[UNLOCK][ROOT][TWRP][UNBRICK] FireTV 2 (sloane)

Search This thread

Rortiz2

Senior Member
Mar 1, 2018
2,448
1,862
Barcelona
Hm, ok. So " your box is completely dead" means there's no way to fix it? Yes I got some errors about read-only too.
But the eMMC looks intact but in read-only mode?
Sorry for the questions I really can't follow as I am no specialist in linux/android stuff.
There is no known way to get rid of permanent write protection (so yeah, there's no way to fix it). I also have a box in the same state (which actually uses Samsung eMMC too) and we already tried a lot of things (we even tried using Samsung backdoor cmds) with no luck.

If you ever manage to dump the ext_csd, you can check the eMMC status with this tool. If the eMMC went into read-only mode, it'll show you the following output:
Code:
Permanent write protection,PERM_WRITE_PROTECT,1,R/W,[13:13],0x1
Temporary write protection,TMP_WRITE_PROTECT,1,R/W/E,[12:12],0x0
(0x1 means PERM_WRITE_PROTECT is enabled)
 
Last edited:

atdog69

Member
Jan 28, 2022
13
0
There is no known way to get rid of permanent write protection (so yeah, there's no way to fix it). I also have a box in the same state (which actually uses Samsung eMMC too) and we already tried a lot of things (we even tried using Samsung backdoor cmds) with no luck.

If you ever manage to dump the ext_csd, you can check the eMMC status with this tool. If the eMMC went into read-only mode, it'll show you the following output:
Code:
Permanent write protection,PERM_WRITE_PROTECT,1,R/W,[13:13],0x1
Temporary write protection,TMP_WRITE_PROTECT,1,R/W/E,[12:12],0x0
(0x1 means PERM_WRITE_PROTECT is enabled)
I think I'll give up now, 4 days of trying is enough.

At last there is one thing I would look into and that's the eMMC status if you can tell me how to "dump the ext_csd" ? I don't even know how to download that tool nor how to use it...
 

teddy12

New member
Jun 17, 2017
4
2
I was able to bring my Fire TV box back to life using the shorting method, the best way I found to successfully short the correct point was to use a medium-sized safety pin which gives you something stable to press onto the metal cover of the adjacent chip and also gives you a sharp point on the other end to short the right place on the circuit board.
 

First_Degree

Member
Jun 20, 2017
7
3
Couple questions, been a while since I dusted off the sloane:

Currently running latest rbox prerooted.
-Is it possible to unlock the bootloader without using adb? (i.e. do everything from rbox twrp on the device?)
-If so, what are the specific steps to unlock, update and root via magisk? (i.e. install amonet-sloane-v1.1.zip, clear cache/format/etc., then allow update via OTA, then install magisk renamed apk as zip from twrp?); specifics welcome for a dummy like me
-Sounds like 5.2.8.7 stock software update recently was pushed out - any word on issues with this latest version? I don't run custom launcher, but have considered experimenting with a vanilla ATV, but sounds like this update may block that...
-With root, has anyone been able to get this particular device to use the microsd as shared internal storage? I've seen some OTG options for newer revisions (4k stick, etc.), but haven't seen anything for Sloane with microsd. Even when installing apps to sd, still have a ton of stuff taking up space on the internal storage...

Apologies for the newbish nature of this post. Really have only used linux minimally, tried prepping environment (Win 10 PC), doing this with provided instructions via ADB. Was able to connect, and navigate to the correct directory, but had numerous issues executing the scripts (permission denied, etc.)

Appreciate any assistance!
 
  • Like
Reactions: Han-Droid

Sus_i

Senior Member
Apr 9, 2013
1,601
688
Currently running latest rbox prerooted.
-Is it possible to unlock the bootloader without using adb? (i.e. do everything from rbox twrp on the device?)
-If so, what are the specific steps to unlock, update and root via magisk? (i.e. install amonet-sloane-v1.1.zip, clear cache/format/etc.,
Yeah.
First thing I would do (after the amonet flash + format data) is to boot into the new recovery., i.e. not the rbox one. In case you can boot into it, flash also a new stock rom + magisk if you need root.

It's best if you have an usb a-a cable, as a backup option (second post) :p
 

First_Degree

Member
Jun 20, 2017
7
3
Yeah.
First thing I would do (after the amonet flash + format data) is to boot into the new recovery., i.e. not the rbox one. In case you can boot into it, flash also a new stock rom + magisk if you need root.

