[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)

Search This thread

slack5

Member
Feb 14, 2022
8
0
My fire stick 4k is not stuck in black screen. It boots up but it never passes the fire tv animated logo.
I never altered the 4k firmware,IMagisk is not available.
I believe I already tried fastboot factory reset but if I realy did it didn't help I will definately try it when I get home (just to makse sure i tried it).

Is there someone who could generate Fire Stick 4k Scatter file?
I need it because I would try to do some tests in Spflash read contents from my stick.
 

slack5

Member
Feb 14, 2022
8
0
You should try to Factory reset by fastboot command.
There is no fastboot factory reset command.
I did try fastboot -w but it didn't help.
I believe I will have to flash sysyem partition in order to make my Fire Stick 4k work again.
Ufortunately I am not able to find appropriate system.img file that is meant to be flashed via fastboot or Spflash.
 
Last edited:

stevebgfra

New member
Mar 15, 2021
3
0
Hello,

My new firestick is on 6.2.8.9, and the kamikir ISO is stuck on waiting for boot downloader when running `./bootrom-step.sh`, with the aluminium fold in place. (never rooted before).

Should I conclude I won't be able to root?

(just wanted to support my xbox 360 wired controller)

thx
 

anphabvn

Member
May 13, 2022
32
3
Hello,

My new firestick is on 6.2.8.9, and the kamikir ISO is stuck on waiting for boot downloader when running `./bootrom-step.sh`, with the aluminium fold in place. (never rooted before).

Should I conclude I won't be able to root?

(just wanted to support my xbox 360 wired controller)

thx
Yes. you cant root now
 
Hi guys,

Major problems, three mantis and a lite device offline.
Tried reflashing firmware with magisk and the device won't pass setup at all. Can pair the remotes then get a message saying unauthorised and then I get pinged back to pairing remote again. Thought maybe disabling OObe but obviously can't get to adb etc.

Wondering if some new root/bootloader detection maybe prevalent with this new launcher telemetry / firmware. Has anyone else found any problems ie no WiFi, unable to pass setup stage etcetera.
Would see the point of possible user error with one device.... but four of them exactly same time?

Any help appreciated.

Kind regards
 

anphabvn

Member
May 13, 2022
32
3
Hi guys,

Major problems, three mantis and a lite device offline.
Tried reflashing firmware with magisk and the device won't pass setup at all. Can pair the remotes then get a message saying unauthorised and then I get pinged back to pairing remote again. Thought maybe disabling OObe but obviously can't get to adb etc.

Wondering if some new root/bootloader detection maybe prevalent with this new launcher telemetry / firmware. Has anyone else found any problems ie no WiFi, unable to pass setup stage etcetera.
Would see the point of possible user error with one device.... but four of them exactly same time?

Any help appreciated.

Kind regards
twrp factory reset?
 

Sus_i

Senior Member
Apr 9, 2013
1,662
710
I believe I have tried all possible ways mentioned in this thread in order to unlock the Bootloader an install TWRP and revive the system by flashing. Unfortunately nothing seems to work.
I don't know if you tried the bootrom-step from kamakiri 2.x (run the script and then connect the stick without a short, see post #1953 for details), but in case this won't work for you, spflashtool won't work too.
 
  • Like
Reactions: Kramar111
Twrp Format data, then newest firmware 6.2.8.9
followed by Magisk. Sends oobe into a loop. Like I said above. Pair remote OK, then when connect WiFi it let's you enter WiFi password and then says " loading...." then "unauthorised"
Before sending you back to remote pairing.

It's new to me.. I only updated to newest firmwares as some apps stopped working on the older firmware (6.2.7.1 the best imo).

Regards
 

anphabvn

Member
May 13, 2022
32
3
Twrp Format data, then newest firmware 6.2.8.9
followed by Magisk. Sends oobe into a loop. Like I said above. Pair remote OK, then when connect WiFi it let's you enter WiFi password and then says " loading...." then "unauthorised"
Before sending you back to remote pairing.

It's new to me.. I only updated to newest firmwares as some apps stopped working on the older firmware (6.2.7.1 the best imo).

Regards
Use filemanger of twrp delete OObe
 

anphabvn

Member
May 13, 2022
32
3
Twrp Format data, then newest firmware 6.2.8.9
followed by Magisk. Sends oobe into a loop. Like I said above. Pair remote OK, then when connect WiFi it let's you enter WiFi password and then says " loading...." then "unauthorised"
Before sending you back to remote pairing.

It's new to me.. I only updated to newest firmwares as some apps stopped working on the older firmware (6.2.7.1 the best imo).

Regards
" loading...." then "unauthorised"
Wrong wifi pass or your device is blacklisted
 

totbl

Senior Member
Oct 1, 2014
238
12
Could someone check something for me please? I'll attach a photo and could you tell me if the part I have circled is exposed like mine is? Because I had a small fine piece of steel that like an idiot I mislaid and I'm wondering could its absence be the cause of my bluetooth issues? Could be barking up the wrong tree altogether as I'm out of my comfort zone here.

