[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)

SweenWolf

OK, so just to try and make this as idiot proof as possible for me:
  1. Plug the USB cable that I currently have going to the power strip into my Windows laptop. This will boot the stick
  2. Once it is booted, open a cmd prompt
  3. Run "adb devices"
  4. I will get some prompt on the TV, click OK using the Fire TV Remote
    (I don't think I need to push anything since I have the ROM already on the /sdcard of the stick)
  5. Type "adb reboot recovery", this will reboot me into TWRP
  6. Type "adb shell"
  7. Type "twrp install /sdcard/mantis-6.2.6.6_r1.zip" (this file is already there)
  8. Type "twrp wipe cache"
  9. Type "twrp wipe dalvik"
  10. Type "reboot -p"
At that point I should have a stick that is freshly flashed to 6.2.6.6, that may have OTA re-enabled

Two final questions before I dive into this:
  1. If OTA is re-enabled, how do I prevent it from updating before I get a chance to disable OTA?
  2. Do I need to deregister my firestick before I do this? I would prefer not to if it is not needed but if it has to be done, that's OK

Thanks again for the excellent help!
You do not have to deregister anything.

If OTA is reenabled, before rebooting go to network section and forget the network, or just turn off your router, simple as that
 

emkorial

OK, this is not good. Here is what happened:
  • I plugged the USB cable that I currently have going to the power strip into my Windows laptop. This booted the stick
  • Once it is booted, I opened a cmd prompt
  • Run "adb devices". NO DEVICES WERE FOUND
So I Googled and saw I needed to connect to the stick. (This step was missing from the instructions)

  1. So I typed "adb connect 192.168.68.104", and it connected.
  2. I typed adb devices, and it found the device!
  3. I clicked OK on the prompt that came on the TV
  4. I then typed "adb reboot recovery", and the stick rebooted me into TWRP
This is where it failed.
  1. I was at the TWRP screen asking me if I wanted to keep things read only and the slide bar to modify settings,
  2. I typed "adb shell" and got "error: no devices/emulators found"
  3. So I typed "adb connect 192.168.68.104" and I got "unable to connect to 192.168.68.104:5555: cannot connect to 192.168.68.104:5555: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (10060)"
  4. I could not use the FireTV remote to navigate the TWRP screen, so I was just stuck
So I unplugged the stick from the laptop, plugged it back into the power strip, I got the two boot up screens, then a black screen for a while, before the Fire Stick home screen finally came up

So I got rebooted to TWRP, but at that point I am unable to communicate with the stick to issue the adb shell command and flash the ROM. And I cannot navigate TWRP to do anything via the UI. What am I doing wrong?
 

emkorial

Possibly when the Fire Stick rebooted into TWRP mode, did it get assigned a different IP address, and is that why the adb connect failed? Just grasping at straws here
 

SweenWolf

Possibly when the Fire Stick rebooted into TWRP mode, did it get assigned a different IP address, and is that why the adb connect failed? Just grasping at straws here
SMH, Bluetooth and Wifi do not work in TWRP; you don't have to type the IP address as there won't be any.
The reason why I told you to connect using the cable is that it doesn't need any IP to connect; it's a direct connection. You will have to type everything in the console.
And make sure you are using a data cable, i.e. it should have 4 wires in it.
 
  • Like
Reactions: Kramar111
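
The transport point made in the post above (an `adb connect` session over Wi-Fi does not survive the reboot into TWRP, a USB session does), as an added example that is not part of the original thread. The function names and the serial `G0EXAMPLE0001` are constructed for illustration; the sample `adb devices` outputs are constructed as well.

```shell
#!/bin/sh
# Added example (not from the thread): gate twrp commands on the adb transport.

# Reads `adb devices` output on stdin and prints "<serial> <usb|tcp> <state>"
# per device. Header and daemon lines have more than two fields and are skipped.
classify_adb_devices() {
    awk 'NF == 2 { print $1, ($1 ~ /:[0-9]+$/ ? "tcp" : "usb"), $2 }'
}

# Reads `adb devices` output on stdin. Returns 0 only when exactly one device
# is attached over USB and reports state "recovery"; prints the reason either way.
preflight() {
    devs=$(classify_adb_devices)
    count=$(printf '%s\n' "$devs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "none: no device visible; check the data cable and the USB driver"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "ambiguous: $count devices attached; pick one with adb -s"
        return 1
    fi
    # Split the single line into serial ($1), transport ($2), state ($3).
    set -- $devs
    case "$2:$3" in
        usb:recovery)
            echo "ok: $1 is in recovery over USB"; return 0 ;;
        usb:device)
            echo "booted: $1 is running FireOS; run adb reboot recovery first"
            return 1 ;;
        usb:unauthorized)
            echo "unauthorized: accept the debugging prompt on the TV for $1"
            return 1 ;;
        tcp:*)
            echo "network: $1 is a Wi-Fi session and will be gone in TWRP; use USB"
            return 1 ;;
        *)
            echo "unknown: $1 reports state $3"; return 1 ;;
    esac
}

# Constructed sample outputs (tab-separated, as adb prints them).
SAMPLE_WIFI=$(printf 'List of devices attached\n192.168.68.104:5555\tdevice\n')
SAMPLE_TWRP=$(printf 'List of devices attached\nG0EXAMPLE0001\trecovery\n')
SAMPLE_NONE=$(printf 'List of devices attached\n')

for sample in "$SAMPLE_WIFI" "$SAMPLE_TWRP" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | preflight || true
done

# On a real host the gate would be used as:
#   adb devices | preflight && adb shell twrp wipe cache
```
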

emkorial

SMH, Bluetooth and Wifi do not work in TWRP; you don't have to type the IP address as there won't be any.
The reason why I told you to connect using the cable is that it doesn't need any IP to connect; it's a direct connection. You will have to type everything in the console.
And make sure you are using a data cable, i.e. it should have 4 wires in it.

OK, that explains that

The firestick was directly plugged into the PC. I used a USB data cable; I just checked the pins with a flashlight and they are in there. Why would my laptop not be seeing the Firestick over the cable? Is there a Firestick "driver" I need installed?


Edit: SweenWolf, you da man, when you mentioned not needing to go over the network, it made me think that the laptop was just providing power and not seeing the stick. I checked Device Manager and saw it wasn't reading the stick properly! So I googled for a driver and found one on xda and installed it (https://forum.xda-developers.com/t/fire-stick-4k-mantis-driver-adb-for-win7-x64.4445315/), and now it shows up in Device Manager. And, I ran adb devices, and it saw the stick, WITHOUT having to connect to the IP address first!! Which means (to me) the direct connection to the laptop is working! Progress!!

Thanks so much for the continued help, I feel like I am stumbling towards eventual success. I'm going to try the whole process again tomorrow, I have other things to attend to now. Stay tuned!! Looks like I need to get the driver set up for TWRP mode but the thread has instructions on that so hopefully it goes smoothly
 

emkorial

OK, this is weird.

I plugged in the stick, rebooted to recovery, flashed the ROM, wiped cache, wiped dalvik, disabled OTA, and then rebooted the stick.

The stick came back, but all my apps were still there. And then about a minute after that it rebooted on its own, and the brightness issue came right back (this was caused by an issue with the Prime Video app, so if it is keeping the apps, the problem is not getting fixed)

How do I do a FULL wipe of the stick so nothing carries over? What would the adb commands be to do that?
 

Sus_i

How do I do a FULL wipe of the stick so nothing carries over? What would the adb commands be to do that?
Boot into TWRP (via usb cable connected to your PC), then run something like this:
Code:
adb shell
twrp wipe data
twrp wipe cache
You can run 'twrp format data' too, if you like.
Done.

Full list of commands:
 
  • Like
Reactions: Kramar111

emkorial

Boot into TWRP (via usb cable connected to your PC), then run something like this:
Code:
adb shell
twrp wipe data
twrp wipe cache
You can run 'twrp format data' too, if you like.
Done.

Full list of commands:


Thanks, I thought I missed a wipe command in there somewhere!

Would I run "twrp wipe data" before or after, I flash the ROM? Or does it not matter? Would these be the steps, in this order?
  1. Type "adb shell"
  2. Type "twrp install /sdcard/mantis-6.2.6.6_r1.zip" (this file is already there)
  3. Type "twrp wipe data"
  4. Type "twrp wipe cache"
  5. Type "twrp wipe dalvik"
  6. Type "reboot -p"

Any risk of a brick or losing the remote pairing by wiping data? Now that I have the driver issue worked out I am much more comfortable accessing the stick over USB and running the commands.

Thanks for the assist!
 

Sus_i

Thanks, I thought I missed a wipe command in there somewhere!

Would I run "twrp wipe data" before or after, I flash the ROM? Or does it not matter? Would these be the steps, in this order?
  1. Type "adb shell"
  2. Type "twrp install /sdcard/mantis-6.2.6.6_r1.zip" (this file is already there)
  3. Type "twrp wipe data"
  4. Type "twrp wipe cache"
  5. Type "twrp wipe dalvik"
  6. Type "reboot -p"
Yep, but you won't need to flash a rom if you wipe only data, dalvik and cache.
Any risk of a brick or losing the remote pairing by wiping data?
It won't brick, but of course you will lose all kind of data, incl. the remote pairing, wifi, adb dev. settings and the amaz. account... i.e. at the reboot the logon setup oobe waits for you.
You would need to skip the update thing too, or your 6.2.6.6 OS is gone.
 

emkorial

You would need to skip the update thing too, or your 6.2.6.6 OS is gone.

If I recall correctly, I might have to have it auto update to the latest version, then reflash 6.2.6.6 since you can't connect via ADB to disable OTA updates until you get to a home screen, and you can't get to a home screen until it updates. I think I had to do that before. But it is safe to do since the unlock blocks the efuse from blowing, correct?


So it would be :
  • Connect to stick
  • Wipe data, cache, and dalvik
  • Reboot and it will act like a brand new out of the box fire stick
  • Pair remote and go through setup, which will upgrade to whatever the latest FireOS version is
  • Once that is done, connect via ADB and enable ADB debugging
  • Reboot to TWRP
  • Flash 6.2.6.6, clear cache, clear dalvik
  • Disable OTA updates

That should leave me with a fresh 6.2.6.6 stick, and I then proceed from there.
We'll see what happens!
 

Sus_i

If I recall correctly, I might have to have it auto update to the latest version, then reflash 6.2.6.6 since you can't connect via ADB to disable OTA updates until you get to a home screen, and you can't get to a home screen until it updates. I think I had to do that before. But it is safe to do since the unlock blocks the efuse from blowing.


So it would be :
  • Connect to stick
  • Wipe data, cache, and dalvik
  • Reboot and it will act like a brand new out of the box fire stick
  • Pair remote and go through setup, which will upgrade to whatever the latest FireOS version is
  • Once that is done, connect via ADB and enable ADB debugging
  • Reboot to TWRP
  • Flash 6.2.6.6, clear cache, clear dalvik
  • Disable OTA updates

That should leave me with a fresh 6.2.6.6 stick, and I then proceed from there.
We'll see what happens!
A messed up stick is what happens ;)

You may just skip the initial update... which is way better and very easy if you follow this guide:
 

emkorial

A messed up stick is what happens ;)

You may just skip the initial update... which is way better and very easy if you follow this guide:


Why would that mess up the stick? I went through that process before, but that was back when the latest OS was (I believe) 6.2.8.0, which would blow the eFuse if applied, but if you unlocked the stick via the short, you could safely upgrade to that version without blowing the eFuse and you could then downgrade after that. Has that changed?

I'm not a fan of trying to perfectly time yanking an ethernet cable to avoid the upgrade, are there any more reliable methods? Does the modified build prop version still work? As described at https://www.aftvnews.com/how-to-blo...k-by-setting-a-custom-fire-os-version-number/
 

emkorial

A messed up stick is what happens ;)


I found the original post, and it turns out it was you that said it was ok to upgrade and then downgrade :)

https://forum.xda-developers.com/t/...stick-4k-mantis.3978459/page-72#post-84832395

lol, yeah.
Idk why it is so hard, just to do the unlock first.. it will protect the efuse ;)
Then all options are possible, up- or downgrade, just nothing gets blocked.

However that was back when the OS upgrade version was 6.2.8.0, have there been later OS releases that do screw it up and prevent downgrading?
 

Sus_i

I found the original post, and it turns out it was you that said it was ok to upgrade and then downgrade :)
Yes, you are right.
Back then this was ok, however nowadays I would just skip the update...
However that was back when the OS upgrade version was 6.2.8.0, have there been later OS releases that do screw it up and prevent downgrading?
Maybe yes, idk, I guess it's best and easiest if you skip the update.
 

emkorial

Yes, you are right.
Back then this was ok, however nowadays I would just skip the update...

Maybe yes, idk, I guess it's best and easiest if you skip the update.

I will be trying the update "skip" shortly. My car broke down, so I've had to switch from electronics mode to car mechanic mode for the past few days.
 

emkorial

So after I wipe data, dalvik, and cache, and flash the ROM, then skip the update, finish setting up the stick, then block updates, and get everything set up totally stock on 6.2.6.6 with updates blocked, I should reboot into recovery and back that up so I can return to that state easily, right?

Would the ADB command to back that up be (from adb shell) "twrp backup partition S, D to STOCK_BACKUP"?
Would the ADB command to restore that in the future be (from adb shell) "twrp restore S, D from existant STOCK_BACKUP"?
 

Top Liked Posts

  • 2
    But when I try to run 'su' or 'pm' I get "Not found". I tried 'su' and 'pm' via adb shell and twrp terminal with same results.
    You are in TWRP, and already have root. Package Manager isn't available until you boot FireOS.
    2
    What is the proper procedure to get it updated to 6.2.9.4?? I assume the DRM is out of date and Netflix and prime show a black screen. It also seems this root blocks updates, as it just boots to twrp and the update never happens.
    As you've got a stick with 6281 (already burned efuse = shorting method gone), there isn't a special procedure required, you would just need to flash the rom you like...

    If you go to 6.2.9.4 you may flash the TZ too (if there are DRM playback issues or black screens).
    Easiest way to do this is take/extract the TZ image from 6.2.9.4 rom and overwrite the TZ image from kamakiri 2.1 folder. Then re-do the bootrom/fastboot-step.
    I am perfectly ok with manually updating but can't seem to find the bins anywhere. Any help here would be appreciated.
    1
    As you've got a stick with 6281 (already burned efuse = shorting method gone), there isn't a special procedure required, you would just need to flash the rom you like...

    If you go to 6.2.9.4 you may flash the TZ too (if there are DRM playback issues or black screens).
    Easiest way to do this is take/extract the TZ image from 6.2.9.4 rom and overwrite the TZ image from kamakiri 2.1 folder. Then re-do the bootrom/fastboot-step.

    Done and done. Thanks, this is exactly what I was looking for. Now, is there a semi up to date list of what system apps can be deleted? Time to go looking.
    1
    Done and done. Thanks, this is exactly what I was looking for. Now, is there a semi up to date list of what system apps can be deleted? Time to go looking.
    Maybe use adb shell pm disable instead, so it's easy to enable again if something goes wrong ;)
  • 70
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v2.0.1.zip


    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0; since that is tiny, it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/
    16
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE: This will only work if the boot-exploit is still there.
    13
    I've just uploaded a new Version of the unlock for mantis.
    It comes with an all new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
    For detailed instructions check https://forum.xda-developers.com/t/...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (Use mantis-zip from here, will update instructions here in a bit)
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.