[UNLOCK][ROOT][TWRP][UNBRICK][...] FireTV 2nd gen Cube (raven)

Search This thread

hasobist

Senior Member
Feb 1, 2021
71
19
When I created the magisk-patched boot.img in post#21, it was with a Canary build (before v25.2 was released). I think the Canary build may not have had signing enabled, which could be causing an issue with the official release.

I've created a new magisk-patched-boot.img from Magisk v25.2, for pre PS7242/2906 firmware. Download and unzip this into the 'images' directory of raven_boot. Then boot into FireOS and try installing Magisk Manager v25.2.

If that doesn't work, I can give you the steps for patching your own boot.img. It's easy, but requires a keyboard to navigate Magisk Manager on FireOS7, so I just post the patched images here to say people the hassle.

@hasobist Are you using the magisk image from post#21? I'm not sure if I need to create a second image for +PS7242/2906? The modules+Zygisk are broken in the image from the OP.

@JJ2017 which DFU entry device are you using? Arduino/ATmega/HDMI dongle? Just curious since this is the biggest barrier running this exploit.
Hello
Yes used the magisk_image from your post#21
Followed the instructions then bash menu used option 2 but then as JJ2017 mentioned would never download all the features of Magisk manager and is stuck at downloading and freeze so tried first installing Magisk manager as normal apk then your magisk_image version 7242/2906 and works great and when pop up asking to update Magisk manager just cancelled.
At present on OS version 7242/3315
If can have a magisk_image for the said version will give it a try or will try patching the image using Magisk manager.
As said a permanent root is always good as me never leave the cube on standby.
Thank you......
 

JJ2017

Senior Member
Jan 7, 2017
93
52
Huawei P20 Pro
Thanks for the replies and great news @Pro-me3us - the new patched Magisk image (@ post#40) did the trick.

IMG_20220818_203051.jpgIMG_20220818_203104.jpg
Photos are a bit unnecessary (sorry!) but I like to document my progress!

I am using a HDMI dongle made as per the instructions @ https://github.com/superna9999/linux/wiki/Amlogic-HDMI-Boot-Dongle - that in itself was quite a hassle - but got there eventually.
Great hack BTW - thanks for the work (y)
 
  • Like
Reactions: Pro-me3us

hasobist

Senior Member
Feb 1, 2021
71
19
Thanks for the replies and great news @Pro-me3us - the new patched Magisk image (@ post#40) did the trick.

View attachment 5689487View attachment 5689489
Photos are a bit unnecessary (sorry!) but I like to document my progress!

I am using a HDMI dongle made as per the instructions @ https://github.com/superna9999/linux/wiki/Amlogic-HDMI-Boot-Dongle - that in itself was quite a hassle - but got there eventually.
Great hack BTW - thanks for the work (y)
Wonderful
Did the Magisk manager download and complete installation post boot after using the bash menu option?
Cheers!
 

JJ2017

Senior Member
Jan 7, 2017
93
52
Huawei P20 Pro
Wonderful
Did the Magisk manager download and complete installation post boot after using the bash menu option?
Cheers!
Can't remember the exact process but several reboots were required - changes did seem to persist after reboots, thankfully. I put Magisk Manager 25.2 onto internal storage and installed it using Total Commander. Also needed to go into Magisk settings to switch on Zygisk button. After this, and reboot, the modules tab should be functional.... However, loading modules is a thorough PITA as the Amazon remote won't navigate the file explorer (my solution was messy so won't go into details here - I wonder how everyone else manages that part?!). Hope that answers your question?
 

Pro-me3us

Senior Member
May 12, 2022
174
178
Thanks for the replies and great news @Pro-me3us - the new patched Magisk image (@ post#40) did the trick.
Thanks for the confirmation! Now I remember, I was actually using a pre-canary build of Magisk Manager for post#21. So signing was definitely off or different. @hasobist I think you might still be using the original Magisk boot.img. Check JJ2017's images. The top Magisk number will indicate which image version you are using.

I patched a version for +PS7273/2906 and added it to post#40. Unzip that into your images folder, and reboot.

As said a permanent root is always good as me never leave the cube on standby.
Sorry, I wasn't dismissing the suggestion. I agree that having to connect a computer after each reboot to unlock/root is a major short coming of this exploit. This is just as far as we could get with the information that was out there.

