[UNLOCK][ROOT][TWRP][UNBRICK] FireTV 2 (sloane)

[Rortiz2]

Read this whole guide before starting.

This is for the 2nd gen Fire TV (sloane)

Current relase: amonet-sloane-v1.1

NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out.

To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:

• A Linux installation or live-system
• A a-a cable

1. Download the attached zip-file "amonet-sloane-v1.1zip".
2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.

NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:

NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

Once the zip-file finished flashing, disconnect the device and run:

sudo ./bootrom-step-minimal.sh

Then plug the device back in.

The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:

sudo ./fastboot-step.sh

After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
You can now install Magisk from there.

Important information

NOTE: This has nothing to do with the unlock process.

You have 10 seconds to force TWRP to keep ADB over USB active by using

adb wait-for-recovery && adb shell setprop twrp.usb.mode 0

In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
Special thanks also to @Sus_i and @DanielF50 for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.

 

[Rortiz2]

Unbricking / Unlocking with non-rooted Firmware

Prepare the environment, disable modemmanager and install the required packages:

sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix

sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip linked in the first post (OP).

If FireOS is still accessible there are other means of recovery, don't continue.

If your device shows one of the following symptoms:

1. It doesn't show any life (screen stays dark)
2. You see the white amazon logo, but cannot access FireOS.

If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).

1. Unplug the device from the wall
2. Start bootrom-step.sh
3. Plug in the power source and then the USB

NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)

1. Extract the attached zip-file "amonet-sloane-v1.1.zip" and open a terminal in that directory.
2. Start the script:

sudo ./bootrom-step.sh

It should now say Waiting for bootrom.

3. Connect the USB A-A cable, short the board according to the picture (DAT0 with GND), and connect the power supply.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run

sudo ./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Format data and use TWRP to flash a custom ROM, Magisk or SuperSU.

Checking USB connection
In lsusb the boot-rom shows up as:

Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone

If it shows up as:

Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader

instead, you are in preloader-mode, try again.

dmesg lists the correct device as:

[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00

 

[Rortiz2]

Unlocking with ADB + root

NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.

1. Extract the attached zip-file "amonet-sloane-v1.0.1.zip" and open a terminal in that directory.

NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder

2. Enable ADB in Developer Settings.

3. Start the script:

sudo ./step-1.sh

Your device will now reboot into recovery and perform a factory reset.

NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:

NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

Once the zip-file finished flashing, disconnect the device and run:

sudo ./bootrom-step-minimal.sh

Then plug the device back in.

The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:

sudo ./fastboot-step.sh

After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
If you used this method (brick), you're done with the unlock. Skip the step 4.

NOTE: Make sure you re-enable ADB after Factory Reset.

4. Start the script:

sudo ./step-2.sh

The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.

 

[Rortiz2]

There are three options for interacting with TWRP:

1. A mouse/keyboard via USB
2. ADB over ethernet/USB
3. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
4. Via /cache/recovery/command

Example for /cache/recovery/command:

echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery

If you somehow end in a bootloop you can boot into hacked fastboot or recovery using.

sudo ./boot-fastboot.sh

sudo ./boot-recovery.sh

NOTE: This will only work if the boot-exploit is still there.

Source Code:

• https://github.com/chaosmaster/amonet-sloane
• https://github.com/R0rt1z2/android_device_amazon_sloane
• https://github.com/chaosmaster/android_bootable_recovery

 

[k4y0z]

Reserved

 

[DanielF50]

Nice to see this released - it's been a while in the making... just glad that me and my multiple sloanes could be of service to the community

edit: obviously Magisk works with a full unlock, but as Rortiz2 states above this must be flashed to boot_x - I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.

 

[Bertonumber1]

Nice to see this released - it's been a while in the making... just glad that me and my multiple sloanes could be of service to the community

Yeah I'll second that, It works perfect and flawlessly. Be sure to follow the guide to the letter ..... .... It's good to see development continue to make progress on what I would say is the best amazon device of them all.
Well done. All your hardwork is greatly appreciated. @k4y0z , @Rortiz2 , @t0x1cSH, @Sus_i , @retyre , @diplomatic @DanielF50 without you guys continued attention and testing of these sticks/boxes we would be stuck with plain old boring devices.
Cheers again

regards

 

[Sus_i]

I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.

Don't worry, magisk flashing in TWRP works (now).

 

[Michajin]

Time to pull the Sloanes out of the drawer!

 

[Michajin]

Ok, so I ran into some issues. I flashed the zip in the pre-rooted TWRP. No errors and reboots into unlocked TWRP. From unlocked TWRP i format data and type yes, then reboot. Now i am at the black amazon fire logo and nothing happens. I think i missed or didnt understand the downgrading part to older than 5.2.7.3. So, i think i have to do the shorting method now? Also, does anyone know where i can find a old version <5.2.7.3 .bin to flash? Is there anyway to get back into unlocked TWRP now?

