
[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


jack4455667788

New member
Feb 14, 2021
1
0
Ok, the main page (OP) does NOT say that any firestick 4k that has 6.2.8.0 (or above) installed cannot use this rooting method... Shouldn't that be changed?

I understand the efuse prevents downgrading, but my questions are :

1. What happens if you try this rooting method with an old (compatible?) firestick 4k that has the latest OS installed (like mine :()?
2. Has the efuse prevented the mediatek cpu from going into "dfu" mode, or just disabled downgrading?

Thanks!
 

Sus_i

Senior Member
Apr 9, 2013
1,110
434
> I understand the efuse prevents downgrading, but my questions are :

The efuse disables only the bootrom (mtk phone) mode.

> 1. What happens if you try this rooting method with an old (compatible?) firestick 4k that has the latest OS installed (like mine :()?

Nothing happens.

> 2. Has the efuse prevented the mediatek cpu from going into "dfu" mode, or just disabled downgrading?
>
> Thanks!

Yes, that's it, MTK phone mode gets disabled, which blocks the bootrom exploit from OP.
 

nomobytes

Member
Aug 2, 2017
23
10
theManhattan
Consider that TWRP blocks the critical partitions from being flashed. This was a problem when TZ required an update to fix license issues and was addressed in the kamakiri-mantis-v1.2 release, after an exhaustive analysis. See posts #400-416.
 
  • Like
Reactions: puppinoo and Sus_i

Pretoriano80

Senior Member
Jun 9, 2010
3,221
2,900
> Consider that TWRP blocks the critical partitions from being flashed. This was a problem when TZ required an update to fix license issues and was addressed in the kamakiri-mantis-v1.2 release, after an exhaustive analysis. See posts #400-416.

The problem is that if updating TZ is mandatory on newer updates, that would be more complicated than it was in the past, because we also have the e-fuse thing now.

However, there's still no kernel sources for the new updates, so maybe it's still experimental, who knows...
 
  • Like
Reactions: Sus_i

Pretoriano80

Senior Member
Jun 9, 2010
3,221
2,900
> I thought the problem is something about DRM, playback issues with prime and netflix?
>
> @Pretoriano80 Any changes in the efuse script in 6281?

I had only a quick look at ramdisk and system image and the e-fuse script looks the same.
I would have to check the new system image against the previous one, but if something changed at lower levels, then it's not easy to track it down.
 
  • Like
Reactions: Sus_i

Sus_i

Senior Member
Apr 9, 2013
1,110
434
> The freeze and subsequent restart is triggered by attempting to play DRM material. I just wanted to clarify the behavior.

I see, Thanks.
What's the resolution of your TV set? 4k?

Can you test/try this modded stock rom with your setup?
It will use the same TZ image, but with the old UI...
 
  • Like
Reactions: puppinoo

SweenWolf

Senior Member
Mar 18, 2016
534
375
Paradise
Amazon Fire TV
> I see, Thanks.
> What's the resolution of your TV set? 4k?
>
> Can you test/try this modded stock rom with your setup?
> It will use the same TZ image, but with the old UI...

I took logs for Netflix, no videos were loaded, it straight up hung the stick.
Config:
6.2.8.1 (stock, non-rooted, only system and vendor updated)
 

Attachments

  • 6281_netflix_errlog.txt
    74.3 KB · Views: 10
  • Like
Reactions: Sus_i
Can someone tell me if this rooting method also can help when my 4K stick is stuck on the white amazon logo?
The stick worked fine for almost 2 years and now from one day to another it doesn't work anymore.
When I want to boot it up it gets stuck on the white amazon logo. Hard reset isn't possible because the remote doesn't connect to the device.
Can it help to root the device? Or is there any other option to hard reset the 4k Stick?
 

Sus_i

Senior Member
Apr 9, 2013
1,110
434
> The freeze and subsequent restart is triggered by attempting to play DRM material. I just wanted to clarify the behavior.

> I took logs for Netflix, no videos were loaded, it straight up hung the stick.
> Config:
> 6.2.8.1 (stock, non-rooted, only system and vendor updated)

Ok, updated my stick to 6281 stock and then I've got the same blackscreen freeze and/or reboot thing...

So I've tested all the newer TZ images up to 6276 (the last TZ without the efuse-thing) and none of them worked.
That's some kind of bad news I guess.
 

SweenWolf

Senior Member
Mar 18, 2016
534
375
Paradise
Amazon Fire TV
> Ok, updated my stick to 6281 stock and then I've got the same blackscreen freeze and/or reboot thing...
>
> So I've tested all the newer TZ images up to 6276 (the last TZ without the efuse-thing) and none of them worked.
> That's some kind of bad news I guess.

Yeah, I think TZ is incompatible with newer images, I have no idea how or if we can patch the file. I also have no idea what kind of file that is.

Also I reverted back to 7.1. And the problem returned. I am unable to write to system if I use 7.1 or 7.3 and it seems like there are two separate partitions, on 8.0 and 8.1 there are no such issues. I have no time to look into those issues.
I was going to stay at 8.1 but issues with TZ.

My main plan WAS
patch all the files in the system (non signed) and OTA also so no more updates.
If FOTA is patched it will never ask for update, and patching OTA so no System update is downloaded manually. So it has no way to download any files related to OS.
I patch boot image to remove efuse startup and with efuse and writer also removed it would never blow the fuse.
And then just flash back the patched boot image by hacked bl.
I know TWRP prevents TZ updates and all, but even on stock if there's no files to patch, then what will it patch.
And I could unlock anytime.

This was my theory, what do you want to say about it, I'm now trying to gather more info about the subjects.
 

nomobytes

Member
Aug 2, 2017
23
10
theManhattan
> Ok, updated my stick to 6281 stock and then I've got the same blackscreen freeze and/or reboot thing...
>
> So I've tested all the newer TZ images up to 6276 (the last TZ without the efuse-thing) and none of them worked.
> That's some kind of bad news I guess.

The resolution of my set is 1080p, and as I reported, all flashing has been done under TWRP, using stock or @rbox firmware. TZ is tricky as it can update KB. (post #411)
 

Top Liked Posts

  • 1
    > Thank you for the reply.
    >
    > I don't think I enabled ADB debugging. When I ran "adb devices" I got a message saying "unauthorized"
    >
    > I've never installed Launcher manager. So I'm out of luck for now :(

    There's a pad below cap 4 and 5 which you have to ground, if you "short" that pad to ground then it will not cause any heat, maybe you shorted something else, and this stick does NOT heat up that easily.
    If your short is successful then it will only result in your stick not booting up (will show nothing), remove the short and power and your stick will start bootlooping again

    About you saying you haven't enabled ADB debugging (you have enabled it) that's why it's saying unauthorized, otherwise it would have returned nothing.
    What else have you done to the stick.
    There are two reasons I know which could have caused this issue
    1. You tried to install an app (sideloaded) which caused the stick to not boot because that app is crashing in loop. (One major example is Google Play Services, NOT TALKING ABOUT MAGISK)
    2. You tried to disable apps, and used a script / app to debloat the stick or to replace the launcher, and you somehow managed to disable 3 of the launchers on this stick (maybe you also have disabled the system itself)
    1
    > I'm assuming there is a left and right side of the shiny surface in #4 and I should short the right side of the shiny surface to the metal frame (or I could short the left side of #3 to the frame) ?

    Yeah, one of the sides between #3 and #4 :)
    But as I said, you're very late, your stick is probably brom patched...

    You may put the stick in a drawer and wait, developing needs time and if you're lucky there will be an update of the OP.
    1
    > ...
    >
    > If you see "RuntimeError: ERROR: Serial protocol mismatch, expected 0001 got 0000" that means your short is no good and you need to try again (unplug Firestick, reposition short, restart script, plug back in)
    >
    > If you plug it in and the script just hangs at "Waiting for bootrom" without any further messages, it means the short was successful but the boot has been blocked due to the blown e-fuse. That's how you can tell if your stick is on 6.8.2.0 or 6.8.2.1. If that's the case, then unfortunately you can't install TWRP at this point or go any further.

    Thank you for the reply. I did try the shorting again. The shorting was successful, but I was still seeing "Waiting for bootrom". So now I know the e-fuse is blown :(

    I guess this Firestick goes into a drawer until a new exploit is found.
    1
    Is there a problem with passthrough?
    Thanks for the reply, I'll check the link you posted even though I did it this morning and it only refers to the fw 6.2.8.1.

    Starting from the fw 6.2.7.7 the stick doesn't process any longer the DTS audio and since I also use it with Kodi for watching movies I've on the NAS, I'm trying to avoid any fw update
    1
    > Thanks for the reply, I'll check the link you posted even though I did it this morning and it only refers to the fw 6.2.8.1.

    You're right, sry, the updated apk was in this thread here:
  • 60
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v1.2.zip

    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0; since that is tiny, it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    XDA:DevDB Information
    kamakiri, Tool/Utility for the Amazon Fire TV

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/


    Version Information
    Status:
    Stable
    Current Stable Version: 1.0.0
    Stable Release Date: 2019-10-05

    Created 2019-10-05
    Last Updated 2019-10-14
    14
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE: This will only work if the boot-exploit is still there.
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    11
    > Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.
    10
    > Can you tell us how to disable Ota update on the fire tv stick 4k after a successful root.
    > And since there is no superuser installed how can this be done.

    OTA can be disabled with root by the following commands:
    Code:
    adb shell
    su
    pm disable com.amazon.tv.forcedotaupdater.v2
    pm disable com.amazon.device.software.ota
    pm disable com.amazon.device.software.ota.override
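
A way to confirm that the three `pm disable` commands above took effect, added here as an example and not part of the original post. It assumes the list comes from `pm list packages -d`, which prints disabled packages one per line as `package:<name>`; the sample input is constructed.

```shell
#!/bin/sh
# Added example: confirm the three OTA packages named in the post are disabled.

OTA_PACKAGES="com.amazon.tv.forcedotaupdater.v2
com.amazon.device.software.ota
com.amazon.device.software.ota.override"

# still_enabled DISABLED_LIST
#   DISABLED_LIST: text printed by `pm list packages -d` (disabled packages,
#   one "package:<name>" per line). Prints every OTA package missing from it.
still_enabled() {
    # adb shell output can carry CR line endings; strip them first.
    disabled=$(printf '%s\n' "$1" | tr -d '\r')
    for pkg in $OTA_PACKAGES; do
        # -x matches the whole line, -F treats the name literally. A plain
        # substring grep for "...software.ota" would also match
        # "...software.ota.override" and report a false "disabled".
        if ! printf '%s\n' "$disabled" | grep -qxF "package:$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample (not captured from a device): two of the three packages
# are disabled, with CRLF line endings; com.example.bloat is a made-up name.
SAMPLE_DISABLED=$(printf 'package:%s\r\n' \
    com.amazon.tv.forcedotaupdater.v2 \
    com.amazon.device.software.ota.override \
    com.example.bloat)

missing=$(still_enabled "$SAMPLE_DISABLED")
if [ -n "$missing" ]; then
    echo "still enabled: $missing"
else
    echo "all OTA packages disabled"
fi

# On a real device: still_enabled "$(adb shell pm list packages -d)"
```

Re-running the check after flashing a full update shows whether any of the three packages has come back enabled.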