Making this unlock/root persistent will more than likely require a bug in the bootloader (U-boot). There was such a bug used in the FireFU exploit for the 1st gen Cube and Pendant. But Amazon patched it before the 2nd gen Cube was released. Breaking secure boot is a deceptively very difficult thing to accomplish. These days it's usually security researchers doing it, they publish their findings online, and then that is used by less talented regular folk like me to apply to a specific device, and post it on XDA :)

Currently, I don't know of any bugs that could be used to make this unlock/root persistent. I just check check every few weeks to see if there are any new U-Boot bugs that might have promise.

The only current potential solution I can think of is to setup a cheap mini computer, like a Ras Pi Zero to detect when the Cube is in DFU mode. And use an HDMI passthrough dongle like Goapy made to avoid having to unplug/replug the HDMI cable. Then write a script for the Pi zero that runs the exploit when DFU mode is detected. Essentially a hardware mod that doesn't require opening up the Cube. But the cost of a Pi zero + SDcard + USBcord + power supply + HDMI passthrough dongle, and the complexity and skill needed to construct it, makes it too unattractive of a solution for me.
 
  • Like
Reactions: hasobist

Pro-me3us

Senior Member
May 12, 2022
174
178
However, loading modules is a thorough PITA as the Amazon remote won't navigate the file explorer (my solution was messy so won't go into details here - I wonder how everyone else manages that part?!).
Yeah this is exactly what I was referring to when patching a boot.img. Since mouse toggle doesn't work in Amazon's file manager, I connected a USB keyboard to the Cube.

When Magisk Manager opens the Amazon file manager, I first press 'select' on the remote, then 'tab' on the keyboard, then I press down on the remote direction pad to get to Downloads, and select. Fortunately, after you have done this once, Magisk remembers to always open that location the next time.

EDIT: forgot that instead of connecting a keyboard to press tab, there is also:
Code:
ADB shell input keyevent KEYCODE_TAB
It's case sensitive.

Or you can use ScrCpy, which is integrated into ADBLink2
 
Last edited:
  • Like
Reactions: hasobist and JJ2017

hasobist

Senior Member
Feb 1, 2021
71
19
Can't remember the exact process but several reboots were required - changes did seem to persist after reboots, thankfully. I put Magisk Manager 25.2 onto internal storage and installed it using Total Commander. Also needed to go into Magisk settings to switch on Zygisk button. After this, and reboot, the modules tab should be functional.... However, loading modules is a thorough PITA as the Amazon remote won't navigate the file explorer (my solution was messy so won't go into details here - I wonder how everyone else manages that part?!). Hope that answers your question?
Hello
Did you not lose root after reboot?
May be Mouse toggle with ES file explorer will help worked for me need some tinkering it works.
Wonderful you got it working cheers.......
 

JJ2017

Senior Member
Jan 7, 2017
93
52
Huawei P20 Pro
Hello
Did you not lose root after reboot?
May be Mouse toggle with ES file explorer will help worked for me need some tinkering it works.
Wonderful you got it working cheers.......
Always rebooted using the hack - bash menu - option 2 - so I assume root was there (but didn't expicitly test). I also assume that a regular reboot (no hack) will result in loss of root as patched boot file won't be present. I think changes made by 'App Systemizer' Magisk module might persist into a non-hack (regular) boot - I think Pro-me3us said this in this thread somewhere.
Thanks for the tip on ES file explorer - will look into that
 
  • Like
Reactions: hasobist
D

Deleted member 11959327

Guest
EDIT: forgot that instead of connecting a keyboard to press tab, there is also:
Code:
ADB shell input keyevent KEYCODE_TAB
It's case sensitive.

I have something in my notes that I did:

input tap 200 300

in order to select the file. I don't remember exactly what the problem was, but this solution worked quickly.
 
  • Like
Reactions: hasobist

hasobist

Senior Member
Feb 1, 2021
71
19
When I created the magisk-patched boot.img in post#21, it was with a Canary build (before v25.2 was released). I think the Canary build may not have had signing enabled, which could be causing an issue with the official release.

I've created a new magisk-patched-boot.img from Magisk v25.2, for pre PS7242/2906 firmware. Download and unzip this into the 'images' directory of raven_boot. Then boot into FireOS and try installing Magisk Manager v25.2.

