[UNLOCK][ROOT][TWRP][UNBRICK] FireTV 2 (sloane)

Search This thread
By:
Advanced…
R

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Read this whole guide before starting.

This is for the 2nd gen Fire TV (sloane)

Current relase: amonet-sloane-v1.1

NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
NOTE: This process will modify the partition-table (GPT) of your device.
NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out.

To update to the current release if you are already unlocked, just flash the zip in TWRP.

What you need:
  • A Linux installation or live-system
  • A a-a cable
1. Download the attached zip-file "amonet-sloane-v1.1zip".
2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.

NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:



NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

Once the zip-file finished flashing, disconnect the device and run:
Code: 
sudo ./bootrom-step-minimal.sh
Then plug the device back in.

The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:
Code: 
sudo ./fastboot-step.sh


After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
You can now install Magisk from there.

Important information

NOTE: This has nothing to do with the unlock process.

You have 10 seconds to force TWRP to keep ADB over USB active by using
Code: 
adb wait-for-recovery && adb shell setprop twrp.usb.mode 0

In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

It is still advised to disable OTA.

Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
Special thanks also to @Sus_i and @DanielF50 for testing.
Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
 

Attachments

  • amonet-sloane-v1.0.0.zip
    23.5 MB · Views: 171
  • amonet-sloane-v1.0.1.zip
    23.5 MB · Views: 71
  • amonet-sloane-v1.1.zip
    23.5 MB · Views: 352
Last edited:
  • Like
Reactions: ggow, brick00444, ssurell and 5 others
R

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Unbricking / Unlocking with non-rooted Firmware

Prepare the environment, disable modemmanager and install the required packages:
Code: 
sudo apt update
sudo add-apt-repository universe
sudo apt install python3 python3-serial adb fastboot dos2unix
Code: 
sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip linked in the first post (OP).

If FireOS is still accessible there are other means of recovery, don't continue.

If your device shows one of the following symptoms:
  1. It doesn't show any life (screen stays dark)
  2. You see the white amazon logo, but cannot access FireOS.
If you have a Type 1 brick, you may not have to open the device, if your device comes up in bootrom-mode (See Checking USB connection below).
  1. Unplug the device from the wall
  2. Start bootrom-step.sh
  3. Plug in the power source and then the USB
NOTE: If you have issues running the scripts, you might have to run them using sudo.
Also try using different USB-ports (preferably USB-2.0-ports)

1. Extract the attached zip-file "amonet-sloane-v1.1.zip" and open a terminal in that directory.
2. Start the script:
Code: 
sudo ./bootrom-step.sh
It should now say Waiting for bootrom.

3. Connect the USB A-A cable, short the board according to the picture, and connect the power supply.

4. When the script asks you to remove the short, remove the short and press enter.

5. Wait for the script to finish.
If it stalls at some point, stop it and restart the process from step 2.

6. Your device should now reboot into unlocked fastboot state.

7. Run
Code: 
sudo ./fastboot-step.sh

8. Wait for the device to reboot into TWRP.

9. Format data and use TWRP to flash a custom ROM, Magisk or SuperSU.

Checking USB connection
In lsusb the boot-rom shows up as:
Code: 
Bus 002 Device 013: ID 0e8d:0003 MediaTek Inc. MT6227 phone
If it shows up as:
Code: 
Bus 002 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
instead, you are in preloader-mode, try again.

dmesg lists the correct device as:
Code: 
[ 6383.962057] usb 2-2: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
 

Attachments

  • sloane.jpg
    sloane.jpg
    245.9 KB · Views: 465
Last edited:
R

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
Unlocking with ADB + root

NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.

1. Extract the attached zip-file "amonet-sloane-v1.0.1.zip" and open a terminal in that directory.

NOTE: If you are already rooted, continue with the next step, otherwise get mtk-su by @diplomatic from here and place (the unpacked binary) into amonet/bin folder

2. Enable ADB in Developer Settings.

3. Start the script:
Code: 
sudo ./step-1.sh

Your device will now reboot into recovery and perform a factory reset.

NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
If you chose the brick option, you need to continue with bootrom-step-minimal.sh:



NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

Once the zip-file finished flashing, disconnect the device and run:
Code: 
sudo ./bootrom-step-minimal.sh
Then plug the device back in.

The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
Then run:
Code: 
sudo ./fastboot-step.sh

After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
If you used this method (brick), you're done with the unlock. Skip the step 4.

NOTE: Make sure you re-enable ADB after Factory Reset.

4. Start the script:
Code: 
sudo ./step-2.sh

The exploit will now be flashed and your device will reboot into TWRP.
You can now install Magisk from there.
 
