[UNLOCK][ROOT][TWRP][UNBRICK] FireTV 2 (sloane)


Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Read this whole guide before starting.

This is for the 2nd gen Fire TV (sloane)

Current release: amonet-sloane-v1.1

NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
NOTE: This process will modify the partition-table (GPT) of your device.

NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash a stock update.bin
until that gets sorted out.

To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:
  • A Linux installation or live-system
  • An A-A cable
1. Download the attached zip-file "amonet-sloane-v1.1.zip".
2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.

NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary; this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:




NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

Once the zip-file finished flashing, disconnect the device and run:
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.

The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:
Code:
sudo ./fastboot-step.sh


After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
You can now install Magisk from there.

Important information

NOTE: This has nothing to do with the unlock process.

You have 10 seconds to force TWRP to keep ADB over USB active by using
Code:
adb wait-for-recovery && adb shell setprop twrp.usb.mode 0

In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
Special thanks also to @Sus_i and @DanielF50 for testing.
Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
 

Attachments

  • amonet-sloane-v1.0.0.zip
    23.5 MB · Views: 171
  • amonet-sloane-v1.0.1.zip
    23.5 MB · Views: 71
  • amonet-sloane-v1.1.zip
    23.5 MB · Views: 352
Last edited:

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Unbricking / Unlocking with non-rooted Firmware

Prepare the environment, disable modemmanager and install the required packages:
Code:
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
Code:
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip linked in the first post (OP).

If FireOS is still accessible there are other means of recovery, don't continue.

If your device shows one of the following symptoms:
  1. It doesn't show any life (screen stays dark)
  2. You see the white amazon logo, but cannot access FireOS.
If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
  1. Unplug the device from the wall
  2. Start bootrom-step.sh
  3. Plug in the power source and then the USB
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)


1. Extract the attached zip-file "amonet-sloane-v1.1.zip" and open a terminal in that directory.
2. Start the script:
Code:
sudo ./bootrom-step.sh
It should now say Waiting for bootrom.

3. Connect the USB A-A cable, short the board according to the picture, and connect the power supply.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code:
sudo ./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Format data and use TWRP to flash a custom ROM, Magisk or SuperSU.

Checking USB connection
In lsusb the boot-rom shows up as:
Code:
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If it shows up as:
Code:
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code:
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
 

Attachments

  • sloane.jpg
    sloane.jpg
    245.9 KB · Views: 465
Last edited:
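
The "Checking USB connection" check from the post above, as an added example that is not part of the original post or of the amonet scripts: it reads `lsusb` or `dmesg` text and reports whether a MediaTek device is in bootrom or preloader mode. The two VID:PID pairs are the ones quoted in the post; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a MediaTek boot-stage device from lsusb/dmesg text.
# Only the VID:PID pairs come from the post; all names here are hypothetical.

# classify_id VID:PID -> prints bootrom | preloader | other
classify_id() {
    case "$1" in
        0e8d:0003) echo bootrom ;;    # boot-rom, as listed in the post
        0e8d:2000) echo preloader ;;  # preloader mode ("try again")
        *)         echo other ;;
    esac
}

# extract_id LINE -> prints lowercase vid:pid, or nothing if the line has none.
# Accepts "ID 0e8d:0003" (lsusb) and "idVendor=0e8d, idProduct=0003" (dmesg).
extract_id() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*ID \([0-9A-Fa-f]\{4\}\):\([0-9A-Fa-f]\{4\}\).*/\1:\2/p' \
        -e 's/.*idVendor=\([0-9A-Fa-f]\{4\}\), *idProduct=\([0-9A-Fa-f]\{4\}\).*/\1:\2/p' \
      | head -n 1 | tr 'A-F' 'a-f'
}

# detect_mode: read lsusb/dmesg text on stdin and print the mode of the first
# matching device, or "none" when neither ID is present.
detect_mode() {
    mode=none
    while IFS= read -r line; do
        id=$(extract_id "$line")
        [ -n "$id" ] || continue
        m=$(classify_id "$id")
        [ "$m" = other ] && continue
        mode=$m
        break
    done
    echo "$mode"
}

# Constructed sample input, in the formats shown in the post.
SAMPLE_HUB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'
SAMPLE_PRELOADER='Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader'
SAMPLE_DMESG='[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00'

# Live use would be: lsusb | detect_mode
printf '%s\n' "$SAMPLE_HUB" "$SAMPLE_PRELOADER" | detect_mode
printf '%s\n' "$SAMPLE_DMESG" | detect_mode
```
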

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Unlocking with ADB + root

NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.

1. Extract the attached zip-file "amonet-sloane-v1.0.1.zip" and open a terminal in that directory.

NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder

2. Enable ADB in Developer Settings.

3. Start the script:
Code:
sudo ./step-1.sh

Your device will now reboot into recovery and perform a factory reset.

NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary; this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:




NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

Once the zip-file finished flashing, disconnect the device and run:
Code:
sudo ./bootrom-step-minimal.sh
Then plug the device back in.

The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:
Code:
sudo ./fastboot-step.sh

After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
If you used this method (brick), you're done with the unlock. Skip step 4.

NOTE: Make sure you re-enable ADB after Factory Reset.

4. Start the script:
Code:
sudo ./step-2.sh

The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
 
Last edited:

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
There are three options for interacting with TWRP:
  1. A mouse/keyboard via USB
  2. ADB over ethernet/USB
  3. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  4. Via /cache/recovery/command
Example for /cache/recovery/command:
Code:
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery
If you somehow end up in a bootloop, you can boot into hacked fastboot or recovery using:
Code:
sudo ./boot-fastboot.sh
Code:
sudo ./boot-recovery.sh

NOTE: This will only work if the boot-exploit is still there.

Source Code:
 
Last edited:

DanielF50

Senior Member
Jul 22, 2010
384
121
Hampshire, England
Nice to see this released - it's been a while in the making... just glad that me and my multiple sloanes could be of service to the community 😅

edit: obviously Magisk works with a full unlock, but as Rortiz2 states above this must be flashed to boot_x - I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.
 
Last edited:
Nice to see this released - it's been a while in the making... just glad that me and my multiple sloanes could be of service to the community 😅

Yeah I'll second that, it works perfectly and flawlessly. Be sure to follow the guide to the letter... It's good to see development continue to make progress on what I would say is the best Amazon device of them all.
Well done. All your hard work is greatly appreciated. @k4y0z , @Rortiz2 , @t0x1cSH, @Sus_i , @retyre , @diplomatic @DanielF50 without you guys' continued attention and testing of these sticks/boxes we would be stuck with plain old boring devices.
Cheers again

regards
 
Last edited:

Michajin

Senior Member
Oct 23, 2012
1,245
486
Ok, so I ran into some issues. I flashed the zip in the pre-rooted TWRP. No errors and reboots into unlocked TWRP. From unlocked TWRP I format data and type yes, then reboot. Now I am at the black amazon fire logo and nothing happens. I think I missed or didn't understand the downgrading part to older than 5.2.7.3. So, I think I have to do the shorting method now? Also, does anyone know where I can find an old version <5.2.7.3 .bin to flash? Is there any way to get back into unlocked TWRP now?
 

0815hoffi

Senior Member
Dec 22, 2019
403
121
Munich
github.com
Amazon Fire TV

Michajin

Senior Member
Oct 23, 2012
1,245
486


All here, scroll down

Thanks, great resource. I am looking for stock though...

" NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out. "
 

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Ok, so I ran into some issues. I flashed the zip in the pre-rooted TWRP. No errors and reboots into unlocked TWRP. From unlocked TWRP I format data and type yes, then reboot. Now I am at the black amazon fire logo and nothing happens. I think I missed or didn't understand the downgrading part to older than 5.2.7.3. So, I think I have to do the shorting method now? Also, does anyone know where I can find an old version <5.2.7.3 .bin to flash? Is there any way to get back into unlocked TWRP now?
If the zip flashed fine forget about the downgrading part. Are you able to boot unlocked TWRP using boot-recovery.sh?
Here's a stock update.bin: https://d1s31zyz7dcc2d.cloudfront.n...indle-full_sloane-36.6.4.8_user_648594820.bin
 

Sus_i

Senior Member
  • Apr 9, 2013
    1,048
    393
    Next OTA update incoming...

    Full OTA update package (latest stock) for sloane:
    Fire OS 5.2.7.7 (662663720).
    5.2.7.7 yipeee
    Seconds later bootloader is locked lol
    I'm currently on 5.2.7.4 I think I'll stay there. This is the os before big A started messing with adb and accessibility (launchers) you can just disable launcher and firehomestarter apk provided there is a settings apk installed (hoffis is great).
     

    Top Liked Posts

      5
      When I tried to install Magisk in TWRP it failed. It isn't that big of a problem as I am running one of Rbox's pre rooted ROMs but just thought it was odd.

      It was Magisk 19.5? I believe, can't remember off the top of my head.
      You are probably using rbox-twrp instead of unlocked twrp.
      I don't think there's any reason to use an old Magisk release either.

      Unfortunately the update overwrote the prerooted version with a standard unrooted version and you would have to go through the whole process again to unlock, but you would have to use the latest prerooted version once it is available so there are no updates to mess it up, and then block future updates after that. I decided to just wait for the newest prerooted version so I don't have to go through the process again.

      The good thing is that it is a fully functional unit for reasonably cheap.
      Can you please stop giving nonsense advice?
      1. There is no reason to redo the unlock.
      2. We currently DO NOT recommend using the prerooted ROM together with the unlock.
      5
      In case someone needs some newer 'full OTA update' packages of the stock rom, only for sloane:

      Fire OS 5.2.7.3 (652614020).

      Fire OS 5.2.7.4 (656638420).

      Fire OS 5.2.7.6 (659654620).

      5.2.7.6 is the latest OS (as of today).
      Don't forget to rename the file, i.e. .bin to .zip.
      5
      According to Amazon the latest software update is Amazon Fire TV (2nd Generation): Fire OS 5.2.7.8 (664657320) not 5.2.8.8.
      but I haven't found a link for it yet.

      Me too. Where to find link for full stock Fire OS 5.2.7.8 (664657320)? I'd like to keep my practice demo up to date.

      Fire OS 5.2.7.8 (664657620) for sloane:


      md5: 087cef3f082b0017231e8b938feaeec7
      5
      I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.

      Don't worry, magisk flashing in TWRP works (now). ;)