If that doesn't work, I can give you the steps for patching your own boot.img. It's easy, but requires a keyboard to navigate Magisk Manager on FireOS7, so I just post the patched images here to save people the hassle.

@hasobist Are you using the magisk image from post#21? I'm not sure if I need to create a second image for +PS7242/2906? The modules+Zygisk are broken in the image from the OP.

@JJ2017 which DFU entry device are you using? Arduino/ATmega/HDMI dongle? Just curious since this is the biggest barrier running this exploit.

EDIT: uploaded v25.2 Magisk patched boot.img for +PS7242/2906
Hello pro-me3us
Tried the patched Magisk v25.2 boot.img #40, ain't works no root whereas the previous patch provided is stuck at Downloading magisk and the patched boot.img in OP works but no access to modules.
Shall I factory reset and try?
I'm on version PS7242/3515
Thank you.......
 

Pro-me3us

Senior Member
May 12, 2022
174
178
Tried the patched Magisk v25.2 boot.img #40, ain't works no root whereas the previous patch provided is stuck at Downloading magisk and the patched boot.img in OP works but no access to modules.
Shall I factory reset and try?
I'm on version PS7242/3515
No don't factory reset, that's not necessary.

I should probably just remove the images from post#21 because they will only work with that one pre-canary release that is no longer available.

To use the v25.2 patched images from post#40, try uninstalling Magisk Manager from within FireOS. Then download and install Magisk Manager v25.2 from github. Download magisk_v25-2_boot_7242-2906.zip from post#40, and unzip it into the images folder of your raven_boot directory. Then reboot the Cube with the bash menu script.

I think the PS7242/2906 patched image should work with 3515 and 3516. If it doesn't, then you just need to patch your own boot image. To do that:

1) extract the boot image
You can use bash menu
Code:
6) Download partitions with Amlogic burn mode
4) Boot [24MB]
14) Begin download
The boot.img will be downloaded to /raven_boot/backups. And then you will need to copy it to the download directory on the Cube.

Or you can use ADB with root access to extract the boot image
Code:
ADB shell dd if=/dev/block/boot of=/sdcard/Download/boot.img
This will copy the boot.img directly to the Cube's download folder.

2) patch the boot.img with magisk manager
Open Magisk Manager, and choose install Magisk.
Leave VBmeta unchecked, and check use recovery mode.
Select a file to patch, and navigate to Download folder, to the boot.img you extracted.

3) move the new magisk patched boot.img from the Cube's Download folder to raven_boot/images on your computer running the exploit. Rename it magisk_boot.img
 

hasobist

Senior Member
Feb 1, 2021
71
19
The second part did the trick patching the image using Magisk and works ain't know why the patched image in post #40 doesn't perhaps tried it multiple times nevertheless ended well.
Thank you loads for the detailed instructions.
Attached the files in the OTA update thread.
Hoping for a permanent root one day, keep the good work going.
Thank you.......
 
  • Like
Reactions: Pro-me3us

Pro-me3us

Senior Member
May 12, 2022
174
178
I repatched and packed the image. Thank you to @hasobist for confirming it is now working with PS7242/3515 too. I replaced the PS7242/2906 zip with the updated working version in post#40.

I also deleted the outdated canary images in post#21.
 
Last edited:
  • Like
Reactions: hasobist

Michajin

Senior Member
Oct 23, 2012
1,364
547
If anyone is interested in trying this, you can find the cube2 on eBay, refurbished for $40 (I have 2 of then). They are Verizon resales and have Verizon recommendations but function the same. They come with the original launcher old os. I thought I would share this, in case if a brick to minimize risk.
 
  • Like
Reactions: Sus_i

Pro-me3us

Senior Member
May 12, 2022
174
178
Woot has the 2nd gen Cubes on sale for $45. I have no idea what firmware they include, but doubt it's recent.

Since this exploit never writes anything to the Cube (it's all run in RAM), there is zero chance of a brick. Bricking a device is only a concern when you start modifying a device's eMMC to make a bootloader unlock/root persist after a reboot.

Now if you use your root access to start making direct changes to the System/Vendor partitions (instead of using Magisk), you will trip DM-verity.
 

fire_cuber

Member
Dec 28, 2020
30
30
48
Too bad I had hoped that I can eventually remove this annoying sound from the boot animation.
I assume that there is no other way?

With the Fire TV Stick 4k I was able to exchange the boot animation with one without sound thanks to root.
 

Pro-me3us

Senior Member
May 12, 2022
174
178
Too bad I had hoped that I can eventually remove this annoying sound from the boot animation.
I assume that there is no other way?
You can change the boot animation the Magisk way. Grab your boot animation of choice, or edit your own. Then push it here:
Code:
adb shell push bootanimation.zip /data/adb/modules/BootAnimation/system/media/bootanimation.zip

This creates a new "BootAnimation" Magisk module that you will see in the list when you open Magisk. And every time you boot the exploit with Magisk support, the boot animation will load (and only then). Making system/vendor changes like this, you won't trip DM-verity and you can keep booting the Cube with or without this exploit.

DM-verity isn't an issue when loading this exploit, Magisk disables it, but the assumption is that you don't want to make it impossible to boot the Cube without loading the exploit. So you should keep modifications limited to the data partition.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 13
    RavenMenuV2.png

    Raven Boot v2.0 now includes persistent root. A huge thank you to @Functioner for getting it working! This package includes unrestricted U-Boot, fastboot & Amlogic burn mode commands, as well as TWRP and Magisk support. The Raven boot tool includes options to root your Cube, gain temporary root access without modifying your device, and a number of options for recovery and backup.



    Setup-01.jpeg


    NOTE: FireOS < 7.2.7.3 required
    A newer method is available that works up to PS7292, that doesn't use DFU or a DFU device, but has no DFU recovery options

    NOTE: This process does not require you to open your Fire TV 2nd gen Cube

    Changelog:
    v2.2 April 7th, 2023​
    • Minor update to Magisk 25.208
      • Hopping back on official signed Magisk app line
        v2.0 and v2.1 use an unofficial Magisk build that will result in a signature mismatch when updating.
        If you are using Raven root v2.0/2.1, delete the file /data/adb/magisk.db on your Cube,
        before updating to Raven root v2.2.
    • Added USB booting for flash drives that use aml_autoscripts, for future development.
    v2.1 February 18th, 2023​
    • Updated TWRP v3.6.1-9-0 ---> v3.7.0-9.0
    • Fixed problem with TWRP not always displaying all the partitions under 'Mount/Backup'
      • Always mounts 'Internal Storage' to /sdcard now
    • Fixed bash menu to always use the included fastboot binary
    • Cube's physical buttons can be used on bootup
      • Volume Up ---> Fastboot
      • Volume Down ---> TWRP recovery
      • Action button ---> Amlogic Update
    **Hold down button for ~5sec after power-on, and before the blue LEDs / 1st Amazon logo​
    v2.0 February 9th, 2023​
    • Root is now persistent, does not require computer after every reboot
    • One click option to install root access, TWRP, Magisk & OTA blocker module
    • Magisk updates
      • Zygisk is working (July 1st, 2022)
      • Magisk can be installed from TWRP or direct installed from within Magisk Manager
      • Created module to block Amazon OTA updates via etc/hosts and hiding the OTA apk
      • updated quick access images to Magisk v25.2
    • TWRP updates
      • Bootloader flashing is blocked, so that full OTA firmware bins can be easily flashed (tested up to PS7624/3337)
      • Removed firmware downgrade checks & warnings
      • Added NTFS support for flash drives within TWRP
    • Added options to backup entire reserved partition, and mmcblk0boot0 & mmcblk0boot1 boot partitions in Amlogic update
    • Added emergency boot to Fastboot/Update modes
    v1.0 May 15th, 2022​
    • Temporary unrestricted fastboot, u-boot & update commands
    • Boot with root access or Magisk support
    • Boot to TWRP for backup & recovery
    • Backup Cube using Amlogic Update


    What's needed:
    • linux installation or live-system (Ubuntu 20.04.x recommended)
    • micro-USB cable
    • device to put Cube into device firmware upgrade (DFU) mode [read below]
    equipment1.jpeg



    libusb is needed for your linux installation to detect the Cube over USB.
    • sudo apt-get install libusb-1.0-0
    To automatically set the proper udev rules for Amlogic install Khadas utils:
    1. sudo apt-get install libusb-dev git
    2. sudo apt-get install git
    3. git clone https://github.com/khadas/utils
    4. cd utils
    5. ./INSTALL


    ***NOTE: If you previously installed Magisk on your Cube from raven_boot v1.0, first run adb shell rm /data/adb/magisk.db to prevent any conflicts with the new Magisk version.

    Instructions
    1. Download the latest raven_boot.zip and unzip it. Open a terminal window from the unzipped raven_boot directory

    2. Power off the Cube and connect your DFU device to the Cube's HDMI port. Connect the USB cable (microUSB to USB-type A) to computer & Cube

    3. Power on the Cube, type lsusb in the terminal to confirm ID 1b8e:c003 Amlogic, Inc. is present, indicating the Cube is in DFU mode

    4. Unplug the DFU device from the HDMI port, reconnect the Cube to TV with HDMI cord. Keep the computer connected.

    5. In the terminal type bash menu, and choose option 1) to automatically root the Cube.
    To preserve the Cube's persistent root, be sure to confirm that both TWRP & Magisk are installed.

    Quick Access
    For options 2) and 3) to gain temporary root, download the images zip file that corresponds to your current FireOS version, and unzip the contents into raven_boot/images directory.​
    For Cubes running FireOS 7242/2896 or later get ---> images_7242-2906_v2.0.zip​
    For FireOS versions 7201/942 to 7242/2216 get ---> images_7229-1853_v2.0.zip​

    magisk.png
    root_access.png

    Magisk v25.206 is included with Raven boot, it's recommened that you use this version or newer. For instructions on how to update your firmware and keep root access, read here


    About the exploit
    This exploit is based on a vulnerability in the Amlogic bootrom that allows for us to run unsigned code in the next boot stage (Bl2). To pause the automatic boot up process, before the Cube's saved Bl2 is loaded, we rely on Amlogic's device firmware upgrade mode (DFU). In DFU, only the boot code from the Amlogic s922x SOC (Bl1) has been loaded into memory. We then use the vulnerability to load our modified Bl2, breaking the 'chain of trust', and disabling secure boot so that we can make modifications to the bootloader downstream. The last stage of the bootloader is U-boot (Bl33) which hands off the startup process to the kernel (boot.img). U-boot is modified to unlock any restrictions on u-boot and fastboot commands, giving us full access to system features. We can then use fastboot boot to load our modified boot images (TWRP, magisk-patched boot.img), into memory without modifying the Cube's eMMC.

    Visit GitHub for a more in depth write-up and resources used in this project

    Contributors
    @Functioner
    @Zenofex
    @npjohnson
    @zeewox
    @Pro-me3us

    Additional thanks to
    @tchebb - a bottomless encyclopedia of Amlogic knowledge, answering countless questions & troubleshooting
    @roligov - providing photos, additional FireOS updates, and testing
    @osm0sis, @canyie, @vvb2060 & @yujincheng08 - the Magisk team for being awesome, troubleshooting and making a number of code changes to get all features working on the Cube
    @k4y0z - helping troubleshoot some TWRP and Magisk issues
    4
    EDIT: This procedure has been revised, please follow the instructions here

    Flashing OTA Firmware with TWRP
    To upgrade the Cube firmware past PS7273+ and keep this exploit working, we need to avoid flashing any bootloader version newer than PS7242/3516. The following procedure removes the bootloader flashing instructions from the OTA firmware, so that everything but the bootloader is updated. After updating, the Cube will still boot normally with or without the exploit loaded. Tested & working up to PS7614/3227.

    Modify the firmware:
    1) Download 2nd gen Cube full firmware (XDA or Github), change extention .bin to .zip, and open the file.

    2) Open /META-INF/com/google/android/updater-script in a text editor, delete the following block of code:
    Code:
    # Bootloader
    if (getprop("ro.boot.secure_cpu") == "0")
    then
        ui_print("Copying bootloader for non secure device...");
        write_bootloader_image(package_extract_file("images/u-boot.bin"), "bootloader");
    else
        ui_print("Copying bootloader for secure device...");
        write_bootloader_image(package_extract_file("images/u-boot.bin.signed"), "bootloader");
    endif;

    3) Save modified updater-script to the firmware .zip.



    TWRP Flashing procedure:
    1) Boot Cube into TWRP with the bash menu script [Option (3, Suboption (1].
    Code:
    adb push <firmware-filename.zip> /sdcard
    adb shell
    twrp install <firmware-filename.zip>
    Done! reboot

    *2) Flashing can also be done through the TWRP gui using the 'install' button if you prefer


    IMPORTANT: Keep system updates blocked, and only flash firmware through TWRP using this procedure. Firmware upgrades don't require wiping data/cache/dalvik, but if you are downgrading firmware, wiping data may be advisable.


