Read this whole guide before starting.
This is for the 2nd gen Fire TV (sloane)
Current relase: amonet-sloane-v1.1
NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out.
To update to the current release if you are already unlocked, just flash the zip in TWRP.
What you need:
2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.
NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:
NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.
Once the zip-file finished flashing, disconnect the device and run:
Then plug the device back in.
The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:
After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
You can now install Magisk from there.
Important information
NOTE: This has nothing to do with the unlock process.
You have 10 seconds to force TWRP to keep ADB over USB active by using
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
Special thanks also to @Sus_i and @DanielF50 for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
This is for the 2nd gen Fire TV (sloane)
Current relase: amonet-sloane-v1.1
NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out.
To update to the current release if you are already unlocked, just flash the zip in TWRP.
What you need:
- A Linux installation or live-system
- A a-a cable
2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.
NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:
NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.
Once the zip-file finished flashing, disconnect the device and run:
Code:
sudo ./bootrom-step-minimal.sh
The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:
Code:
sudo ./fastboot-step.sh
After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
You can now install Magisk from there.
Important information
NOTE: This has nothing to do with the unlock process.
You have 10 seconds to force TWRP to keep ADB over USB active by using
Code:
adb wait-for-recovery && adb shell setprop twrp.usb.mode 0
In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.
Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)
Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.
TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).
For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).
It is still advised to disable OTA.
Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
Special thanks also to @Sus_i and @DanielF50 for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
Attachments
Last edited: