[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)

Hello guys, I purchased my Firestick 4K in August of 2019 and have been updating it ever since. I rooted my phone with Magisk, so I thought, why can't I do the same with my Firestick, and that's how I found this thread. I'm on the latest update and hence I want to know if Amazon blocked this method. Below I've attached the details of my Firestick's software. I want to know if this process works with FireOS 6.2.9.3, or has it been patched @Sus_i , @Joe Ghost ?
Thank you,
RDY
As far as I know it's not possible to root if the firmware is 6.2.9.0 or higher.

If I'm wrong please somebody tell me!
 

Sus_i

As far as I know it's not possible to root if the firmware is 6.2.9.0 or higher.

If I'm wrong please somebody tell me!

6.2.8.0 or later patches the shorting method and 6.2.8.7 or later also patches the new non-shorting method.
 

potatoloco37

I used this and it worked first try, without shorting.

I have a question though: can I interact with TWRP through the remote, or do I need an OTG cable for a mouse?

Edit: if I need an OTG cable then recommend a good one please.
 

DrTrax

Sorry to ask, but I held my FireTV 4K at firmware 6.2.9.1 and am waiting for someone to tell me that rooting or installing TWRP is possible.

Anyone had luck with an unusual method?

I know that MTK has the MTK mode where you can literally flash anything as long as the bootloader isn't bricked, and my Windows PC DOES detect the MTK Preloader VCOM but it shuts off immediately. I remember back with my Elephone, you needed to launch a software which IMMEDIATELY holds this state, otherwise it goes straight to boot.
 

potatoloco37

I have no idea what firmware my stick was on since it hasn't been on, but apparently it was on the best version.

Also, I would recommend keeping the Firestick off the internet or not turning it on at all.
 

llarr

I just got around to setting up the stick I got on Black Friday and was also able to set it up without any need to short the pins or OTG. My box said 2021 and was UK stock from Amazon. I just followed these posts:
I did this successfully yesterday. Here are a few solutions I found:
  1. I didn't need to short the pins; the script unlocked the bootloader just fine on its own. This Fire TV Stick 4K was purchased last week.
  2. I could not build the live USB drive with Rufus in Windows. When I booted from the drive it gave some error about "IO charset ascii not found". FAT32 and NTFS were the only filesystem options in Rufus and neither of them worked. So I made the drive in Linux and it worked perfectly and took like 2 minutes. Imaging a USB drive in Linux is ridiculously easy, you literally copy the ISO file to the USB device with one command.
  3. You don't need an OTG cable. I got this ROM on the Fire Stick by using "adb push" to copy the G070VM0984752N1Q folder to /sdcard/TWRP/BACKUPS/, and then doing "twrp restore" from that backups directory in the adb shell. Then I used this fantastic guide to control the Fire Stick through ADB in order to pair the remote.
Just to add on point 2.) I was able to build the USB drive with Rufus in Windows. I just had to select "write in DD image mode" at the final prompt instead of accepting the default recommendation of "write in ISO image mode".

I had the Fire Stick plugged into the computer and used ADB for everything. First copy the files with "adb push". Type "adb help" to see the exact usage - in this case it's "adb push -p <local> <remote>" where <local> and <remote> are the G070VM0984752N1Q and /sdcard/TWRP/BACKUPS directories, respectively. It should show you the progress of the files being copied. Then use "adb shell" to gain access to the Fire Stick's terminal, and then within that, "cd" to the BACKUPS directory and run "twrp restore SDB G070VM0984752N1Q". "twrp" command usage is here. Hope that helps
Minor typo in this part, where the switches should come after the backup name, e.g.: "twrp restore G070VM0984752N1Q SDB"
 

nomobytes

Important information

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
<snip>

Contributors
k4y0z, xyz`
Source Code: https://github.com/amonet-kamakiri/
If you manually update to 6294/4339 you may need to flash tee1/tee2 to the latest tz.img, otherwise your device might hang at the initial FireTV logo. So you can extract it and dd it to /dev/block/mmcblk0p2 for tee1 and /dev/block/mmcblk0p3 for tee2.

Kindly confirm.
 

crazzzzy

Hi,
I was on 6.2.9.0 with updates disabled. I tried to update the device to 6.2.9.4 using the openrecoveryscript method and messed it up. It is bootlooping at the white Fire TV logo.

The system is detecting preloader, but nothing happens.

I connect the OTG cable and it is not prompting to load TWRP. I tried the latest kamakiri to recover but nothing seems to work.

Is there any way to recover the device?
 

crazzzzy

How did you mess it up? Any error messages?

You can try the boot-recovery and the boot-fastboot script, otherwise you would need to re-do the bootrom-step + fastboot-step.
Thanks for replying,

I put a wipe /system command in openrecoveryscript.

I tried all the above steps but none is detecting, though in windows device, it detects preloader.
 

Sus_i

Thanks for replying,

I put a wipe /system command in openrecoveryscript.

I tried all the above steps but none is detecting, though in windows device, it detects preloader.
If you see preloader in Windows Device Manager, you should see preloader in a Linux system too.
So you may try the bootrom-step (without a short) first (there is no reason why this shouldn't work) and then the fastboot-step.

If the bootrom-step works and you get problems booting fastboot, you may need to flash a boot.img with the bootrom-step (how-to somewhere in this thread and in the sheldon unbrick thread).
 

Joe Baliu

While searching for a solution, I read forums in several languages. Russians say that most likely players with serial numbers starting with 190 (after VM) have problems. G070VM190. VM170, VM180 and all previous "series" reported still can be rooted!
I have seen in local store today
G0N0VM224 which is newer release than G0N0VM190, but I also saw G4N0VM1221 - is it pre or post G0N0VM190? What does G4/G0 stand for?
 

Sus_i

I have seen in local store today
G0N0VM224 which is newer release than G0N0VM190, but I also saw G4N0VM1221 - is it pre or post G0N0VM190? What does G4/G0 stand for?
Old kamakiri v1.x, i.e. root/unlock 'with shorting' gets blocked by:
-serial numbers starting with 190... or by update higher than 6280.

The new root/unlock method without any shorting (kamakiri v2.x) works on all devices, serial doesn't matter, as long as the installed fireOS is not at 6.2.8.7 or above, i.e. needs to be lower.

It's still very easy to get fireTV 4k sticks at a lower OS than 6.2.8.7, if you do the unlock in front of the setup/logon/update thing. Avoid any boot until the thing is rooted ;)
 

the_cj

Also flashed mine, all good, the only thing I cannot get to work is the remote that came with it (worked before flashing the fire stick), if pressing and holding the home button, the PC sees it and can pair with it.
Luckily I have a 1st gen firestick, now that remote works fine, just typically not the new voice/with TV controls one that came with it.
Any suggestions?

For what it's worth, the 1st Gen Remote identifies as Amazon Fire TV Remote, the new one that came with the 4K stick shows as AR, wondering if the custom rom isn't aware of the identifiers of this new remote, guessing though.
 
Hi.
I was able to install TWRP on my newly acquired unused 4K with fireiso2.0.0+kamakiri-mantis-v2.0.1 without any problem, but on my old 4K (6.2.8.1) I get downgrade failure.
Is it possible that TWRP cannot be installed on this terminal?

llarr

Also flashed mine, all good, the only thing I cannot get to work is the remote that came with it (worked before flashing the fire stick), if pressing and holding the home button, the PC sees it and can pair with it.
Luckily I have a 1st gen firestick, now that remote works fine, just typically not the new voice/with TV controls one that came with it.
Any suggestions?

For what it's worth, the 1st Gen Remote identifies as Amazon Fire TV Remote, the new one that came with the 4K stick shows as AR, wondering if the custom rom isn't aware of the identifiers of this new remote, guessing though.
Might help if you say what firmware version you are running. If you flashed something too old it may be that it doesn't support the newer remote.
 

the_cj

Might help if you say what firmware version you are running. If you flashed something too old it may be that it doesn't support the newer remote.
Yeah might help, meant to add the version to initial post but must have had brain fade.
[Guide] [ROM] (mantis) Fire TV Stick 4K Prerooted Android TV Rom (6.2.7.6) is the currently installed ROM, bar the remote issue, everything works perfectly.


Evidently I missed the post about other users having issues pairing the remote on page 11, seems I am not alone in this, maybe find an alternate ROM.
 

Top Liked Posts

  • 2
    What is the proper procedure to get it updated to 6.2.9.4?? I assume the DRM is out of date and Netflix and prime show a black screen. It also seems this root blocks updates, as it just boots to twrp and the update never happens.
    As you've got a stick with 6281 (already burned efuse = shorting method gone), there isn't a special procedure required, you would just need to flash the rom you like...

    If you go to 6.2.9.4 you may flash the TZ too (if there are DRM playback issues or black screens).
    Easiest way to do this is take/extract the TZ image from 6.2.9.4 rom and overwrite the TZ image from kamakiri 2.1 folder. Then re-do the bootrom/fastboot-step.
    I am perfectly ok with manually updating but can't seem to find the bins anywhere. Any help here would be appreciated.
    2
    Can someone give me the "ls" output of the following command - with ADB Shell + SU - of a rooted device - FireOS version does not matter... It's just about the correct settings for chmod/chmod/chcon
    Nevermind... Just noticed that Pretoriano80's Kernel (which I'm at 6.2.7.7 - 3033) has insecure ADB - Therefore no ADB RSA Keys are needed - And no popup came up - Even if file (on FireTV) /data/misc/adb/adb_keys is deleted/renamed.
    For testing: With stock Kernel 3033 the RSA PopUp came up again (with deleted /data/misc/adb/adb_keys),
    and new file /data/misc/adb/adb_keys is created with correct permissions...

    Can I trigger the stick to forget the previous saved authentication?
    :ROFLMAO: Again we are fiddling at the same place - I wonder why? :)

    Even if it's not needed for your case anymore - To reset the RSA Key it's needed to delete/rename files on the sending and receiving side (one side should be enough as well, but to keep it clear... both)

    WinPC: C:\Users\<USER>\.android - Files: adbkey + adbkey.pub
    Linux/Android/FireTV: /data/misc/adb/ - File: adb_keys
    FireISO: /root/.android/ - Files: adbkey + adbkey.pub (of course temporary)

    On WinPC it's reported that adbkey + adbkey.pub may be saved at other places.
    If they are not in mentioned folder search on system drive for them....
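For the key locations listed in the post above, an added example (not from the thread or the kamakiri project) that lists which hosts a copy of adb_keys authorizes and drops a single one instead of deleting the whole file. It assumes GNU base64 and md5sum and a copy of the file on the PC; the function names are illustrative and the sample blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Audit the host keys a device trusts for adb (file: /data/misc/adb/adb_keys).
# Line format: "<base64 public key blob> <user@host comment>".

# fingerprint_of <base64 blob>: MD5 of the decoded blob as colon-separated
# upper-case hex (assumed here to be the form Android's prompt displays).
fingerprint_of() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//' | tr 'a-f' 'A-F'
}

# list_adb_keys <file>: one "<fingerprint> <comment>" line per entry;
# entries whose key field is not valid base64 are reported, not hashed.
list_adb_keys() {
    n=0
    while read -r key comment || [ -n "$key" ]; do
        n=$((n + 1))
        if [ -z "$key" ]; then
            continue
        elif printf '%s' "$key" | base64 -d >/dev/null 2>&1; then
            echo "$(fingerprint_of "$key") ${comment:-<no comment>}"
        else
            echo "INVALID line $n ${comment:-<no comment>}"
        fi
    done < "$1"
    return 0
}

# without_key <file> <fingerprint>: print the file minus that one host key,
# ready to be written back in place of the original.
without_key() {
    while read -r key comment || [ -n "$key" ]; do
        if [ -n "$key" ] && [ "$(fingerprint_of "$key" 2>/dev/null)" != "$2" ]; then
            echo "$key${comment:+ $comment}"
        fi
    done < "$1"
    return 0
}

# Constructed sample file (placeholder blobs, not real RSA keys).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
YWJj user@workstation
aGVsbG8= root@fireiso
not*base64 unknown@host
EOF

list_adb_keys "$SAMPLE"
```

On a kernel built with insecure ADB, as described in the post, this file is not consulted at all, so an empty or clean list there says nothing about who can connect.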
    2
    But when I try to run 'su' or 'pm' I get "Not found". I tried 'su' and 'pm' via adb shell and twrp terminal with same results.
    You are in TWRP, and already have root. Package Manager isn't available until you boot FireOS.
    1
    Done and done. Thanks, this is exactly what I was looking for. Now, is there a semi up to date list of what system apps can be deleted? Time to go looking.
    Maybe use adb shell pm disable instead, so it's easy to enable again if something goes wrong ;)
    1
    ****, I didn't notice the serial number before buying it. Mine is VM252. There is not a chance it's rootable, right?
    Look here

    One user reported that his VM252 is blocked for rooting out of the box.
    But who knows? Main key should be FireOS lower than 6.2.8.7.
    Some information can give you the production year... Some say that 2019 would be good to go.
    But with any later production e.g. 2021 the chances are sinking...
  • 70
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v2.0.1.zip


    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0, since that is tiny it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/
    16
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE:This will only work if the boot-exploit is still there.
    13
    I've just uploaded a new Version of the unlock for mantis.
    It comes with an all new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
    For detailed instructions check https://forum.xda-developers.com/t/...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (Use mantis-zip from here, will update instructions here in a bit)
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.