    Note: Amazon added package protection in +PS7273. To remove this, boot into FireOS with root access, edit /data/system/PackageManagerDenyList, delete the list of applications, and save.

    The list of protected applications will be regenerated after every reboot (obtained from Amazon server), to prevent this:
    Code:
    adb shell pm disable-user com.fireos.arcus.proxy

    Custom launcher use, and the ability to disable/enable any system app will work when booting with or without the exploit.
    4
    D
    Deleted member 11959327
    Otherwise I'll modify the sot23 version that I have coming tomorrow, replacing the sot23 at24cs02 with an 8-lead version that I can pull from some waste board.

    I did ^this^ because the 8-lead version that I ordered still hasn't arrived yet. See before/after images below. It was a success and I was able to get the exploit running.

    While swapping out the eeprom, I noticed that the ddc (display data channel) pair of lines was terminated in the plug, even though this edid emulator device supports passthrough. The ddc pair carries at least two kinds of data, edid and hdcp.

    Presumably ddc is terminated because otherwise there would be a serial wire device conflict on the i2c bus at address 0x50, since both the edid emulator device and the sink would each have a eeprom (or prom) at that address.

    But since for dfu usage the address is changed to 0x52, I figured the ddc lines could be reconnected and the 0x52 serial device could just ride on a passthrough i2c bus. So, I wired the sda and scl lines as passthrough lines.

    I hoped that this would mean that I could repeatedly use the exploit over time without swapping hdmi connections for every reboot. And it does do that. But it also takes a power cycle in order boot to dfu mode from an actively running OS. Booting any of the other images, such as fastboot, twrp, etc., do not require a power cycle and reboot straight to dfu mode with the passthrough device installed.

    So, it is still more convenient to just cycle power rather than swap hdmi plugs.

    As far as testing the exploit itself, I've only spent an hour so far. The included magisk patched boot image does work, although when I tried to boot a magisk patched boot image that I patched myself (using the original image on the device as a source), it did not boot. All of the provided boot images do work, and are all very useful.
    3
    I'll see if I can simplify things any further. I tried to find a way to have TWRP automatically skip over the Bootloader code, but there is no simple solution.

    I made a minor TWRP edit that should avoid and date/downgrade warnings, put the image in raven_boot/images.

    Lastly I made an updated magisk patched boot image using the kernel from PS7614/3227 since there have been +10 updates since PS7242/2906 (still worked fine with PS7614/3227 anyways). It's probably about time to make a new version of the OP files, I was just waiting on the next release of Magisk.

    I've been able to both upgrade and downgrade. I'm testing PS7614/3227 now, and as far as I can tell everything is working without any problems.

    PS if anyone is running a firmware below PS7273 and not one of the following, please backup your unit and let me know for the archive:
    PS7212/1333
    PS7229/1853
    PS7229/1856
    PS7242/2906
    PS7242/3516
    3
    Hi, I could do with some help regarding Magisk.
    The original (May'22) version installs OK but it's not fully functional.
    The July update with working modules (from post#21) won't update and install: when I try to run it - and it asks to update - I just get 'downloading Magisk' spinning wheel.
    When I created the magisk-patched boot.img in post#21, it was with a Canary build (before v25.2 was released). I think the Canary build may not have had signing enabled, which could be causing an issue with the official release.

    I've created a new magisk-patched-boot.img from Magisk v25.2, for pre PS7242/2906 firmware. Download and unzip this into the 'images' directory of raven_boot. Then boot into FireOS and try installing Magisk Manager v25.2.

    If that doesn't work, I can give you the steps for patching your own boot.img. It's easy, but requires a keyboard to navigate Magisk Manager on FireOS7, so I just post the patched images here to save people the hassle.

    @hasobist Are you using the magisk image from post#21? I'm not sure if I need to create a second image for +PS7242/2906? The modules+Zygisk are broken in the image from the OP.

    @JJ2017 which DFU entry device are you using? Arduino/ATmega/HDMI dongle? Just curious since this is the biggest barrier running this exploit.

    EDIT: uploaded v25.2 Magisk patched boot.img for +PS7242/2906