It's best if you have an usb a-a cable, as a backup option (second post) :p
Appreciate the response!

Ok, notes so far (please keep me honest :)):

-step 1: boot into rbox twrp
-step 2: flash the amonet zip from rbox twrp (will likely be from sd card)
-step 3: format internal storage from rbox twrp
-step 4: reboot into new recovery
-step 5: flash new stock rom (from twrp)
-step 6: flash magisk (from twrp)
-step 7: reboot into updated, rooted device

Follow up questions:
-For step 4 above, do I need to trigger recovery via command line/adb from PC? (while connected USB A:A)
-For step 5 above, which stock rom do you recommend? latest (5.2.8.7, or the one just prior)?
-For step 5 and beyond, what post install wipe steps do you recommend? (wipe cache, etc.)
-While probably not the right place, per my original post, is there a way to make the system recognize the sd as shared/internal storage? I typically use adopted/external on Android devices if able, but the limited internal storage on this device has proven challenging

Again, apologies for the newbish questions, but trying to be conservative/thorough.

Thanks again for the support! Much appreciated!!
 
  • Like
Reactions: Han-Droid

Sus_i

Senior Member
Apr 9, 2013
1,601
688
Appreciate the response!

Ok, notes so far (please keep me honest :)):

-step 1: boot into rbox twrp
-step 2: flash the amonet zip from rbox twrp (will likely be from sd card)
-step 3: format internal storage from rbox twrp
-step 4: reboot into new recovery
-step 5: flash new stock rom (from twrp)
-step 6: flash magisk (from twrp)
-step 7: reboot into updated, rooted device
It should work just fine.
BUT it could be that you get some red errors, if you try to mount or format data (just after the amonet flashing). i.e. maybe you can't format data, then reboot into rbox twrp and the format should work...
Follow up questions:
-For step 4 above, do I need to trigger recovery via command line/adb from PC? (while connected USB A:A)
Yes, but twrp works also over network rj45 port...
Maybe you can use twrp shell too, see the advanced tab, open the shell and try reboot recovery
-For step 5 above, which stock rom do you recommend? latest (5.2.8.7, or the one just prior)?
this is 5.2.8.0, the latest for my box:
You need to rename the bin-file to zip.
-For step 5 and beyond, what post install wipe steps do you recommend? (wipe cache, etc.)
The amonet script edit the gpt and after this, data is a bit smaller, so the format data is important.
Flash a new OS is good, in order to remove rbox twrp, the bootmenu and the supersu install.
You can wipe cache and dalvik too, if you like.
-While probably not the right place, per my original post, is there a way to make the system recognize the sd as shared/internal storage? I typically use adopted/external on Android devices if able, but the limited internal storage on this device has proven challenging
Imo not as intSD, but fireOS will use it as extSD. Idk if there is a workarround for fireTVs.
Again, apologies for the newbish questions, but trying to be conservative/thorough.

Thanks again for the support! Much appreciated!!
If something goes wrong, take some pictures and report back ;)
 

First_Degree

Member
Jun 20, 2017
7
3
It should work just fine.
BUT it could be that you get some red errors, if you try to mount or format data (just after the amonet flashing). i.e. maybe you can't format data, then reboot into rbox twrp and the format should work...

Yes, but twrp works also over network rj45 port...
Maybe you can use twrp shell too, see the advanced tab, open the shell and try reboot recovery

this is 5.2.8.0, the latest for my box:
You need to rename the bin-file to zip.

The amonet script edit the gpt and after this, data is a bit smaller, so the format data is important.
Flash a new OS is good, in order to remove rbox twrp, the bootmenu and the supersu install.
You can wipe cache and dalvik too, if you like.

Imo not as intSD, but fireOS will use it as extSD. Idk if there is a workarround for fireTVs.

If something goes wrong, take some pictures and report back ;)
Got it done!

Quick notes on the experience:
-Did have to connect a usb mouse to swipe allow modification in the new twrp
-Initial Fire TV setup had to search for updates, so had to disable OTA URL block in router (disabled via shell-su once back in adb)
-Was able to eventually root with Magisk, but was not able to use latest Magisk (v24.1 renamed to .zip) - new twrp would hang at "checking for Digest file..."; they've moved to an apk/app format, and newer builds don't want to install via this version of twrp (Magisk also fails to update via Magisk app; error about about partition size)

Thanks again for the assistance!!

