[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


Sus_i

Senior Member
Apr 9, 2013
1,601
688
I read VM190 or above/6.2.8.0 & above are unrootable.
I have just received the Firestick 4k from Amazon with VM242, it is still unopened. I want to learn as much as possible before I open the box.

Does the rootability only depend on the firmware version?

Am I right saying that, as long as the firmware is below 6.2.8.0 (assuming), AND I keep it away from OTA updates before the rooting process, it is good to go?
The note in OP is outdated and only valid for the unlock method via shorting.
Since Kamakiri 2 we are able to unlock without shorting, if the OS isn't updated to 6.2.8.7 (this OS patches the new unlock method).

Keep the stick offline until you are able to try kamakiri 2.0.1 for mantis.
You can use this (up-to-date) guide here:
 

bibikalka

Senior Member
May 14, 2015
1,415
1,104
The note in OP is outdated and only valid for the unlock method via shorting.
Since Kamakiri 2 we are able to unlock without shorting, if the OS isn't updated to 6.2.8.7 (this OS patches the new unlock method).

Keep the stick offline until you are able to try kamakiri 2.0.1 for mantis.
You can use this (up-to-date) guide here:

Wait, but these new instructions are not for a 4K device. Can one unlock a 4K stick with the new instructions???

Nevermind, I found the new instructions here:

Now, can I restore a 6.2.8.0+ device back to 6.2.7.7, say, via a TWRP image? I forget now the whole downgrade issue. They burned the fuse, but if I have root, I should be able to go back, right?
 

Sus_i

Senior Member
Apr 9, 2013
1,601
688
My apologies, "menu" wasn't a great choice of words. It gets stuck on the static "fire TV" logo screen. The initial one, before the animated version that should play directly afterwards.
The black white logo, ok.
If you can boot into TWRP, flash a stock rom, wipe data, then flash the kamakiri zip and then magisk if you like.
If TWRP isn't available, re-do the bootrom-step, then fastboot-step and then flash a stock rom + magisk.
 

Sus_i

Senior Member
Apr 9, 2013
1,601
688
Now, can I restore a 6.2.8.0+ device back to 6.2.7.7, say, via a TWRP image? I forget now the whole downgrade issue. They burned the fuse, but if I have root, I should be able to go back, right?
You can downgrade to any OS you like, in case you wipe data (and skip the initial update) too...
but this won't fix the burned efuse if it's already gone. The new goal for the burned-efuse sticks is to keep the preloader safe, in order to access bootrom ;)
 
  • Like
Reactions: bibikalka

jdawgx

New member
Apr 24, 2022
3
3
Below are the commands I've used to send and install a prerooted image via TWRP without using any input devices. While the firestick is on TWRP and connected via USB, open Command Prompt, type each line and press enter.

adb push C:\<location of image>\<name of image>.zip /sdcard/
adb shell
twrp install /sdcard/<name of image>.zip
twrp wipe cache
twrp wipe dalvik
reboot -p

I hope this helps.
This worked to get me where I wanted. Thank you very, very much! I was able to find and install the latest prerooted image from here. Using your same steps, I installed Magisk 20.4 from here. Initially I tried installing the latest Magisk (v24.0), but that didn't allow the "su" command to work from within the OS. I then followed the steps here to get the Dual Shock 4 controller working, but the "mount" commands provided at that site failed because it couldn't find the referenced folders, so what I had to do (after installing the Android Developer Tools on my PC and connecting the Fire Stick to the same PC via USB) was this (a slight modification of what's on the linked site):
adb shell
su
(NOTE: If you have never run the command su before, your Fire TV will display a popup asking for you to grant permission. Select “Grant” on the popup)
mount -o rw,remount /
mount -o rw,remount /system/
cp /sdcard/Vendor_054c_Product_05c4.kl /system/usr/keylayout/
mount -o ro,remount /
mount -o ro,remount /system/
rm /sdcard/Vendor_054c_Product_05c4.kl
exit
exit

Then, after rebooting the Fire Stick and re-pairing the DS4 controller, the Stick correctly handled the controller, and now I'm able to play games on the TV via Steam Link.

Just wanted to give this info for anyone else looking to accomplish this same thing. Thanks again for all your assistance @gojannz!
 
  • Like
Reactions: gojannz and Sus_i

HGSC12

New member
Mar 22, 2022
3
0
The black white logo, ok.
If you can boot into TWRP, flash a stock rom, wipe data, then flash the kamakiri zip and then magisk if you like.
If TWRP isn't available, re-do the bootrom-step, then fastboot-step and then flash a stock rom + magisk.
I booted into TWRP, flashed the stock rom found here, wiped data, and reflashed kamakiri. Unfortunately, there is no difference. I can still boot into TWRP, but if I try to boot to the OS it still gets stuck on the black/white logo. I tried leaving it powered on for a while and different patterns of wiping/reinstalling, but still no dice. Do you have any other suggestions? I really appreciate your help.
 

bibikalka

Senior Member
May 14, 2015
1,415
1,104
You can downgrade to any OS you like, in case you wipe data (and skip the initial update) too...
but this won't fix the burned efuse if it's already gone. The new goal for the burned-efuse sticks is to keep the preloader safe, in order to access bootrom ;)
OK - good to know! I have a perfectly set up 4k - with a custom kernel, EXFAT support, and everything else on 6.2.7.7. So I'll just open up the one I kept in the box, unlock it with kamakiri, clone the other one to it, and will be done! I really bought the new one as a back up in case the remote on the other goes breaks, but it looks like it's another gem that can be unlocked!
 
  • Like
Reactions: puppinoo and Sus_i

door_jam

Member
Jan 27, 2013
10
1
The note in OP is outdated and only valid for the unlock method via shorting.
Since Kamakiri 2 we are able to unlock without shorting, if the OS isn't updated to 6.2.8.7 (this OS patches the new unlock method).

Keep the stick offline until you are able to try kamakiri 2.0.1 for mantis.
You can use this (up-to-date) guide here:
Thanks very much.

I just set up my new 4k stick. I kept it offline, as you instructed, while
- followed post #1 & installed TWRP successfully
- installed Magisk 20.4 via FireISO2 using TWRP install command (successful)

Then I tried to find a way to disable OTA before I head over to boot up the stick. Unfortunately, I could not find any solution.

I then followed this guide from AFTVnews to set up the stick while briefly connecting it to internet.

When I went to About My Fire TV (it came with FireOS 6.2.8.1/3387), under Check for Updates, it mentioned the update had been downloaded & will be updated in the next restart. This scared my shxx out.

I then ran these commands:
pm disable com.amazon.tv.forcedotaupdater.v2
pm clear com.amazon.tv.settings.
pm clear com.amazon.device.software.ota

Now back on About My Fire TV, Check for Updates: Last Checked - Never

Is it safe to assume that the last two of the commands above had deleted the OTA update (or just the last one)? I am good to reboot the stick, right?

Or, is it safer to flash rbox's prerooted image 6.2.8.1_r3 ?

[Update] I went back to About My Fire TV & hit Check for Updates (just to see if OTA checking is disabled), it did start to download the OTA again. And I stopped the internet right away.

If I install SweenWolf's Patch-6.2.8.1(No FOTA), will that be sufficient?
 
  • Like
Reactions: Sus_i

Sus_i

Senior Member
Apr 9, 2013
1,601
688
Is it safe to assume that the last two of the commands above had deleted the OTA update (or just the last one)? I am good to reboot the stick, right?

Or, is it safer to flash rbox's prerooted image 6.2.8.1_r3 ?

[Update] I went back to About My Fire TV & hit Check for Updates (just to see if OTA checking is disabled), it did start to download the OTA again. And I stopped the internet right away.

If I install SweenWolf's Patch-6.2.8.1(No FOTA), will that be sufficient?
Disabling OTA for rooted sticks on any fireOS version, this works always:
Code:
adb shell
su
pm disable com.amazon.device.software.ota
pm disable com.amazon.device.software.ota.override
pm disable com.amazon.tv.forcedotaupdater.v2
pm clear com.amazon.device.software.ota
exit
exit
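
An added check, not part of the post above and not code from the kamakiri project: it reads the output of `pm list packages -d` (Android's listing of disabled packages) and prints any of the three OTA packages from the post that are still enabled. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the three OTA packages named in the post above are
# really disabled. Function name and sample listings are constructed.

OTA_PACKAGES="com.amazon.device.software.ota
com.amazon.device.software.ota.override
com.amazon.tv.forcedotaupdater.v2"

# still_enabled LISTING
#   LISTING is the text printed by `pm list packages -d`, which emits one
#   "package:<name>" line per disabled package.
#   Prints each OTA package that is missing from LISTING (still enabled).
still_enabled() {
    # adb may return CRLF line endings; strip them, then drop the prefix.
    disabled=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p')
    for pkg in $OTA_PACKAGES; do
        # -F literal, -x whole line: "...software.ota" is a prefix of
        # "...software.ota.override", so a substring match would wrongly
        # report the base OTA package as disabled.
        printf '%s\n' "$disabled" | grep -qxF "$pkg" || printf '%s\n' "$pkg"
    done
}

# Constructed listing: override and forced updater disabled, base OTA not.
SAMPLE_PARTIAL='package:com.amazon.device.software.ota.override
package:com.amazon.tv.forcedotaupdater.v2
package:com.example.unrelated'

# Constructed listing: all three disabled, with CRLF line endings.
SAMPLE_FULL=$(printf 'package:%s\r\n' $OTA_PACKAGES)

# On a device: still_enabled "$(adb shell pm list packages -d)"
still_enabled "$SAMPLE_PARTIAL"
```

Empty output means all three packages are disabled; any name printed is one the updater can still use.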
 

Sus_i

Senior Member
Apr 9, 2013
1,601
688
OK - good to know! I have a perfectly set up 4k - with a custom kernel, EXFAT support, and everything else on 6.2.7.7. So I'll just open up the one I kept in the box, unlock it with kamakiri, clone the other one to it, and will be done! I really bought the new one as a back up in case the remote on the other goes breaks, but it looks like it's another gem that can be unlocked!
(y)
I don't know if 'clone stick' will work, but you can try it.
Years ago I did this on a fireOS 5 box, installed a TWRP backup from a different device...
Problem was (if I recall it right), that the second (cloned) box used the serial, macaddress and so on from the first device ;) Ofc it could be that this isn't the case for mediatek devices, idk.
 

Sus_i

Senior Member
Apr 9, 2013
1,601
688
I booted into TWRP, flashed the stock rom found here, wiped data, and reflashed kamakiri. Unfortunately, there is no difference. I can still boot into TWRP, but if I try to boot to the OS it still gets stuck on the black/white logo. I tried leaving it powered on for a while and different patterns of wiping/reinstalling, but still no dice. Do you have any other suggestions? I really appreciate your help.
You can try to flash a more recent stock rom
Code:
https://d1s31zyz7dcc2d.cloudfront.net/8a17993ff1335c5546eadfd080546e7b/update-kindle-mantis-NS6281_user_4812_0005940366468.bin
https://d1s31zyz7dcc2d.cloudfront.net/d4966e07e86cfd81861531207dcb4cde/update-kindle-mantis-NS6287_user_3770_0006544079492.bin

You can also try to format data instead of the wipe and you can try the kamakiri GPT-fix if you like (somewhere in this thread).
 

bibikalka

Senior Member
May 14, 2015
1,415
1,104
(y)
I don't know if 'clone stick' will work, but you can try it.
Years ago I did this on a fireOS 5 box, installed a TWRP backup from a different device...
Problem was (if I recall it right), that the second (cloned) box used the serial, macaddress and so on from the first device ;) Ofc it could be that this isn't the case for mediatek devices, idk.

I cloned HD7 2014 vintage before, and recently I cloned Fire stick 2 (tank) in TWRP. It works uneventfully, and the serial is still proper, because it's not stored in any of the cloned partitions. So that's the fastest way to keep all the customizations.
 
  • Like
Reactions: Sus_i

digobertoldi

New member
Apr 12, 2014
4
1
Hello everybody, I'm new here. I have a fire tv stick 4k updated to the latest version, which prevents the installation of new launchers, and I would like to know if I can follow this thread to root my device and install new launchers with it. Can someone help me? thx
 

Noisemaker00

Senior Member
Apr 9, 2013
66
21
The note in OP is outdated and only valid for the unlock method via shorting.
Since Kamakiri 2 we are able to unlock without shorting, if the OS isn't updated to 6.2.8.7 (this OS patches the new unlock method).

Keep the stick offline until you are able to try kamakiri 2.0.1 for mantis.
You can use this (up-to-date) guide here:
In your opinion, a device with VM201 (local store item) may have a FireOS version < 6.2.8.7?
 

Noisemaker00

Senior Member
Apr 9, 2013
66
21
the script
Code:
bootrom-step.sh
keeps saying
Code:
RuntimeError("donwload failure,giving up")
what does it mean? the device is patched?
I do not boot up the device to check the firmware version to avoid any type of update
 

Sus_i

Senior Member
Apr 9, 2013
1,601
688
the script
Code:
bootrom-step.sh
keeps saying
Code:
RuntimeError("donwload failure,giving up")
what does it mean? the device is patched?
I do not boot up the device to check the firmware version to avoid any type of update
If you mean 'downgrade failure'
then you can try to disable the rpmb recheck in the main.py
 

Top Liked Posts

  • 3
    Hey guys.
    Big thanks to the dev. I've successfully rooted my firetv with this script and fixed some stuff. So I've made a guide for those who need some help https://github.com/daboynb/Root_firestick .
    2
    I have a 4k, I didn't think this thread applied when researching.
    Yes, the mantis OP of this thread needs an update and the instructions for sheldon are up-to-date...
    You can read some details here:
    1
    So after 6.2.8.7 shorting method won’t work?
    No. Shorting (kamakiri 1.x) gets blocked via 6.2.8.0 (or later) or by factory if the serial is VM190 and later.
    The new kamakiri 2.x gets blocked with 6.2.8.7 or later.
    1
    Wow, thank you! I did not think of that. I've gone through only five pages of this thread. Let me just go through the other 93 pages and eventually I will find an answer! Thanks again and God Bless :)
    I guess you need to read @Rortiz2 post again... ;)
    He said you may take a look at the forums, not only this thread! :p
    1
    I believe I have tried all possible ways mentioned in this thread in order to unlock the Bootloader and install TWRP and revive the system by flashing. Unfortunately nothing seems to work.
    I don't know if you tried the bootrom-step from kamakiri 2.x (run the script and then connect the stick without a short, see post #1953 for details), but in case this won't work for you, spflashtool won't work too.
  • 68
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v2.0.1.zip


    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0; since that is tiny, it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers, as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/
    16
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE: This will only work if the boot-exploit is still there.
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    12
    I've just uploaded a new Version of the unlock for mantis.
    It comes with an all new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
    For detailed instructions check https://forum.xda-developers.com/t/...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (Use mantis-zip from here, will update instructions here in a bit)
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.