 

[0815hoffi]

http://aftvhacks.de/downloads/rooting/fire-tv-2/sloane-5.2.7.0-rooted_r1.zip

http://aftvhacks.de/downloads/rooting/fire-tv-2/sloane-5.2.6.7-rooted_r1.zip

All here, scroll down

Fire TV & Fire TV Stick Downloads: APKs von Apps & Games

Fire TV Downloads Sammlung von Android Apps (APK-Dateien), die man herunterladen und auf dem Amazon Fire TV und Fire TV Stick 4k installieren kann.

aftvhacks.de

 

[Michajin]

http://aftvhacks.de/downloads/rooting/fire-tv-2/sloane-5.2.7.0-rooted_r1.zip

http://aftvhacks.de/downloads/rooting/fire-tv-2/sloane-5.2.6.7-rooted_r1.zip

All here, scroll down

Fire TV & Fire TV Stick Downloads: APKs von Apps & Games

Fire TV Downloads Sammlung von Android Apps (APK-Dateien), die man herunterladen und auf dem Amazon Fire TV und Fire TV Stick 4k installieren kann.

aftvhacks.de

Thanks, great resource. I am looking for stock though...

" NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out. "

 

[Rortiz2]

Ok, so I ran into some issues. I flashed the zip in the pre-rooted TWRP. No errors and reboots into unlocked TWRP. From unlocked TWRP i format data and type yes, then reboot. Now i am at the black amazon fire logo and nothing happens. I think i missed or didnt understand the downgrading part to older than 5.2.7.3. So, i think i have to do the shorting method now? Also, does anyone know where i can find a old version <5.2.7.3 .bin to flash? Is there anyway to get back into unlocked TWRP now?

If the zip flashed fine forget about the downgrading part. Are you able to boot unlocked TWRP using boot-recovery.sh?
Here's an stock update.bin: https://d1s31zyz7dcc2d.cloudfront.n...indle-full_sloane-36.6.4.8_user_648594820.bin

 

[Michajin]

If the zip flashed fine forget about the downgrading part. Are you able to boot unlocked TWRP using boot-recovery.sh?
Here's an stock update.bin: https://d1s31zyz7dcc2d.cloudfront.n...indle-full_sloane-36.6.4.8_user_648594820.bin

yes, boot-recovery works perfect. That is exactly what I needed thanks!

 

[Sus_i]

In case someone needs some newer 'full OTA update' packages of the stock rom, only for sloane:

Fire OS 5.2.7.3 (652614020).

https://d1s31zyz7dcc2d.cloudfront.net/7af0a9a31621db60bf48d23e680751d3/update-kindle-full_sloane-36.6.5.2_user_652614020.bin

Fire OS 5.2.7.4 (656638420).

https://d1s31zyz7dcc2d.cloudfront.net/7758ad70f668023cc93ddee2655c6226/update-kindle-full_sloane-36.6.5.6_user_656638420.bin

Fire OS 5.2.7.6 (659654620).

https://d1s31zyz7dcc2d.cloudfront.net/c5b513d2116f5ad2942426ab79bb437b/update-kindle-full_sloane-36.6.5.9_user_659654620.bin

5.2.7.6 is the latest OS (as of today).
Don't forget to rename the file, i.e. .bin to .zip.

 

[DanielF50]

Don't worry, magisk flashing in TWRP works (now).

Oh, awesome news!

 

[Bertonumber1]

Hey guys, So do users of the new unlocked twrp to only use the clean update.bin files provided by @Sus_i and not the rbox prerooted stock (supersu) roms? Just to clarify for the sake of Magisk clashing with Supersu prerooted firmware incase it throws some nasty surprises.

Regards

 

[Sus_i]

Next OTA update incoming...

Full OTA update package (latest stock) for sloane:
Fire OS 5.2.7.7 (662663720).

https://d1s31zyz7dcc2d.cloudfront.net/b9f7c8f9a8a4ba1f34da8ce7a8077474/update-kindle-full_sloane-36.6.6.2_user_662663720.bin

 

[Bertonumber1]

Next OTA update incoming...

Full OTA update package (latest stock) for sloane:
Fire OS 5.2.7.7 (662663720).

https://d1s31zyz7dcc2d.cloudfront.net/b9f7c8f9a8a4ba1f34da8ce7a8077474/update-kindle-full_sloane-36.6.6.2_user_662663720.bin

5.2.7.7 yipeee
Seconds later bootloader is locked lol
I'm currently on 5.2.7.4 I think I'll stay there. This is the os before big A started messing with adb and accessibility (launchers) you can just disable launcher and firehomestarter apk provided there is a settings apk installed (hoffis is great).

 

[tw39515]

lol