Last edited:
R

Rortiz2

Senior Member
Mar 1, 2018
2,033
1,239
Barcelona
There are three options for interacting with TWRP:
  1. A mouse/keyboard via USB
  2. ADB over ethernet/USB
  3. TWRP commandline via adb: https://twrp.me/faq/openrecoveryscript.html
  4. Via /cache/recovery/command
Example for /cache/recovery/command:
Code: 
echo "--update_package=/path/to/zipfile" > /cache/recovery/command
echo "--wipe_cache" >> /cache/recovery/command
reboot recovery
If you somehow end in a bootloop you can boot into hacked fastboot or recovery using.
Code: 
sudo ./boot-fastboot.sh
Code: 
sudo ./boot-recovery.sh

NOTE: This will only work if the boot-exploit is still there.

Source Code:
 
Last edited:
  • Like
Reactions: Bertonumber1 and DanielF50
D

DanielF50

Senior Member
Jul 22, 2010
384
121
Hampshire, England
Nice to see this released - it's been a while in the making... just glad that me and my multiple sloanes could be of service to the community 😅

edit: obviously Magisk works with a full unlock, but as Rortiz2 states above this must be flashed to boot_x - I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.
 
Last edited:
  • Like
Reactions: k4y0z, Rortiz2, Bertonumber1 and 1 other person
Bertonumber1

Bertonumber1

Senior Member
    • May 17, 2020
    734
    190
    Glasgow UK
    Samsung Galaxy Tab A series
    Samsung Galaxy S9+
    DanielF50 said:
    Nice to see this released - it's been a while in the making... just glad that me and my multiple sloanes could be of service to the community 😅
    Click to expand...

    Yeah I'll second that, It works perfect and flawlessly. Be sure to follow the guide to the letter ..... .... It's good to see development continue to make progress on what I would say is the best amazon device of them all.
    Well done. All your hardwork is greatly appreciated. @k4y0z , @Rortiz2 , @t0x1cSH, @Sus_i , @retyre , @diplomatic @DanielF50 without you guys continued attention and testing of these sticks/boxes we would be stuck with plain old boring devices.
    Cheers again

    regards
     
    Last edited:
    • Like
    Reactions: brick00444, DanielF50, k4y0z and 1 other person
    Michajin

    Michajin

    Senior Member
    Oct 23, 2012
    1,245
    486
    Ok, so I ran into some issues. I flashed the zip in the pre-rooted TWRP. No errors and reboots into unlocked TWRP. From unlocked TWRP i format data and type yes, then reboot. Now i am at the black amazon fire logo and nothing happens. I think i missed or didnt understand the downgrading part to older than 5.2.7.3. So, i think i have to do the shorting method now? Also, does anyone know where i can find a old version <5.2.7.3 .bin to flash? Is there anyway to get back into unlocked TWRP now?
     
    0815hoffi

    0815hoffi

    Senior Member
    Dec 22, 2019
    403
    121
    Munich
    github.com
    Amazon Fire TV
    • Like
    Reactions: Michajin
    Michajin

    Michajin

    Senior Member
    Oct 23, 2012
    1,245
    486
    0815hoffi said:


    All here, scroll down

    aftvhacks.de

    Fire TV & Fire TV Stick Downloads: APKs von Apps & Games

    Fire TV Downloads Sammlung von Android Apps (APK-Dateien), die man herunterladen und auf dem Amazon Fire TV und Fire TV Stick 4k installieren kann.
    aftvhacks.de aftvhacks.de
    Click to expand...
    Thanks, great resource. I am looking for stock though...

    " NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin until that gets sorted out. "
     
    R

    Rortiz2

    Senior Member
    Mar 1, 2018
    2,033
    1,239
    Barcelona
    Michajin said:
    Ok, so I ran into some issues. I flashed the zip in the pre-rooted TWRP. No errors and reboots into unlocked TWRP. From unlocked TWRP i format data and type yes, then reboot. Now i am at the black amazon fire logo and nothing happens. I think i missed or didnt understand the downgrading part to older than 5.2.7.3. So, i think i have to do the shorting method now? Also, does anyone know where i can find a old version <5.2.7.3 .bin to flash? Is there anyway to get back into unlocked TWRP now?
    Click to expand...
    If the zip flashed fine forget about the downgrading part. Are you able to boot unlocked TWRP using boot-recovery.sh?
    Here's an stock update.bin: https://d1s31zyz7dcc2d.cloudfront.n...indle-full_sloane-36.6.4.8_user_648594820.bin
     
    • Like
    Reactions: Michajin
    S

    Sus_i

    Senior Member
    • Apr 9, 2013
    1,048
    393
    In case someone needs some newer 'full OTA update' packages of the stock rom, only for sloane:

    Fire OS 5.2.7.3 (652614020).

    Fire OS 5.2.7.4 (656638420).

    Fire OS 5.2.7.6 (659654620).

    5.2.7.6 is the latest OS (as of today).
    Don't forget to rename the file, i.e. .bin to .zip.
     
    • Like
    Reactions: brick00444, k4y0z, Bertonumber1 and 2 others
    Bertonumber1

    Bertonumber1

    Senior Member
    • May 17, 2020
    734
    190
    Glasgow UK
    Samsung Galaxy Tab A series
    Samsung Galaxy S9+
    Sus_i said:
    Next OTA update incoming...

