
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


The Fume

Member
Dec 30, 2019
6
1
so reading more through this thread it seems the proper way is to unlock it before doing anything at all. then do whatever u need to after that since the bootloader remains unlocked even if you let it update at that point. am i correct here?
 

soolcio

Member
Feb 26, 2007
14
1
London / Warsaw
Hello :)
I am kinda new to Fire Stick (hopefully not to android and rooting in general) and I would like to root it.
I bought my FireStick 4k about 2 years ago and since then the box has never been opened nor the stick was powered on. I put it in my drawer and I forgot about it. According to the first post my stick should be rootable (it definitely has some old fw version and the serial number is VM139...)
I went through this thread (77 pages of posts) and I am still unsure if I get everything right.

Could you please guide me what to do next, I do not want it to OTA to 6.2.8.x to blow the fuses.
What are all the steps to unlock it, register it and avoid to obtain the OTA root patch.

Thank you for your help :) I would like to do it right and not break it and lose the ability to root the device.
 

Skel40

Senior Member
Dec 27, 2019
236
107
Moto G 5G
Do you think Amazon is going to temporarily disable the efuse on the future firmwares as it's on the newer update? Meaning aren't they going to re-enable with for example, the 5th os update on the interface? Or is it permanent after it's triggered? This is out of curiosity
 

The Fume

Member
Dec 30, 2019
6
1
Do you think Amazon is going to temporarily disable the efuse on the future firmwares as it's on the newer update? Meaning aren't they going to re-enable with for example, the 5th os update on the interface? Or is it permanent after it's triggered? This is out of curiosity
once an efuse is blown its done. you can not go back. and i would guess that even if they release a new update and you are on an older one even if you skip over this current one to say update to like 7 (if it ever comes) it will still blow the efuse going forward.
 

Michajin

Senior Member
Oct 23, 2012
1,263
508
so do these need to be setup on an account BEFORE unlocking them and installing twrp? i saw this on another website where they say you must set them up before doing so. i bought a few backups based on serial numbers (and got lucky they all were easily unlocked) and went ahead and unlocked them and installed twrp but have yet to use those i put them back in the box's in case i need them later on. but now i saw this other site saying they need to be setup first? but if i go ahead and set them up they will update then not be able to be unlocked?? hope i didnt hose 4 new ones by doing it first. thanks for any help
no, only issue may be trying to downgrade. the update doesn't relock it. i flashed 6.2.8.0 and still have total unlock and root. You can install earlier than 6.2.8.0 and still downgrade. You didnt need to set up to unlock them though.... The unlocking causes a factory reset at minimum....
 

rateo

New member
Dec 27, 2018
1
0
no, only issue may be trying to downgrade. the update doesn't relock it. i flashed 6.2.8.0 and still have total unlock and root. You can install earlier than 6.2.8.0 and still downgrade. You didnt need to set up to unlock them though.... The unlocking causes a factory reset at minimum....
yes, I unlocked and rooted out of the box and it remained that way even though it updated during first setup. Downgrade probably wouldn't be possible, but I dont need it because everything works this way
 
so do these need to be setup on an account BEFORE unlocking them and installing twrp? i saw this on another website where they say you must set them up before doing so. i bought a few backups based on serial numbers (and got lucky they all were easily unlocked) and went ahead and unlocked them and installed twrp but have yet to use those i put them back in the box's in case i need them later on. but now i saw this other site saying they need to be setup first? but if i go ahead and set them up they will update then not be able to be unlocked?? hope i didnt hose 4 new ones by doing it first. thanks for any help
Hey There ,

Not necessarily , if youre unlocked/rooted already you should be okay.... you can use twrp/adb to change or disable the OTA apk state. There are a few ways to get around this . download rbox prerooted 6.2.8.0 and if the OTA isnt disabled then adb shell pm disable ota immediately is probably best option.

Regards
 

emkorial

Senior Member
Mar 2, 2008
393
15
Hello :)
I am kinda new to Fire Stick (hopefully not to android and rooting in general) and I would like to root it.
I bought my FireStick 4k about 2 years ago and since then the box has never been opened nor the stick was powered on. I put it in my drawer and I forgot about it. According to the first post my stick should be rootable (it definitely has some old fw version and the serial number is VM139...)
I went through this thread (77 pages of posts) and I am still unsure if I get everything right.

Could you please guide me what to do next, I do not want it to OTA to 6.2.8.x to blow the fuses.
What are all the steps to unlock it, register it and avoid to obtain the OTA root patch.

Thank you for your help :) I would like to do it right and not break it and lose the ability to root the device.

Take device out of box

Root it per the guide

After that you are fine. When you plug in the device it will update all the way up to the latest version but since you are already rooted, it will not blow the eFuse.

Once it is all updated you can flash whatever you want and disable updates
 

emkorial

Senior Member
Mar 2, 2008
393
15
once an efuse is blown its done. you can not go back. and i would guess that even if they release a new update and you are on an older one even if you skip over this current one to say update to like 7 (if it ever comes) it will still blow the efuse going forward.

Theoretically if we could identify the chip that has the eFuse in it, and a source to buy that chip, you could buy a new one with an intact eFuse, desolder the chip on the stick, and solder in your new one.
 

subhash_india

Member
Jul 1, 2021
20
2
Yes, this is the exact process I went through.
  • New Fire Stick out of the box, never updated
  • Unlocked bootloader, installed TWRP
  • Plugged in Fire Stick, let it self update all the way to 6.2.8.0
  • Went into Developer options, enabled ADB debugging
  • Connected to Fire Stick, flashed older ROM (currently running 6.2.6.6, going to go to 6.2.7.1 soon)
Where did you buy an unlockable stick?

I will say, based on my condition and what I am experiencing I am not 100% convinced that the downgrade is completely "clean", in that some apps, even using identical versions of the apps, that caused me no visual issues pre 6.2.8.0, ARE causing me issues after the upgrade and downgrade process. So I'm not completely convinced the downgrade process is 100% "clean". But my issue could also be caused by minor hardware difference between multiple sticks, so the fact I am having symptoms is not conclusive evidence that the downgrade is not clean.
For downgrade to work correctly

Flash FM (below 6.2.8.0)+Kamakiri+Magisk+Aftv-mm(opt) and reboot
 

Conti93

Member
Jun 2, 2020
5
2
Forlì
So, I have bought a new Fire TV Stick S/N G4N0VM071 etc, etc, and of course it's locked.
I mean, I didn't try unlocking it BEFORE turning it on at all, however the only thing I did was powering it on and verifying it was working, WITHOUT connecting it to internet (I stopped at the network selection screen). It said "update in progress", I guess that was a local update. Mmmh, who knows if that's what locked it or it comes already locked from the factory.

Anyway, since I had to rework a couple of tiny ass BGAs in my life:
VaNM9Fz.jpg

I was wondering if someone managed to desolder the flash and stick it on another board, would it be readable or is it encrypted?
That would be quite inconvenient, but it would work nonetheless to write the custom recovery in the flash.
 

Sus_i

Senior Member
Apr 9, 2013
1,108
433
So, I have bought a new Fire TV Stick S/N G4N0VM071 etc, etc, and of course it's locked.
I mean, I didn't try unlocking it BEFORE turning it on at all, however the only thing I did was powering it on and verifying it was working, WITHOUT connecting it to internet (I stopped at the network selection screen). It said "update in progress", I guess that was a local update. Mmmh, who knows if that's what locked it or it comes already locked from the factory.

Anyway, since I had to rework a couple of tiny ass BGAs in my life:
VaNM9Fz.jpg

Can you take a detailed picture from the board with the flash removed, please?

I was wondering if someone managed to desolder the flash and stick it on another board, would it be readable or is it encrypted?

It's readable, not encrypted at all. :)

That would be quite inconvenient, but it would work nonetheless to write the custom recovery in the flash.

You may be able to do almost all steps from the OP scripts, like downgrade LK, TZ and PL images to the exploitable version, flash boot and recovery images and so on, but in order to boot the downgraded images, you need to zero out the RPMB too (take a look into the main.py from OP).
 

Conti93

Member
Jun 2, 2020
5
2
Forlì
It's readable, not encrypted at all. :)

Can you take a few detailed pictures from the board with the flash removed, please?
That's good news.

Sorry, the BGA in the photo is a Sony Effio of a FPV cam 😅
aJvqj4W.jpg


The Fire TV Stick flash looks like this:
UygjU3r.jpg


The "hard" part now is finding, ideally, a ZIF socket for the flash and something that can read it, I never had a look at a "flash reader" or something similar, if it does exist.
 

Sus_i

Senior Member
Apr 9, 2013
1,108
433
The Fire TV Stick flash looks like this:
Yes.
Would be great if you can take a picture from the Stick's mainboard with the flash removed. Maybe helpful sometimes, in order to trace the wiring of CLK, CMD and DAT0 on the board...
The "hard" part now is finding, ideally, a ZIF socket for the flash and something that can read it, I never had a look at a "flash reader" or something similar, if it does exist.
You can solder a few enameled copper wires to the CLK, CMD, DAT0, Vcc, VccQ and GND pads. ;)

Here is a proper tool for r/w the chip:

Some old root guide for the first gen. fireTV stick ever:
Won't work nowadays because of Android's dm-verity.
 

Conti93

Member
Jun 2, 2020
5
2
Forlì
Yes.
Would be great if you can take a picture from the Stick's mainboard with the flash removed. Maybe helpful sometimes, in order to trace the wiring of CLK, CMD and DAT0 on the board...

You can solder a few enameled copper wires to the CLK, CMD, DAT0, Vcc, VccQ and GND pads. ;)

Here is a proper tool for r/w the chip:

Some old root guide for the first gen. fireTV stick ever:
Won't work nowadays because of Android's dm-verity.
Oh! It's an e-MMC! I'm dumb. I made practically the same thing when I bricked my 3DS in 2015.
mskwBLr.png


Thanks for the info, I'll probably buy another stick and desolder the eMMC on that, I'll keep you updated :)
 

Sus_i

Senior Member
Apr 9, 2013
1,108
433
Wait a sec, I didn't catch that, since Mantis has Android 7 (hence dm-verity enabled?) does that mean it won't work by manually writing TWRP on the eMMC?

EDIT: Oh, you were referring only to the rooting procedure, correct? TWRP should work without major issues, right? 🤔

The rooting procedure via eMMC adapter used for the first gen. fireTVstick won't work on a later android (dm-verity).

Ofc you can access the eMMC partitions, flash whatever to it, but the early stages of the boot process (LK) won't boot TWRP in case the bootloader is locked (it starts only factory signed images).

Only if you are able to do all unlock steps from OP (including the stuff from inside the kamakiri.zip.), only then TWRP recovery or a patched Boot.img will boot.

The biggest hurdle is obviously the downgrade of the antirollback protection a.k.a. RPMB (Replay Protected Memory Block)... without a downgrade you can't finish the unlock from OP. Take a look into the main.py to see how it works.
 

Top Liked Posts

  • 1
    I don't know what I will do with my firestick 4k now... this is a piece of junk .. even more after the update .. probably the ****tiest android device I have ever bought
    I guess we all know what amaz. can do via OTA updates and it was always advised to disable updates (even in the OP), valid from the first fireTV ever, till now... If you want to root it sometime, disable or block updates. Amaz. simply fix every vulnerable, that's only a matter of time.

    So you may use the stick... or put it in a drawer instead and wait for an update of the OP. You know, developing needs time... :)
    1
    man it'

    it's a shame there is no warning on the first post of this thread; guess it has not been updated for a while...
    I have read some latest comments and I now see it's not possible to root 6.2.8.1 (latest firmware)... :(
    I don't know what I will do with my firestick 4k now... this is a piece of junk .. even more after the update .. probably the ****tiest android device I have ever bought (I had Chinese tv sticks before that and they worked better than this piece of junk as they were all rooted).
    What's the problem of using it without root? Nobody cancelled sideloading yet.
    1
    yeah thank god sideloading is still possible.
    how can I block my firetv from auto update again without root?
    Go to your router and set static DNS to 127.0.0.1 for:
    d1s31zyz7dcc2d.cloudfront.net
    amzdigital-a.akamaihd.net
    amzdigitaldownloads.edgesuite.net
    softwareupdates.amazon.com
    updates.amazon.com

    Make sure your router DHCP gives out its own IP as DNS server.
    Also Stick won't update without USB power adapter.

    So is stock FW 6.2.7.7 rootable? I can't find answer in here.
  • 1
    Thank you for the reply.

    I don't think I enabled ADB debugging. When I ran "adb devices" I got a message saying "unauthorized"

    I've never installed Launcher manager. So I'm out of luck for now :(
    There's a pad below cap 4 and 5 which you have to ground, if you "short" that pad to ground then it will not cause any heat, maybe you shorted something else, and this stick does NOT heat up that easily.
    If your short is successful then it will only result in your stick not booting up (will show nothing), remove the short and power and your stick will start bootlooping again

    About you saying you haven't enabled ADB debugging (you have enabled it) that's why it's saying unauthorized, otherwise it would have returned nothing.
    What else have you done to the stick.
    There are two reasons i know which could have cause this issue
    1. You tried to install an app (sideloaded) which caused the stick to not boot because that app is crashing in loop. (One major example is Google Play Services, NOT TALKING ABOUT MAGISK)
    2. You tried to disable apps, and used a script / app to debloat the stick or to replace the launcher, and you somehow managed to disable 3 of the launchers on this stick (maybe you also have disabled the system itself)
    1
    I'm assuming there is a left and right side of the shiny surface in #4 and I should short the right side of the shiny surface to the metal frame (or I could short the left side of #3 to the frame) ?
    Yeah, one of the sides between #3 and #4 :)
    But as i said, you're very late, your stick is probably brom patched...

    You may put the stick in a drawer and wait, developing needs time and if you're lucky there will be an update of the OP.
    1
    ...

    If you see "RuntimeError: ERROR: Serial protocol mismatch, expected 0001 got 0000" that means your short is no good and you need to try again (unplug Firestick, reposition short, restart script, plug back in)

    If you plug it in and the script just hangs at "Waiting for bootrom" without any further messages, it means the short was successful but the boot has been blocked due to the blown e-fuse. That's how you can tell if your stick is on 6.8.2.0 or 6.8.2.1. If that's the case, then unfortunately you can't install TWRP at this point or go any further.

    Thank you for the reply. I did try the shorting again. The shorting was successful, but I was still seeing "Waiting for bootrom" So now I know the e-fuse is blown :(

    I guess this Firestick goes into a drawer until a new exploit is found.
    1
    Is there a problem with passthrough?
    Thanks for the reply, I'll check the link you posted even though I did it this morning and it only refers to the fw 6.2.8.1.

    Starting from the fw 6.2.7.7 the stick doesn't process any longer the DTS audio and since I also use it with Kodi for watching movies I've on the NAS, I'm trying to avoid any fw update
    1
    Thanks for the reply, I'll check the link you posted even though I did it this morning and it only refers to the fw 6.2.8.1.
    You're right, sry, the updated apk was in this thread here:
  • 60
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v1.2.zip

    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0; since that is tiny, it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    XDA:DevDB Information
    kamakiri, Tool/Utility for the Amazon Fire TV

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/


    Version Information
    Status:
    Stable
    Current Stable Version: 1.0.0
    Stable Release Date: 2019-10-05

    Created 2019-10-05
    Last Updated 2019-10-14
    14
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE: This will only work if the boot-exploit is still there.
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.
    10
    Can you tell us how to disable Ota update on the fire tv stick 4k after a successful root.
    And since there is no superuser installed how can this be done.
    ota can be disabled with root by following commands:
    Code:
    adb shell
    su
    pm disable com.amazon.tv.forcedotaupdater.v2
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
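
A way to confirm the three `pm disable` commands above took effect, as an added example that is not part of the original post: it reads the output of `pm list packages -d` (disabled packages only) and prints any of the three OTA packages that are still enabled. The function name `still_enabled` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the OTA packages named in
# the post are actually disabled.
# Input format: the text printed by `pm list packages -d`, which lists only
# disabled packages, one "package:<name>" entry per line.

# The three package names are taken from the post above.
OTA_PACKAGES="com.amazon.tv.forcedotaupdater.v2
com.amazon.device.software.ota
com.amazon.device.software.ota.override"

# still_enabled <disabled-list-text>   (hypothetical helper name)
# Prints every OTA package that does NOT appear in the disabled list.
# Empty output means all three are disabled.
still_enabled() {
    disabled_list=$1
    for pkg in $OTA_PACKAGES; do
        # tr strips the carriage returns some adb versions append to each line.
        # grep -x matches whole lines only, so "...software.ota" is not
        # satisfied by "...software.ota.override"; -F treats dots literally.
        if ! printf '%s\n' "$disabled_list" | tr -d '\r' \
                | grep -qxF "package:$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample: output as it would look if the second `pm disable`
# had been skipped or had failed.
SAMPLE_DISABLED='package:com.amazon.tv.forcedotaupdater.v2
package:com.amazon.device.software.ota.override'

# Offline demonstration on the constructed sample:
#   still_enabled "$SAMPLE_DISABLED"
# Against a connected device (assumes adb is authorized):
#   still_enabled "$(adb shell pm list packages -d)"
```

The whole-line match matters here because one package name is a prefix of another; a plain substring search would report `com.amazon.device.software.ota` as disabled whenever only the `.override` package is.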