A few notes on general unbricking as well as tips specific to bootloops, potentially "blacklisted" devices and "unable to update" and similar errors. (Also, using the device without logging in)
  1. The latest release of kamakiri includes two undocumented utilities that allow you to boot into the recovery or fastboot when you short the contacts shown in the main post. already have the kamakiri microloader installed. (boot-recovery.sh and boot-fastboot.sh)
  2. You can circumvent the entire OOBE (Out Of the Box Experience) and even skip the Amazon account login like this: After installing Magisk (I strongly recommend the pre-rooted images), boot into TWRP and do the following:
    Code:
    $ adb shell
    # echo "#!/bin/sh
    resetprop persist.service.adb.enable=1
    resetprop persist.sys.usb.config=mtp,adb
    sleep 30
    settings put global development_settings_enabled 1
    settings put global adb_enabled 1
    settings put secure install_non_market_apps 1" > /data/adb/service.d/enable-usb-debugging.sh
    # chmod +x /data/adb/service.d/enable-usb-debugging.sh
    This will create a shell script at /data/adb/service.d that should automatically enable ADB, disable debugging authentication and installation of apps from unknown sources on boot. With this, you can sideload other APKs (adb install <file>) and start them (adb shell am start <package name>). I provide no warranty that this works or does not damage your device. Use at your own risk. The provided script is a messy hack and needs cleaning up (most of the code is probably not needed). The device will potentially work less-than-ideal with this hack applied.
  3. You can disable the OOBE, this way your launcher should appear on boot and home button press:
    Code:
    adb shell pm disable com.amazon.tv.oobe
  4. I strongly recommend installing GAPPS with this module, as the market and the Amazon login don't seem to work at all for me (although I'm not sure whether this is due to my own device, maybe it's blacklisted or broken in some way).
Edit: cleaned usb debugging script up a bit
Edit 2: included a script that installs the USB debugging enabler script automatically. This is meant to be used from a Linux system such as fireiso. Note that this still only works when booted into TWRP with Magisk already installed.
Hey. How do I install this script? I'm on Linux Mint and booted into TWRP connected via USB.

I get errors when inputting commands you posted above and an error while trying to install the script.

Prerooted image. I'm locked out as this is blacklisted unfortunately.

Any help with be greatly appreciated.
 

MartK87

Senior Member
Jun 10, 2013
151
21
Before I go buying this, will it work with ANY 4k fire stick? Can people please link some ebay links of the exact confirmed working models? Would be really helpful. I realize theres certain serial numbers to avoid but i guess thats a gamble with buying one.
 

slack5

Member
Feb 14, 2022
8
0
I tried to find the scatter file for Fire Stick 4K but could not find it anywhere.
I am asking if someone who already rooted the 4k could upload the scatter file here.
 

MartK87

Senior Member
Jun 10, 2013
151
21
As usual... people been as much use as an ashtray for a motorbike. Ill take the gamble and just get the 4k 3rd gen
 

Sus_i

Senior Member
Apr 9, 2013
1,662
710
I tried to find the scatter file for Fire Stick 4K but could not find it anywhere.
I am asking if someone who already rooted the 4k could upload the scatter file here.
We don't use scatter files for the 4k stick, so you would need to dump the gpt 'with kamakiri' and then write a scatter file yourself... And again, if kamakiri won't work for your stick, spflashtool won't work too.
 
  • Like
Reactions: Kramar111

slack5

Member
Feb 14, 2022
8
0
We don't use scatter files for the 4k stick, so you would need to dump the gpt 'with kamakiri' and then write a scatter file yourself... And again, if kamakiri won't work for your stick, spflashtool won't work too.
In that case I am afraid I will have to go EMMC way. I have access to Z3X Easy Jtag box so I will investigate a bit towards flashing the FS4K via testpoints. I believe I would need to flash the appropriate preloader only. After that Kamakiri's solution should be working?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    VM241 with 6.2.8.1 out of the box here. After tweaking the script, I managed to get it working. After kamakiri succeeded, DRM stopped working, so for anybody with the same problem, here you go, this updates TZ back to whatever version was originally in your stick before kamakiri. Just flash it, credits to @Skel40 and @rbox since I extracted the TZ and cleaned script from his rooted rom.
    1
    Hey I used an old version some time ago. Is it recommened to use the newest version again with the new features etc. or do I dont need it?
    Idk if you need it, but you can flash the latest kamakiri.zip (+magisk) with twrp if you like, in order to update twrp recovery...
    Besides that,, 6.2.8.1 is still fine... later update = more bloat.
    1
    Then forget about this serial, back then it was a vulnerable stick but patched via an update...
    If the stick is really from amazon, it's maybe a refurbished one or maybe someone updated it and returned it after a quick read on xda. ;)

    New sticks should have something with VM201... or later.

    If you go for a look in a shop, VM20113xxx sticks arrived with 6.2.8.1, earlier serials should be fine.
    Okay fetched it from ebay .
    Means once patched restore to factory defaults it still remains patched isn't it.
    For now Wolf launcher works well ain't know the launcher manager never worked using the launcher with on fire boot and works well so far and with a debloat serves the purpose.
    Will try for a new stick on sale a good deal with series mentioned by you
    Have a cube 2nd gen will try rooting the same.
    Thank you.......
  • 68
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom-exploit (amonet) we've been using for unlocking all these Fire-gadgets is closed in more recent Mediatek SOCs like the one used in the FireTV Stick 4K, @xyz` has done it again and found another bootrom-exploit.
    Together we proudly present kamakiri for the FireTV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v2.0.1.zip


    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0, since that is tiny it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers as that makes it incredibly easy to knock of the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/
    16
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE:This will only work if the boot-exploit is still there.
    12
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
    12
    I'v just uploaded a new Version of the unlock for mantis.
    It comes with an all new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
    For detailed instructions check https://forum.xda-developers.com/t/...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (Use mantis-zip from here, will update instructions here in a bit)
    11
    Is this something that Amazon can fix with future updates? I am holding off until we have a more refined rom..

    No, the only way they can fix it is with a new hardware revision.