    Full OTA update package (latest stock) for sloane:
    Fire OS 5.2.7.7 (662663720).
    Click to expand...
    5.2.7.7 yipeee
    Seconds later bootloader is locked lol
    I'm currently on 5.2.7.4 I think I'll stay there. This is the os before big A started messing with adb and accessibility (launchers) you can just disable launcher and firehomestarter apk provided there is a settings apk installed (hoffis is great).
     
    • Like
    Reactions: Sus_i and tw39515
    You must log in or register to reply here.

    Similar threads

    K
    [UNLOCK][ROOT][TWRP][UNBRICK] Fire TV Stick 4K (mantis)
    Replies
    2K
    Views
    249K
    E
    emkorial
    R
    FireTV Partial Bootloader Unlock
    Replies
    47
    Views
    40K
    S
    smurat_82
    R
    FireTV 1 (bueller) Full Bootloader Unlock
    Replies
    130
    Views
    90K
    T
    T1g3rbl000d
    R
    FireTV 2 Recovery Installer [v3]
    Replies
    108
    Views
    69K
    S
    Sus_i
    N
    [NEWBIE GUIDE] How to Unlock Bootloader/Root and install Addons FireStick 4k
    Replies
    64
    Views
    28K
    E
    emkorial

    Top Liked Posts

    24 Hours All time
    • There are no posts matching your filters.
    • 8
      R
      Rortiz2
      Read this whole guide before starting.

      This is for the 2nd gen Fire TV (sloane)

      Current relase: amonet-sloane-v1.1

      NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
      NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
      NOTE: This process will modify the partition-table (GPT) of your device.
      NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
      NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin       until that gets sorted out.

      To update to the current release if you are already unlocked, just flash the zip in TWRP.

      What you need:
      • A Linux installation or live-system
      • A a-a cable
      1. Download the attached zip-file "amonet-sloane-v1.1zip".
      2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
      3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.

      NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
      If you chose the brick option, you need to continue with bootrom-step-minimal.sh:



      NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
      NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

      Once the zip-file finished flashing, disconnect the device and run:
      Code: 
      sudo ./bootrom-step-minimal.sh
      Then plug the device back in.

      The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
      Then run:
      Code: 
      sudo ./fastboot-step.sh


      After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
      You can now install Magisk from there.

      Important information

      NOTE: This has nothing to do with the unlock process.

      You have 10 seconds to force TWRP to keep ADB over USB active by using
      Code: 
      adb wait-for-recovery && adb shell setprop twrp.usb.mode 0

      In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
      TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

      Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

      Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

      TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

      For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

      It is still advised to disable OTA.

      Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
      Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
      Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
      Special thanks also to @Sus_i and @DanielF50 for testing.
      Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
      View
      5
      K
      k4y0z
      Kbuskill! said:
      When I tried to install Magisk in TWRP it failed. It isn't that big of a problem as I am running one of Rbox's pre rooted ROMs but just thought it was odd.

      It was Magisk 19.5? I believe, can't remember off the top of my head.
      Click to expand...
      You are probably using rbox-twrp instead unlocked twrp.
      I don't think there's any reason to use an old Magisk release either.

      comm-ents said:
      Unfortunately the update overwrote the prerooted version with a standard unrooted version and you would have to go through the whole process again to unlock, but you would have to use the latest prerooted version once it is available so there no updates to mess it up. and then block future updates after that. I decided to just wait for the newest prerooted version so I don't have to go through the process again.

      The good thing is that it is a fully functional unit for reasonably cheap.
      Click to expand...
      Can you please stop giving nonsense advice?
      1. There is no reason to redo the unlock.
      2. We currently DO NOT recommend using the prerooted ROM together with the unlock.
      View
      5
      S
      Sus_i
      In case someone needs some newer 'full OTA update' packages of the stock rom, only for sloane:

      Fire OS 5.2.7.3 (652614020).

      Fire OS 5.2.7.4 (656638420).

      Fire OS 5.2.7.6 (659654620).

      5.2.7.6 is the latest OS (as of today).
      Don't forget to rename the file, i.e. .bin to .zip.
      View
      5
      S
      Sus_i
      meohmy said:
      According to Amazon the latest software update is Amazon Fire TV (2nd Generation): Fire OS 5.2.7.8 (664657320) not 5.2.8.8.
      but I haven't found a link for it yet.
      Click to expand...

      LocoMexican said:
      Me too. Where to find link for full stock Fire OS 5.2.7.8 (664657320)? I'd like to keep my practice demo up to date.
      Click to expand...

      Fire OS 5.2.7.8 (664657620) for sloane:


      md5: 087cef3f082b0017231e8b938feaeec7
      View
      5
      S
      Sus_i
      DanielF50 said:
      I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.
      Click to expand...

      Don't worry, magisk flashing in TWRP works (now). ;)
      View

    New posts