Now I'm off to investigate removing bloat/moving more stuff to the sd card
 

Sus_i

Senior Member
Apr 9, 2013
1,601
688
(y)
Quick notes on the experience:
-Did have to connect a usb mouse to swipe allow modification in the new twrp
Another way is to use the command from OP (within 10 seconds), in order to use adb via usb... then the swipe isn't needed.
adb wait-for-recovery && adb shell setprop twrp.usb.mode 0
Now I'm off to investigate removing bloat/moving more stuff to the sd card
Take a twrp backup, in case something goes wrong ;)
 
  • Like
Reactions: First_Degree

Sus_i

Senior Member
Apr 9, 2013
1,601
688
I followed steps 1 - 7 everything went fine, but upon reboot i cant get past amazon checking for updates and cant get back in twrp. @First_Degree which OTA URL did you block in router.
Maybe this is something you can try...
 

tw39515

Senior Member
Oct 14, 2006
616
148
HTC Leo
T-Mobile Samsung Galaxy S III

teamfresno

Senior Member
Apr 14, 2015
115
23
Do you guys just flash newer versions of Magisk via TWRP or through the app? I've never used Magisk and it's alerting me to update on the app. Thanks!
 

teamfresno

Senior Member
Apr 14, 2015
115
23
If the update is about the app (Magisk Manager) you can update that, but if the update is for Magisk Itself then do not update, your device will break.
update only via TWRP

Thanks. I opened the app up and it looks like it's an update for the app. I have v23 installed and v24.3 is the update. That's the newest version of Magisk. I'll probably just leave it alone. If anything instead of updating just the app, I'll probably just flash v24.3 if I end up doing it. Thanks again!
 

LocoMexican

Senior Member
Mar 12, 2017
116
31
I tried to flash Magisk 24.2 and then 24.3 via TWRP. Neither one got past "checking digest" and would not install. I'm sticking with version 23.0, at least for now.
 
I tried to flash Magisk 24.2 and then 24.3 via TWRP. Neither one got past "checking digest" and would not install. I'm sticking with version 23.0, at least for now.
Ive found the latest magisk to have problems also stick to v20-23.0

There is also the fact johnwu had decided to remove the magisk hide root feature.

There are several Magisk Alpha alternatives such as shamiko if your interested in hiding root from certain apps that call it.

Regards
 

LocoMexican

Senior Member
Mar 12, 2017
116
31
I've just set up a new sloan with latest update, magisk and a couple of other apps. I can't stand all the bloat. Please give me a hint on where I might find a custom launcher or other apk that will allow me to disable some of the bloatware. I'll be forever indebted. Thanks.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    My daughter's device took an update three days ago. I needed to install an new apk, and when I went to check that "developers options" was correctly checked so I could install apk from unknown sources, I couldn't find "Developers Options" anywhere on the device? I think the new update removed that option from the settings menu. Any ideas on what happened to developers options? Your thoughts are appreciated.
    It's still there, it's just hidden now like regular android devices


    A short guide to unhide it:
    1
    Tried this out. Works fine. Thanks for the info.
  • 10
    Read this whole guide before starting.

    This is for the 2nd gen Fire TV (sloane)

    Current relase: amonet-sloane-v1.1

    NOTE: This process does not require you to open your device if you're already rooted or you have TWRP.
    NOTE: If something goes horribly wrong and your device gets bricked, you'll have to open it and unbrick it through bootrom (post 2).
    NOTE: This process will modify the partition-table (GPT) of your device.

    NOTE: Your device will be reset to factory defaults (including internal storage) during this process.
    NOTE: Flashing prerooted ROM will disable unlocked TWRP. It's recommended to flash an stock update.bin
    until that gets sorted out.

    To update to the current release if you are already unlocked, just flash the zip in TWRP.

    What you need:
    • A Linux installation or live-system
    • A a-a cable
    1. Download the attached zip-file "amonet-sloane-v1.1zip".
    2. Copy the zip-file to the internal storage of the box or copy the zip-file to an external SD/USB storage and connect it to the box.
    3. Reboot the FireTV to rbox's TWRP recovery and flash the zip-file.

