will get some prompt on the TV, click OK using the Fire TV Remote
(I don't think I need to push anything since I have the ROM already on the /sdcard of the stick) - Type "adb reboot recovery", this will reboot me into TWRP
- Type "adb shell"
- Type "twrp install /sdcard/mantis-6.2.6.6_r1.zip" (this file is already there)
- Type "twrp wipe cache"
- Type "twrp wipe dalvik"
- Type "reboot -p"
Two final questions before I dive into this:
- If OTA is re-enabled, how do I prevent it from updating before I get a chance to disable OTA?
- Do I need to deregister my firestick before I do this? I would prefer not to if it is not needed but if it has to be done, that's OK
Thanks again for the excellent help!
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
3
Not adb sideload. You need to boot TWRP, start adb shell and then use TWRP commandline via USB cable
Boot the fireISO,
open a terminal in the kamakiri folder,
run ./boot-recovery.sh
and connect the stick via fireTV usb cable.
TWRP will boot and if you type adb shell in the terminal, then you can use TWRP commandline.
Now you've got a terminal open, TWRP is running.
Download magisk from here:
If adb shell is running quit with exit, then rename the apk to zip and push it to sdcard via adb push command.
Then start adb shell and use:
twrp wipe data
twrp wipe cache
twrp install /sdcard/name-of-the-zip.zip
Now you should be able to skip the initial update again and magisk is installed.
Note: Never ever flash something via an APP from inside fireOS, especially not magisk updates. Only TWRP will work. Also never wipe system2
As you've got a stick with 6281 (already burned efuse = shorting method gone), there isn't a special procedure required, you would just need to flash the rom you like...
If you go to 6.2.9.4 you may flash the TZ too (if there are DRM playback issues or black screens).
Easiest way to do this is take/extract the TZ image from 6.2.9.4 rom and overwrite the TZ image from kamakiri 2.1 folder. Then re-do the bootrom/fastboot-step.
Fire TV Stick 4K Firmware and apps. Official Cloud Front direct links
Fire TV Stick 4K Stock Firmware files...
forum.xda-developers.com
2
su is aviable as soon as you grant access
Any update of the 'magisk manager' (app) is ok...
The update/upgrade of 'magisk' will only work via TWRP.2
You are in TWRP, and already have root. Package Manager isn't available until you boot FireOS.2
Nevermid... Just noticed that Pretoriano80's Kernel (which I'am at 6.2.7.7 - 3033) as insecure ADB - Therefore no ADB RSA Keys are needed - And no popub came up - Even if file (on FireTV) /data/misc/adb/adb_keys is deleted/renamed.
For testing: With stock Kernel 3033 the RSA PopUp came up again (with deleted /data/misc/adb/adb_keys),
and new file /data/misc/adb/adb_keys is created with correct permissions...
Again we are fiddling at the same place - I wonder why?
Even if its not needed for your case anymore - To reset the RSA Key its needed to delete/rename files on the sending and receving side (one side should be enough as well, but to keep it clear... both)
WinPC: C:\Users\<USER>\.android - Files: adbkey + adbkey.pub
Linux/Android/FireTV: /data/misc/adb/ - File: adb_keys
FireISO: /root/.android/ - Files: adbkey + adbkey.pub (of course temporary)
On WInPC its reported that adbkey + adbkey.pub may are saved at other places.
If they are not in mentioned folder search on system drive for them.... -
69NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
These devices cannot be unlocked using kamakiri.
These devices do not show up at all on USB when shorted.
After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
Together we proudly present kamakiri for the FireTV Stick 4K.
Before proceeding make sure to read and understand this entire post.
Running this exploit requires a patched linux-kernel on the PC you are using.
We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
You can find the current version of the ISO at:
https://github.com/amonet-kamakiri/fireiso/releases
It can be burned to a CD or to a USB-flashdrive.
Current Version: kamakiri-mantis-v2.0.1.zip
You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)
You will need something for shorting (wire, aluminum foil etc.)
- Boot the ISO
- Download and extract the exploit package.
- Open a terminal in the kamakiri directory
- Run
Code:./bootrom-step.sh - Short one of the points in the attached photo to ground (the cage of the shielding).
Ideally you want to use DAT0, since that is tiny it might be easier to short the point marked CLK instead.
It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock of the capacitor off the PCB and kill the board! - Connect the stick to your computer (while keeping it shorted)
- The script should tell you to release the short and hit enter
- Once finished run
Code:./fastboot-step.sh - Your device will now reboot into TWRP
Important information
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
thanks to @hwmod for the picture
thanks to @Sus_i for providing an update.bin
thanks to @zeroepoch for developing aftv2-tools
Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/16There are three options for interacting with TWRP:
- A mouse via USB-OTG
- TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
- Via /cache/recovery/command
Example for /cache/recovery/command:
Code:echo "--update_package=/path/to/zipfile" > /cache/recovery/command echo "--wipe_cache" >> /cache/recovery/command reboot recovery
Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.
NOTE:This will only work if the boot-exploit is still there.13I'v just uploaded a new Version of the unlock for mantis.
It comes with an all new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
For detailed instructions check https://forum.xda-developers.com/t/...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (Use mantis-zip from here, will update instructions here in a bit)11
