
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


The Fume

Member
Dec 30, 2019
6
1
so reading more through this thread it seems the proper way is to unlock it before doing anything at all. then do whatever u need to after that since the bootloader remains unlocked even if you let it update at that point. am i correct here?
 

soolcio

Member
Feb 26, 2007
14
1
London / Warsaw
Hello :)
I am kinda new to Fire Stick (hopefully not to android and rooting in general) and I would like to root it.
I bought my FireStick 4k about 2 years ago and since then the box has never been opened nor the stick was powered on. I put it in my drawer and I forgot about it. According to the first post my stick should be rootable (it definitely has some old fw version and the serial number is VM139...)
I went through this thread (77 pages of posts) and I am still unsure if I get everything right.

Could you please guide me what to do next, I do not want it to OTA to 6.2.8.x to blow the fuses.
What are all the steps to unlock it, register it and avoid to obtain the OTA root patch.

Thank you for your help :) I would like to do it right and not break it and lose the ability to root the device.
 

Skel40

Senior Member
Dec 27, 2019
219
101
Moto G 5G
Do you think Amazon is going to temporarily disable the efuse on the future firmwares as it's on the newer update? Meaning aren't they going to re-enable with for example, the 5th os update on the interface? Or is it permanent after it's triggered? This is out of curiosity
 

The Fume

Member
Dec 30, 2019
6
1
Do you think Amazon is going to temporarily disable the efuse on the future firmwares as it's on the newer update? Meaning aren't they going to re-enable with for example, the 5th os update on the interface? Or is it permanent after it's triggered? This is out of curiosity
once an efuse is blown its done. you can not go back. and i would guess that even if they release a new update and you are on an older one even if you skip over this current one to say update to like 7 (if it ever comes) it will still blow the efuse going forward.
 

Michajin

Senior Member
Oct 23, 2012
1,255
498
so do these need to be setup on an account BEFORE unlocking them and installing twrp? i saw this on another website where they say you must set them up before doing so. i bought a few backups based on serial numbers (and got lucky they all were easily unlocked) and went ahead and unlocked them and installed twrp but have yet to use those i put them back in the boxes in case i need them later on. but now i saw this other site saying they need to be setup first? but if i go ahead and set them up they will update then not be able to be unlocked?? hope i didn't hose 4 new ones by doing it first. thanks for any help
no, only issue may be trying to downgrade. the update doesn't relock it. i flashed 6.2.8.0 and still have total unlock and root. You can install earlier than 6.2.8.0 and still downgrade. You didn't need to set up to unlock them though.... The unlocking causes a factory reset at minimum....
 

rateo

New member
Dec 27, 2018
1
0
no, only issue may be trying to downgrade. the update doesn't relock it. i flashed 6.2.8.0 and still have total unlock and root. You can install earlier than 6.2.8.0 and still downgrade. You didn't need to set up to unlock them though.... The unlocking causes a factory reset at minimum....
yes, I unlocked and rooted out of the box and it remained that way even though it updated during first setup. Downgrade probably wouldn't be possible, but I don't need it because everything works this way
 
so do these need to be setup on an account BEFORE unlocking them and installing twrp? i saw this on another website where they say you must set them up before doing so. i bought a few backups based on serial numbers (and got lucky they all were easily unlocked) and went ahead and unlocked them and installed twrp but have yet to use those i put them back in the boxes in case i need them later on. but now i saw this other site saying they need to be setup first? but if i go ahead and set them up they will update then not be able to be unlocked?? hope i didn't hose 4 new ones by doing it first. thanks for any help
Hey There,

Not necessarily, if you're unlocked/rooted already you should be okay.... you can use twrp/adb to change or disable the OTA apk state. There are a few ways to get around this. download rbox prerooted 6.2.8.0 and if the OTA isn't disabled then adb shell pm disable ota immediately is probably best option.

Regards
 

emkorial

Senior Member
Mar 2, 2008
390
15
Hello :)
I am kinda new to Fire Stick (hopefully not to android and rooting in general) and I would like to root it.
I bought my FireStick 4k about 2 years ago and since then the box has never been opened nor the stick was powered on. I put it in my drawer and I forgot about it. According to the first post my stick should be rootable (it definitely has some old fw version and the serial number is VM139...)
I went through this thread (77 pages of posts) and I am still unsure if I get everything right.

Could you please guide me what to do next, I do not want it to OTA to 6.2.8.x to blow the fuses.
What are all the steps to unlock it, register it and avoid to obtain the OTA root patch.

Thank you for your help :) I would like to do it right and not break it and lose the ability to root the device.

Take device out of box

Root it per the guide

After that you are fine. When you plug in the device it will update all the way up to the latest version but since you are already rooted, it will not blow the eFuse.

Once it is all updated you can flash whatever you want and disable updates
 

emkorial

Senior Member
Mar 2, 2008
390
15
once an efuse is blown its done. you can not go back. and i would guess that even if they release a new update and you are on an older one even if you skip over this current one to say update to like 7 (if it ever comes) it will still blow the efuse going forward.

Theoretically if we could identify the chip that has the eFuse in it, and a source to buy that chip, you could buy a new one with an intact eFuse, desolder the chip on the stick, and solder in your new one.
 

subhash_india

Member
Jul 1, 2021
10
1
Yes, this is the exact process I went through.
  • New Fire Stick out of the box, never updated
  • Unlocked bootloader, installed TWRP
  • Plugged in Fire Stick, let it self update all the way to 6.2.8.0
  • Went into Developer options, enabled ADB debugging
  • Connected to Fire Stick, flashed older ROM (currently running 6.2.6.6, going to go to 6.2.7.1 soon)
Where did you buy an unlockable stick?

I will say, based on my condition and what I am experiencing I am not 100% convinced that the downgrade is completely "clean", in that some apps, even using identical versions of the apps, that caused me no visual issues pre 6.2.8.0, ARE causing me issues after the upgrade and downgrade process. So I'm not completely convinced the downgrade process is 100% "clean". But my issue could also be caused by minor hardware difference between multiple sticks, so the fact I am having symptoms is not conclusive evidence that the downgrade is not clean.
For downgrade to work correctly

Flash FM (below 6.2.8.0)+Kamakiri+Magisk+Aftv-mm(opt) and reboot
 

Conti93

Member
Jun 2, 2020
5
2
Forlì
So, I have bought a new Fire TV Stick S/N G4N0VM071 etc, etc, and of course it's locked.
I mean, I didn't try unlocking it BEFORE turning it on at all, however the only thing I did was powering it on and verifying it was working, WITHOUT connecting it to internet (I stopped at the network selection screen). It said "update in progress", I guess that was a local update. Mmmh, who knows if that's what locked it or it comes already locked from the factory.

Anyway, since I had to rework a couple of tiny ass BGAs in my life:
VaNM9Fz.jpg

I was wondering if someone managed to desolder the flash and stick it on another board, would it be readable or is it encrypted?
That would be quite inconvenient, but it would work nonetheless to write the custom recovery in the flash.
 

Sus_i

Senior Member
Apr 9, 2013
1,081
420
So, I have bought a new Fire TV Stick S/N G4N0VM071 etc, etc, and of course it's locked.
I mean, I didn't try unlocking it BEFORE turning it on at all, however the only thing I did was powering it on and verifying it was working, WITHOUT connecting it to internet (I stopped at the network selection screen). It said "update in progress", I guess that was a local update. Mmmh, who knows if that's what locked it or it comes already locked from the factory.

Anyway, since I had to rework a couple of tiny ass BGAs in my life:
VaNM9Fz.jpg

Can you take a detailed picture from the board with the flash removed, please?

I was wondering if someone managed to desolder the flash and stick it on another board, would it be readable or is it encrypted?

It's readable, not encrypted at all. :)

That would be quite inconvenient, but it would work nonetheless to write the custom recovery in the flash.

You may be able to do almost all steps from the OP scripts, like downgrade LK, TZ and PL images to the exploitable version, flash boot and recovery images and so on, but in order to boot the downgraded images, you need to zero out the RPMB too (take a look into the main.py from OP).
 

Conti93

Member
Jun 2, 2020
5
2
Forlì
It's readable, not encrypted at all. :)

Can you take a few detailed pictures from the board with the flash removed, please?
That's good news.

Sorry, the BGA in the photo is a Sony Effio of a FPV cam 😅
aJvqj4W.jpg


The Fire TV Stick flash looks like this:
UygjU3r.jpg


The "hard" part now is finding, ideally, a ZIF socket for the flash and something that can read it, I never had a look at a "flash reader" or something similar, if it does exist.
 

Sus_i

Senior Member
Apr 9, 2013
1,081
420
The Fire TV Stick flash looks like this:
Yes.
Would be great if you can take a picture from the Stick's mainboard with the flash removed. Maybe helpful sometimes, in order to trace the wiring of CLK, CMD and DAT0 on the board...
The "hard" part now is finding, ideally, a ZIF socket for the flash and something that can read it, I never had a look at a "flash reader" or something similar, if it does exist.
You can solder a few enameled copper wires to the CLK, CMD, DAT0, Vcc, VccQ and GND pads. ;)

Here is a proper tool for r/w the chip:

Some old root guide for the first gen. fireTV stick ever:
Won't work nowadays because of Android's dm-verity.
 

Conti93

Member
Jun 2, 2020
5
2
Forlì
Yes.
Would be great if you can take a picture from the Stick's mainboard with the flash removed. Maybe helpful sometimes, in order to trace the wiring of CLK, CMD and DAT0 on the board...

You can solder a few enameled copper wires to the CLK, CMD, DAT0, Vcc, VccQ and GND pads. ;)

Here is a proper tool for r/w the chip:

Some old root guide for the first gen. fireTV stick ever:
Won't work nowadays because of Android's dm-verity.
Oh! It's an e-MMC! I'm dumb. I made practically the same thing when I bricked my 3DS in 2015.
mskwBLr.png


Thanks for the info, I'll probably buy another stick and desolder the eMMC on that, I'll keep you updated :)
 

Sus_i

Senior Member
Apr 9, 2013
1,081
420
Wait a sec, I didn't catch that, since Mantis has Android 7 (hence dm-verity enabled?) does that mean it won't work by manually writing TWRP on the eMMC?

EDIT: Oh, you were referring only to the rooting procedure, correct? TWRP should work without major issues, right? 🤔

The rooting procedure via eMMC adapter used for the first gen. fireTVstick won't work on a later android (dm-verity).

Ofc you can access the eMMC partitions, flash whatever to it, but the early stages of the boot process (LK) won't boot TWRP in case the bootloader is locked (it starts only factory signed images).

Only if you are able to do all unlock steps from OP (including the stuff from inside the kamakiri.zip), only then TWRP recovery or a patched Boot.img will boot.

The biggest hurdle is obviously the downgrade of the antirollback protection a.k.a. RPMB (Replay Protected Memory Block)... without a downgrade you can't finish the unlock from OP. Take a look into the main.py to see how it works.
 

Top Liked Posts

  • 4
    I updated my prerooted thread with 6.2.8.1_r2. This includes the new TZ and video playback seems to work.
    3
    Disabling TWRP Cache recovery commands might be a good idea, but probably the best thing the users should do is disabling any kind of OTA updates (system apps and firmware), because we don't know what Amazon might do to workaround the efuse service disabling.
    Yes, I guess they could easily push a system app that does the same thing as the ewriter prog.
    Btw, TZ updating is a one way trip or it can be downgraded?
    Yes, downgrade is not a problem, TZ flashes to TEE1 and 2, stuff on KB isn't changed.
    3
    Edit: Besides that, 6281 enforces DRM (requires an updated TZ). All the older OS versions should work fine without the TZ update (for now).
    Basically there's no good reason to update to 6.2.8.1 unless Amazon forces us to do it. xD
    3
    Are you saying it's still not safe to update the TZ?
    At least we need to stop flashing any kind of stock rom, but your prerooted rom should be safe...
    I remember in the past I've included TZ updates once or twice.
    Yes, I remember it.
    If you provide a prerooted 6.2.8.1 with an updated 6.2.8.1 TZ (all older TZ images won't work), we'll see what happens.
    I guess it will work fine.

    Edit: Maybe we need to disable TWRP cache recovery commands too, in order to protect people with an enabled OTA updater...
    2
    Can you add a warning, that people who have installed this version at one point should refrain from installing any stock >= 6.2.8.0 if they want to keep their efuse?

    Sure
  • 60
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v1.2.zip

    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0, since that is tiny it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    XDA:DevDB Information
    kamakiri, Tool/Utility for the Amazon Fire TV

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/


    Version Information
    Status:
    Stable
    Current Stable Version: 1.0.0
    Stable Release Date: 2019-10-05

    Created 2019-10-05
    Last Updated 2019-10-14
    14
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE: This will only work if the boot-exploit is still there.
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.
    10
    Can you tell us how to disable Ota update on the fire tv stick 4k after a successful root.
    And since there is no superuser installed how can this be done.
    ota can be disabled with root by following commands:
    Code:
    adb shell
    su
    pm disable com.amazon.tv.forcedotaupdater.v2
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
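
An audit of the two update paths mentioned in the posts above (the three OTA packages, and update zips staged through /cache/recovery/command), as an added example that is not part of the original thread or the kamakiri project. The function names and the sample data are constructed for illustration; feeding it real data assumes `adb` access and a working `su`.

```shell
#!/bin/sh
# Added example, not from the thread. Package names are the ones listed in the
# post above; function names and sample data are constructed for illustration.
OTA_PKGS="com.amazon.tv.forcedotaupdater.v2
com.amazon.device.software.ota
com.amazon.device.software.ota.override"

# Reads `pm list packages -d` output (disabled packages) on stdin and prints
# every OTA package that is missing from it, i.e. not confirmed disabled.
enabled_ota_pkgs() {
    disabled=$(tr -d '\r')    # adb shell output may carry CRLF line endings
    for pkg in $OTA_PKGS; do
        # -x -F: exact whole-line match, so "...ota" never matches "...ota.override"
        printf '%s\n' "$disabled" | grep -qxF "package:$pkg" || printf '%s\n' "$pkg"
    done
}

# Reads the contents of /cache/recovery/command on stdin and prints the path of
# every update zip that recovery would install on the next boot.
pending_updates() {
    tr -d '\r' | sed -n 's/^--update_package=//p'
}

# audit PM_OUTPUT COMMAND_FILE_CONTENTS
# Returns 0 only if all three OTA packages are disabled and nothing is staged.
audit() {
    rc=0
    left=$(printf '%s\n' "$1" | enabled_ota_pkgs)
    staged=$(printf '%s\n' "$2" | pending_updates)
    if [ -n "$left" ]; then
        printf '%s\n' "$left" | sed 's/^/NOT DISABLED: /'
        rc=1
    fi
    if [ -n "$staged" ]; then
        printf '%s\n' "$staged" | sed 's/^/STAGED UPDATE: /'
        rc=1
    fi
    return "$rc"
}

# Constructed sample: one package still enabled, one update zip staged.
SAMPLE_PM='package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota.override'
SAMPLE_CMD='--update_package=/cache/update.zip
--wipe_cache'
audit "$SAMPLE_PM" "$SAMPLE_CMD" || echo "audit failed (expected for this sample)"

# Against a real device (assumes adb debugging is on and su works):
#   audit "$(adb shell pm list packages -d)" \
#         "$(adb shell su -c 'cat /cache/recovery/command' 2>/dev/null)"
```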