    NOTE: If you are on firmware 5.2.7.3 or newer, a downgrade is necessary, this requires bricking the device temporarily. (The screen won't come on at all)
    If you chose the brick option, you need to continue with bootrom-step-minimal.sh:




    NOTE: Please refer to the #2 post on how to prepare your environment before proceeding.
    NOTE: If you use this method to unlock the device you don't need to flash the unlock-zip once you're in TWRP.

    Once the zip-file finished flashing, disconnect the device and run:
    Code:
    sudo ./bootrom-step-minimal.sh
    Then plug the device back in.

    The device will reboot to hacked fastboot mode (Static Amazon White Logo + white blinking LED).
    Then run:
    Code:
    sudo ./fastboot-step.sh


    After that, the device will reboot to unlocked TWRP. Then go to Wipe > Format Data and type "YES".
    You can now install Magisk from there.

    Important information

    NOTE: This has nothing to do with the unlock process.

    You have 10 seconds to force TWRP to keep ADB over USB active by using
    Code:
    adb wait-for-recovery && adb shell setprop twrp.usb.mode 0

    In the new partitioning scheme your boot/recovery-images will be in boot_x/recovery_x respectively, while boot/recovery will hold the exploit.
    TWRP takes care of remapping these for you, so installing zips/images from TWRP will work as expected.

    Don't flash boot/recovery images from FireOS (FlashFire, MagiskManager etc.) (If you do anyway, make sure you flash them to boot_x/recovery_x)

    Should you accidentally overwrite the wrong boot, but your TWRP is still working, rebooting into TWRP will fix that automatically.

    TWRP will prevent updates from overwriting LK/Preloader/TZ, so generally installing an update should work without issues (only full updates, incremental updates won't work).

    For ROM developers there is still an option to overwrite these, which should only be done after thorough testing and if needed (LK should never be updated).

    It is still advised to disable OTA.

    Very special thanks to @k4y0z and @t0x1cSH for making all this possible by porting the LK exploit to sloane and implementing the RPMB-key derivation for sloane.
    Special thanks also to @xyz` for making all this possible and releasing the original amonet exploit for karnak.
    Special thanks also to @retyre for porting the bootrom-exploit to mt8173.
    Special thanks also to @Sus_i and @DanielF50 for testing.
    Special thanks also to @diplomatic for his wonderfull mtk-su, allowing you to unlock without opening the device.
    5
    I would advise you pull your ROM's boot.img, patch it with MagiskManager & then flash this manually via hacked fastboot, otherwise it won't work & you'll probably brick your device again.

    Don't worry, magisk flashing in TWRP works (now). ;)
    5
    When I tried to install Magisk in TWRP it failed. It isn't that big of a problem as I am running one of Rbox's pre rooted ROMs but just thought it was odd.

    It was Magisk 19.5? I believe, can't remember off the top of my head.
    You are probably using rbox-twrp instead unlocked twrp.
    I don't think there's any reason to use an old Magisk release either.

    Unfortunately the update overwrote the prerooted version with a standard unrooted version and you would have to go through the whole process again to unlock, but you would have to use the latest prerooted version once it is available so there no updates to mess it up. and then block future updates after that. I decided to just wait for the newest prerooted version so I don't have to go through the process again.

    The good thing is that it is a fully functional unit for reasonably cheap.
    Can you please stop giving nonsense advice?
    1. There is no reason to redo the unlock.
    2. We currently DO NOT recommend using the prerooted ROM together with the unlock.
    5
    In case someone needs some newer 'full OTA update' packages of the stock rom, only for sloane:

    Fire OS 5.2.7.3 (652614020).

    Fire OS 5.2.7.4 (656638420).

    Fire OS 5.2.7.6 (659654620).

    5.2.7.6 is the latest OS (as of today).
    Don't forget to rename the file, i.e. .bin to .zip.
    5
    According to Amazon the latest software update is Amazon Fire TV (2nd Generation): Fire OS 5.2.7.8 (664657320) not 5.2.8.8.
    but I haven't found a link for it yet.

    Me too. Where to find link for full stock Fire OS 5.2.7.8 (664657320)? I'd like to keep my practice demo up to date.

    Fire OS 5.2.7.8 (664657620) for sloane:


    md5: 087cef3f082b0017231e8b938feaeec7