[UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)


The Fume (Member, Dec 30, 2019)
So, reading more through this thread, it seems the proper way is to unlock it before doing anything at all, then do whatever you need to after that, since the bootloader remains unlocked even if you let it update at that point. Am I correct here?
 

soolcio (Member, Feb 26, 2007, London / Warsaw)
Hello :)
I am kind of new to the Fire Stick (hopefully not to Android and rooting in general) and I would like to root it.
I bought my Fire Stick 4K about 2 years ago and since then the box has never been opened, nor was the stick powered on. I put it in my drawer and forgot about it. According to the first post my stick should be rootable (it definitely has some old firmware version and the serial number is VM139...).
I went through this thread (77 pages of posts) and I am still unsure if I get everything right.

Could you please guide me on what to do next? I do not want it to OTA to 6.2.8.x and blow the fuses.
What are all the steps to unlock it, register it and avoid getting the OTA root patch?

Thank you for your help :) I would like to do it right and not break it or lose the ability to root the device.
 

Skel40 (Senior Member, Dec 27, 2019)
Do you think Amazon is going to temporarily disable the eFuse on future firmwares, as it is on the newer update? Meaning, aren't they going to re-enable it with, for example, the 5th OS update on the interface? Or is it permanent after it's triggered? This is out of curiosity.
 

The Fume (Member, Dec 30, 2019)
> Do you think Amazon is going to temporarily disable the eFuse on future firmwares, as it is on the newer update? Meaning, aren't they going to re-enable it with, for example, the 5th OS update on the interface? Or is it permanent after it's triggered? This is out of curiosity.
Once an eFuse is blown, it's done. You can not go back. And I would guess that even if they release a new update and you are on an older one, even if you skip over this current one to update to, say, 7 (if it ever comes), it will still blow the eFuse going forward.
 

Skel40 (Senior Member, Dec 27, 2019)
> Once an eFuse is blown, it's done. You can not go back. And I would guess that even if they release a new update and you are on an older one, even if you skip over this current one to update to, say, 7 (if it ever comes), it will still blow the eFuse going forward.
So no alternatives at all then? I'm sure glad I kept my 3 4Ks unlocked beforehand.
 

Michajin (Senior Member, Oct 23, 2012)
> So do these need to be set up on an account BEFORE unlocking them and installing TWRP? I saw this on another website where they say you must set them up before doing so. I bought a few backups based on serial numbers (and got lucky, they all were easily unlocked) and went ahead and unlocked them and installed TWRP, but have yet to use them; I put them back in the boxes in case I need them later on. But now I saw this other site saying they need to be set up first? But if I go ahead and set them up they will update, and then not be able to be unlocked?? Hope I didn't hose 4 new ones by doing it first. Thanks for any help.
No, the only issue may be trying to downgrade. The update doesn't relock it. I flashed 6.2.8.0 and still have total unlock and root. You can install earlier than 6.2.8.0 and still downgrade. You didn't need to set them up to unlock them though... The unlocking causes a factory reset at minimum...
 

The Fume (Member, Dec 30, 2019)
I meant only if you update PRIOR to unlocking it. If you updated already, then you are stuck. Not after unlocking.
 

rateo (New member, Dec 27, 2018)
> No, the only issue may be trying to downgrade. The update doesn't relock it. I flashed 6.2.8.0 and still have total unlock and root. You can install earlier than 6.2.8.0 and still downgrade. You didn't need to set them up to unlock them though... The unlocking causes a factory reset at minimum...
Yes, I unlocked and rooted out of the box and it remained that way even though it updated during first setup. Downgrade probably wouldn't be possible, but I don't need it because everything works this way.

> So do these need to be set up on an account BEFORE unlocking them and installing TWRP? I saw this on another website where they say you must set them up before doing so. I bought a few backups based on serial numbers (and got lucky, they all were easily unlocked) and went ahead and unlocked them and installed TWRP, but have yet to use them; I put them back in the boxes in case I need them later on. But now I saw this other site saying they need to be set up first? But if I go ahead and set them up they will update, and then not be able to be unlocked?? Hope I didn't hose 4 new ones by doing it first. Thanks for any help.
Hey there,

Not necessarily; if you're unlocked/rooted already you should be okay... You can use TWRP/adb to change or disable the OTA apk state. There are a few ways to get around this. Download rbox's prerooted 6.2.8.0, and if the OTA isn't disabled, then adb shell pm disable ota immediately is probably the best option.

Regards
 

emkorial (Senior Member, Mar 2, 2008)
> Hello :)
> I am kind of new to the Fire Stick (hopefully not to Android and rooting in general) and I would like to root it.
> I bought my Fire Stick 4K about 2 years ago and since then the box has never been opened, nor was the stick powered on. I put it in my drawer and forgot about it. According to the first post my stick should be rootable (it definitely has some old firmware version and the serial number is VM139...).
> I went through this thread (77 pages of posts) and I am still unsure if I get everything right.
>
> Could you please guide me on what to do next? I do not want it to OTA to 6.2.8.x and blow the fuses.
> What are all the steps to unlock it, register it and avoid getting the OTA root patch?
>
> Thank you for your help :) I would like to do it right and not break it or lose the ability to root the device.

Take the device out of the box.

Root it per the guide.

After that you are fine. When you plug in the device it will update all the way up to the latest version, but since you are already rooted, it will not blow the eFuse.

Once it is all updated you can flash whatever you want and disable updates.
 

emkorial (Senior Member, Mar 2, 2008)
> Once an eFuse is blown, it's done. You can not go back. And I would guess that even if they release a new update and you are on an older one, even if you skip over this current one to update to, say, 7 (if it ever comes), it will still blow the eFuse going forward.

Theoretically, if we could identify the chip that has the eFuse in it, and a source to buy that chip, you could buy a new one with an intact eFuse, desolder the chip on the stick, and solder in your new one.
 

subhash_india (Senior Member, Jul 1, 2021)
> Yes, this is the exact process I went through.
>   • New Fire Stick out of the box, never updated
>   • Unlocked bootloader, installed TWRP
>   • Plugged in Fire Stick, let it self-update all the way to 6.2.8.0
>   • Went into Developer options, enabled ADB debugging
>   • Connected to Fire Stick, flashed older ROM (currently running 6.2.6.6, going to go to 6.2.7.1 soon)
Where did you buy an unlockable stick?

> I will say, based on my condition and what I am experiencing, I am not 100% convinced that the downgrade is completely "clean", in that some apps, even using identical versions of the apps, that caused me no visual issues pre-6.2.8.0 ARE causing me issues after the upgrade and downgrade process. So I'm not completely convinced the downgrade process is 100% "clean". But my issue could also be caused by minor hardware differences between multiple sticks, so the fact I am having symptoms is not conclusive evidence that the downgrade is not clean.
For the downgrade to work correctly:

Flash FM (below 6.2.8.0) + Kamakiri + Magisk + Aftv-mm (optional) and reboot.
 

Conti93 (Member, Jun 2, 2020, Forlì)
So, I have bought a new Fire TV Stick, S/N G4N0VM071 etc., etc., and of course it's locked.
I mean, I didn't try unlocking it BEFORE turning it on at all; the only thing I did was power it on and verify it was working, WITHOUT connecting it to the internet (I stopped at the network selection screen). It said "update in progress", I guess that was a local update. Hmm, who knows if that's what locked it or if it comes already locked from the factory.

Anyway, since I had to rework a couple of tiny-ass BGAs in my life:
[image: VaNM9Fz.jpg]

I was wondering, if someone managed to desolder the flash and stick it on another board, would it be readable or is it encrypted?
That would be quite inconvenient, but it would work nonetheless to write the custom recovery to the flash.
 

Sus_i (Senior Member, Apr 9, 2013)
> So, I have bought a new Fire TV Stick, S/N G4N0VM071 etc., etc., and of course it's locked.
> I mean, I didn't try unlocking it BEFORE turning it on at all; the only thing I did was power it on and verify it was working, WITHOUT connecting it to the internet (I stopped at the network selection screen). It said "update in progress", I guess that was a local update. Hmm, who knows if that's what locked it or if it comes already locked from the factory.
>
> Anyway, since I had to rework a couple of tiny-ass BGAs in my life:
> [image: VaNM9Fz.jpg]

Can you take a detailed picture of the board with the flash removed, please?

> I was wondering, if someone managed to desolder the flash and stick it on another board, would it be readable or is it encrypted?

It's readable, not encrypted at all. :)

> That would be quite inconvenient, but it would work nonetheless to write the custom recovery to the flash.

You may be able to do almost all steps from the OP scripts, like downgrading the LK, TZ and PL images to the exploitable version, flashing boot and recovery images and so on, but in order to boot the downgraded images you need to zero out the RPMB too (take a look into main.py from the OP).
 

Conti93 (Member, Jun 2, 2020, Forlì)
> It's readable, not encrypted at all. :)
>
> Can you take a few detailed pictures of the board with the flash removed, please?
That's good news.

Sorry, the BGA in the photo is a Sony Effio from an FPV cam 😅
[image: aJvqj4W.jpg]

The Fire TV Stick flash looks like this:
[image: UygjU3r.jpg]

The "hard" part now is finding, ideally, a ZIF socket for the flash and something that can read it; I never had a look at a "flash reader" or something similar, if it does exist.
 

Sus_i (Senior Member, Apr 9, 2013)
> The Fire TV Stick flash looks like this:
Yes.
Would be great if you could take a picture of the stick's mainboard with the flash removed. Maybe helpful sometimes, in order to trace the wiring of CLK, CMD and DAT0 on the board...
> The "hard" part now is finding, ideally, a ZIF socket for the flash and something that can read it; I never had a look at a "flash reader" or something similar, if it does exist.
You can solder a few enameled copper wires to the CLK, CMD, DAT0, Vcc, VccQ and GND pads. ;)

Here is a proper tool for r/w of the chip:

Some old root guide for the first gen. Fire TV Stick ever:
Won't work nowadays because of Android's dm-verity.
 

Conti93 (Member, Jun 2, 2020, Forlì)
> Yes.
> Would be great if you could take a picture of the stick's mainboard with the flash removed. Maybe helpful sometimes, in order to trace the wiring of CLK, CMD and DAT0 on the board...
>
> You can solder a few enameled copper wires to the CLK, CMD, DAT0, Vcc, VccQ and GND pads. ;)
>
> Here is a proper tool for r/w of the chip:
>
> Some old root guide for the first gen. Fire TV Stick ever:
> Won't work nowadays because of Android's dm-verity.
Oh! It's an eMMC! I'm dumb. I did practically the same thing when I bricked my 3DS in 2015.
[image: mskwBLr.png]

Thanks for the info, I'll probably buy another stick and desolder the eMMC on that. I'll keep you updated :)
 

Conti93 (Member, Jun 2, 2020, Forlì)
> [...]
> Won't work nowadays because of Android's dm-verity.
Wait a sec, I didn't catch that: since Mantis has Android 7 (hence dm-verity enabled?), does that mean it won't work by manually writing TWRP to the eMMC?

EDIT: Oh, you were referring only to the rooting procedure, correct? TWRP should work without major issues, right? 🤔
 

Sus_i (Senior Member, Apr 9, 2013)
> Wait a sec, I didn't catch that: since Mantis has Android 7 (hence dm-verity enabled?), does that mean it won't work by manually writing TWRP to the eMMC?
>
> EDIT: Oh, you were referring only to the rooting procedure, correct? TWRP should work without major issues, right? 🤔

The rooting procedure via eMMC adapter used for the first gen. Fire TV Stick won't work on a later Android (dm-verity).

Of course you can access the eMMC partitions and flash whatever to them, but the early stages of the boot process (LK) won't boot TWRP if the bootloader is locked (it starts only factory-signed images).

Only if you are able to do all the unlock steps from the OP (including the stuff inside kamakiri.zip), only then will TWRP recovery or a patched boot.img boot.

The biggest hurdle is obviously the downgrade of the anti-rollback protection, a.k.a. RPMB (Replay Protected Memory Block)... without a downgrade you can't finish the unlock from the OP. Take a look into main.py to see how it works.
 

Top Liked Posts

  • Post (4 likes):
    I think my vendor partition is corrupt. I tried restoring from a working backup... no go.
    I tried fastboot format /vendor and got an error: "Formatting not supported for file system with type ..."

    My 2018 mantis has gone bad too, probably the flash memory. Could not write anything to /data or /cache.

    You could try mtkclient to re-write /vendor:

    It needs python3.8 to run properly, so install that. See here:

    Basically, mtkclient wants Python 3.8, so one adds another Python version on Ubuntu, and then uses this command to add modules to it: "python3.8 -m pip" instead of the direct "pip" one.

    Then it is missing a module too:

    So the command to fix that was:
    Code:
    python3.8 -m pip install pycryptodomex

    Update:
    With python3.8, here is how you build it; notice the different command from the one on GitHub:
    Code:
    git clone https://github.com/bkerler/mtkclient
    cd mtkclient
    python3.8 -m pip install .

    Then continue with the rest of the GitHub instructions.

    To run the GUI, do this:
    Code:
    python3.8 mtk_gui
  • Post (3 likes):
    > I've plugged in a USB adapter to connect a USB dongle for a mouse.
    > There's no other option to deactivate the countdown?
    Yes there is: use the bugged version of kamakiri, it will not give you any option for TWRP.
    > I have two Fire Stick 4Ks, and the one on which I've unlocked the bootloader wasn't planned to get unlocked 😅
    > Is it easily possible to remove the unlock?
    It is actually fairly easy, and even easier to brick your stick.

    There are posts on XDA about how to do it; you'll have to use fastboot. (I think one was written by me and one by suzi.)

    I have attached a version of kamakiri in which the LK has a bug, so TWRP will not show you the boot menu even if you have attached an OTG. This is also a TWRP-flashable zip. BUT FIRST PLEASE THINK OF WAYS TO GET INTO TWRP IN CASE ANYTHING GOES WRONG WITH YOUR SYSTEM (YOU CAN USE CLH OR ADB IF YOU REMOVE THE TWRP BOOT MENU, BUT HOW WILL YOU ACCESS THEM IF YOU ARE STUCK IN A BOOTLOOP?)

    FLASH AT YOUR OWN RISK.
  • Post (3 likes):
    So I did kamakiri on a dead one like the one you got. It revived the stick for a couple of weeks, then /data went bad.

    I was able to read eMMC info in TWRP using the command line from the dead stick. I have an OTG cable, a USB hub, and added a mouse, keyboard, and a USB stick, all 3 at once. Then in TWRP go to Advanced/Terminal, and type away!

    Use this utility:

    Code:
    mmc extcsd read /dev/block/mmcblk0

    The dead stick has this:
    Code:
    eMMC Pre EOL information [EXT_CSD_PRE_EOL_INFO]: 0x03

    A good stick had 0x01. Reading the manual, 0x03 is the sign of a dying/dead eMMC.

    Pre-EOL
    Pre EOL information is an overall status for reserved blocks on the disk.

    Possible values are:

    Value  Severity  Meaning
    0x00   -         Not defined.
    0x01   Normal    The disk has consumed less than 80% of its reserved blocks
    0x02   Warning   The disk has consumed more than 80% of its reserved blocks
    0x03   Urgent    The disk has consumed more than 90% of its reserved blocks

    Thanks to @Kramar111 for suggesting that I look at this!
  • Post (2 likes):
    To check eMMC status we can also run something like this via TWRP adb:
    Code:
    adb shell
    cat /sys/class/block/mmcblk0/device/cid
    cat /sys/class/block/mmcblk0/device/csd
    mount -t debugfs none /sys/kernel/debug && cat /sys/kernel/debug/mmc0/mmc0:0001/ext_csd
    Root needed (or TWRP):
    Code:
    cat /sys/block/mmcblk0/device/life_time
    cat /sys/block/mmcblk0/device/pre_eol_info

    Thanks to @bibikalka for the link - https://docs.netgate.com/pfsense/en/latest/troubleshooting/disk-lifetime.html
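The two posts above read the eMMC health registers by hand and compare the hex values against the Pre-EOL table. The script below, an added example that is not code from the thread or from mmc-utils, does that decoding on the PC for text copied out of TWRP: either the `mmc extcsd read` output (the EXT_CSD_PRE_EOL_INFO line plus the two DEVICE_LIFE_TIME_EST_TYP lines the same tool prints) or the sysfs files pre_eol_info and life_time. The Pre-EOL meanings are the table quoted above; the life_time coding is taken from the JESD84-B51 eMMC specification and is not on this page. All sample output in the block is constructed for the example, not captured from a real stick.

```python
"""Decode eMMC health fields (EXT_CSD_PRE_EOL_INFO, DEVICE_LIFE_TIME_EST_TYP_A/B).

Added example for the thread above; not code from the thread or from mmc-utils.
Sample output below is constructed, not captured from a real Fire TV Stick.
"""
import re

# EXT_CSD_PRE_EOL_INFO values, as in the table quoted in the thread.
PRE_EOL = {
    0x00: ("Not defined", "no estimate reported"),
    0x01: ("Normal", "less than 80% of reserved blocks consumed"),
    0x02: ("Warning", "more than 80% of reserved blocks consumed"),
    0x03: ("Urgent", "more than 90% of reserved blocks consumed"),
}


def life_time_meaning(code):
    """DEVICE_LIFE_TIME_EST_TYP_A/B coding per JESD84-B51 (spec, not the thread)."""
    if code == 0x00:
        return "not defined"
    if 0x01 <= code <= 0x0A:
        return f"{(code - 1) * 10}-{code * 10}% of estimated device lifetime used"
    if code == 0x0B:
        return "exceeded maximum estimated device lifetime"
    return "reserved value"


# Field labels as mmc-utils prints them in `mmc extcsd read` output.
PRE_EOL_RE = re.compile(r"\[EXT_CSD_PRE_EOL_INFO\]:\s*(0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"\[EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_([AB])\]:\s*(0x[0-9A-Fa-f]+)")


def parse_extcsd(text):
    """Return (pre_eol, [life_a, life_b]) from `mmc extcsd read` output."""
    m = PRE_EOL_RE.search(text)
    if m is None:
        raise ValueError("EXT_CSD_PRE_EOL_INFO line not found")
    # sort by the A/B letter so the list order is stable
    life = [int(value, 16) for _, value in sorted(LIFE_RE.findall(text))]
    return int(m.group(1), 16), life


def parse_sysfs(pre_eol_info, life_time):
    """Decode the contents of .../device/pre_eol_info ('0x03') and life_time ('0x01 0x01')."""
    return int(pre_eol_info.split()[0], 16), [int(t, 16) for t in life_time.split()]


def assess(pre_eol, life=()):
    """Turn the raw codes into a verdict; 'degraded' flags a chip not to trust for writes."""
    severity, meaning = PRE_EOL.get(pre_eol, ("Unknown", "reserved or vendor-specific"))
    return {
        "pre_eol": pre_eol,
        "severity": severity,
        "meaning": meaning,
        "life_time": [life_time_meaning(c) for c in life],
        "degraded": pre_eol >= 0x02 or any(c >= 0x0A for c in life),
    }


# Constructed samples: one in the state the dead stick in the thread reported, one healthy.
DEAD_EXTCSD = """\
eMMC Life Time Estimation A [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_A]: 0x0b
eMMC Life Time Estimation B [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_B]: 0x02
eMMC Pre EOL information [EXT_CSD_PRE_EOL_INFO]: 0x03
"""
GOOD_EXTCSD = """\
eMMC Life Time Estimation A [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_A]: 0x01
eMMC Life Time Estimation B [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_B]: 0x01
eMMC Pre EOL information [EXT_CSD_PRE_EOL_INFO]: 0x01
"""

if __name__ == "__main__":
    for label, text in (("dead stick", DEAD_EXTCSD), ("good stick", GOOD_EXTCSD)):
        print(label, assess(*parse_extcsd(text)))
    # the same dead chip read through sysfs instead of mmc-utils
    print("sysfs", assess(*parse_sysfs("0x03\n", "0x0b 0x02\n")))
```

Paste the terminal output saved from TWRP into `parse_extcsd`, or the two sysfs file contents into `parse_sysfs`; a `degraded` result on a stick that still boots is the moment to pull a full backup, since the posts above show /data and /vendor failing shortly after 0x03 appeared.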
  • Post (1 like):
    Use Titanium backup from your other stick where the app is working and restore in the one with problem.
    Props to hasobist for helping me. Thank you sir. :)
  • 76
    NOTE: There have been multiple reports of devices with serial numbers containing VM190 or higher being shipped with DL-Mode disabled in BROM.
    These devices cannot be unlocked using kamakiri.
    These devices do not show up at all on USB when shorted.


    After the old bootrom exploit (amonet) we've been using for unlocking all these Fire gadgets was closed in more recent Mediatek SoCs, like the one used in the Fire TV Stick 4K, @xyz` has done it again and found another bootrom exploit.
    Together we proudly present kamakiri for the Fire TV Stick 4K.

    Before proceeding make sure to read and understand this entire post.

    Running this exploit requires a patched linux-kernel on the PC you are using.
    We have put together a Live-ISO that already contains all prerequisites required for running kamakiri.
    You can find the current version of the ISO at:
    https://github.com/amonet-kamakiri/fireiso/releases

    It can be burned to a CD or to a USB-flashdrive.

    Current Version: kamakiri-mantis-v2.0.1.zip


    You will need to open the device and remove the heatshield on the side without the antennas (2 square bricks).
    NOTE: It is not required to desolder or force the shield off, it is just clipped onto a frame. (The attached picture may be a bit misleading, since it also has the frame removed)

    You will need something for shorting (wire, aluminum foil etc.)

    1. Boot the ISO
    2. Download and extract the exploit package.
    3. Open a terminal in the kamakiri directory
    4. Run
      Code:
      ./bootrom-step.sh
    5. Short one of the points in the attached photo to ground (the cage of the shielding).
      Ideally you want to use DAT0; since that is tiny, it might be easier to short the point marked CLK instead.
      It is very important that you use a piece of soft wire or aluminum foil or something similar for shorting. Don't use tweezers, as that makes it incredibly easy to knock the capacitor off the PCB and kill the board!
    6. Connect the stick to your computer (while keeping it shorted)
    7. The script should tell you to release the short and hit enter
    8. Once finished run
      Code:
      ./fastboot-step.sh
    9. Your device will now reboot into TWRP

    Important information

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.)

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    thanks to @hwmod for the picture
    thanks to @Sus_i for providing an update.bin
    thanks to @zeroepoch for developing aftv2-tools

    Contributors
    k4y0z, xyz`
    Source Code: https://github.com/amonet-kamakiri/
  • Post (17 likes):
    There are three options for interacting with TWRP:
    1. A mouse via USB-OTG
    2. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
    3. Via /cache/recovery/command

    Example for /cache/recovery/command:
    Code:
    echo "--update_package=/path/to/zipfile" > /cache/recovery/command
    echo "--wipe_cache" >> /cache/recovery/command
    reboot recovery

    Should you somehow end in a bootloop, TWRP contains a special boot menu that will be displayed when you boot the stick with an OTG-cable connected.
    It will give you 5 seconds to hit cancel and stay in TWRP or reboot into the OS otherwise.

    NOTE: This will only work if the boot exploit is still there.
  • Post (15 likes):
    I've just uploaded a new version of the unlock for mantis.
    It comes with an all-new TWRP (3.6.1) and an unlock method that works even for fused devices with firmware version < 6.2.8.7, no shorting needed!
    For detailed instructions check https://xdaforums.com/t/unlock-root...k-3-and-fire-tv-stick-lite-sheldon-p.4410297/ (use the mantis zip from here; will update the instructions here in a bit).
  • Post (12 likes):
    Well that was easy! And my stick isn't on the latest version, so I'll be able to get some update URLs and make a prerooted ROM hopefully this weekend.
  • Post (12 likes):
    > Is this something that Amazon can fix with future updates? I am holding off until we have a more refined ROM..

    No, the only way they can fix it is with a new hardware revision.