
[UNLOCK][ROOT][TWRP][UNBRICK] FireTV 2 (sloane)


incognegro76

Member
Dec 24, 2010
21
8
Those kinds of errors are common for me. Change USB port sometimes fixes my similar issues. Just start over and do it again.
That worked perfectly.

I was able to use recovery and then bootrom/fastboot to unbrick, then downgraded FireOS down to a rootable version but I had to wipe EVERYTHING in TWRP and rename the .bin stock OS to .zip. Then I installed it in TWRP and then Magisk/Amonet and rebooted to downgraded stock. Nervously connected a LAN cable and entered Amazon credentials to setup. Then configured Magisk for SU over ADB to not prompt and then disabled OTA from my K-Lite Linux laptop. I even deleted the update that my FireTV had downloaded immediately when I connected it to the network, it was just waiting for a reboot to undo all the work I had just done!
 

010u

Member
Jul 14, 2016
5
0
The AA cable arrived last night and I tried a short. I succeeded in burning the Stock ROM. However, although the network succeeded in scanning, the connection was not successful. It seems that the LAN cable is not working well, and it is displayed that the update is being checked, and the error "Please unplug the power and try later"? I can't proceed from.

My AFTV2 OS 5.2.8.0
Brick method
Ubuntu on parallels
amonet-sloane-gptfix.zip
amonet-sloane-v1.1.zip
Run gpt-fix.sh> minimal.sh
After wiping data with Twrp
Flash amonet-sloane-v1.1.zip
Flash update-kindle-full_sloane-36.6.4.8_user_648594820.zip
(update-kindle-full_sloane-36.6.6.8_user_668694820.zip and)
(I also tried update-kindle-full_sloane-36.6.3.0_user_630508620.zip)
Flash Magisk-v23.0.zip
(I also tried without Magisk)
Reboot

It succeeds, but I cannot connect to the above network and cannot activate. (Cannot reach the HOME screen)

afterwards,
When I burned sloane-5.2.7.0-rooted_r1.zip, the setting screen disappeared and
Even if I put it back in the Stock ROM due to a short circuit, the setting screen is no longer reached.

I want to return to the Stock state once and solve the network problem.

How should I solve it?
Thank you.
 

LocoMexican

Senior Member
Mar 12, 2017
101
23
I want to return to the Stock state once and solve the network problem.

How should I solve it?
Thank you.
Try this:

1. Use the "short" (brick) method.
2. Run gpt-fix.sh. This should put you into TWRP.
3. Using TWRP, install Amonet-Sloane v1.1.
4. Using TWRP, "format" (not wipe) data.
5. Using TWRP, install your stock (not pre-rooted) ROM.
6. (a) If you want superuser permissions, using TWRP, install Magisk.
(b) If you do not want superuser permissions, do not run Magisk.
7. Re-boot system.

If you want to revert to straight stock, try this:

1. Use the "short" (brick) method.
2. Run gpt-fix.sh. This puts you into TWRP.
3. Using TWRP, "format" (not wipe) data.
4. Using TWRP, install the stock ROM of your choice.
5. Reboot system.

Good luck.
 

010u

Member
Jul 14, 2016
5
0
After flushing sloane-5.2.7.0-rooted_r1.zip
update-kindle-full_sloane-36.6.4.8_user_648594820.zip etc.
I flashed and restarted without Magisk (just in case), but it didn't start. I'm expecting that boot.img etc. was rewritten with sloane-5.2.7.0-rooted_r1.zip, but with stock ROM such as update-kindle-full_sloane-36.6.4.8_user_648594820.zip, boot.img etc. Will all return to stock?
 

010u

Member
Jul 14, 2016
5
0
thank you for your answer.

Before executing "7. Re-boot system"
Currently, I am ADB to TWRP again.

postscript:
After all, even if you flash Stock and restart it,
The OS did not boot.
After the white Amazon logo, the lamp on the base keeps blinking white,
The screen is blacked out.


If you run idme print referring to the above, the following will be displayed.

#idme print
board_id: ffffff0000000000
serial: 0
mac_addr: 0
mac_sec: 0
bt_mac_addr: 0
product_name: 0
productid: 0
productid2: 0
bootmode: 1
postmode: 0
bootcount: 258
manufacturing:
eth_mac_addr: 0
device_type_id: 0
unlock_code:
sensorcal:
4800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
wifi_mfg: 0
bt_mfg: 0
KB:
30 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
DKB:
30 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
dev_flags: 0
fos_flags: 0
usr_flags: 0

# dd if=/sdcard/idme.bin of=/dev/block/mmcblk0boot1
dd: can't open '/sdcard/idme.bin': No such file or directory

It seems that it is being played from the network due to problems with the mac address and serial.
Is there a solution to the problem?
Thanking you in advance.
 
Last edited:

010u

Member
Jul 14, 2016
5
0
Flash the lineage rom ;)

postscript

After launching lineage 12.0, I was able to log in with ADB from USB. After all, the screen does not appear. .. .. Is it possible that TWRP is reflected and the OS is not reflected?


thank you for your answer.

I have various stock ROMs
I tried Lineage 12.0 and some Rooted.

Currently, Rooted5.2.7.6r1 is finally flushed.

However, the situation is the same for Lineage 12.0 and this time Rooted.

Amazon Logo> Normal boot or TWRP> Normal boot> Amazon Logo> Black out (Signal failed ??)

I waited for a while in Black out and pressed and held the home button on the remote control to pair. Then, the lamp of the terminal goes out and turns on every time the remote control button is pressed.

My guess is that the OS is up, but the video isn't being output properly. (TWRP and Amazon Logo are reflected)

Many apologies.
Do you have a solution to the problem?
Please give me some advice.
 
Last edited:

Sus_i

Senior Member
Apr 9, 2013
1,260
515
Many apologies.
Do you have a solution to the problem?
Please give me some advice.

I don't know what's going on with your fireTV.
It seems that it is seriously messed up, like your blank idme data shows.
But even if idme stuff is gone, you should still have a picture on your TV, at least for lineageOS and in twrp too.
I remember that my idme data was gone too back then, but fireOS was booting, it showed an empty stock launcher and stuff like the serial, LAN/WIFI/BT was f*cked up.

You know, it's Black Friday in a few days, you may get a new one ;)
 

abdi7451

Senior Member
Mar 12, 2013
244
57
Chicago
Hi, all. Please forgive the extremely n00bish questions. I've tried to read over the thread in its entirety, along with scouring other leads on XDA.

I have a Sloane FireTV. It has always been stock. Never unlocked, never rooted, never bricked, never had TWRP or any other recovery. In other words, it is vanilla.

It has been updated to the latest FireOS, version 5.2.8.0.

Am I understanding this correctly:

It is not possible for me to unlock and root this device without downgrading it to some version of FireOS before 5.2.7.3. And in order for me to downgrade it through ADB, I would need for it to be rooted already. Since it isn't rooted already, it is not possible at all for me to unlock and root this device.

I've enabled USB debugging, plugged it into my computer with the A-A cable, ran

Code:
[email protected] ~/d/a/amonet> sudo ./step-1.sh
[sudo] password for daruur:
Testing root access...
Trying to use mtk-su to get temp root...
Pushing root files
bin/mtk-su: 1 file pushed, 0 skipped. 168.9 MB/s (65144 bytes in 0.000s)
bin/minisu.img: 1 file pushed, 0 skipped. 1983.9 MB/s (1048576 bytes in 0.001s)
bin/busybox: 1 file pushed, 0 skipped. 1812.3 MB/s (989184 bytes in 0.001s)
Failed critical init step 1
Failed critical init step 1

Any and all help/guidance is greatly appreciated.
 

Rortiz2

Senior Member
Mar 1, 2018
2,257
1,551
Barcelona
Hi, all. Please forgive the extremely n00bish questions. I've tried to read over the thread in its entirety, along with scouring other leads on XDA.

I have a Sloane FireTV. It has always been stock. Never unlocked, never rooted, never bricked, never had TWRP or any other recovery. In other words, it is vanilla.

It has been updated to the latest FireOS, version 5.2.8.0.

Am I understanding this correctly:

It is not possible for me to unlock and root this device without downgrading it to some version of FireOS before 5.2.7.3. And in order for me to downgrade it through ADB, I would need for it to be rooted already. Since it isn't rooted already, it is not possible at all for me to unlock and root this device.

I've enabled USB debugging, plugged it into my computer with the A-A cable, ran

Code:
[email protected] ~/d/a/amonet> sudo ./step-1.sh
[sudo] password for daruur:
Testing root access...
Trying to use mtk-su to get temp root...
Pushing root files
bin/mtk-su: 1 file pushed, 0 skipped. 168.9 MB/s (65144 bytes in 0.000s)
bin/minisu.img: 1 file pushed, 0 skipped. 1983.9 MB/s (1048576 bytes in 0.001s)
bin/busybox: 1 file pushed, 0 skipped. 1812.3 MB/s (989184 bytes in 0.001s)
Failed critical init step 1
Failed critical init step 1

Any and all help/guidance is greatly appreciated.
Since your firmware is too new (and you can't root with mtk-su nor any other SW root method) you'll need to open up the device to short it and follow the directions of the second post.
 
  • Love
Reactions: abdi7451

yozh

Senior Member
Apr 23, 2006
545
8
Short Island
Hello,

I flashed 5.2.7.6 on my box and was able to get to unrooted, but it's still not updating to the latest firmware. Any ideas why?
 

DanielF50

Senior Member
Jul 22, 2010
459
207
Hampshire, England
Google Pixel 6 Pro
It seems that it is being played from the network due to problems with the mac address and serial.
Is there a solution to the problem?

You could possibly write all of this information back to the IDME temporarily (I think it clears after a full wipe/reset).

eg, if I used:

Code:
adb shell
su
idme mac_addr A12B3C445D6E

"idme print" would return:

Code:
mac_addr: A1:2B:3C:44:5D:6E

You could do this for every parameter and it MIGHT boot to FireOS, but I'm not 100% - see below.

---

Stock IDME data is as follows:

Code:
board_id: 0024001040000015
serial:  redacted
mac_addr: redacted
mac_sec: redacted
bt_mac_addr: redacted
product_name: 0
productid: 0
productid2: 0
bootmode: 1
postmode: 0
bootcount: 0
manufacturing:  PSN=8101redacted
eth_mac_addr: redacted
device_type_id: A12GXV8XMS007S
unlock_code:
sensorcal:
4800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
wifi_mfg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
bt_mfg: 00004676620160002310000007800006059003401f401f00048000ffffff00000000000000000000000000000000000000000000000000000000000000000000
KB:
4b 42 50 46 b8 13 00 00 c8 13
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
DKB:
30 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
dev_flags: 0
fos_flags: 0
usr_flags: 0


---

NOTES:

"serial" - you may be able to find your serial somehow (create backup in twrp? I don't know), or you can just make one up. These always start with "G070GV" and are then followed by 10 alphanumeric characters in the order 00000000AA OR 000000000A, for example "012345678A" or "01234567AB" would turn into "G070GV012345678A" or "G070GV01234567AB" - just make it up. Amazon pulls this from somewhere other than the IDME, which is how they can block stolen/blacklisted devices.

"mac_addr, bt_mac_addr & mac_eth" are all regular length MAC addresses (12 characters) - just make something up, as above.

"mac_sec" is always a set of 20 alphanumeric characters in a random order - I don't think it makes a difference on what this is set to (eg: AB12345CDE6789FGH012)?

"manufacturing" always starts with: " PSN=8101" (note the space in front of PSN!) which is then followed by 8 alphanumeric characters in order sequence 0000000A OR 000000AA OR 00000AAA (for example, these ones I just made up: 8473833A, OR 847383AF, OR 84738AFE) so the full data entry would be something like "PSN=8101847383A" or "PSN=810184738AFE" but I am also unsure if this matters what this is set to.

---

As you are going to need to rewrite most of this information to your IDME, the commands would consist of:

idme board_id 0024001040000015

idme serial G070GVYOUR OWN HERE

idme mac_addr YOUR OWN HERE

idme mac_sec YOUR OWN HERE

idme bt_mac_addr YOUR OWN HERE

idme manufacturing PSN=8101YOUR OWN HERE (REMEMBER THE DOUBLE SPACE)

idme eth_mac_addr YOUR OWN HERE

idme device_type_id A12GXV8XMS007S

idme wifi_mfg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

idme bt_mfg 00004676620160002310000007800006059003401f401f00048000ffffff00000000000000000000000000000000000000000000000000000000000000000000

idme KB 4b 42 50 46 b8 13 00 00 c8 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

---

Long post, but maybe it will help you out.

---

EDIT 30/11/21: I have now attached a BLANK IDME backup .bin file.

You will NEED to download & edit this file with a HEX editor (thanks @Sus_i!), add all your own parameters (see: #NOTES above) & after doing so, you can then place "boot1.bin" on the sloane's internal SD card (adb push while in twrp) or external SD card (copy via pc, then mount in twrp). Finally, you can then run the below commands to write it to the correct partition. This should then stick after a factory reset too, hopefully.


If you do not edit this file, your serial/MAC addresses/mac_sec/psn will all be "00000000" and probably won't work.

To dd flash this bin file to your device (once edited), run these commands in shell via usb/network or twrp terminal:

Code:
echo 0 > /sys/block/mmcblk0boot1/force_ro

If boot1.bin is on internal SD:

Code:
dd if=/sdcard/boot1.bin of=/dev/block/mmcblk0boot1

If boot1.bin is on external microSD:

Code:
dd if=/external_sd/boot1.bin of=/dev/block/mmcblk0boot1

Obviously just reboot after running this command, and the new IDME should have been written to boot1.
 

Attachments

  • boot1.bin
    4 MB · Views: 0
Last edited:
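A check for the situation discussed in the posts above, added here as an example and not part of the original post: it reads saved `idme print` output and reports identity fields that are blank, zeroed, or not in the formats the notes describe. The names `check_idme`, `sample_blank` and `sample_ok` are hypothetical, and both sample inputs are constructed (the first from the blanked output posted earlier in the thread, the second from the post's made-up values).

```shell
#!/bin/sh
# Added example: flag blank or malformed identity fields in `idme print` output.
# check_idme and the sample_* helpers are hypothetical names.

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

REQUIRED="serial mac_addr mac_sec bt_mac_addr manufacturing eth_mac_addr device_type_id"

# Reads `idme print` text on stdin; prints one "BAD <field>: <reason>" line per
# problem and returns 1 if there was any, 0 if every checked field looks sane.
check_idme() {
    bad=0 seen=" "
    while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac    # skip KB/DKB hex rows
        key=${line%%:*}
        val=$(printf '%s' "${line#*:}" | tr -d ' \t\r')
        case $key in
            serial)         re='^G070GV[0-9A-Za-z]{10}$' ;;
            mac_addr|bt_mac_addr|eth_mac_addr)
                            val=$(printf '%s' "$val" | tr -d ':')
                            re='^[0-9A-Fa-f]{12}$' ;;
            mac_sec)        re='^[0-9A-Za-z]{20}$' ;;
            manufacturing)  re='^PSN=8101[0-9A-Za-z]{8}$' ;;
            device_type_id) re='^A12GXV8XMS007S$' ;;
            *) continue ;;
        esac
        seen="$seen$key "
        if matches "$val" '^0*$'; then
            echo "BAD $key: blank or all zeros"; bad=1
        elif ! matches "$val" "$re"; then
            echo "BAD $key: unexpected format"; bad=1
        fi
    done
    for key in $REQUIRED; do
        case $seen in *" $key "*) ;; *) echo "BAD $key: missing"; bad=1 ;; esac
    done
    return $bad
}

# Constructed input 1: the identity fields from the blanked output posted earlier.
sample_blank() { cat <<'EOF'
board_id: ffffff0000000000
serial: 0
mac_addr: 0
mac_sec: 0
bt_mac_addr: 0
manufacturing:
eth_mac_addr: 0
device_type_id: 0
EOF
}

# Constructed input 2: placeholder values in the formats the post describes.
sample_ok() { cat <<'EOF'
serial: G070GV012345678A
mac_addr: A1:2B:3C:44:5D:6E
mac_sec: AB12345CDE6789FGH012
bt_mac_addr: A1:2B:3C:44:5D:6F
manufacturing:  PSN=8101847383AF
eth_mac_addr: A1:2B:3C:44:5D:70
device_type_id: A12GXV8XMS007S
EOF
}
```

Save the device's `idme print` output to a file and run `check_idme < file`; an empty result with exit status 0 means every checked field is present and well-formed.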

DanielF50

Senior Member
Jul 22, 2010
459
207
Hampshire, England
Google Pixel 6 Pro
Nice guide (y)
A dd backup of boot1, edited with a Hex Editor works too and is the only way to fix KB (which is a 1:1 copy of the data on KB partition).
Ah, good to know!

I don't have a dd backup of any of my sloane's idme otherwise I'd clear it out and upload a blank one. I might be able to get one later and update the post though 👍
 
  • Like
Reactions: Sus_i
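The `dd` write to `mmcblk0boot1` from the posts above, wrapped so that the partition is backed up first and read back afterwards; this is an added example, not code from the thread. The function name `flash_idme` and its return codes are hypothetical, and it assumes `dd`, `cmp`, `head -c` and `wc` are available in the shell you run it from.

```shell
#!/bin/sh
# Added example: back up the IDME partition before overwriting it, then read
# the device back and compare it with the image. flash_idme is a hypothetical name.

# flash_idme IMAGE DEVICE BACKUP
#   returns 0 written and verified, 1 verify failed (backup restored),
#           2 image unreadable, 3 backup file already exists,
#           4 backup failed, 5 image larger than device
flash_idme() {
    img=$1 dev=$2 bak=$3
    [ -r "$img" ] || { echo "cannot read image: $img" >&2; return 2; }
    [ ! -e "$bak" ] || { echo "backup exists, not overwriting: $bak" >&2; return 3; }

    # 1. Save the current contents and confirm the copy matches the device.
    dd if="$dev" of="$bak" 2>/dev/null || return 4
    cmp -s "$dev" "$bak" || return 4

    # 2. Refuse an image that does not fit.
    size=$(wc -c < "$img" | tr -d ' ')
    devsize=$(wc -c < "$dev" | tr -d ' ')
    [ "$size" -le "$devsize" ] || { echo "image larger than device" >&2; return 5; }

    # 3. Lift the read-only flag when DEVICE is a real eMMC boot partition
    #    (the sysfs node is absent when DEVICE is an ordinary file).
    ro=/sys/block/${dev##*/}/force_ro
    if [ -w "$ro" ]; then echo 0 > "$ro"; fi

    # 4. Write, flush, and read back exactly as many bytes as the image has.
    dd if="$img" of="$dev" conv=notrunc 2>/dev/null || echo "dd write failed" >&2
    sync
    if head -c "$size" "$dev" | cmp -s - "$img"; then
        return 0
    fi

    # 5. Readback differs: put the saved copy back and report failure.
    echo "verify failed, restoring $bak" >&2
    dd if="$bak" of="$dev" conv=notrunc 2>/dev/null
    return 1
}
```

On the device this would be called as `flash_idme /sdcard/boot1.bin /dev/block/mmcblk0boot1 /sdcard/boot1-backup.bin`, where the backup path is a placeholder.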

Sus_i

Senior Member
Apr 9, 2013
1,260
515
Hello,

I flashed 5.2.7.6 on my box and was able to get to unrooted, but it's still not updating to the latest firmware. Any ideas why?
I guess you missed the note in the prerooted rom thread!?
Managing Stock Recovery
Starting with 5.0.5_r3, stock recovery gets disabled. This means you cannot reboot in to stock recovery manually or automatically because of a system update. This will make it safer for people who forget to disable updates. You should still disable updates though. If for whatever reason, you want to reenable it, or verify it is disabled, you can use the manage_recovery program.
With a disabled stock recovery, the box won't update at all.

You can try to boot the recovery:
Code:
adb shell
reboot recovery
Take a look on the TV what happens...
 
Last edited:

Top Liked Posts

  • 1
    i m on 5.2.8.0 using firetv 2 sloane, i never rooted.
    pls guide me from where i should start, i mean basic steps for rooting the device.
  • 10
    Read this whole guide before starting.

    This is for the 2nd gen Fire TV (sloane)

    Current release: amonet-sloane-v1.1

    NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
    NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
    NOTE: This process will modify the partition-table (GPT) of your device.

    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
    NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash a stock update.bin
    until that gets sorted out.

    To update to the current release if you are already unlocked, just flash the zip in TWRP.

    What you need:
    • A Linux installation or live-system
    • An A-A cable
    1. Download the attached zip-file "amonet-sloane-v1.1.zip".
    2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
    3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.

    NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you need to continue with bootrom-step-minimal.sh:




    NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
    NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

    Once the zip-file finished flashing, disconnect the device and run:
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
    Then run:
    Code:
    sudo ./fastboot-step.sh


    After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
    You can now install Magisk from there.

    Important information

    NOTE: This has nothing to do with the unlock process.

    You have 10 seconds to force TWRP to keep ADB over USB active by using
    Code:
    adb wait-for-recovery && adb shell setprop twrp.usb.mode 0

    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
    Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
    Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
    Special thanks also to @Sus_i and @DanielF50 for testing.
    Special thanks also to @diplomatic for his wonderful mtk-su, allowing you to unlock without opening the device.
    5
    I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.

    Don't worry, magisk flashing in TWRP works (now). ;)
    5
    When I tried to install Magisk in TWRP it failed. It isn't that big of a problem as I am running one of Rbox's pre rooted ROMs but just thought it was odd.

    It was Magisk 19.5? I believe, can't remember off the top of my head.
    You are probably using rbox-twrp instead of unlocked twrp.
    I don't think there's any reason to use an old Magisk release either.

    Unfortunately the update overwrote the prerooted version with a standard unrooted version and you would have to go through the whole process again to unlock, but you would have to use the latest prerooted version once it is available so there are no updates to mess it up. and then block future updates after that. I decided to just wait for the newest prerooted version so I don't have to go through the process again.

    The good thing is that it is a fully functional unit for reasonably cheap.
    Can you please stop giving nonsense advice?
    1. There is no reason to redo the unlock.
    2. We currently DO NOT recommend using the prerooted ROM together with the unlock.
    5
    In case someone needs some newer 'full OTA update' packages of the stock rom, only for sloane:

    Fire OS 5.2.7.3 (652614020).

    Fire OS 5.2.7.4 (656638420).

    Fire OS 5.2.7.6 (659654620).

    5.2.7.6 is the latest OS (as of today).
    Don't forget to rename the file, i.e. .bin to .zip.
    5
    According to Amazon the latest software update is Amazon Fire TV (2nd Generation): Fire OS 5.2.7.8 (664657320) not 5.2.8.8.
    but I haven't found a link for it yet.

    Me too. Where to find link for full stock Fire OS 5.2.7.8 (664657320)? I'd like to keep my practice demo up to date.

    Fire OS 5.2.7.8 (664657620) for sloane:


    md5: 087cef3f082b0017231e8b938feaeec7