[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)

Sirdey Ojas

New member
Feb 15, 2021
For the developers
Thank you for this exploit
I have read most of the posts
My apologies if my inquiry was already answered
I am trying to make all of this work without using an otg cable

I must admit it was a bit of a hassle but I could get the bootloader unlock and install TWRP
Reading all the other posts the hard part is done

After the exploit the stick is in TWRP and I can actually see my stick in "adb devices". Is there any way to "enable adb debugging" and "unknown sources", without booting up the installed rom, right after the exploit while still in TWRP?
 

Sirdey Ojas

New member
Feb 15, 2021
Yeah if you do the unlock process, and install the magisk ATV addon module it should bypass Amazon altogether, even ftvlaunchx on a rooted firmware and custom launcher should work..... then you can just sideload or download whatever apps you need via easyfiretools or pc.

Note: you won't have access to the appstore for things like prime. But it saves you a waste of money and lets you remove your doorstop and close the door

Sent from my SM-G935F using Tapatalk



I have unlocked the bootloader and installed TWRP. I am now in TWRP. Can you please help me with what to do next to make my firestick usable again?

I read your other reply that goes to a Google drive. Still can't make head or tails of it. Please help.

I found

also found
https://forum.xda-developers.com/t/...t-services-and-tv-search-for-fireos-6.4019095/

I just want to know. How do I implement the
https://drive.google.com/drive/folders/1GbMTBHuFhwT_uyZaJs0ApsG_RQ5Wg_7F
After doing the exploit

Please help
 

fabian19vs

Member
Aug 20, 2018
But since you've got another 4k stick, it should be way easier just to take some image backups via dd (from your working stick ofc) and flash the backups via fastboot.
To do this, you need to connect to your working stick with adb, then run:
Code:
adb shell
su
dd if=/dev/block/platform/soc/11230000.mmc/by-name/system of=/sdcard/system.img
dd if=/dev/block/platform/soc/11230000.mmc/by-name/vendor of=/sdcard/vendor.img
dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/boot.img
exit
exit
adb pull /sdcard/boot.img
adb pull /sdcard/vendor.img
adb pull /sdcard/system.img
exit
I have a problem with pulling the img files from the working fire stick 4k:
Code:
C:\Program Files (x86)\Minimal ADB and Fastboot>adb shell
mantis:/ $ su
/system/bin/sh: su: not found
127|mantis:/ $ dd if=/dev/block/platform/soc/11230000.mmc/by-name/system of=/sdcard/system.img
dd: /dev/block/platform/soc/11230000.mmc/by-name/system: Permission denied
1|mantis:/ $ sudo dd if=/dev/block/platform/soc/11230000.mmc/by-name/system of=/sdcard/system.img
/system/bin/sh: sudo: not found
127|mantis:/ $ su dd if=/dev/block/platform/soc/11230000.mmc/by-name/system of=/sdcard/system.img
/system/bin/sh: su: not found
127|mantis:/ $ dd if=/dev/block/platform/soc/11230000.mmc/by-name/vendor of=/sdcard/vendor.img
dd: /dev/block/platform/soc/11230000.mmc/by-name/vendor: Permission denied
1|mantis:/ $ dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/boot.img
dd: /dev/block/platform/soc/11230000.mmc/by-name/boot: Permission denied
1|mantis:/ $ exit

C:\Program Files (x86)\Minimal ADB and Fastboot>adb pull /sdcard/boot.img
adb: error: remote object '/sdcard/boot.img' does not exist
 

rpmuploads

Member
Dec 3, 2020
I doubt that is the reason, but anyway, this is what you can try:
You may be able to update a rom via fastboot, but you can't flash zip files...
I think you cannot flash system.new and vendor.new images from out of the zip too, because they are most likely sparse. If you want to flash sparse images, you need to convert them to img via sdat2img first.

But since you've got another 4k stick, it should be way easier just to take some image backups via dd (from your working stick ofc) and flash the backups via fastboot.
To do this, you need to connect to your working stick with adb, then run:
Code:
adb shell
su
dd if=/dev/block/platform/soc/11230000.mmc/by-name/system of=/sdcard/system.img
dd if=/dev/block/platform/soc/11230000.mmc/by-name/vendor of=/sdcard/vendor.img
dd if=/dev/block/platform/soc/11230000.mmc/by-name/boot of=/sdcard/boot.img
exit
exit
adb pull /sdcard/boot.img
adb pull /sdcard/vendor.img
adb pull /sdcard/system.img
exit
Then do the bootrom step on your broken stick again.
In fastboot run something like this:
Code:
fastboot flash system system.img
fastboot flash vendor vendor.img
fastboot flash boot boot.img
fastboot erase MISC
In case you get an error, you probably need to add a / in front of the target partition, i.e. like this: /system

Then run the fastboot-step...

Now you should have the same rom on your two sticks...
Report back if that works ;)

Edit: added the fastboot step to the fastboot thing.
Edit2: added fb erase MISC

I am also stuck at the b/w logo boot, and I've tried this method, but I'm getting:
Code:
Invalid sparse file format at header magic
while flashing system and vendor.
Should I process the image files with sdat2img before flashing? (the ones extracted from the working stick -same model- via adb shell, su, dd ..)
I've tried to 'fastboot flash' both from fireiso and Windows adb (latest platform tools) and the outcome is exactly the same. See log below:

Code:
C:\Users\rui\Desktop\platform-tools>fastboot flash system system.img
< waiting for any device >
Invalid sparse file format at header magic
Sending sparse 'system' 1/8 (130823 KB)            OKAY [ 10.093s]
Writing 'system'                                   OKAY [ 16.474s]
Sending sparse 'system' 2/8 (126331 KB)            OKAY [ 10.358s]
Writing 'system'                                   OKAY [117.031s]
Sending sparse 'system' 3/8 (127082 KB)            OKAY [  8.252s]
Writing 'system'                                   OKAY [ 14.430s]
Sending sparse 'system' 4/8 (131069 KB)            OKAY [  6.006s]
Writing 'system'                                   OKAY [ 25.069s]
Sending sparse 'system' 5/8 (131068 KB)            OKAY [  5.959s]
Writing 'system'                                   OKAY [ 11.981s]
Sending sparse 'system' 6/8 (129349 KB)            OKAY [  5.772s]
Writing 'system'                                   OKAY [ 11.528s]
Sending sparse 'system' 7/8 (130117 KB)            OKAY [  5.912s]
Writing 'system'                                   OKAY [ 26.348s]
Sending sparse 'system' 8/8 (30616 KB)             OKAY [  1.466s]
Writing 'system'                                   OKAY [  3.073s]
Finished. Total time: 321.781s

C:\Users\rui\Desktop\platform-tools>fastboot flash vendor vendor.img
Invalid sparse file format at header magic
Sending sparse 'vendor' 1/1 (55075 KB)             OKAY [  3.666s]
Writing 'vendor'                                   OKAY [ 84.755s]
Finished. Total time: 93.959s

C:\Users\rui\Desktop\platform-tools>fastboot flash boot boot.img
Sending 'boot' (16384 KB)                          OKAY [  1.217s]
Writing 'boot'                                     OKAY [  0.998s]
Finished. Total time: 2.246s

C:\Users\rui\Desktop\platform-tools>fastboot erase MISC
Erasing 'MISC'                                     OKAY [  0.000s]
Finished. Total time: 0.016s

C:\Users\rui\Desktop\platform-tools>fastboot flash recovery twrp.img
Sending 'recovery' (11592 KB)                      OKAY [  0.499s]
Writing 'recovery'                                 OKAY [  0.718s]
Finished. Total time: 1.232s

C:\Users\rui\Desktop\platform-tools>fastboot reboot
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 0.000s
After flashing and rebooting the situation is exactly the same (stuck at b/w logo)
Perhaps this error message regarding the partition's header magic is related with:
I was having a look through the clipboard log and from (910) to (2400) there is a jump and a kernel not match.

read_func hook
[910] [LK_BOOT] KERNEL partition magic not match
[910] no mkimg header in kernel image
[910]
read t
Unlock UFBL: device is unlocked
[2400] [LK_BOOT] ROOTFS partition magic not match
(another mantis user stuck at b/w logo boot in another thread, who was able to submit the logs)

I wonder if the header magic could be the culprit.

As I had mentioned in this other thread, I became stuck at b/w logo after cloning the stick via twrp backup/restore.
 

Sus_i

Senior Member
Apr 9, 2013
I have a problem with pulling the img files from the working fire stick 4k
Make sure you allow superuser permission for adb shell in the magisk manager. Won't work without su.
Another option is to use adb shell while booted into twrp.

[struck through] Edit: If you get the following error too, try to flash sparse files...
Edit2: You have to flash sparse files, i.e. convert the dd backups in front of the flash. See this posting:

I am also stuck at the b/w logo boot, and I've tried this method, but I'm getting:
Code:
Invalid sparse file format at header magic
while flashing system and vendor.
Already answered this in the post above. Maybe you can't flash sparse images with fastboot. But it could be the other way round too. ;) Never messed with this on a mantis.

Did you extract them out of an OTA.bin or via dd?

Try to flash them as sparse... The error could be related to the file size (too big to flash).

Should I process the image files with sdat2img before flashing? (the ones extracted from the working stick -same model- via adb shell, su, dd ..)
Could be something with the size of the files (too big for a flash via fastboot, depends on the device). Maybe try to flash them sparse, i.e. convert the non-sparse dd backup back to sparse. ;) Let me know what happens.

Edit: Flashing sparse works fine:

Perhaps this error message regarding the partition's header magic is related with:

(another mantis user stuck at b/w logo boot in another thread, who was able to submit the logs)

I wonder if the header magic could be the culprit.
Already said it in the other thread... I had a look into the logs and I doubt that is the reason. The stick is unlocked, exploit and magisk installed. Due to the modifications, it's ok that the magic doesn't match, compared to stock. The unlock allows it to boot in this condition nevertheless.
 
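The "Invalid sparse file format at header magic" line in the log above is what fastboot prints when the file it was given does not start with the Android sparse magic; the "Sending sparse 'system' 1/8" lines that follow show it then splitting the raw dd dump into sparse chunks itself. Sus_i's advice is to do that conversion beforehand (img2simg / simg2img are the stock tools for it). As an added example that is not code from this thread, from Amazon or from any AOSP tool, here is a small Python implementation of the magic check plus a raw-to-sparse and sparse-to-raw converter following the public sparse format layout (28-byte file header, 12-byte chunk headers). The sample image at the bottom is constructed, not a real partition.

```python
"""Android sparse-image helpers: detect, raw -> sparse, sparse -> raw.

Added example code following the public sparse format (libsparse's
sparse_format.h); not from this thread or any Amazon/AOSP tool.
"""
import struct

SPARSE_MAGIC = 0xED26FF3A      # the "header magic" fastboot checks first
CHUNK_RAW = 0xCAC1             # payload: chunk_sz * blk_sz bytes of data
CHUNK_FILL = 0xCAC2            # payload: one 4-byte pattern, repeated on flash
CHUNK_DONT_CARE = 0xCAC3       # payload: none, those blocks are skipped
CHUNK_CRC32 = 0xCAC4           # payload: 4-byte CRC, carries no block data

# file header (28 bytes): magic, major, minor, file_hdr_sz, chunk_hdr_sz,
# blk_sz, total_blks, total_chunks, image_checksum
FILE_HDR = struct.Struct("<IHHHHIIII")
# chunk header (12 bytes): chunk_type, reserved, chunk_sz (blocks), total_sz (bytes incl. header)
CHUNK_HDR = struct.Struct("<HHII")


def is_sparse(data: bytes) -> bool:
    """True when the image starts with the sparse magic; a dd dump does not."""
    return len(data) >= FILE_HDR.size and struct.unpack_from("<I", data, 0)[0] == SPARSE_MAGIC


def raw_to_sparse(raw: bytes, blk_sz: int = 4096) -> bytes:
    """Pack a raw partition dump into sparse format (what img2simg does).

    All-zero block runs become FILL chunks with a zero pattern, so the flashed
    result is byte-identical to the dump (DONT_CARE would leave stale data).
    """
    if len(raw) % blk_sz:
        raise ValueError("raw image must be a whole number of %d-byte blocks" % blk_sz)
    zero_blk = bytes(blk_sz)
    n_blks = len(raw) // blk_sz
    chunks = []
    i = 0
    while i < n_blks:
        is_zero = raw[i * blk_sz:(i + 1) * blk_sz] == zero_blk
        j = i + 1
        # extend the run while the next block has the same zero/non-zero class
        while j < n_blks and (raw[j * blk_sz:(j + 1) * blk_sz] == zero_blk) == is_zero:
            j += 1
        count = j - i
        if is_zero:
            chunks.append(CHUNK_HDR.pack(CHUNK_FILL, 0, count, CHUNK_HDR.size + 4) + b"\0\0\0\0")
        else:
            payload = raw[i * blk_sz:j * blk_sz]
            chunks.append(CHUNK_HDR.pack(CHUNK_RAW, 0, count, CHUNK_HDR.size + len(payload)) + payload)
        i = j
    header = FILE_HDR.pack(SPARSE_MAGIC, 1, 0, FILE_HDR.size, CHUNK_HDR.size,
                           blk_sz, n_blks, len(chunks), 0)
    return header + b"".join(chunks)


def sparse_to_raw(simg: bytes) -> bytes:
    """Expand a sparse image back to the raw bytes fastboot would write."""
    if not is_sparse(simg):
        raise ValueError("Invalid sparse file format at header magic")
    (_magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _crc) = FILE_HDR.unpack_from(simg, 0)
    if major != 1 or file_hdr_sz != FILE_HDR.size or chunk_hdr_sz != CHUNK_HDR.size:
        raise ValueError("unsupported sparse header layout")
    out = bytearray()
    pos = file_hdr_sz
    for _ in range(total_chunks):
        ctype, _res, chunk_sz, total_sz = CHUNK_HDR.unpack_from(simg, pos)
        payload = simg[pos + chunk_hdr_sz:pos + total_sz]
        if ctype == CHUNK_RAW:
            if len(payload) != chunk_sz * blk_sz:
                raise ValueError("RAW chunk size mismatch")
            out += payload
        elif ctype == CHUNK_FILL:
            out += payload[:4] * (chunk_sz * blk_sz // 4)
        elif ctype == CHUNK_DONT_CARE:
            out += bytes(chunk_sz * blk_sz)
        elif ctype != CHUNK_CRC32:
            raise ValueError("unknown chunk type 0x%04x" % ctype)
        pos += total_sz
    if len(out) != total_blks * blk_sz:
        raise ValueError("chunk block count does not match total_blks")
    return bytes(out)


def describe(data: bytes) -> str:
    """One-line verdict of the kind fastboot's magic check gives."""
    if is_sparse(data):
        hdr = FILE_HDR.unpack_from(data, 0)
        return "sparse: %d chunks, %d blocks of %d bytes" % (hdr[7], hdr[6], hdr[5])
    return "raw: %d bytes, no sparse magic" % len(data)


if __name__ == "__main__":
    # constructed sample: 3 data blocks, 2 zero blocks, 1 data block (not a real partition)
    sample = b"A" * 4096 * 3 + bytes(4096 * 2) + b"B" * 4096
    simg = raw_to_sparse(sample)
    print(describe(sample))
    print(describe(simg))
    print("round trip ok:", sparse_to_raw(simg) == sample)
```

Run `describe()` on a dd backup before flashing to see which side of the magic check it falls on; `raw_to_sparse()` on the whole dump is the manual equivalent of letting fastboot sparsify it, and `sparse_to_raw()` lets you confirm the conversion is lossless before trusting it on a device.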

k4y0z

Senior Member
Nov 27, 2015
I am also stuck at the b/w logo boot, and I've tried this method, but I'm getting:

Code:
C:\Users\rui\Desktop\platform-tools>fastboot flash boot boot.img
Sending 'boot' (16384 KB)                          OKAY [  1.217s]
Writing 'boot'                                     OKAY [  0.998s]
Finished. Total time: 2.246s

C:\Users\rui\Desktop\platform-tools>fastboot erase MISC
Erasing 'MISC'                                     OKAY [  0.000s]
Finished. Total time: 0.016s

C:\Users\rui\Desktop\platform-tools>fastboot flash recovery twrp.img
Sending 'recovery' (11592 KB)                      OKAY [  0.499s]
Writing 'recovery'                                 OKAY [  0.718s]
Finished. Total time: 1.232s
It looks like you're flashing a stock (unpatched) boot.img together with twrp, that probably won't work.
Also I would suggest a factory reset, i.e. wipe userdata and cache:
Code:
fastboot format userdata
fastboot format cache
Then redo the unlock from the start.
 

rpmuploads

Member
Dec 3, 2020
Also I would suggest a factory reset, i.e. wipe userdata and cache:
Then redo the unlock from the start.
Many thanks for the suggestion @k4y0z. I'll try and report back.


It looks like you're flashing a stock (unpatched) boot.img together with twrp, that probably won't work.
Btw, the boot.img that I was flashing was extracted from another 4K stick that had been unlocked and it is working fine.
 

Androoit

Member
Aug 8, 2020
I tried to unlock the bootloader yesterday using kamakiri on a new Fire TV Stick 4K purchased last week with VM190 in the serial number; it doesn't work anymore.
Because the bootrom is read only, reactivating DL-Mode should be impossible?!
Are there any known workarounds?
If I can do something to help the devs, let me know
 

SweenWolf

Senior Member
Mar 18, 2016
If you are messing with your stick it's always a good idea to keep a TWRP backup. I've read somewhere about Amazon forcing the OS upgrade on initial boot???
A few days ago I bricked my device, and man, it wouldn't even start the package manager; I have no idea what went wrong. Logs gave me nothing, just showing that something isn't available on the stick. How could that happen? I have disabled updates. After opening up my stick once again I couldn't even locate the pad, man, it wasn't shining and I thought it had corroded away. After doing everything and restoring the TWRP backup, pairing the remote again, flashing the stock image again. (The reason being, I cannot modify my system from TWRP; it has no effect on the system. TWRP shows one thing and the system shows another, making it seem like there are two partitions of the system itself, and I don't like to root my stick because I don't do any changes on the system level. And as I always have a pendrive attached to it, it opens the TWRP menu, sometimes making the system crash, I don't know why, and some apps like Peacock TV don't work.)
Sometimes things can go wrong, so always keep a TWRP backup.
And if this method of unbricking weren't available, I wouldn't even dare to modify anything on this stick. There are many things which can break. So thank you guys yet again..
 

rpmuploads

Member
Dec 3, 2020
It looks like you're flashing a stock (unpatched) boot.img together with twrp, that probably won't work.
Also I would suggest a factory reset, i.e. wipe userdata and cache:
Code:
fastboot format userdata
fastboot format cache
Then redo the unlock from the start.
I've tried but I still do not get past the black and white Fire TV logo. You can find attached the terminal outputs of 2 attempts I made:
  • terminal-unlock.log - unlock and install Magisk at the end
  • terminal-revert stock.log - unlock and revert back to stock firmware (stock boot.img and no twrp)

This post by @Sus_i summarizes the several attempts I've already made in another thread:
Here is a quick TL/DR of this thread for you:
Some people tried to clone a 4k stick with a TWRP backup = fails.
A restore back to factory default / stock fails.
Wipe System, Cache, Dalvik, Data and a clean install of stock rom doesn't help.
Re-do of the unlock, stock-rom + magisk flash doesn't help.
GPT-fix + stock-rom + magisk flash doesn't help.
Format data, system and vendor via hacked BL + a clean stock-rom flash doesn't help.
TWRP and hacked BL works fine. Idme data looks good.

The fireSticks refuse to boot, so adb logcat isn't accessible.
Many thanks anyway for your help! :)
 


k4y0z

Senior Member
Nov 27, 2015
I've tried but I still do not get past the black and white Fire TV logo. You can find attached the terminal outputs of 2 attempts I made:
  • terminal-unlock.log - unlock and install Magisk at the end
  • terminal-revert stock.log - unlock and revert back to stock firmware (stock boot.img and no twrp)

This post by @Sus_i summarizes the several attempts I've already made in another thread:


Many thanks anyway for your help! :)
So TWRP works, but system doesn't boot up?
Maybe try flashing all the images that are included in the update.bin (including tee1, tee2, lk, and pl) using fastboot and also format MISC, cache and userdata.
That will obviously kill the unlock, but hopefully get the device booting again?
 

rpmuploads

Member
Dec 3, 2020
So TWRP works, but system doesn't boot up?
Exactly, TWRP works fine but I'm stuck in the b/w firetv logo forever.

Maybe try flashing all the images that are included in the update.bin (including tee1, tee2, lk, and pl) using fastboot and also format MISC, cache and userdata.
I already tried a similar approach, which was to extract each and every partition from another working stick (same model), using:
Code:
dd if=/dev/block/platform/soc/11230000.mmc/by-name/...
and then converting them to sparse images and flashing via fastboot. The outcome was the same (stuck at b/w logo).

I'll try your suggestion and flash the images included in the update.bin instead.
Analysing a stock update, I see in META-INF/com/updater-script the following:
Code:
block_image_update("/dev/block/platform/soc/11230000.mmc/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
  abort("E1001: Failed to update system image.");
show_progress(0.100000, 0);
ui_print("Patching vendor image unconditionally...");
block_image_update("/dev/block/platform/soc/11230000.mmc/by-name/vendor", package_extract_file("vendor.transfer.list"), "vendor.new.dat", "vendor.patch.dat") ||
  abort("E2001: Failed to update vendor image.");
show_progress(0.050000, 5);
package_extract_file("boot.img", "/dev/block/platform/soc/11230000.mmc/by-name/boot");
show_progress(0.200000, 10);
package_extract_file("images/logo.bin", "/dev/block/platform/soc/11230000.mmc/by-name/logo");
package_extract_file("images/lk.bin", "/dev/block/platform/soc/11230000.mmc/by-name/lk");
package_extract_file("images/tz.img", "/dev/block/platform/soc/11230000.mmc/by-name/tee1");
package_extract_file("images/tz.img", "/dev/block/platform/soc/11230000.mmc/by-name/tee2");
package_extract_file("images/preloader.img", "/dev/block/platform/soc/11230000.mmc/mmcblk0boot0");
and I'll proceed accordingly, i.e. tz.img goes into tee1 and tee2, etc.
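Reading the updater-script by hand, as done above, is where the tz.img -> tee1/tee2 and preloader -> mmcblk0boot0 mappings come from. As an added example that is not code from this thread, from Amazon or from any AOSP tool, here is a small Python parser that derives the same flash plan from the excerpt quoted above: it handles the two edify calls shown (package_extract_file with a target device, and block_image_update with a transfer list), takes the partition name from the by-name path, and flags the cases fastboot cannot flash as-is (the .new.dat pairs that need sdat2img first, and the preloader target that has no by-name entry). The script text embedded below is the excerpt from the post; the helper names are my own.

```python
"""Turn the quoted updater-script into a partition flash plan.

Added example; it parses only the two edify calls quoted in the thread and
is not from Amazon, AOSP or this thread's authors.
"""
import re

# excerpt quoted in the thread (META-INF/com/updater-script of a stock update)
UPDATER_SCRIPT = r'''
block_image_update("/dev/block/platform/soc/11230000.mmc/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
  abort("E1001: Failed to update system image.");
show_progress(0.100000, 0);
ui_print("Patching vendor image unconditionally...");
block_image_update("/dev/block/platform/soc/11230000.mmc/by-name/vendor", package_extract_file("vendor.transfer.list"), "vendor.new.dat", "vendor.patch.dat") ||
  abort("E2001: Failed to update vendor image.");
show_progress(0.050000, 5);
package_extract_file("boot.img", "/dev/block/platform/soc/11230000.mmc/by-name/boot");
show_progress(0.200000, 10);
package_extract_file("images/logo.bin", "/dev/block/platform/soc/11230000.mmc/by-name/logo");
package_extract_file("images/lk.bin", "/dev/block/platform/soc/11230000.mmc/by-name/lk");
package_extract_file("images/tz.img", "/dev/block/platform/soc/11230000.mmc/by-name/tee1");
package_extract_file("images/tz.img", "/dev/block/platform/soc/11230000.mmc/by-name/tee2");
package_extract_file("images/preloader.img", "/dev/block/platform/soc/11230000.mmc/mmcblk0boot0");
'''

# one regex with two alternatives so finditer() yields calls in script order
CALL_RE = re.compile(
    r'block_image_update\("(?P<bdev>[^"]+)",\s*package_extract_file\("(?P<tlist>[^"]+)"\),'
    r'\s*"(?P<newdat>[^"]+)",\s*"(?P<patch>[^"]+)"\)'
    r'|package_extract_file\("(?P<src>[^"]+)",\s*"(?P<dev>[^"]+)"\)'
)


def partition_name(devpath: str):
    """Return (name, by_name): the by-name label, or the raw device basename."""
    head, _, tail = devpath.rpartition("/")
    return tail, head.endswith("/by-name")


def flash_plan(script: str):
    """List, in script order, what gets written where and by which method."""
    plan = []
    for m in CALL_RE.finditer(script):
        if m.group("bdev"):  # block_image_update: transfer list + new.dat + patch.dat
            name, by_name = partition_name(m.group("bdev"))
            plan.append({"partition": name, "target": m.group("bdev"), "by_name": by_name,
                         "method": "block-transfer",
                         "source": (m.group("tlist"), m.group("newdat"), m.group("patch"))})
        else:                # package_extract_file: whole image written to a device
            name, by_name = partition_name(m.group("dev"))
            plan.append({"partition": name, "target": m.group("dev"), "by_name": by_name,
                         "method": "whole-image", "source": m.group("src")})
    return plan


def targets_for(plan, source: str):
    """Partitions a given package file is written to (tz.img -> tee1 and tee2)."""
    return [p["partition"] for p in plan
            if p["method"] == "whole-image" and p["source"] == source]


def fastboot_commands(plan):
    """Translate the plan into fastboot lines, flagging what fastboot can't take directly."""
    cmds = []
    for p in plan:
        part = p["partition"]
        if p["method"] == "block-transfer":
            tlist, newdat, _patch = p["source"]
            cmds.append("# %s: rebuild %s.img from %s + %s with sdat2img, then: fastboot flash %s %s.img"
                        % (part, part, tlist, newdat, part, part))
        elif not p["by_name"]:
            cmds.append("# %s targets %s, which has no by-name entry; not a plain fastboot partition name"
                        % (p["source"], p["target"]))
        else:
            cmds.append("fastboot flash %s %s" % (part, p["source"].rsplit("/", 1)[-1]))
    return cmds


if __name__ == "__main__":
    for line in fastboot_commands(flash_plan(UPDATER_SCRIPT)):
        print(line)
```

The plan keeps script order, which is also a sensible flash order, and `targets_for()` answers the "which partitions does this file go to" question directly instead of by eye.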
 

k4y0z

Senior Member
Nov 27, 2015
I already tried a similar approach, which was to extract each and every partition from another working stick (same model), using:
Code:
dd if=/dev/block/platform/soc/11230000.mmc/by-name/...
and then converting them to sparse images and flashing via fastboot. The outcome was the same (stuck at b/w logo).
Some partitions like kb and dkb are device-specific, I don't know what happens when you clone them from another device.
You can try wiping them (after taking a backup).
 

Sus_i

Senior Member
Apr 9, 2013
Some partitions like kb and dkb are device-specific, I don't know what happens when you clone them from another device.
At some point during sloane testing, my boot1 idme stuff was gone, i.e. empty. I used an idme copy from another user and restored/edited my serial, mac and such stuff with a hex editor. Tried to clone KB from another device (i.e. used the idme copy KB command) but got only a white screen without any sign of the launcher at the reboot. Then I looked into it with a hex editor and the data in KB is just a plain copy of the device-specific idme KB part, so I was able to restore it in my blank boot1 with my old dd backup of KB. DKB is unused on sloane (unlike on mantis).

Flashing TZ and wiping KB and DKB should be safe and easy to restore with the idme command, as long as boot1/idme is fine.
 

k4y0z

Senior Member
Nov 27, 2015
At some point during sloane testing, my boot1 idme stuff was gone, i.e. empty. I used an idme copy from another user and restored/edited my serial, mac and such stuff with a hex editor. Tried to clone KB from another device (i.e. used idme write KB command) but got only a white screen without any sign of the launcher at the reboot.
That sounds similar to what @rpmuploads is experiencing

Then I looked into it with a hex editor and the data in KB is just a plain copy of the device-specific idme KB part, so I was able to restore it in my blank boot1 with my old dd backup of KB. DKB is unused on sloane (unlike on mantis).

Flashing TZ and wiping KB and DKB should be safe and easy to restore with the idme command, as long as boot1/idme is fine.
Yes, IDME contains a copy of kb/dkb and IIRC if the kb/dkb-partitions are empty they will be automatically restored from idme.
This could also be done manually using the idme copy KB and idme copy DKB commands
 

marcge 63

Senior Member
Jul 26, 2013
I tried to unlock the bootloader yesterday using kamakiri on a new Fire TV Stick 4K purchased last week with VM190 in the serial number; it doesn't work anymore.
Because the bootrom is read only, reactivating DL-Mode should be impossible?!
Are there any known workarounds?
If I can do something to help the devs, let me know
Same for me.... A serial with VM190 gets me an error at the connection at the "waiting for bootrom" step; with a short or without, I get an error instantly.
 